P1: JZP CUNYXXX-FM
CUNYXXX/Dimitracopoulos
July 11, 2007
Logic Colloquium 2005 ...


Logic Colloquium 2005


Lecture Notes in Logic

A Publication of The Association for Symbolic Logic

This series serves researchers, teachers, and students in the field of symbolic logic, broadly interpreted. The aim of the series is to bring publications to the logic community with the least possible delay and to provide rapid dissemination of the latest research. Scientific quality is the overriding criterion by which submissions are evaluated.

Editorial Board
Anand Pillay, Managing Editor, Department of Pure Mathematics, School of Mathematics, University of Leeds
Lance Fortnow, Department of Computer Science, University of Chicago
Shaughan Lavine, Department of Philosophy, The University of Arizona
Jeremy Avigad, Department of Philosophy, Carnegie Mellon University
Vladimir Kanovei, Institute for Information Transmission Problems, Moscow
Steffen Lempp, Department of Mathematics, University of Wisconsin

See end of book for a list of the books in the series. More information can be found at http://www.aslonline.org/books-lnl.html.


Lecture Notes in Logic 28

Logic Colloquium 2005

Proceedings of the Annual European Summer Meeting of the Association for Symbolic Logic, Held in Athens, Greece, July 28–August 3, 2005

Edited by

COSTAS DIMITRACOPOULOS, Department of History and Philosophy of Science, University of Athens
LUDOMIR NEWELSKI, Mathematical Institute, Wroclaw University
DAG NORMANN, Department of Mathematics, University of Oslo
JOHN R. STEEL, Department of Mathematics and Computer Science, University of California, Berkeley

Association for Symbolic Logic

CAMBRIDGE UNIVERSITY PRESS

Cambridge, New York, Melbourne, Madrid, Cape Town, Singapore, São Paulo Cambridge University Press The Edinburgh Building, Cambridge CB2 8RU, UK Published in the United States of America by Cambridge University Press, New York www.cambridge.org Information on this title: www.cambridge.org/9780521884259 © Association for Symbolic Logic 2007 This publication is in copyright. Subject to statutory exception and to the provision of relevant collective licensing agreements, no reproduction of any part may take place without the written permission of Cambridge University Press. First published in print format 2007 eBook (EBL) ISBN-13 978-0-511-35476-2 ISBN-10 0-511-35476-2 eBook (EBL) hardback ISBN-13 978-0-521-88425-9 hardback ISBN-10 0-521-88425-X

Cambridge University Press has no responsibility for the persistence or accuracy of urls for external or third-party internet websites referred to in this publication, and does not guarantee that any content on such websites is, or will remain, accurate or appropriate.

CONTENTS

Introduction
Speakers and Titles
Jan A. Bergstra, Inge Bethke and Alban Ponse, Thread algebra and risk assessment services
Mário J. Edmundo, Covering definable manifolds by open definable subsets
Sergei S. Goncharov, Isomorphisms and definable relations on computable models
Deirdre Haskell, Independence for types in algebraically closed valued fields
Eric Jaligot, Simple groups of finite Morley rank
Hannes Leitgeb, Towards a logic of type-free modality and truth
Justin Tatch Moore, Structural analysis of Aronszajn trees
Sara Negri, Proof analysis in non-classical logics
Charles Parsons, Paul Bernays’ later philosophy of mathematics
Greg Restall, Proofnets for S5: Sequents and circuits for modal logic
Helmut Schwichtenberg, Recursion on the partial continuous functionals
Michael Sheard, A transactional approach to the logic of truth
Dieter Spreen, On some problems in computable topology
Sergei Tupailo, Monotone inductive definitions and consistency of New Foundations

INTRODUCTION

The 2005 European Summer Meeting of the Association for Symbolic Logic was held in Athens, Greece, July 28–August 3, 2005. The meeting was called Logic Colloquium 2005 and its sessions, except the opening one, which took place in the Main Building, took place in the building of the Department of Mathematics of the University of Athens. It was attended by 198 participants (and 25 accompanying persons) from 29 different countries.

The organizing body was the Inter-Departmental Graduate Program in Logic and Algorithms (MPLA) of the University of Athens, the National Technical University of Athens and the University of Patras.

Financial support was provided by the Association for Symbolic Logic, the Athens Chamber of Commerce and Industry, the Bank of Greece, the Graduate Program in Logic and Algorithms, IVI Loutraki Water Co., the Hellenic Parliament, Katoptro Publications, Kleos S. A., the Ministry of National Education and Religious Affairs, Mythos Beer Co., the National and Kapodistrian University of Athens, the National Bank of Greece and Sigalas Wine Co.

The Program Committee consisted of Chi Tat Chong (Singapore), Costas Dimitracopoulos (Athens), Hartry Field (New York), Gerhard Jäger (Bern), George Metakides (Patras), Ludomir Newelski (Wrocław), Dag Normann (Oslo), Rohit Parikh (New York), John Steel (Berkeley), Stevo Todorčević (Paris), John Tucker (Swansea), Frank Wagner (Lyon) and Stan Wainer (Leeds, Chair).

The Organizing Committee consisted of Dionysios Anapolitanos (Athens), Costas Dimitracopoulos (Athens, Chair), Lefteris Kirousis (Patras), George Koletsos (Athens), Michael Mytilinaios (Athens), Stavros Papastavridis (Athens), Thanases Pheidas (Iraklio), Panos Rondogiannis (Athens), George Stavrinos (Athens), Anneta Synachopoulos (Athens), Thanases Tzouvaras (Thessaloniki) and Stathis Zachos (Athens).

The program of the meeting is listed on the following pages. All invited speakers were invited to submit a paper to the proceedings volume, but not all did. The submissions were all refereed and the editors would like to sincerely thank the referees for their work.

The editors would like to express their deep gratitude to the Alexander S. Onassis Public Benefit Foundation for generously providing a grant towards the cost of publication of this volume.

The Editors
Costas Dimitracopoulos, Athens
Ludomir Newelski, Wrocław
Dag Normann, Oslo
John Steel, Berkeley

SPEAKERS AND TITLES

Tutorial Speakers

Peter Aczel, Constructive set theory. University of Manchester, UK.
Itay Ben-Yaacov, Model theory in positive and continuous logics. University of Wisconsin, Madison, USA.
Phokion G. Kolaitis, Constraint satisfaction, complexity, and logic. I.B.M. Almaden Research Center and U.C.S.C., USA.
Greg Restall, Proofnets for S5: Sequents and circuits for modal logic. University of Melbourne, Australia.

Plenary Speakers

Jan A. Bergstra, Inge Bethke and Alban Ponse, Thread algebra and risk assessment services. University of Amsterdam, The Netherlands.
Sergei S. Goncharov, Isomorphisms and definable relations on computable models. Novosibirsk State University, Russia.
Deirdre Haskell, Independence for types in algebraically closed valued fields. McMaster University, Hamilton, Ontario, Canada.
Eric Jaligot, Simple groups of finite Morley rank. University of Lyon 1, France.
Justin Tatch Moore, Structural analysis of Aronszajn trees. Boise State University, Idaho, USA.
André Nies, Algebras with finite descriptions. University of Auckland, New Zealand.
Charles Parsons, Paul Bernays’ later philosophy of mathematics. Harvard University, Cambridge, Massachusetts, USA.
Helmut Schwichtenberg, Recursion on the partial continuous functionals. University of Munich, Germany.
Michael Sheard, A transactional approach to the logic of truth. Saint Lawrence University, Canton, New York, USA.
Sergei Tupailo, Monotone inductive definitions and consistency of New Foundations. Tallinn University of Technology, Estonia, and Ohio State University, USA.
Klaus Weihrauch, Computable analysis. University of Hagen, Germany.
Jindrich Zapletal, Forcing idealized. University of Florida, Gainesville, USA.

Special Sessions

Computability in Analysis
Vasco Brattka, Computability on non-separable Banach spaces. University of Cape Town, South Africa.
Dieter Spreen, On some problems in computable topology. University of Siegen, Germany.

Computer Science Logic
Wiebe van der Hoek, Dynamic epistemic logic. University of Liverpool, UK.
Stephan Kreutzer, Gaifman’s theorem and approximation schemes. Humboldt University of Berlin, Germany.

Model Theory
Mário J. Edmundo, Covering definable manifolds by open definable subsets. University of Lisbon, Portugal.
Piotr Kowalski, Projective D-varieties over a Hasse field. University of Wrocław, Poland.

Philosophical Logic
Hannes Leitgeb, Towards a logic of type-free modality and truth. University of Salzburg, Austria, and Stanford University, La Jolla, California, USA.
Sara Negri, Proof analysis in non-classical logics. University of Helsinki, Finland.

THREAD ALGEBRA AND RISK ASSESSMENT SERVICES

JAN A. BERGSTRA, INGE BETHKE, AND ALBAN PONSE

Abstract. Threads as contained in a thread algebra emerge from the behavioral abstraction from programs in an appropriate program algebra. Threads may make use of services such as stacks, and a thread using a single stack is called a pushdown thread. Equivalence of pushdown threads is decidable. Using this decidability result, an alternative to Cohen’s impossibility result on virus detection is discussed and some results on risk assessment services are proved.

Logic Colloquium ’05. Edited by C. Dimitracopoulos, L. Newelski, D. Normann, and J. Steel. Lecture Notes in Logic, 28. © 2006, Association for Symbolic Logic.

§1. Introduction. This paper is about thread algebra [1, 5]. Threads are processes tailored to describe sequential program behaviour and emerge from the behavioral abstraction of sequential programs. A basic thread models a finite program behaviour to be controlled by some execution environment: upon each action (e.g., a request for some service), a reply true or false from the environment determines further execution. Any execution trace of a basic thread ends either in the (successful) termination state or in the deadlock state. Both these states are modeled as special thread constants. Regular threads extend basic threads by comprising loop behaviour, and are reminiscent of flowcharts [14, 12]. Threads may make use of services, i.e., devices that control (part of) their execution by consuming actions, providing the appropriate reply, and suppressing observable activity. Regular threads using the service of a single stack are called pushdown threads. Apart from the distinction between deadlock and termination, pushdown threads are comparable to pushdown automata or pushdown processes as described by Stirling [17] or Burkart and Steffen [9].

First, we recall from our companion paper [2] that equivalence of pushdown threads is decidable, and we provide a sketch of our proof. Then we elaborate on Cohen’s impossibility result on virus detection [10] (in that 1984 paper, the term computer virus was coined). Whereas Cohen showed that a test predicate that decides whether a program executes (and spreads) a virus cannot exist, we proposed in [8] a more modest test that can be used to forecast whether the execution of a thread has no security hazard. This is decidable for regular threads (as argued in [8]), and also for shrat-safe pushdown threads (as argued in this paper). In our approach, a security hazard is modeled as the occurrence of a certain action in a thread. We define a service SHRAT (security hazard risk assessment tool) that provides the replies to such tests. The idea is as follows: a security hazard is modeled by an action risk and the security hazard risk test as sh.ok. In case SHRAT replies true to if sh.ok then P else Q, P will not execute risk and execution continues with P. In the other case (reply false), Q will be executed instead because P would execute risk (there is no security hazard risk assessment of Q). A major point is whether P itself may or may not execute sh.ok tests. If P is regular, this is not a problem and we prove that SHRAT is correct. In the case that P is a pushdown thread, correctness only follows if P is shrat-safe, i.e., contains no occurrences of both sh.ok and risk (this is a decidable property).

Our approach offers an alternative to that of Cohen in his well-known paper [10] which shows the impossibility of a test action that reacts on two arguments P and Q at the same time. More precisely, Cohen considers a decision procedure D (a predicate on program texts) that determines whether a program executes (and spreads) a virus. Then Cohen’s impossibility result is established by the program C defined by C = if ¬D(C) then P else Q, where P executes a virus, and Q is virus-free.

§2. Threads and services. In this section we recall the definitions of basic threads and regular threads. Furthermore we discuss services that may be used by a thread, and we consider the use-operator, which defines how a thread uses a service.

2.1. Threads. Basic thread algebra [5]¹, BTA, is tailored for the description of sequential program behaviour. Based on a finite set of actions A, it has the following constants and operators:
• the termination constant S,
• the deadlock or inaction constant D,
• for each a ∈ A, a binary postconditional composition operator a .
We use action prefixing a ◦ P as an abbreviation for P a P and take ◦ to bind strongest.
The operational intuition behind thread algebra is that each action represents a command which is to be processed by the execution environment of a thread. More specifically, an action is taken as a command for a service offered by the environment. The processing of a command may involve a change of state of this environment. At completion of the processing of the command, the service concerned produces a reply value true or false to the thread under execution. The thread P a Q will then proceed as P if the processing of a yielded the reply true indicating successful processing, and it will proceed as Q if the processing of a yielded the reply false.

¹ In [4], basic thread algebra is introduced under the name basic polarized process algebra.

BTA can be equipped with a partial order and an approximation operator in the following way:

1. is the partial ordering on BTA generated by the clauses
   (a) for all P ∈ BTA, D P, and
   (b) for all P1, P2, Q1, Q2 ∈ BTA, a ∈ A, P1 Q1 & P2 Q2 ⇒ P1 a P2 Q1 a Q2.
2. : N × BTA → BTA is the approximation operator determined by the equations
   (a) for all P ∈ BTA, (0, P) = D,
   (b) for all n ∈ N, (n + 1, S) = S, (n + 1, D) = D, and
   (c) for all P, Q ∈ BTA, n ∈ N, (n + 1, P a Q) = (n, P) a (n, Q).

We further write n (P) instead of (n, P). The operator finitely approximates every thread in BTA. That is, for all P ∈ BTA,

∃n ∈ N 0 (P) 1 (P) · · · n (P) = n+1 (P) = · · · = P.

Every thread in BTA is finite in the sense that there is a finite upper bound to the number of consecutive actions it can perform. Following the metric theory of [11] in the form developed as the basis of the introduction of processes in [3], BTA has a completion BTA∞ which comprises also the infinite threads. Standard properties of the completion technique yield that we may take BTA∞ as the cpo consisting of all so-called projective sequences. That is,

BTA∞ = {(Pn)n∈N | ∀n ∈ N (Pn ∈ BTA & n (Pn+1) = Pn)}

with

(Pn)n∈N (Qn)n∈N ⇔ ∀n ∈ N Pn Qn

and

(Pn)n∈N = (Qn)n∈N ⇔ ∀n ∈ N Pn = Qn.

For a detailed account of this construction see [1]. In this cpo structure, finite linear recursive specifications represent continuous operators having as unique fixed points regular threads, i.e., threads which can only reach finitely many states. A finite linear recursive specification over BTA is a set of equations

Xi = ti (X)

for i ∈ I with I some finite index set and all ti (X) of the form S, D, or Xil ai Xir for il, ir ∈ I.

Example 2.1.1. We define the regular threads
1. a ◦ b ◦ D,
2. a ◦ b ◦ S and
3. (a ◦ b)∞ (this informal notation is explained below)
as the fixed points for X1 in the specifications
1. X1 = a ◦ X2, X2 = b ◦ X3, X3 = D,
2. X1 = a ◦ X2, X2 = b ◦ X3, X3 = S,
3. X1 = a ◦ X2, X2 = b ◦ X1,
respectively. Both a ◦ b ◦ D and a ◦ b ◦ S are finite threads; (a ◦ b)∞ is the infinite thread corresponding to the projective sequence (Pn)n∈N with P0 = D, P1 = a ◦ D and Pn+2 = a ◦ (b ◦ Pn). Observe that a ◦ b ◦ D a ◦ b ◦ S, a ◦ b ◦ D (a ◦ b)∞, but a ◦ b ◦ S (a ◦ b)∞.

Convention 2.1.2. In reasoning with finite linear recursive specifications, we shall from now on identify variables and their fixed points. For example, we say that P is the regular thread defined by P = a ◦ P instead of stating that P equals the fixed point for X in X = a ◦ X.

2.2. Services. A service is a component of an execution architecture for threads that can be used to determine the reply to an action. In [6] various services (called state machines in that paper) were considered, as well as their possible role in thread execution. A service is a pair Σ, F consisting of a set Σ of so-called co-actions and a reply function F. The reply function F of a service Σ, F is a mapping that gives for each sequence of co-actions in Σ+ the reply produced by the service. This reply is a boolean value true or false.

Example 2.2.1 (Stack). One of the services that will occur in what follows is the stack S = Σ, F with Σ = {push:i, topeq:i, empty, pop | i ∈ I} for some finite set I, where push:i pushes i onto the stack and yields reply true, the action topeq:i tests whether i is on top of the stack, empty tests whether the stack is empty, and pop pops the stack if it is non-empty with reply true and yields the reply false otherwise (leaving the stack empty).
By S(α) we denote a stack with contents α ∈ I∗ with the leftmost element of α on top in case α = with the empty stack contents. In Example 3.1.1 we return to the use of a stack as a service.

In order to provide a specific description of the interaction between a thread and a service, we will use for actions the general notation c.a where c is the so-called channel or focus and a is a co-action. For example, we write s.pop to denote the action which pops a stack via channel s.
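The stack service of Example 2.2.1, written out as code with a small runner that lets a thread consult it over channel s (an added example, not code from the paper). The encoding of equations as tuples, the names Stack, run and trace_of_q, and the step bound are assumptions made here; Q_SPEC is the thread Q of Example 3.1.1 below, put in linear form.

```python
from itertools import chain, repeat


class Stack:
    """Stack service of Example 2.2.1; items[0] is the top of the stack."""

    def __init__(self, contents=()):
        self.items = list(contents)

    def reply(self, co_action):
        """Process one co-action: True/False, or None if it is not a stack co-action."""
        op, _, arg = co_action.partition(":")
        if op == "push" and arg:
            self.items.insert(0, arg)
            return True
        if op == "topeq" and arg:
            return bool(self.items) and self.items[0] == arg
        if co_action == "empty":
            return not self.items
        if co_action == "pop":
            if self.items:
                self.items.pop(0)
                return True
            return False              # the stack stays empty
        return None


def run(spec, start, service, env_replies, channel="s", max_steps=10_000):
    """Execute thread `start` of `spec`, using `service` via `channel`.

    spec maps a name to "S", "D" or (true_branch, action, false_branch).
    An action "<channel>.<co-action>" is answered by the service and leaves
    no trace; any other action is recorded and answered by env_replies.
    Returns (trace, outcome) with outcome "S", "D" or "unfinished".
    """
    replies = chain(env_replies, repeat(True))
    trace, name = [], start
    for _ in range(max_steps):
        eq = spec[name]
        if eq in ("S", "D"):
            return trace, eq
        on_true, action, on_false = eq
        focus, dot, co_action = action.partition(".")
        if dot and focus == channel:
            answer = service.reply(co_action)
            if answer is None:        # co-action unknown to the service: deadlock
                return trace, "D"
        else:
            trace.append(action)
            answer = next(replies)
        name = on_true if answer else on_false
    # An endless run of hidden service actions equals D in the paper's limit
    # construction; a bounded runner can only report that it did not finish.
    return trace, "unfinished"


# Thread Q of Example 3.1.1 as five linear equations (assumed encoding).
Q_SPEC = {
    "Q": ("Q1", "a", "R"),          # on a: true -> push 1 and repeat, false -> R
    "Q1": ("Q", "s.push:1", "Q"),   # prefix s.push:1, then Q
    "R": ("R1", "s.pop", "T"),      # pop succeeded -> emit b, stack empty -> stop
    "R1": ("R", "b", "R"),          # prefix b, then R
    "T": "S",
}


def trace_of_q(n):
    """Q on an empty stack when the environment answers a with n trues, then false."""
    return run(Q_SPEC, "Q", Stack(), [True] * n + [False])


if __name__ == "__main__":
    for n in range(4):
        print(n, trace_of_q(n))
```

The printed traces consist of n+1 a-actions followed by n b-actions and termination, which is the counting behaviour that no finite linear specification without a stack can reproduce.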

For a service S = Σ, F and a finite thread P, we define P using the service S via channel c, notation P/c S, by the following rules:

S/c S = S,
D/c S = D,
(P c .a Q)/c S = (P/c S) c .a (Q/c S) if c = c,
(P c.a Q)/c S = P/c S if a ∈ Σ and F (a) = true,
(P c.a Q)/c S = Q/c S if a ∈ Σ and F (a) = false,
(P c.a Q)/c S = D if a ∈ Σ,

where S = Σ, F with F () = F (a) for all co-action sequences ∈ Σ+. Note that actions that use a service S are not observable. The use operator is expanded to infinite threads P by stipulating

P/c S = (n (P)/c S)n∈N.

As a consequence, P/c S = D if for every n, n (P)/c S = D.

Example 2.2.2. We consider again the threads a ◦ b ◦ D, a ◦ b ◦ S and (a ◦ b)∞ from Example 2.1.1 but now in the versions c.a ◦ c.b ◦ D, c.a ◦ c.b ◦ S and (c.a ◦ c.b)∞ for some channel c and service S = {a, b}, F. Then (c.a ◦ c.b ◦ D)/c S = D and (c.a ◦ c.b ◦ S)/c S = S, but (c.a ◦ c.b)∞ /c S = D.

§3. Pushdown threads and decidable equivalence. In this section we consider pushdown threads, i.e., regular threads that use a stack. Then, we recall from our paper [2] that equivalence of pushdown threads is decidable and sketch a proof of this fact.

3.1. Pushdown threads. In the next example we show that the use of services may turn regular threads into non-regular ones.

Example 3.1.1. Let {a, b, s.push:1, s.pop} ⊆ A, where the last two actions refer to the stack S defined in Example 2.2.1 with I = {1}. By the defining equations for the use operator it follows that for any thread P and ∈ {1}∗,

(s.push:1 ◦ P)/s S() = P/s S(1).

Furthermore, it easily follows that

(P s.pop S)/s S() =
   S          if = (the empty sequence),
   P/s S()    if = 1.

Now consider the regular thread Q defined by²

Q = (s.push:1 ◦ Q) a R,
R = b ◦ R s.pop S.

² Note that a linear recursive specification of Q requires (at least) five equations.

Then for all ∈ {1}∗,

Q/s S() = ((s.push:1 ◦ Q) a R)/s S() = (Q/s S(1)) a (R/s S()),
R/s S(1) = b ◦ R/s S(),
R/s S() = S.

It is not hard to see that Q/s S() is an infinite thread with the property that for all n ∈ N, a trace of n+1 a-actions produced by n positive and one negative reply on a is followed by n b-actions and S. This yields a nonregular thread: if Q/s S() were regular, it would be a fixed point of some finite linear recursive specification, say with k equations. But specifying a trace containing k b-actions followed by S already requires k+1 linear equations X1 = b ◦ X2, . . . , Xk = b ◦ Xk+1, Xk+1 = S, which contradicts the assumption. So Q/s S() is not regular.

We call a regular thread that uses a stack as described in Example 2.2.1 a pushdown thread. In what follows we assume that pushdown threads are given with help of a distinguished identifier from a finite linear recursive specification F and a stack over some fixed alphabet. The equations in F may contain actions that address the stack via the use-application /s .

3.2. Decidable equivalence. From our companion paper [2] we quote the following result:

Theorem 3.2.1. Equivalence of pushdown threads is decidable.

This theorem follows from a reduction to the dpda-equivalence problem whose decidability was proved by Sénizergues [15, 16]. Here we provide only a sketch; a detailed proof can be found in [2]. The idea is to use a transformation from pushdown threads to dpda’s such that the identity

P/s S(α) = Q/s S()

holds if and only if the identity

L(A, P α ) = L(A, Q )

holds, where the latter identity expresses that for the derived dpda A, the language accepted by ‘configuration’ P α equals the one accepted by configuration Q . The transformation described in [2] consists of five steps and uses the dpda-equivalence result as formulated by Stirling [18] because this is closer to our setting:

1. Transform P/s S(α) and Q/s S() such that initially the stacks are nonempty (also if one of α and is the empty string), and such that upon their termination the stack is empty. The reason for this step stems from the fact that language acceptance for dpda’s is defined on configurations of the form Rα where R is a ‘state’ and α is a non-empty stack contents. A word w is in the accepted language iff the dpda in initial state R empties the stack by performing the transitions whose labels form w.
2. Replace occurrences of D by loops that fill the stack (e.g., replace Pi = D by Pi = s.push:j ◦ Pi for some j ∈ I). The reason for this step is that D has no equivalent in the dpda-equivalence result.
3. Normalize infinite traces: replace each equation Pi = Pl a Pr by Pi = S b (Pl a Pr ) with b an action that occurs not in P and Q. Here S is the thread that first empties the stack and then terminates (S is also used in step 1). The reason for this step is that each infinite trace becomes interlarded with exits b, and is thus characterized by finite traces which in turn are subject to dpda language acceptance.
4. Construction of an associated pushdown automaton (pda). The specifications of the so far transformed P(α) and Q() admit a straightforward definition of a pda whose transitions are deterministic. The only remaining problem is that the -transitions (that stem from stack actions) need not pop the stack, as required by the decidability result in [18].
5. Construction of a dpda in which the -transitions only pop the stack. The pda thus obtained is transformed by changing its transition rules for . Those that do not pop the stack are either swallowed by an observable transition and yield a new transition rule, or form a loop, in which case they can be omitted. This step preserves language acceptance and concludes the transformation.

We will exploit this decidability result by replacing certain equations in the definition of the regular thread that underlies a pushdown thread, i.e. in the definition of P when considering P/s S(α). For example, it is decidable whether a pushdown thread is normed, i.e., has the option to terminate (to end in S): let a linear recursive specification

F = {Pi = ti (P) | i = 1, . . . , n}

be given (and thus a repertoire of stack actions and external actions). Replace each equation Pi = S ∈ F by P i = a ◦ P i and overline all remaining identifiers. Then

Pk /s S(α) is normed ⇔ Pk /s S(α) = P k /s S(α).

Remark 3.2.2. Interestingly, inclusion of pushdown threads is not decidable (although two pushdown threads are equivalent if they are included in each other). This follows from a reduction to the halting problem for Minsky machines — an approach also taken in Jančar et al. [13]. A detailed proof is recorded in [2].

§4. Security hazard risk assessment. In this section we consider the possibility that a pushdown thread uses a service that supports forecasting of certain future behaviour. In [7] various such services are studied (e.g., the halting problem and “rational agents”) and in [8] we discuss a rather specific case: a service SHRAT (security hazard risk assessment tool). In this paper we provide a detailed construction of SHRAT for regular threads and a proof of its correctness. Finally, we consider SHRAT for pushdown processes and distinguish the case of shrat-safe threads.

4.1. A definition of SHRAT. We model a security hazard in a pushdown thread P as the execution of an action risk. Furthermore, P may contain a test action sh.ok that can use the service SHRAT to forecast whether risk will be executed: SHRAT replies true to Q sh.ok R if Q does not execute risk, and false if Q does execute the action risk (and then R is executed instead). In order to model forecasting, we first define the residual thread of a pushdown thread P as the thread that remains after zero or more actions of P have been executed:

Definition 4.1.1. Let P be a pushdown thread. We write Q ∈ Res (P) whenever Q is a residual thread of P:
• P ∈ Res (P),
• P ∈ Res (P a Q),
• Q ∈ Res (P a Q), and
• if R ∈ Res (Q) and Q ∈ Res (P), then R ∈ Res (P).

Of course, the very idea of a service SHRAT that supports forecasting of the execution of future actions risk in a residual thread Q sh.ok R of P, thus (1)

(Q sh.ok R)/sh SHRAT

requires that SHRAT is aware of the speciﬁcation of Q. So, a reply function that only uses the current co-action and those processed before is in this case not suﬃcient. It seems most natural to model that SHRAT “gets to know and analyzes” Q’s speciﬁcation upon the request sh.ok in the use-application (1) above. We describe this change of state of SHRAT and the resulting reply in the following deﬁnition. Deﬁnition 4.1.2. Let a pushdown thread P be given by some speciﬁcation FP and let sh.ok be the only action in P with focus sh. Then the service SHRAT is deﬁned by the following two properties: (1) for any residual thread Q sh.ok R of P, (Q sh.ok R)/sh SHRAT = (Q sh.ok R)/sh SHRAT(FP , Q), where SHRAT(FP , Q) is the instance of SHRAT that has loaded FP and analyzed Q, and

9

THREAD ALGEBRA AND RISK ASSESSMENT SERVICES

(2) (Q sh.ok R)/sh SHRAT(FP , Q) = Q/sh SHRAT (thus reply true) if no risk-action will be executed in Q/sh SHRAT, SHRAT (thus reply false) if a risk-action R/ sh will be executed in Q/sh SHRAT. The (instantiated) service SHRAT(FP , Q) models a “security hazard risk assessment” in the sense that if a security hazard in Q is modeled by the execution of the action risk, the reply true to Q sh.ok R ensures that in the residual thread Q/sh SHRAT no security hazard will occur (cf. [8]). It can be the case that SHRAT(FP , Q) replies true because SHRAT will reply false to a future sh.ok-test in Q/sh SHRAT. For example, in the regular thread P1 given and depicted below, the various sh.ok-tests are evaluated as follows: P1 P2 P3 P4

= = = =

P2 sh.ok P8 P3 a P4 P5 sh.ok P6 P6 sh.ok P7

(true)

P5 P6 P7 P8

(true) (false)

? P1 : sh.ok /@ / ? @ ? R P8 : S P2 : a @ R @

P3 : sh.ok P4 : sh.ok /@ / \\ @ @ R R @ P5 : [ b ] P6 : [risk] P7 : [ c ]

[a]

where

= = = =

b ◦ P2 risk ◦ P1 c ◦ P8 S.

≈ a◦P

? P

and

a ≈ Pl a Pr . @ R @ Pl

Pr

Clearly, the thread T = P1 /sh SHRAT satisfies T = b ◦ T a c ◦ S. In the next section we discuss how to instantiate SHRAT for regular threads in an appropriate way.

4.2. SHRAT for regular threads. Following Convention 2.1.2, we assume that if a regular thread P1 is given, it is given by a linear recursive specification FP1 that contains an equation P1 = t1 (P). Furthermore, we say that an equation Pj = Pl a Pr in FP1 has a predecessor if Pj occurs in the right-hand side of at least one equation. Finally, we restrict to specifications FP1 with the property that if Pj = Pl sh.ok Pr ∈ FP1 , then l ≠ r (otherwise, the reply to sh.ok would be meaningless).

Starting from P1 /sh SHRAT with the regular thread P1 specified in FP1 , we provide an algorithm that upon each residual thread of the form (Pm sh.ok Pj )/sh SHRAT constructs an instantiated service SHRAT(FP1 , Pm ) that gives the correct reply. Typical for this algorithm is that SHRAT(FP1 , Pm ) contains a copy of FP1 in which all sh.ok actions are annotated with the correct reply.

To this end, FP1 is loaded into SHRAT and analyzed as follows: number each equation that contains a risk-occurrence starting from 1. Then, for each numbered equation label each predecessor equation with the next free number until a connecting sh.ok-equation is found, or a loop occurs, or an equation without predecessors is found. In the case that some sh.ok-equation is found and connects via its true-branch, its sh.ok-action is annotated false (sh.okfalse ); if it connects via its false-branch, the equation is labeled with a fresh negative number (it may possibly lead to a risk-action, namely when a false-annotation is added in a future inspection). Then this procedure is repeated for equations labeled with a negative number, again instantiating first occurrences of sh.ok-actions with false if their true-branch leads to an action risk. Finally, all non-annotated sh.ok-actions are annotated true because their true-branch does not lead to a risk-action.

In Figure 1, we illustrate how the annotation proceeds: first the two lowest sh.ok actions are annotated false, and because of the arrow, the equation of the leftmost one is labeled with a fresh negative number. The combination of the false-annotation and this label leads to the false-annotation of the topmost sh.ok-action.

[Figure 1. Annotating sh.ok actions. The diagram shows a tree of sh.ok test actions with [risk] leaves and, below a ⇓, the same tree with its sh.ok actions annotated sh.okfalse.]

Construction of SHRAT(FP1 , Pm ) for a regular thread P1 . Let FP1 = {Pi = ti (P) | i = 1, . . . , n} be a linear specification of the regular thread P1 . Upon a residual thread Pm sh.ok Pw , the service SHRAT(FP1 , Pm ) is constructed as follows: load FP1 in SHRAT. We further call this copy FPan1 . Label each equation in FPan1 that contains risk in the right-hand side with a number, starting from 1, say 1, . . . , k. If no risk-actions occur in FPan1 , then apply step 3 below. In the other case, apply step 1:

1. On FPan1 apply the procedure Eval+ (1), where Eval+ (i) for i ≥ 1 is defined as follows:

Eval+ (i): If the equation labeled with number i has the form (i) Pj = Pl a Pr , then evaluate all Pj occurrences in the right-hand sides of all equations, i.e., apply steps (1a) - (1e) below exhaustively, where evaluation goes with some bookkeeping: we will in some cases give equations a next free number and possibly annotate sh.ok-actions with false. The first free positive number is k+1 and the first free negative number is −1. Furthermore, the next free number for positive numbers is the smallest p > 0 not already used, and for negative numbers the largest p < 0 not already used:

(a) No non-evaluated Pj occurrences left: if there is an equation numbered i+1 then apply Eval+ (i+1), else, if negative numbers are used, go to step 2; if none of these is the case, go to step 3,

(b) If Pv = Pj sh.ok Pq , then replace sh.ok by sh.okfalse and search the next non-evaluated Pj occurrence (a possible number of this equation is preserved),


(c) If Pv = Pq sh.ok Pj and this equation is not numbered, then give it the next free negative number and search the next non-evaluated Pj occurrence, else just search the next non-evaluated Pj occurrence,

(d) If Pv = Pq sh.okfalse Pj and this equation is not numbered, then give it the next free negative number and search the next non-evaluated Pj occurrence, else just search the next non-evaluated Pj occurrence,

(e) All remaining cases, i.e., equations of the form Pv = Pj b Pq or Pv = Pq b Pj : if not yet numbered, give this equation the next free positive number and search the next non-evaluated Pj occurrence; else, just search the next non-evaluated Pj occurrence.

2. On FPan1 apply the procedure Eval− (−1), where Eval− (i) for i ≤ −1 is defined as follows:

Eval− (i):

• if the equation labeled with number i has the form (i) Pj = Pl sh.ok Pr , then apply Eval− (i−1) if there is an equation numbered i−1, otherwise go to step 3;

• if the equation labeled with number i has the form (i) Pj = Pl a Pr for a ≠ sh.ok (possibly a = sh.okfalse ), then evaluate all Pj occurrences in the right-hand sides of all equations, i.e., apply steps (2a) - (2e) below exhaustively, where evaluation again goes with some bookkeeping: we will in some cases give equations the next free negative number and possibly annotate sh.ok-actions with false:

(a) No non-evaluated Pj occurrences left: if there is an equation numbered i−1 then apply Eval− (i−1), else go to step 3,

(b) If Pv = Pj sh.ok Pq , then replace sh.ok by sh.okfalse and search the next non-evaluated Pj occurrence (a possible number of this equation is preserved),

(c) If Pv = Pq sh.ok Pj , then search the next non-evaluated Pj occurrence,

(d) If Pv = Pq sh.okfalse Pj and this equation is not numbered, then give it the next free negative number and search the next non-evaluated Pj occurrence, else just search the next non-evaluated Pj occurrence,

(e) All remaining cases, i.e., equations of the form Pv = Pj b Pq or Pv = Pq b Pj : if not yet numbered, give this equation the next free negative number and search the next non-evaluated Pj occurrence; else, just search the next non-evaluated Pj occurrence.


3. Replace all sh.ok occurrences in FPan1 that are not yet annotated by sh.oktrue .

Now SHRAT(FP1 , Pm ) is defined as the service that replies to the residual thread Pm sh.ok Pw with the annotation b found in the right-hand side Pm sh.okb Pw of its internal specification FPan1 .

Theorem 4.2.1. Let P1 be a regular thread specified by the linear recursive specification FP1 . Then, upon each residual thread of the form Pm sh.ok Pw , the tool SHRAT(FP1 , Pm ) is sound, i.e., agrees with Definition 4.1.2. Hence,

(Pm sh.ok Pw )/sh SHRAT = (Pm sh.ok Pw )/sh SHRAT(FP1 , Pm )
= Pm /sh SHRAT if Pm /sh SHRAT does not execute risk,
= Pw /sh SHRAT otherwise.

Proof. Assume Pm sh.ok Pw is a residual thread of P1 . Clearly the algorithm for SHRAT(FP1 , Pm ) terminates and Pm sh.okb Pw occurs at least once as a right-hand side in FPan1 (in case of multiple occurrences, b has the same value). We argue that the boolean b is the correct reply to (Pm sh.ok Pw )/sh SHRAT(FP1 , Pm ).

In case FPan1 contains no risk action, all annotations are true (step 3), which obviously is correct. In case FPan1 contains at least one risk action, it is clear that after all Eval+ (i)’s have been applied (step 1), all true-branches of annotated sh.okfalse actions lead to risk. Furthermore, the right-hand sides of all negatively numbered equations have a sh.ok action (possibly annotated false) of which the false-branch leads to risk. At Eval− (i) (step 2), the negatively numbered equations with non-annotated action sh.ok will not be annotated false (as their true-branch does not lead to risk). The remaining labeled equations all have a residual thread that may lead to risk, and thus yield next (negative) numbers until a loop occurs, or an equation without a predecessor is found, or another sh.ok that connects via its true-branch occurs (in the latter case, this action is annotated false). Hence, after step 3, all annotations are correct.

4.3. SHRAT for pushdown threads. It is not clear how to define a (terminating) algorithm for SHRAT that is correct for arbitrary pushdown threads. However, in the particular case that either no test action sh.ok or no action risk is executed by a pushdown thread P, the correct reply of sh.ok in (P sh.ok Q)/sh SHRAT


follows easily from Theorem 3.2.1 (i.e., equivalence of pushdown threads is decidable): consider a pushdown thread Pk /s S(α) where Pk is specified in F. Assuming that the action a does not occur in F, define F a by replacing in F each occurrence of the action a by a and replacing all identifiers Pi by Pia . Then Pk /s S(α) does not execute a if and only if Pk /s S(α) = Pka /s S(α), so this is decidable. Note that if Pk /s S(α) = Pka /s S(α), then for any residual thread Pl /s S() of Pk /s S(α), also Pl /s S() = Pla /s S().

A pushdown thread P = Pk /s S(α) is called shrat-safe if either P = Pkrisk /s S(α) or P = Pksh.ok /s S(α). In both cases the correct reply to sh.ok in P sh.ok Q can be found:

• if P = Pkrisk /s S(α), then this reply is true, thus (P sh.ok Q)/sh SHRAT = P/sh SHRAT,

• if P = Pksh.ok /s S(α), then both replies can occur, thus

(P sh.ok Q)/sh SHRAT
= P/sh SHRAT (reply true) if Pk /s S(α) = Pkrisk /s S(α),
= Q/sh SHRAT otherwise,

where the latter case is only meaningful if Q is also shrat-safe.

Although much weaker, it is not unreasonable to consider shrat-safe pushdown threads. This situation can always be obtained: upon a residual thread (P sh.ok Q)/sh SHRAT, rename all sh.ok actions in the specification of P, thus ignoring their forecasting effect and evaluating both their true and false-branches. If SHRAT then replies true, this certainly comprises a security hazard risk assessment of P. The only problem is that if SHRAT replies false, it is not certain that P will indeed execute risk.

§5. Digression and discussion. In this paper we presented some of our latest work on thread algebra and on security hazard risk assessment (as defined in [8]). We end the paper with a few comments on the latter subject.

5.1. Architecture-sensitive services. First, we propose to call services such as SHRAT architecture-sensitive services: in case SHRAT has to reply to a thread Q sh.ok R, it first needs to analyze the future behaviour of Q and therefore it needs to “know” both the specification and the particular execution state. Assuming


that Q is specified in FP , this idea is captured in Definition 4.1.2 by the equation

(Q sh.ok R)/sh SHRAT = (Q sh.ok R)/sh SHRAT(FP , Q),

which characterizes the instantiation of SHRAT to SHRAT(FP , Q). So, in the particular case of SHRAT (and similar services such as rational agents discussed in [7]), the reply in a use-application is architecture-sensitive and cannot be defined with a reply function that only depends on the current co-action and those processed before (such as the reply function for the stack defined in Example 2.2.1). Typically, different use-applications need not commute if architecture-sensitive services are involved, e.g.,

([(risk ◦ S s.pop S) sh.ok D]/sh SHRAT)/s S() = D

while

([(risk ◦ S s.pop S) sh.ok D]/s S())/sh SHRAT = S.

Use-applications with services with a reply function that only depends on the current co-action and those processed before do commute if distinct foci are used (cf. [6]).

5.2. SHRAT for pushdown threads. At this stage, it is not clear how to define a (terminating) algorithm for SHRAT that is correct for all pushdown threads. One possibility may be to approximate pushdown threads by regular threads in such a way that a sound risk-analysis can be established. Given a linear specification FP1 of P1 and a stack S, it seems likely that in P1 /s S(α) only finitely many stack configurations (uniformly depending on FP1 and α) play a distinctive role with respect to SHRAT’s replies.

Another approach is to start from a game theoretic characterization of SHRAT: in residual threads of the form

(2) (Q sh.ok R)/sh SHRAT,

the service SHRAT has to give the correct reply (according to its Definition 4.1.2), while the opponent replies to all other test actions and aims for the execution of risk. We do not (yet) know whether game theoretic results cover this particular game. Hence:

Open question: Is SHRAT decidable for all pushdown threads?

An interesting simplification may be the case of one-counter threads, i.e., regular threads that use a counter (a stack over a singleton datatype) instead of a stack, with s.push and s.pop as the only actions. Also for this case, the above question is still open.

Of course, security hazard risk assessment for computable threads is undecidable. In the setting of Turing machines, given a regular control program P and tape configuration Tape(α x̂) with head pointing at x, it is undecidable


whether some action of P will be executed in P/tmt Tape(α x̂): there is a straightforward reduction to the halting problem (cf. [7]).

5.3. SHRAT and external services. In order to define security hazard risk assessment in precisely the same way as was done in [8], the results and explanations for both the regular and the pushdown case in Section 4 should be slightly modified. In [8], a thread can also engage in external communication with a service E (via actions with focus e). Such a communication blocks further assessment of SHRAT because E is beyond control of the thread under execution. It is not difficult to implement this modification in the algorithm for regular threads: in the evaluation step, simply stop evaluation upon an equation defined by a postconditional composition over e.m. However, for clarity of presentation we did not consider this possibility before.

REFERENCES

[1] J. A. Bergstra and I. Bethke, Polarized process algebra and program equivalence, Automata, Languages and Programming, Proceedings 30th ICALP, Eindhoven, The Netherlands (J. C. M. Baeten, J. K. Lenstra, J. Parrow, and G. J. Woeginger, editors), LNCS, vol. 2719, Springer-Verlag, 2003, pp. 1–21.

[2] J. A. Bergstra, I. Bethke, and A. Ponse, Decision Problems for Pushdown Threads, Electronic report PRG0502, Faculty of Science, University of Amsterdam, 2005, available at www.science.uva.nl/research/prog/publications.html.

[3] J. A. Bergstra and J. W. Klop, Process algebra for synchronous communication, Information and Control, vol. 60 (1984), no. 1/3, pp. 109–137.

[4] J. A. Bergstra and M. E. Loots, Program algebra for sequential code, Journal of Logic and Algebraic Programming, vol. 51 (2002), no. 2, pp. 125–156.

[5] J. A. Bergstra and C. A. Middelburg, A thread algebra with multi-level strategic interleaving, Proceedings CIE 2005 (S. B. Cooper, B. Loewe, and L. Torenvliet, editors), LNCS, vol. 3526, Springer-Verlag, 2005, pp. 35–48.

[6] J. A. Bergstra and A. Ponse, Combining programs and state machines, Journal of Logic and Algebraic Programming, vol. 51 (2002), no. 2, pp. 175–192.

[7] J. A. Bergstra and A. Ponse, Execution architectures for program algebra, Technical report Logic Group Preprint Series 230, Department of Philosophy, Utrecht University, 2004, to appear in the Journal of Applied Logic, prior version available at http://www.phil.uu.nl/preprints/lgps/?lang=en.

[8] J. A. Bergstra and A. Ponse, A bypass of Cohen’s impossibility result, Advances in Grid Computing - EGC 2005 (P. M. A. Sloot, A. G. Hoekstra, T. Priol, A. Reinefeld, and M. Bubak, editors), LNCS, vol. 3470, Springer-Verlag, 2005, pp. 1097–1106, also available as Electronic report PRG0501 at www.science.uva.nl/research/prog/publications.html.

[9] O. Burkart and B. Steffen, Pushdown processes: Parallel composition and model checking, CONCUR’94, LNCS, vol. 836, Springer-Verlag, August 1994, pp. 98–113.

[10] F. Cohen, Computer viruses - theory and experiments, Computers & Security, vol. 6 (1984), no. 1, pp. 22–35, also available at http://vx.netlux.org/lib/afc01.html.

[11] J. W. de Bakker and J. I. Zucker, Processes and the denotational semantics of concurrency, Information and Control, vol. 54 (1982), no. 1/2, pp. 70–120.

[12] S. A. Greibach, Theory of Program Structures: Schemes, Semantics, Verification, LNCS, vol. 36, Springer-Verlag, 1975.

[13] P. Jančar, F. Moller, and Z. Sawa, Simulation problems for one-counter machines, Proceedings of SOFSEM’99: The 26th Seminar on Current Trends in Theory and Practice of Informatics, LNCS, vol. 1725, Springer-Verlag, 1999, pp. 398–407.

[14] Z. Manna, Mathematical Theory of Computation, McGraw-Hill, New-York, 1974.

[15] G. Sénizergues, L(A) = L(B)?, Technical report 1161-97, LaBRI, Université Bordeaux, 1997, available at www.labri.u-bordeaux.fr.

[16] G. Sénizergues, L(A) = L(B)? decidability results from complete formal systems, Theoretical Computer Science, vol. 251 (2001), pp. 1–166.

[17] C. Stirling, Decidability of bisimulation equivalence for pushdown processes, Technical report EDI-INF-RR0005, Laboratory for Foundations of Computer Science, University of Edinburgh, 2000, available at http://www.inf.ed.ac.uk/research/lfcs/publications.html.

[18] C. Stirling, Decidability of DPDA equivalence, Theoretical Computer Science, vol. 255 (2001), pp. 21–31.

PROGRAMMING RESEARCH GROUP, FACULTY OF SCIENCE
UNIVERSITY OF AMSTERDAM, THE NETHERLANDS
and
APPLIED LOGIC GROUP, DEPARTMENT OF PHILOSOPHY
UTRECHT UNIVERSITY, THE NETHERLANDS
URL: www.science.uva.nl/~janb/

PROGRAMMING RESEARCH GROUP, FACULTY OF SCIENCE
UNIVERSITY OF AMSTERDAM, THE NETHERLANDS
URL: www.science.uva.nl/~inge/
URL: www.science.uva.nl/~alban/
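Returning to the annotation procedure of Section 4.2 and the stop rule for external actions of Section 5.3 in the paper above: the following is an added example, not the authors' code, that computes the sh.ok annotations by backward propagation from the risk equations over predecessors. It is a worklist formulation rather than a literal transcription of the Eval+/Eval− numbering; the dictionary encoding, the names `annotate` and `shrat_reply`, the terminal equation "S", the `e.` prefix for actions with focus e, and the sample specification are all assumptions made for illustration.

```python
from collections import deque

RISK, TEST = "risk", "sh.ok"

# Constructed linear specification (not from the paper). An equation
# name: (L, a, R) means: perform action a, continue as L on reply true and
# as R on reply false. "S" is a terminal equation (assumed encoding).
SPEC = {
    "P1": ("P2", TEST, "P7"),    # topmost test
    "P2": ("P3", TEST, "P4"),    # true-branch is a risk equation
    "P3": ("P8", RISK, "P8"),    # executes risk
    "P4": ("P3", "b", "P8"),     # ordinary action, one branch reaches risk
    "P5": ("P6", TEST, "P3"),    # only the false-branch reaches risk
    "P6": ("P6", "c", "P8"),     # harmless loop
    "P7": ("P5", TEST, "P8"),
    "P8": "S",
    "P9": ("P3", "e.m", "P8"),   # external communication in front of risk
    "P10": ("P9", TEST, "P8"),
}


def annotate(spec, external_prefix="e."):
    """Return (replies, may_risk) for a linear specification.

    replies maps every sh.ok equation to the reply SHRAT gives there (False
    iff its true-branch may execute risk); may_risk is the set of equations
    whose thread may execute risk under those replies. Actions starting with
    external_prefix stop the propagation; pass None to disable that rule.
    """
    preds = {name: [] for name in spec}
    for name, rhs in spec.items():
        if not isinstance(rhs, tuple):
            continue
        left, action, right = rhs
        if left not in spec or right not in spec:
            raise ValueError(f"{name}: undefined identifier in right-hand side")
        if action == TEST and left == right:
            raise ValueError(f"{name}: sh.ok with identical branches")
        preds[left].append(name)
        preds[right].append(name)

    replies = {n: True for n, rhs in spec.items()
               if isinstance(rhs, tuple) and rhs[1] == TEST}
    may_risk = {n for n, rhs in spec.items()
                if isinstance(rhs, tuple) and rhs[1] == RISK}
    work = deque(sorted(may_risk))

    while work:
        j = work.popleft()
        for v in preds[j]:
            left, action, right = spec[v]
            if action == TEST:
                if left == j:
                    replies[v] = False          # true-branch leads to risk
                # A test equation itself leads to risk only once it is
                # annotated false AND its false-branch leads to risk.
                reached = left in may_risk and right in may_risk
            elif external_prefix is not None and action.startswith(external_prefix):
                reached = False                 # assessment stops at e.m
            else:
                reached = True                  # either reply may occur
            if reached and v not in may_risk:
                may_risk.add(v)
                work.append(v)
    return replies, may_risk


def shrat_reply(spec, pm, pw, external_prefix="e."):
    """Reply to the residual thread with true-branch pm and false-branch pw."""
    replies, _ = annotate(spec, external_prefix)
    for name, rhs in spec.items():
        if rhs == (pm, TEST, pw):
            return replies[name]
    raise KeyError(f"no sh.ok equation with branches {pm}, {pw}")


if __name__ == "__main__":
    replies, risky = annotate(SPEC)
    for name in sorted(replies, key=lambda n: int(n[1:])):
        print(name, "sh.ok ->", replies[name])
    print("may execute risk:", sorted(risky))
```

On the sample specification the false annotation of P2, together with its risk-reaching false-branch, is what forces the false annotation of P1, which is the interplay the text describes for Figure 1.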

COVERING DEFINABLE MANIFOLDS BY OPEN DEFINABLE SUBSETS

MÁRIO J. EDMUNDO

Abstract. Let N be an o-minimal expansion of a real closed ﬁeld. We show that if X is a Hausdorﬀ deﬁnable manifold, then X can be covered by ﬁnitely many open deﬁnable subsets which are deﬁnably homeomorphic to open balls and the intersection of any two open deﬁnable subsets of this covering is a ﬁnite union of elements of the covering. We also mention the importance of this result in the solution of the torsion point problem for deﬁnably compact deﬁnable groups.

2000 Mathematics Subject Classification. 03C64; 20E99.
Key words and phrases. O-minimal structures and definable groups.
With partial support from the FCT (Fundação para a Ciência e Tecnologia), program POCTI (Portugal/FEDER-EU).
Logic Colloquium ’05. Edited by C. Dimitracopoulos, L. Newelski, D. Normann, and J. Steel. Lecture Notes in Logic, 28. © 2006, Association for Symbolic Logic.

§1. Introduction. We work over a fixed, but arbitrary, o-minimal structure N and definable means N -definable (possibly with parameters). By definition of o-minimality, in the model theoretic structure N , every definable subset of N is a finite union of points and intervals with endpoints in N ∪ {−∞, +∞}.

One is often interested in studying definable groups in N . A definable group is a group whose underlying set is a definable set and the graphs of the group operations are definable sets. The theory of definable groups in arbitrary o-minimal structures, which includes real algebraic groups and semi-algebraic groups, began with Anand Pillay’s paper [P] and has since then grown into a well developed branch of mathematics (see for example [E1], [PS], [PSt1], [PPS1] and [PPS2]). For example we have:

(TOP) every definable group G has a unique definable manifold structure such that the group operations are continuous and the definable homomorphisms are also continuous;

(DCC) the descending chain condition for definable subgroups of a definable group G;

(QT) existence in the category of definable groups of the quotient of a definable group by a definable normal subgroup together with the existence of a corresponding definable section;


(AB) every deﬁnable group G of positive dimension has a deﬁnable abelian subgroup of positive dimension; (TOR) if G is a deﬁnable group, then for all m ∈ N, the subgroup G[m] of m-torsion points of G is a ﬁnite deﬁnable subgroup. Properties (TOP), (DCC) and (AB) were proved in [P]. Property (QT) is from [E1] and (TOR) is from the paper [S]. Property (TOP) is used to deﬁne the notion of deﬁnably connected [P] and of deﬁnably compact [PS]: a deﬁnable group G is deﬁnably connected if it has no proper nonempty open and closed (with respect to the topology given by (TOP)) deﬁnable subset; and G is deﬁnably compact if for every continuous deﬁnable map : (a, b) ⊆ [−∞, +∞] −→ G (continuous with respect to the topology on G given by (TOP)), the limit limt−→a + (t) and limt−→b − (t) exist in G. In o-minimal expansions of ﬁelds (TOR) has a strong version for deﬁnably compact groups, namely: Theorem 1.1. If N is an o-minimal expansion of a ﬁeld and G is a deﬁnably connected, deﬁnably compact deﬁnable group, then for each k ∈ N the subgroup G[k] of k-torsion points of G is non trivial. This result is a solution to a problem posed by Peterzil and Steinhorn in [PS] and was ﬁrst proved in an early version of the unpublished preprint [E2]. In [E2] there are three proofs of Theorem 1.1: the ﬁrst one follows from the fact that the o-minimal singular cohomology of G is a non trivial Hopf algebra; the second one follows from the o-minimal version of the Lefschetz coincidence theorem for o-minimal expansions of ﬁelds and was later modiﬁed and simpliﬁed in [BO2]; the third proof, which now appears in [EO] in a simpliﬁed version, computes the o-minimal singular cohomology of G and describes the subgroups G[k] in the abelian case, namely, this data is the same as that of a compact connected abelian Lie group of dimension dim G. All of these proofs of Theorem 1.1 use heavily o-minimal singular homology and cohomology whose existence was established in [Wo]. 
In the ﬁrst two one shows that the o-minimal Euler characteristic E(G) of G is zero and then apply a result from [S] to conclude the existence of the torsion points. There is now a diﬀerent proof by Peterzil and Starchenko [PSt2] which avoids o-minimal singular cohomology and uses instead o-minimal Morse theory exploring the method suggested by [BO1]. In these notes, for lack of space, we will avoid the language of o-minimal homology and cohomology and present instead the proof of the following result which does not rely on this formalism and is nevertheless crucial in the o-minimal singular homology orientation theory for deﬁnable manifolds which is used in all of the three proofs of Theorem 1.1:


Theorem 1.2. Assume that N is an o-minimal expansion of a ﬁeld. If X is a deﬁnable manifold of dimension n, then X can be covered by ﬁnitely many deﬁnable subsets deﬁnably homeomorphic to open ball in N n . This result is related to [BO2, Theorem 4.3] (and can be read oﬀ from the proofs of [BO2, Lemmas 4.1 and 4.2]) and to Wilkie’s result in [W] which says that an open deﬁnable subset X ⊆ N n can be covered by ﬁnitely many open cells. Under the assumption of Hausdorﬀness, we can improve Theorem 1.2 as follows: Theorem 1.3. Assume that N is an o-minimal expansion of a ﬁeld. If X is a Hausdorﬀ deﬁnable manifold of dimension n, then X can be covered by ﬁnitely many open deﬁnable subsets which are deﬁnably homeomorphic to open balls in N n and the intersection of any two open deﬁnable subsets of this covering is a ﬁnite union of elements of the covering. After developing the o-minimal singular homology orientation theory for deﬁnable manifolds using Theorem 1.2 one concludes that the homology group of G over Z of degree dim G is non trivial. Using classical homological algebra arguments adapted to the o-minimal context, it follows from this that the o-minimal singular cohomology H ∗ (G; Q) is isomorphic r to the Hopf algebra ∧[w1 , . . . , wr ]Q with w1 , . . . , wr of odd degree and i=1 degwi = dim G. From this information and classical computations, we also have that dim G the Euler-Poincar´e characteristic (G) = i=1 (−1)i tr(id|H i (G;Q) ) of G is actually zero. But by [BO2] (or by the construction of o-minimal homology [Wo], we have (G) = E(G), so the o-minimal Euler characteristic E(G) of G is zero. Hence, by [S] we conclude the existence of the torsion points. Below we work in an o-minimal expansion N of a ﬁeld (N, 0, 1, +, ·, k and the geometric realization |s| of s in N n is a subset of the closure |t| of the geometric realization |t| of t in N n . 
Note also that here as in [vdD], the geometric realizations of the simplicial complexes are not necessarily closed. Proof of Theorem 1.2. Let (X, Xi , φi )i∈I be a deﬁnable manifold. For each i, let (Ψi , Mi ) be a deﬁnable triangulation of φi (Xi ) ⊆ N n . Let s be an open simplex of Mi . Then |StMi s| ⊆ |Mi | ⊆ N n are open deﬁnable subsets (by the invariance of domain (see [Wo]), |Mi | is open in N n since it is deﬁnably homeomorphic to the open deﬁnable subset φi (Xi ) of N n ). So, we need to show that |StMi s| is deﬁnably homeomorphic to an open ball in N n . But this is a consequence of the following claim: Claim 2.1. Let M be a simplicial complex in N n such that |M | is an open deﬁnable subset of N n . If s is an open simplex of M , then |StM s| is deﬁnably homeomorphic to an open ball in N n . Take a barycentric subdivision of the simplicial complex M and let p be the barycentre of s. Since |M | is an open deﬁnable subset of N n , the set |StM s| is also an open deﬁnable subset of N n . Hence, there is an open ball Bn (p, ) in N n such that Bn (p, ) ⊆ |StM s|. For each point x in S n−1 (p, ) (the boundary of Bn (p, )) let lx+ (t) with t ≥ 0 be the half line that starts at p and passes through x. For each x ∈ S n−1 (p, ), let sx be the unique element such that lx+ (sx ) ∈ |StM s| − |StM s|. This element exists and is unique because |StM s| is closed and bounded and, since Bn (p, ) ⊆ |StM s|, every such half line must intersect |StM s| − |StM s|. Clearly, we have |StM s| = {lx+ (t) : 0 ≤ t < sx , x ∈ S n−1 (p, )} and for every q ∈ |StM s| − {p}, there are unique x ∈ S n−1 (p, ) and 0 ≤ t < sx such that q = lx+ (t). To ﬁnish the proof of the lemma, let h : |StM s| −→ Bn (p, )

be the deﬁnable homeomorphism given by h(lx+ (t)) = lx+ ( sx t). By [vdD, Chapter VI, Lemma 3.5], aﬃne deﬁnable manifolds are deﬁnably normal. By Proposition 2.2 below every abstract Hausdorﬀ deﬁnable manifold X is deﬁnably regular. Finally, by [vdD, Chapter X, Theorem 1.8], every deﬁnably regular abstract deﬁnable manifold is deﬁnably homeomorphic to an aﬃne deﬁnable manifold.


The argument in the following proof is contained in that of [BO1, Lemma 10.4]. Proposition 2.2. Every abstract Hausdorﬀ deﬁnable manifold X is deﬁnably regular, hence, aﬃne. Proof. For each i ∈ I and x, y ∈ Xi , let di (x, y) = |φi (x) − φi (y)|. Let K be a closed deﬁnable subset of X and a0 ∈ X \ K . For ∈ N and > 0, deﬁne K to be the set of all points y ∈ X such that if y ∈ Xi then there is a point x in Ki = Xi ∩ K with di (x, y) < . Clearly, K is an open deﬁnable subset containing K . Similarly we deﬁne L containing a0 to be the open deﬁnable subset of all points y ∈ X such that if y ∈ Xi and a0 ∈ Xi , then di (a0 , y) < . If for some ∈ N with > 0 we have K ∩ L = ∅, then we are done. Otherwise, K ∩L = ∅ for all suﬃciently small > 0. Now by deﬁnable choice ([vdD] Chapter VI, Proposition 1.2) and o-minimality, there is a deﬁnable continuous map a : (0, ) → X such that a() ∈ K ∩ L for all 0 < < . Since X is Hausdorﬀ, the limit lim→0 a() is unique and must be a0 . We reach a contradiction by showing that a0 ∈ K . Choose i such that a0 ∈ Xi . Then, since Xi is open, for all suﬃciently small ∈ N with > 0 we have a() ∈ Xi . So di (a(), Ki ) is well deﬁned and must be less than since a() belongs to

K . Therefore, lim→0 di (a(), Ki ) = 0 i.e., di (a0 , Ki ) = 0 and a0 ∈ K . For the rest of this section we will assume that (X, Xi , φi )i∈I is an abstract Hausdorﬀ deﬁnable manifold of dimension n, hence aﬃne. Since X is aﬃne, we have X ⊆ N k for some k, and so, by [vdD, Chapter VIII, (1.7)], we can deﬁnably triangulate the deﬁnable set X . But, for the proof of Theorem 1.3 we will be interested in a modiﬁcation of this notion. Proof of Theorem 1.3. Let (X, Xi , φi )i∈I be an aﬃne deﬁnable manifold. Suppose that V1 , . . . , Vn are non empty deﬁnable subsets of X . Let I = {1, 2, . . . , k} be a numbering of I . Put V0 = X and deﬁne inductively (Ki , Ni , (Ψi , Mi )) for i ∈ I by: K1 = {X1 ∩ Xj ∩ Vl : j ∈ I, l = 0, . . . , n}, (Ψ1 , M1 ) is a deﬁnable triangulation of φ1 (X1 ) compatible with the deﬁnable subsets in {φ1 (B) : B ∈ K1 } and N1 = {C ⊆ X : Ψ1 (φ1 (C )) is the geometric realization of an open simplex of M1 }; Ki+1 = {Xi+1 ∩ Xj ∩ Vl ∩ C : j ∈ I, l = 0, . . . , n and C ∈ N1 ∪ · · · ∪ Ni }, (Ψi+1 , Mi+1 ) is a deﬁnable triangulation of φi+1 (Xi+1 ) compatible with the deﬁnable sets in {φi+1 (B) : B ∈ Ki+1 } and Ni+1 = {C ⊆ X : Ψi+1 (φi+1 (C )) is the geometric realization of an open simplex of Mi+1 }. By a deﬁnable triangulation of the charts (Xi , φi )i∈I of X compatible with V1 , . . . , Vn we mean a sequence (Ψi , Mi )i∈I like above. For each i ∈ I and for each open k-simplex s of Mi , let StMi s be the star of s in Mi . Let 1, . . . , mi be an enumeration of all open simplexes of Mi and,


for each l ∈ {1, . . . , mi }, let Wli = φi−1 (Ψ−1 i (|StMi s|)) where s is the open simplex of Mi corresponding to l . The following claims hold for the collection {Wli : i = 1, . . . , m, l = 1, . . . , mi } where I = {1, . . . , m}. (1) If i, j ∈ {1, . . . , m} and j > i, then for every l ∈ {1, . . . , mi } and k ∈ {1, . . . , mj } we have that Wli ∩ Wkj is a ﬁnite union of elements from {Wsj : s ∈ Skj } where Skj = {s ∈ {1, . . . , mj } : Wsj ⊆ Wkj }. (2) For every i ∈ {1, . . . , m}, if j, l ∈ {1, . . . , mi }, then we have that Wli ∩Wki is an element from {Wsi : s ∈ Sji } ∩ {Wsi : s ∈ Sli }. Claim (1) follows easily from deﬁnition of a deﬁnable triangulation of the charts (Xi , φi )i∈I of X compatible with V1 , . . . , Vn . In fact, if t is an open simplex of Mj and φj−1 (Ψ−1 j (|t|)) intersects Xi , then there is an open simplex s (|t|)) is a deﬁnable subset of φi−1 (Ψ−1 of Mi such that φj−1 (Ψ−1 j i (|s|)). Hence, j j i Wl ∩ Wk is a deﬁnable subset of Wk which is a ﬁnite union of subsets of the j i form φj−1 (Ψ−1 j (|t|)) where t is an open simplex of Mj . Now, since Wl ∩ Wk is open, if a subset of the form φj−1 (Ψ−1 j (|t|)) (with t is an open simplex of j −1 i Mj ) is contained in Wl ∩ Wk , then φj (Ψ−1 j (|StMj t|)) is also contained in Wli ∩ Wkj and claim (1) holds. On the other hand, (2) follows from the fact that given two open simplexes s and t of Mi , the intersection of the stars StMi s and StMi t is either empty or equals the star StMi r, where r is the open simplex of Mi generated by s and t. This is easy to see. In fact, an open simplex l of Mi is contained in StMi s ∩ StMi t if and only if |s|, |t| ⊆ |l | if and only if s and t generate an open simplex r of Mi and |s|, |t|, |r| ⊆ |l | if and only if s and t generate an open simplex r of Mi and l is contained in StMi r. Thus, it remains to show that each Wji is deﬁnably homeomorphic to an open ball in N n . Let s be the open simplex of Mi corresponding to j. 
Then Wji is deﬁnably homeomorphic to |StMi s| and |StMi s| ⊆ |Mi | ⊆ N n are open deﬁnable subsets (by the invariance of domain (see [Wo]), |Mi | is open in N n since it is deﬁnably homeomorphic to the open deﬁnable subset φi (Xi ) of N n ). So, we need to show that |StMi s| is deﬁnably homeomorphic to an open ball

in N n . But this is a consequence of Claim 2.1. We call the ﬁnite collection (Wl , l )l ∈L of open deﬁnable subsets Wl of X together with the deﬁnable homeomorphisms l : Wl −→ Bn (0, l ) ⊆ N n given by Theorem 1.2 (resp., Theorem 1.3) deﬁnable charts of X by open balls (resp., special deﬁnable charts of X by open balls). In this context it is natural to call each Wl a deﬁnable sub-ball of X and a deﬁnable subset U of X of the form l−1 (Bn (0, )) with 0 < < l a deﬁnable proper sub-ball of Wl (or of X ))


since we will have a deﬁnable homeomorphism from the closure U of U in X into the closed unit ball in N n sending U − U into the unit (n − 1)-sphere. Theorem 1.2 easily implies that if A ⊆ X is a deﬁnably compact deﬁnable subset of X , then A can be covered by ﬁnitely many deﬁnable proper sub-balls of X . See [BO2] for details. This fact shows that we could not obtain Theorem 1.3 using the usual deﬁnable triangulation theorem instead of the modiﬁed version. As pointed out in [BO2] (see also [T]) a counterexample occurs already in the classical case: the double suspension ΣΣP of Poincar´e dodecahedral space P is a compact, triangulated topological manifold homeomorphic to S 5 such that the star of each of the suspension points is not homeomorphic to an open subset V of ΣΣP whose closure V in ΣΣP is compact and for which there is a homeomorphism from V into the unit closed ball sending the boundary of V to the boundary of the unit closed ball. We could not ﬁnd in the literature classical analogues of Theorems 1.2 and 1.3 except for the trivial case of Theorem 1.2 that holds for compact topological manifolds. REFERENCES

[BO1] A. Berarducci and M. Otero, Intersection theory for o-minimal manifolds, Annals of Pure and Applied Logic, vol. 107 (2001), no. 1-3, pp. 87–119.
[BO2] A. Berarducci and M. Otero, Transfer methods for o-minimal topology, The Journal of Symbolic Logic, vol. 68 (2003), no. 3, pp. 785–794.
[E1] M. Edmundo, Solvable groups definable in o-minimal structures, Journal of Pure and Applied Algebra, vol. 185 (2003), no. 1-3, pp. 103–145.
[E2] M. Edmundo, O-minimal cohomology and definably compact definable groups, RAAG preprint n. 24 (2004) (http://ihp-raag.org/).
[EO] M. Edmundo and M. Otero, Definably compact abelian groups, Journal of Mathematical Logic, vol. 4 (2004), no. 2, pp. 163–180.
[PPS1] Y. Peterzil, A. Pillay, and S. Starchenko, Definably simple groups in o-minimal structures, Transactions of the American Mathematical Society, vol. 352 (2000), no. 10, pp. 4397–4419.
[PPS2] Y. Peterzil, A. Pillay, and S. Starchenko, Linear groups definable in o-minimal structures, Journal of Algebra, vol. 247 (2002), no. 1, pp. 1–23.
[PSt1] Y. Peterzil and S. Starchenko, Definable homomorphisms of abelian groups in o-minimal structures, Annals of Pure and Applied Logic, vol. 101 (2000), no. 1, pp. 1–27.
[PSt2] Y. Peterzil and S. Starchenko, Computing o-minimal topological invariants using differential topology, preprint, 2005.
[PS] Y. Peterzil and C. Steinhorn, Definable compactness and definable subgroups of o-minimal groups, Journal of the London Mathematical Society, vol. 59 (1999), no. 3, pp. 769–786.
[P] A. Pillay, On groups and fields definable in o-minimal structures, Journal of Pure and Applied Algebra, vol. 53 (1988), no. 3, pp. 239–255.
[S] A. Strzebonski, Euler characteristic in semialgebraic and other o-minimal groups, Journal of Pure and Applied Algebra, vol. 96 (1994), no. 2, pp. 173–201.
[T] W. P. Thurston, Three-Dimensional Geometry and Topology, Princeton University Press, Princeton, 1997.
[vdD] L. van den Dries, Tame Topology and o-Minimal Structures, Cambridge University Press, 1998.
[W] A. Wilkie, Covering open definable sets by open cells, O-Minimal Structures (M. Edmundo, D. Richardson, and A. Wilkie, editors), Proceedings of the RAAG Summer School Lisbon 2003, Lecture Notes in Real Algebraic and Analytic Geometry, Cuvillier Verlag, 2005.
[Wo] A. Woerheide, O-Minimal Homology, Ph.D. thesis, University of Illinois, Urbana-Champaign, 1996.

CMAF UNIVERSIDADE DE LISBOA
AV. PROF. GAMA PINTO 2
1649-003 LISBOA, PORTUGAL


ISOMORPHISMS AND DEFINABLE RELATIONS ON COMPUTABLE MODELS

S. S. GONCHAROV

We are interested in computable structures and some different computable representations of these structures. The basic definitions, results, and problems on this topic can be found in [1, 5, 4]. In the present paper, we consider the problems about algorithmic complexity of isomorphism. We also study the definability property on models and its connections with the Scott rank. The results were obtained in collaboration with J. Knight, W. Calvert, V. Harizanov, C. McCoy, R. Solomon, R. Shore, A. Morozov, D. Tusupov.

Throughout the paper, we adopt the following conventions.
1. Languages are computable, for every structure a subset of serves as its universe.
2. The complexity of a structure A is identified with its atomic diagram D(A).
3. Sentences are identified with their Gödel numbers.

Under these conventions, a structure A is said to be computable (arithmetical or hyperarithmetical) if its diagram D(A), considered as a subset of , is computable (arithmetical or hyperarithmetical).

There are known examples of computable structures of different computable Scott ranks. There are also structures, for example, the Harrison ordering, of Scott rank 1CK + 1. Makkai [19] constructed a structure of Scott rank 1CK , which can be made computable [14] and simplified so that it is a computable tree [3]. In [2], further computable structures of Scott rank 1CK were constructed in the following classes: undirected graphs, fields of any characteristic, and linear orderings. These structures share the strong approximability property with the Harrison ordering and the tree in [3]. These results give us examples of computable structures with different complexity of isomorphism problem for different computable representations.

Partially supported by grant RFBR-05-01-00819 and President grant of Scientific School 2112.2003.01

Logic Colloquium ’05
Edited by C. Dimitracopoulos, L. Newelski, D. Normann, and J. Steel
Lecture Notes in Logic, 28
© 2006, Association for Symbolic Logic


§1. Introduction. In this section, we recall some definitions and known results. The Scott rank is a measure of model-theoretic complexity. The notion comes from Scott Isomorphism Theorem (see [22]).

Theorem 1.1 (Scott Isomorphism Theorem). For a countable structure A (a countable language L) there is an L1 sentence whose countable models are just isomorphic copies of A.

In the proof by Scott, countable ordinals were assigned to tuples in A and with A itself. There are several different definitions of the Scott rank. We begin with a family of equivalence relations. We will define A ≅ B if these models A and B are isomorphic.

Definition 1.2. Let a, b be tuples in A.
1. We write a ≡0 b if a and b satisfy the same quantifier-free formulas.
2. For α > 0 we write a ≡α b if for all < α and c there exists d , and for each d there exists c such that a, c ≡ b, d .

Definition 1.3.
1. The Scott rank of a tuple a in A is the least such that for all b the relation a ≡ b implies (A, a) ≅ (A, b).
2. The Scott rank of A, denoted by SR(A), is the least ordinal α greater than the ranks of all tuples in A.

Let us recall the definition of Kleene’s system O. The system consists of a set O of notations equipped with a partial ordering


Logic Colloquium 2005 Proceedings of the Annual European Summer Meeting of the Association for Symbolic Logic, Held in Athens, Greece, July 28–August 3, 2005 Edited by

COSTAS DIMITRACOPOULOS Department of History and Philosophy of Science University of Athens

LUDOMIR NEWELSKI Mathematical Institute Wroclaw University

DAG NORMANN Department of Mathematics University of Oslo

JOHN R. STEEL Department of Mathematics and Computer Science University of California, Berkeley

association for symbolic logic


CAMBRIDGE UNIVERSITY PRESS

Cambridge, New York, Melbourne, Madrid, Cape Town, Singapore, São Paulo Cambridge University Press The Edinburgh Building, Cambridge CB2 8RU, UK Published in the United States of America by Cambridge University Press, New York www.cambridge.org Information on this title: www.cambridge.org/9780521884259 © Association for Symbolic Logic 2007 This publication is in copyright. Subject to statutory exception and to the provision of relevant collective licensing agreements, no reproduction of any part may take place without the written permission of Cambridge University Press. First published in print format 2007 eBook (EBL) ISBN-13 978-0-511-35476-2 ISBN-10 0-511-35476-2 eBook (EBL) hardback ISBN-13 978-0-521-88425-9 hardback ISBN-10 0-521-88425-X

Cambridge University Press has no responsibility for the persistence or accuracy of urls for external or third-party internet websites referred to in this publication, and does not guarantee that any content on such websites is, or will remain, accurate or appropriate.

CONTENTS

Introduction
Speakers and Titles
Jan A. Bergstra, Inge Bethke and Alban Ponse, Thread algebra and risk assessment services
Mário J. Edmundo, Covering definable manifolds by open definable subsets
Sergei S. Goncharov, Isomorphisms and definable relations on computable models
Deirdre Haskell, Independence for types in algebraically closed valued fields
Eric Jaligot, Simple groups of finite Morley rank
Hannes Leitgeb, Towards a logic of type-free modality and truth
Justin Tatch Moore, Structural analysis of Aronszajn trees
Sara Negri, Proof analysis in non-classical logics
Charles Parsons, Paul Bernays’ later philosophy of mathematics
Greg Restall, Proofnets for S5: Sequents and circuits for modal logic
Helmut Schwichtenberg, Recursion on the partial continuous functionals
Michael Sheard, A transactional approach to the logic of truth
Dieter Spreen, On some problems in computable topology
Sergei Tupailo, Monotone inductive definitions and consistency of New Foundations

INTRODUCTION

The 2005 European Summer Meeting of the Association for Symbolic Logic was held in Athens, Greece, July 28–August 3, 2005. The meeting was called Logic Colloquium 2005 and its sessions, except the opening one, which took place in the Main Building, took place in the building of the Department of Mathematics of the University of Athens. It was attended by 198 participants (and 25 accompanying persons) from 29 different countries.

The organizing body was the Inter-Departmental Graduate Program in Logic and Algorithms (MPLA) of the University of Athens, the National Technical University of Athens and the University of Patras. Financial support was provided by the Association for Symbolic Logic, the Athens Chamber of Commerce and Industry, the Bank of Greece, the Graduate Program in Logic and Algorithms, IVI Loutraki Water Co., the Hellenic Parliament, Katoptro Publications, Kleos S. A., the Ministry of National Education and Religious Affairs, Mythos Beer Co., the National and Kapodistrian University of Athens, the National Bank of Greece and Sigalas Wine Co.

The Program Committee consisted of Chi Tat Chong (Singapore), Costas Dimitracopoulos (Athens), Hartry Field (New York), Gerhard Jäger (Bern), George Metakides (Patras), Ludomir Newelski (Wrocław), Dag Normann (Oslo), Rohit Parikh (New York), John Steel (Berkeley), Stevo Todorčević (Paris), John Tucker (Swansea), Frank Wagner (Lyon) and Stan Wainer (Leeds, Chair).

The Organizing Committee consisted of Dionysios Anapolitanos (Athens), Costas Dimitracopoulos (Athens, Chair), Lefteris Kirousis (Patras), George Koletsos (Athens), Michael Mytilinaios (Athens), Stavros Papastavridis (Athens), Thanases Pheidas (Iraklio), Panos Rondogiannis (Athens), George Stavrinos (Athens), Anneta Synachopoulos (Athens), Thanases Tzouvaras (Thessaloniki) and Stathis Zachos (Athens).

The program of the meeting is listed on the following pages. All invited speakers were invited to submit a paper to the proceedings volume, but not all did. The submissions were all refereed and the editors would like to sincerely thank the referees for their work.

The editors would like to express their deep gratitude to the Alexander S. Onassis Public Benefit Foundation for generously providing a grant towards the cost of publication of this volume.

The Editors
Costas Dimitracopoulos, Athens
Ludomir Newelski, Wrocław
Dag Normann, Oslo
John Steel, Berkeley

SPEAKERS AND TITLES

Tutorial Speakers

Peter Aczel, Constructive set theory. University of Manchester, UK.
Itay Ben-Yaacov, Model theory in positive and continuous logics. University of Wisconsin, Madison, USA.
Phokion G. Kolaitis, Constraint satisfaction, complexity, and logic. I.B.M. Almaden Research Center and U.C.S.C., USA.
Greg Restall, Proofnets for S5: Sequents and circuits for modal logic. University of Melbourne, Australia.

Plenary Speakers

Jan A. Bergstra, Inge Bethke and Alban Ponse, Thread algebra and risk assessment services. University of Amsterdam, The Netherlands.
Sergei S. Goncharov, Isomorphisms and definable relations on computable models. Novosibirsk State University, Russia.
Deirdre Haskell, Independence for types in algebraically closed valued fields. McMaster University, Hamilton, Ontario, Canada.
Eric Jaligot, Simple groups of finite Morley rank. University of Lyon 1, France.
Justin Tatch Moore, Structural analysis of Aronszajn trees. Boise State University, Idaho, USA.
André Nies, Algebras with finite descriptions. University of Auckland, New Zealand.
Charles Parsons, Paul Bernays’ later philosophy of mathematics. Harvard University, Cambridge, Massachusetts, USA.
Helmut Schwichtenberg, Recursion on the partial continuous functionals. University of Munich, Germany.
Michael Sheard, A transactional approach to the logic of truth. Saint Lawrence University, Canton, New York, USA.
Sergei Tupailo, Monotone inductive definitions and consistency of New Foundations. Tallinn University of Technology, Estonia, and Ohio State University, USA.
Klaus Weihrauch, Computable analysis. University of Hagen, Germany.
Jindrich Zapletal, Forcing idealized. University of Florida, Gainesville, USA.

Special Sessions

Computability in Analysis
Vasco Brattka, Computability on non-separable Banach spaces. University of Cape Town, South Africa.
Dieter Spreen, On some problems in computable topology. University of Siegen, Germany.

Computer Science Logic
Wiebe van der Hoek, Dynamic epistemic logic. University of Liverpool, UK.
Stephan Kreutzer, Gaifman’s theorem and approximation schemes. Humboldt University of Berlin, Germany.

Model Theory
Mário J. Edmundo, Covering definable manifolds by open definable subsets. University of Lisbon, Portugal.
Piotr Kowalski, Projective D-varieties over a Hasse field. University of Wrocław, Poland.

Philosophical Logic
Hannes Leitgeb, Towards a logic of type-free modality and truth. University of Salzburg, Austria, and Stanford University, La Jolla, California, USA.
Sara Negri, Proof analysis in non-classical logics. University of Helsinki, Finland.

THREAD ALGEBRA AND RISK ASSESSMENT SERVICES

JAN A. BERGSTRA, INGE BETHKE, AND ALBAN PONSE

Abstract. Threads as contained in a thread algebra emerge from the behavioral abstraction from programs in an appropriate program algebra. Threads may make use of services such as stacks, and a thread using a single stack is called a pushdown thread. Equivalence of pushdown threads is decidable. Using this decidability result, an alternative to Cohen’s impossibility result on virus detection is discussed and some results on risk assessment services are proved.

§1. Introduction. This paper is about thread algebra [1, 5]. Threads are processes tailored to describe sequential program behaviour and emerge from the behavioral abstraction of sequential programs. A basic thread models a finite program behaviour to be controlled by some execution environment: upon each action (e.g., a request for some service), a reply true or false from the environment determines further execution. Any execution trace of a basic thread ends either in the (successful) termination state or in the deadlock state. Both these states are modeled as special thread constants. Regular threads extend basic threads by comprising loop behaviour, and are reminiscent of flowcharts [14, 12].

Threads may make use of services, i.e., devices that control (part of) their execution by consuming actions, providing the appropriate reply, and suppressing observable activity. Regular threads using the service of a single stack are called pushdown threads. Apart from the distinction between deadlock and termination, pushdown threads are comparable to pushdown automata or pushdown processes as described by Stirling [17] or Burkart and Steffen [9].

First, we recall from our companion paper [2] that equivalence of pushdown threads is decidable, and we provide a sketch of our proof. Then we elaborate on Cohen’s impossibility result on virus detection [10] (in that 1984 paper, the term computer virus was coined). Whereas Cohen showed that a test predicate that decides whether a program executes (and spreads) a virus cannot exist, we proposed in [8] a more modest test that can be used to forecast whether the execution of a thread has no security hazard. This is decidable for regular threads (as argued in [8]), and also for shrat-safe pushdown threads (as argued in this paper). In our approach, a security hazard is modeled as the occurrence of a certain action in a thread. We define a service SHRAT (security hazard risk assessment tool) that provides the replies to such tests. The idea is as follows: a security hazard is modeled by an action risk and the security hazard risk test as sh.ok. In case SHRAT replies true to if sh.ok then P else Q, P will not execute risk and execution continues with P. In the other case (reply false), Q will be executed instead because P would execute risk (there is no security hazard risk assessment of Q). A major point is whether P itself may or may not execute sh.ok tests. If P is regular, this is not a problem and we prove that SHRAT is correct. In the case that P is a pushdown thread, correctness only follows if P is shrat-safe, i.e., contains no occurrences of both sh.ok and risk (this is a decidable property).

Our approach offers an alternative to that of Cohen in his well-known paper [10] which shows the impossibility of a test action that reacts on two arguments P and Q at the same time. More precisely, Cohen considers a decision procedure D (a predicate on program texts) that determines whether a program executes (and spreads) a virus. Then Cohen’s impossibility result is established by the program C defined by C = if ¬D(C) then P else Q, where P executes a virus, and Q is virus-free.

§2. Threads and services. In this section we recall the definitions of basic threads and regular threads. Furthermore we discuss services that may be used by a thread, and we consider the use-operator, which defines how a thread uses a service.

2.1. Threads. Basic thread algebra [5]¹, BTA, is tailored for the description of sequential program behaviour. Based on a finite set of actions A, it has the following constants and operators:
• the termination constant S,
• the deadlock or inaction constant D,
• for each a ∈ A, a binary postconditional composition operator a .

We use action prefixing a ◦ P as an abbreviation for P a P and take ◦ to bind strongest.
The operational intuition behind thread algebra is that each action represents a command which is to be processed by the execution environment of a thread. More specifically, an action is taken as a command for a service offered by the environment. The processing of a command may involve a change of state of this environment. At completion of the processing of the command, the service concerned produces a reply value true or false to the thread under execution. The thread P a Q will then proceed as P if the processing of a yielded the reply true indicating successful processing, and it will proceed as Q if the processing of a yielded the reply false.

¹ In [4], basic thread algebra is introduced under the name basic polarized process algebra.

BTA can be equipped with a partial order and an approximation operator in the following way:
1. is the partial ordering on BTA generated by the clauses
   (a) for all P ∈ BTA, D P, and
   (b) for all P1 , P2 , Q1 , Q2 ∈ BTA, a ∈ A, P1 Q1 & P2 Q2 ⇒ P1 a P2 Q1 a Q2 .
2. : N × BTA → BTA is the approximation operator determined by the equations
   (a) for all P ∈ BTA, (0, P) = D,
   (b) for all n ∈ N, (n + 1, S) = S, (n + 1, D) = D, and
   (c) for all P, Q ∈ BTA, n ∈ N, (n + 1, P a Q) = (n, P) a (n, Q).
We further write n (P) instead of (n, P).

The operator finitely approximates every thread in BTA. That is, for all P ∈ BTA, ∃n ∈ N 0 (P) 1 (P) · · · n (P) = n+1 (P) = · · · = P. Every thread in BTA is finite in the sense that there is a finite upper bound to the number of consecutive actions it can perform.

Following the metric theory of [11] in the form developed as the basis of the introduction of processes in [3], BTA has a completion BTA∞ which comprises also the infinite threads. Standard properties of the completion technique yield that we may take BTA∞ as the cpo consisting of all so-called projective sequences. That is, BTA∞ = {(Pn )n∈N | ∀n ∈ N (Pn ∈ BTA & n (Pn+1 ) = Pn )} with (Pn )n∈N (Qn )n∈N ⇔ ∀n ∈ N Pn Qn and (Pn )n∈N = (Qn )n∈N ⇔ ∀n ∈ N Pn = Qn . For a detailed account of this construction see [1].

In this cpo structure, finite linear recursive specifications represent continuous operators having as unique fixed points regular threads, i.e., threads which can only reach finitely many states. A finite linear recursive specification over BTA is a set of equations Xi = ti (X )


for i ∈ I with I some finite index set and all ti (X ) of the form S, D, or Xil ai Xir for il , ir ∈ I .

Example 2.1.1. We define the regular threads
1. a ◦ b ◦ D,
2. a ◦ b ◦ S and
3. (a ◦ b)∞ (this informal notation is explained below)
as the fixed points for X1 in the specifications
1. X1 = a ◦ X2 , X2 = b ◦ X3 , X3 = D,
2. X1 = a ◦ X2 , X2 = b ◦ X3 , X3 = S,
3. X1 = a ◦ X2 , X2 = b ◦ X1 ,
respectively. Both a ◦ b ◦ D and a ◦ b ◦ S are finite threads; (a ◦ b)∞ is the infinite thread corresponding to the projective sequence (Pn )n∈N with P0 = D, P1 = a ◦ D and Pn+2 = a ◦ (b ◦ Pn ). Observe that a ◦ b ◦ D a ◦ b ◦ S, a ◦ b ◦ D (a ◦ b)∞ , but a ◦ b ◦ S (a ◦ b)∞ .

Convention 2.1.2. In reasoning with finite linear recursive specifications, we shall from now on identify variables and their fixed points. For example, we say that P is the regular thread defined by P = a ◦ P instead of stating that P equals the fixed point for X in X = a ◦ X .

2.2. Services. A service is a component of an execution architecture for threads that can be used to determine the reply to an action. In [6] various services (called state machines in that paper) were considered, as well as their possible role in thread execution. A service is a pair Σ, F consisting of a set Σ of so-called co-actions and a reply function F . The reply function F of a service Σ, F is a mapping that gives for each sequence of co-actions in Σ+ the reply produced by the service. This reply is a boolean value true or false.

Example 2.2.1 (Stack). One of the services that will occur in what follows is the stack S = Σ, F with Σ = {push:i, topeq:i, empty, pop | i ∈ I } for some finite set I , where push:i pushes i onto the stack and yields reply true, the action topeq:i tests whether i is on top of the stack, empty tests whether the stack is empty, and pop pops the stack if it is non-empty with reply true and yields the reply false otherwise (leaving the stack empty). By S(α) we denote a stack with contents α ∈ I ∗ with the leftmost element of α on top in case α = with the empty stack contents. In Example 3.1.1 we return to the use of a stack as a service.

In order to provide a specific description of the interaction between a thread and a service, we will use for actions the general notation c.a where c is the so-called channel or focus and a is a co-action. For example, we write s.pop to denote the action which pops a stack via channel s.


For a service S = Σ, F and a finite thread P, we define P using the service S via channel c, notation P/c S, by the following rules:

S/c S = S,
D/c S = D,
(P c .a Q)/c S = (P/c S) c .a (Q/c S) if c = c,
(P c.a Q)/c S = P/c S if a ∈ Σ and F (a) = true,
(P c.a Q)/c S = Q/c S if a ∈ Σ and F (a) = false,
(P c.a Q)/c S = D if a ∈ Σ,

where S = Σ, F with F () = F (a) for all co-action sequences ∈ Σ+ . Note that actions that use a service S are not observable. The use operator is expanded to infinite threads P by stipulating P/c S = (n (P)/c S)n∈N . As a consequence, P/c S = D if for every n, n (P)/c S = D.

Example 2.2.2. We consider again the threads a ◦ b ◦ D, a ◦ b ◦ S and (a ◦ b)∞ from Example 2.1.1 but now in the versions c.a ◦ c.b ◦ D, c.a ◦ c.b ◦ S and (c.a ◦ c.b)∞ for some channel c and service S = {a, b}, F . Then (c.a ◦ c.b ◦ D)/c S = D and (c.a ◦ c.b ◦ S)/c S = S, but (c.a ◦ c.b)∞ /c S = D.

§3. Pushdown threads and decidable equivalence. In this section we consider pushdown threads, i.e., regular threads that use a stack. Then, we recall from our paper [2] that equivalence of pushdown threads is decidable and sketch a proof of this fact.

3.1. Pushdown threads. In the next example we show that the use of services may turn regular threads into non-regular ones.

Example 3.1.1. Let {a, b, s.push:1, s.pop} ⊆ A, where the last two actions refer to the stack S defined in Example 2.2.1 with I = {1}. By the defining equations for the use operator it follows that for any thread P and ∈ {1}∗ , (s.push:1 ◦ P)/s S() = P/s S(1). Furthermore, it easily follows that

(P s.pop S)/s S() = S          if = (the empty sequence),
                  = P/s S()    if = 1.

Now consider the regular thread Q defined by²

Q = (s.push:1 ◦ Q) a R,
R = b ◦ R s.pop S.

² Note that a linear recursive specification of Q requires (at least) five equations.


Then for all ∈ {1}∗ ,

Q/s S() = ((s.push:1 ◦ Q) a R)/s S() = (Q/s S(1)) a (R/s S()),
R/s S(1) = b ◦ R/s S(),
R/s S() = S.

It is not hard to see that Q/s S() is an infinite thread with the property that for all n ∈ N, a trace of n+1 a-actions produced by n positive and one negative reply on a is followed by n b-actions and S. This yields a non-regular thread: if Q/s S() were regular, it would be a fixed point of some finite linear recursive specification, say with k equations. But specifying a trace containing k b-actions followed by S already requires k+1 linear equations X1 = b ◦ X2 , . . . , Xk = b ◦ Xk+1 , Xk+1 = S, which contradicts the assumption. So Q/s S() is not regular.

We call a regular thread that uses a stack as described in Example 2.2.1 a pushdown thread. In what follows we assume that pushdown threads are given with help of a distinguished identifier from a finite linear recursive specification F and a stack over some fixed alphabet. The equations in F may contain actions that address the stack via the use-application /s .

3.2. Decidable equivalence. From our companion paper [2] we quote the following result:

Theorem 3.2.1. Equivalence of pushdown threads is decidable.

This theorem follows from a reduction to the dpda-equivalence problem whose decidability was proved by Sénizergues [15, 16]. Here we provide only a sketch; a detailed proof can be found in [2]. The idea is to use a transformation from pushdown threads to dpda’s such that the identity P/s S(α) = Q/s S() holds if and only if the identity L(A, P α ) = L(A, Q ) holds, where the latter identity expresses that for the derived dpda A, the language accepted by ‘configuration’ P α equals the one accepted by configuration Q . The transformation described in [2] consists of five steps and uses the dpda-equivalence result as formulated by Stirling [18] because this is closer to our setting:

1. Transform P/s S(α) and Q/s S() such that initially the stacks are nonempty (also if one of α and is the empty string), and such that upon their termination the stack is empty. The reason for this step stems from the fact that language acceptance for dpda’s is defined on configurations of the form Rα where R is a ‘state’ and α is a non-empty stack contents. A word w is in the accepted language iff the dpda in initial state R empties the stack by performing the transitions whose labels form w.
2. Replace occurrences of D by loops that fill the stack (e.g., replace Pi = D by Pi = s.push:j ◦ Pi for some j ∈ I ). The reason for this step is that D has no equivalent in the dpda-equivalence result.
3. Normalize infinite traces: replace each equation Pi = Pl a Pr by Pi = S b (Pl a Pr ) with b an action that occurs not in P and Q. Here S is the thread that first empties the stack and then terminates (S is also used in step 1). The reason for this step is that each infinite trace becomes interlarded with exits b, and is thus characterized by finite traces which in turn are subject to dpda language acceptance.
4. Construction of an associated pushdown automaton (pda). The specifications of the so far transformed P(α) and Q() admit a straightforward definition of a pda whose transitions are deterministic. The only remaining problem is that the -transitions (that stem from stack actions) need not pop the stack, as required by the decidability result in [18].
5. Construction of a dpda in which the -transitions only pop the stack. The pda thus obtained is transformed by changing its transition rules for . Those that do not pop the stack are either swallowed by an observable transition and yield a new transition rule, or form a loop, in which case they can be omitted. This step preserves language acceptance and concludes the transformation.

We will exploit this decidability result by replacing certain equations in the definition of the regular thread that underlies a pushdown thread, i.e. in the definition of P when considering P/s S(α). For example, it is decidable whether a pushdown thread is normed, i.e., has the option to terminate (to end in S): let a linear recursive specification F = {Pi = ti (P) | i = 1, . . . , n} be given (and thus a repertoire of stack actions and external actions). Replace each equation Pi = S ∈ F by P i = a◦P i and overline all remaining identifiers. Then Pk /s S(α) is normed ⇔ Pk /s S(α) = P k /s S(α).

Remark 3.2.2. Interestingly, inclusion of pushdown threads is not decidable (although two pushdown threads are equivalent if they are included in each other). This follows from a reduction to the halting problem for Minsky machines — an approach also taken in Jančar et al. [13]. A detailed proof is recorded in [2].

§4. Security hazard risk assessment. In this section we consider the possibility that a pushdown thread uses a service that supports forecasting of certain future behaviour. In [7] various such services are studied (e.g., the halting problem and “rational agents”) and in [8] we discuss a rather specific case: a service SHRAT (security hazard risk assessment tool). In this paper we provide a detailed construction of SHRAT for regular threads and a proof of its correctness. Finally, we consider SHRAT for pushdown processes and distinguish the case of shrat-safe threads.

4.1. A definition of SHRAT. We model a security hazard in a pushdown thread P as the execution of an action risk. Furthermore, P may contain a test action sh.ok that can use the service SHRAT to forecast whether risk will be executed: SHRAT replies true to Q sh.ok R if Q does not execute risk, and false if Q does execute the action risk (and then R is executed instead). In order to model forecasting, we first define the residual thread of a pushdown thread P as the thread that remains after zero or more actions of P have been executed:

Definition 4.1.1. Let P be a pushdown thread. We write Q ∈ Res (P) whenever Q is a residual thread of P:
• P ∈ Res (P),
• P ∈ Res (P a Q),
• Q ∈ Res (P a Q), and
• if R ∈ Res (Q) and Q ∈ Res (P), then R ∈ Res (P).

Of course, the very idea of a service SHRAT that supports forecasting of the execution of future actions risk in a residual thread Q sh.ok R of P, thus

(1)    (Q sh.ok R)/sh SHRAT

requires that SHRAT is aware of the specification of Q. So, a reply function that only uses the current co-action and those processed before is in this case not sufficient. It seems most natural to model that SHRAT “gets to know and analyzes” Q’s specification upon the request sh.ok in the use-application (1) above. We describe this change of state of SHRAT and the resulting reply in the following definition.

Definition 4.1.2. Let a pushdown thread P be given by some specification FP and let sh.ok be the only action in P with focus sh. Then the service SHRAT is defined by the following two properties:

(1) for any residual thread Q sh.ok R of P,
    (Q sh.ok R)/sh SHRAT = (Q sh.ok R)/sh SHRAT(FP , Q),
    where SHRAT(FP , Q) is the instance of SHRAT that has loaded FP and analyzed Q, and

9

THREAD ALGEBRA AND RISK ASSESSMENT SERVICES

(2) (Q sh.ok R)/sh SHRAT(FP , Q) = Q/sh SHRAT (thus reply true) if no risk-action will be executed in Q/sh SHRAT, SHRAT (thus reply false) if a risk-action R/ sh will be executed in Q/sh SHRAT. The (instantiated) service SHRAT(FP , Q) models a “security hazard risk assessment” in the sense that if a security hazard in Q is modeled by the execution of the action risk, the reply true to Q sh.ok R ensures that in the residual thread Q/sh SHRAT no security hazard will occur (cf. [8]). It can be the case that SHRAT(FP , Q) replies true because SHRAT will reply false to a future sh.ok-test in Q/sh SHRAT. For example, in the regular thread P1 given and depicted below, the various sh.ok-tests are evaluated as follows: P1 P2 P3 P4

= = = =

P2 sh.ok P8 P3 a P4 P5 sh.ok P6 P6 sh.ok P7

(true)

P5 P6 P7 P8

(true) (false)

? P1 : sh.ok /@ / ? @ ? R P8 : S P2 : a @ R @

P3 : sh.ok P4 : sh.ok /@ / \\ @ @ R R @ P5 : [ b ] P6 : [risk] P7 : [ c ]

[a]

where

= = = =

b ◦ P2 risk ◦ P1 c ◦ P8 S.

≈ a◦P

? P

and

a ≈ Pl a Pr . @ R @ Pl

Pr
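The replies for the example thread P1 above can be computed mechanically. The following Python code is an added example, not the authors' construction: it obtains the replies required by Definition 4.1.2 as a least fixed point over the equations. The tuple encoding of equations, the function names, the second (constructed) specification and the treatment of an endless run of sh.ok tests as D are assumptions of this example.

```python
# Added example (not from the paper): SHRAT replies for a regular thread.
# Encoding assumed here: identifier -> ("S",) | ("D",) | (action, true_branch, false_branch).
# Action prefix a ◦ P is written with both branches equal to P.
EXAMPLE_SPEC = {  # the thread P1 of the example above
    "P1": ("sh.ok", "P2", "P8"),
    "P2": ("a", "P3", "P4"),
    "P3": ("sh.ok", "P5", "P6"),
    "P4": ("sh.ok", "P6", "P7"),
    "P5": ("b", "P2", "P2"),
    "P6": ("risk", "P1", "P1"),
    "P7": ("c", "P8", "P8"),
    "P8": ("S",),
}
# Constructed input: nested tests whose replies depend on each other.
NESTED_SPEC = {
    "Q1": ("sh.ok", "Q2", "Q5"),
    "Q2": ("sh.ok", "Q3", "Q4"),
    "Q3": ("risk", "Q5", "Q5"),
    "Q4": ("risk", "Q5", "Q5"),
    "Q5": ("S",),
}
DIVERGED = "<D>"  # assumed name for a run that consists of sh.ok tests only


def validate(spec):
    """Reject specifications for which a reply to sh.ok is undefined."""
    for name, eq in spec.items():
        if len(eq) == 1:
            if eq[0] not in ("S", "D"):
                raise ValueError(f"{name}: unknown constant {eq[0]!r}")
            continue
        action, t, f = eq
        if t not in spec or f not in spec:
            raise ValueError(f"{name}: undefined identifier on the right-hand side")
        if action == "sh.ok" and t == f:
            raise ValueError(f"{name}: sh.ok with identical branches has no meaningful reply")


def may_execute_risk(spec):
    """Identifiers Pj for which Pj/sh SHRAT can execute risk (least fixed point)."""
    risky, changed = set(), True
    while changed:
        changed = False
        for name, eq in spec.items():
            if name in risky or len(eq) == 1:
                continue
            action, t, f = eq
            if action == "risk":
                hit = True
            elif action == "sh.ok":
                # A risky true-branch makes SHRAT reply false, so the false-branch
                # runs: risk is reached only if both branches are risky.
                hit = t in risky and f in risky
            else:
                # Any other action: the reply is not under SHRAT's control.
                hit = t in risky or f in risky
            if hit:
                risky.add(name)
                changed = True
    return risky


def shrat_replies(spec):
    """Map each sh.ok equation to the reply (True/False) SHRAT gives for it."""
    validate(spec)
    risky = may_execute_risk(spec)
    return {n: eq[1] not in risky for n, eq in spec.items() if eq[0] == "sh.ok"}


def apply_shrat(spec, start):
    """Return (root, equations) for start/sh SHRAT: every sh.ok test is resolved."""
    replies = shrat_replies(spec)

    def skip_tests(name):
        seen = set()
        while spec[name][0] == "sh.ok":
            if name in seen:
                return DIVERGED
            seen.add(name)
            name = spec[name][1] if replies[name] else spec[name][2]
        return name

    root = skip_tests(start)
    resolved, todo = {}, [root]
    while todo:  # emit only the equations reachable from the root
        name = todo.pop()
        if name in resolved:
            continue
        if name == DIVERGED:
            resolved[name] = ("D",)
            continue
        eq = spec[name]
        if len(eq) == 3:
            eq = (eq[0], skip_tests(eq[1]), skip_tests(eq[2]))
            todo += eq[1:]
        resolved[name] = eq
    return root, resolved
```

For EXAMPLE_SPEC the resolved equations contain no risk action. In NESTED_SPEC the inner test Q2 is answered false and still runs into risk, which is exactly why the outer test Q1 is answered false as well.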

Clearly, the thread T = P1/sh SHRAT satisfies T = b ◦ T a c ◦ S. In the next section we discuss how to instantiate SHRAT for regular threads in an appropriate way.

4.2. SHRAT for regular threads. Following Convention 2.1.2, we assume that if a regular thread P1 is given, it is given by a linear recursive specification FP1 that contains an equation P1 = t1(P). Furthermore, we say that an equation Pj = Pl a Pr in FP1 has a predecessor if Pj occurs in the right-hand side of at least one equation. Finally, we restrict to specifications FP1 with the property that if Pj = Pl sh.ok Pr ∈ FP1, then l ≠ r (otherwise, the reply to sh.ok would be meaningless).

Starting from P1/sh SHRAT with the regular thread P1 specified in FP1, we provide an algorithm that upon each residual thread of the form (Pm sh.ok Pj)/sh SHRAT constructs an instantiated service SHRAT(FP1, Pm) that gives the correct reply. Typical for this algorithm is that SHRAT(FP1, Pm) contains a copy of FP1 in which all sh.ok actions are annotated with the correct reply. To this end, FP1 is loaded into SHRAT and analyzed as follows: number each equation that contains a risk-occurrence starting from 1. Then, for each numbered equation label each predecessor equation with the next free number until a connecting sh.ok-equation is found, or a loop occurs, or an equation without predecessors is found. In the case that some sh.ok-equation is found and connects via its true-branch, its sh.ok-action is annotated false (sh.ok^false); if it connects via its false-branch, the equation is labeled with a fresh negative number (it may possibly lead to a risk-action, namely when a false-annotation is added in a future inspection). Then this procedure is repeated for equations labeled with a negative number, again instantiating first occurrences of sh.ok-actions with false if their true-branch leads to an action risk. Finally, all non-annotated sh.ok-actions are annotated true because their true-branch does not lead to a risk-action.

In Figure 1, we illustrate how the annotation proceeds: first the two lowest sh.ok actions are annotated false, and because of the arrow, the equation of the leftmost one is labeled with a fresh negative number. The combination of the false-annotation and this label leads to the false-annotation of the topmost sh.ok-action.

[Figure 1. Annotating sh.ok actions: a graph with three sh.ok tests and two [risk] nodes, shown before and (below the ⇓) after the three tests have been annotated sh.ok^false.]

Construction of SHRAT(FP1, Pm) for a regular thread P1. Let FP1 = {Pi = ti(P) | i = 1, . . . , n} be a linear specification of the regular thread P1. Upon a residual thread Pm sh.ok Pw, the service SHRAT(FP1, Pm) is constructed as follows: load FP1 in SHRAT. We further call this copy FP1^an. Label each equation in FP1^an that contains risk in the right-hand side with a number, starting from 1, say 1, . . . , k. If no risk-actions occur in FP1^an, then apply step 3 below. In the other case, apply step 1:

1. On FP1^an apply the procedure Eval+(1), where Eval+(i) for i ≥ 1 is defined as follows:

Eval+(i): If the equation labeled with number i has the form (i) Pj = Pl a Pr, then evaluate all Pj occurrences in the right-hand sides of all equations, i.e., apply steps (1a) - (1e) below exhaustively, where evaluation goes with some bookkeeping: we will in some cases give equations a next free number and possibly annotate sh.ok-actions with false. The first free positive number is k+1 and the first free negative number is −1. Furthermore, the next free number for positive numbers is the smallest p > 0 not already used, and for negative numbers the largest p < 0 not already used:

(a) No non-evaluated Pj occurrences left: if there is an equation numbered i+1 then apply Eval+(i+1), else, if negative numbers are used, go to step 2; if none of these is the case, go to step 3,
(b) If Pv = Pj sh.ok Pq, then replace sh.ok by sh.ok^false and search the next non-evaluated Pj occurrence (a possible number of this equation is preserved),


(c) If Pv = Pq sh.ok Pj and this equation is not numbered, then give it the next free negative number and search the next non-evaluated Pj occurrence, else just search the next non-evaluated Pj occurrence,
(d) If Pv = Pq sh.ok^false Pj and this equation is not numbered, then give it the next free negative number and search the next non-evaluated Pj occurrence, else just search the next non-evaluated Pj occurrence,
(e) All remaining cases, i.e., equations of the form Pv = Pj b Pq or Pv = Pq b Pj: if not yet numbered, give this equation the next free positive number and search the next non-evaluated Pj occurrence; else, just search the next non-evaluated Pj occurrence.

2. On FP1^an apply the procedure Eval−(−1), where Eval−(i) for i ≤ −1 is defined as follows:

Eval−(i):
• if the equation labeled with number i has the form (i) Pj = Pl sh.ok Pr, then apply Eval−(i−1) if there is an equation numbered i−1, otherwise go to step 3;
• if the equation labeled with number i has the form (i) Pj = Pl a Pr for a ≠ sh.ok (possibly a = sh.ok^false), then evaluate all Pj occurrences in the right-hand sides of all equations, i.e., apply steps (2a) - (2e) below exhaustively, where evaluation again goes with some bookkeeping: we will in some cases give equations the next free negative number and possibly annotate sh.ok-actions with false:

(a) No non-evaluated Pj occurrences left: if there is an equation numbered i−1 then apply Eval−(i−1), else go to step 3,
(b) If Pv = Pj sh.ok Pq, then replace sh.ok by sh.ok^false and search the next non-evaluated Pj occurrence (a possible number of this equation is preserved),
(c) If Pv = Pq sh.ok Pj, then search the next non-evaluated Pj occurrence,
(d) If Pv = Pq sh.ok^false Pj and this equation is not numbered, then give it the next free negative number and search the next non-evaluated Pj occurrence, else just search the next non-evaluated Pj occurrence,
(e) All remaining cases, i.e., equations of the form Pv = Pj b Pq or Pv = Pq b Pj: if not yet numbered, give this equation the next free negative number and search the next non-evaluated Pj occurrence; else, just search the next non-evaluated Pj occurrence.


3. Replace all sh.ok occurrences in FP1^an that are not yet annotated by sh.ok^true.

Now SHRAT(FP1, Pm) is defined as the service that replies to the residual thread Pm sh.ok Pw with the annotation b found in the right-hand side Pm sh.ok^b Pw of its internal specification FP1^an.

Theorem 4.2.1. Let P1 be a regular thread specified by the linear recursive specification FP1. Then, upon each residual thread of the form Pm sh.ok Pw, the tool SHRAT(FP1, Pm) is sound, i.e., agrees with Definition 4.1.2. Hence,

    (Pm sh.ok Pw)/sh SHRAT = (Pm sh.ok Pw)/sh SHRAT(FP1, Pm)
      = Pm/sh SHRAT if Pm/sh SHRAT does not execute risk,
        Pw/sh SHRAT otherwise.

Proof. Assume Pm sh.ok Pw is a residual thread of P1. Clearly the algorithm for SHRAT(FP1, Pm) terminates and Pm sh.ok^b Pw occurs at least once as a right-hand side in FP1^an (in case of multiple occurrences, b has the same value). We argue that the boolean b is the correct reply to (Pm sh.ok Pw)/sh SHRAT(FP1, Pm).

In case FP1^an contains no risk action, all annotations are true (step 3), which obviously is correct. In case FP1^an contains at least one risk action, it is clear that after all Eval+(i)’s have been applied (step 1), all true-branches of annotated sh.ok^false actions lead to risk. Furthermore, the right-hand sides of all negatively numbered equations have a sh.ok action (possibly annotated false) of which the false-branch leads to risk. At Eval−(i) (step 2), the negatively numbered equations with non-annotated action sh.ok will not be annotated false (as their true-branch does not lead to risk). The remaining labeled equations all have a residual thread that may lead to risk, and thus yield next (negative) numbers until a loop occurs, or an equation without a predecessor is found, or another sh.ok that connects via its true-branch occurs (in the latter case, this action is annotated false). Hence, after step 3, all annotations are correct.

4.3. SHRAT for pushdown threads. It is not clear how to define a (terminating) algorithm for SHRAT that is correct for arbitrary pushdown threads. However, in the particular case that either no test action sh.ok or no action risk is executed by a pushdown thread P, the correct reply of sh.ok in

    (P sh.ok Q)/sh SHRAT


follows easily from Theorem 3.2.1 (i.e., equivalence of pushdown threads is decidable): consider a pushdown thread Pk/s S(α) where Pk is specified in F. Assuming that the action a does not occur in F, define F^a by replacing in F each occurrence of the action a by a and replacing all identifiers Pi by Pi^a. Then Pk/s S(α) does not execute a if and only if Pk/s S(α) = Pk^a/s S(α), so this is decidable. Note that if Pk/s S(α) = Pk^a/s S(α), then for any residual thread Pl/s S() of Pk/s S(α), also Pl/s S() = Pl^a/s S().

A pushdown thread P = Pk/s S(α) is called shrat-safe if either P = Pk^risk/s S(α) or P = Pk^sh.ok/s S(α). In both cases the correct reply to sh.ok in P sh.ok Q can be found:

• if P = Pk^risk/s S(α), then this reply is true, thus

    (P sh.ok Q)/sh SHRAT = P/sh SHRAT,

• if P = Pk^sh.ok/s S(α), then both replies can occur, thus

    (P sh.ok Q)/sh SHRAT
      = P/sh SHRAT (reply true) if Pk/s S(α) = Pk^risk/s S(α),
        Q/sh SHRAT otherwise,

  where the latter case is only meaningful if Q is also shrat-safe.

Although much weaker, it is not unreasonable to consider shrat-safe pushdown threads. This situation can always be obtained: upon a residual thread (P sh.ok Q)/sh SHRAT, rename all sh.ok actions in the specification of P, thus ignoring their forecasting effect and evaluating both their true and false-branches. If SHRAT then replies true, this certainly comprises a security hazard risk assessment of P. The only problem is that if SHRAT replies false, it is not certain that P will indeed execute risk.

§5. Digression and discussion. In this paper we presented some of our latest work on thread algebra and on security hazard risk assessment (as defined in [8]). We end the paper with a few comments on the latter subject.

5.1. Architecture-sensitive services. First, we propose to call services such as SHRAT architecture-sensitive services: in case SHRAT has to reply to a thread Q sh.ok R, it first needs to analyze the future behaviour of Q and therefore it needs to “know” both the specification and the particular execution state. Assuming


that Q is specified in FP, this idea is captured in Definition 4.1.2 by the equation

    (Q sh.ok R)/sh SHRAT = (Q sh.ok R)/sh SHRAT(FP, Q),

which characterizes the instantiation of SHRAT to SHRAT(FP, Q). So, in the particular case of SHRAT (and similar services such as rational agents discussed in [7]), the reply in a use-application is architecture-sensitive and cannot be defined with a reply function that only depends on the current co-action and those processed before (such as the reply function for the stack defined in Example 2.2.1). Typically, different use-applications need not commute if architecture-sensitive services are involved, e.g.,

    ([(risk ◦ S s.pop S) sh.ok D]/sh SHRAT)/s S() = D

while

    ([(risk ◦ S s.pop S) sh.ok D]/s S())/sh SHRAT = S.

Use-applications with services with a reply function that only depends on the current co-action and those processed before do commute if distinct foci are used (cf. [6]).

5.2. SHRAT for pushdown threads. At this stage, it is not clear how to define a (terminating) algorithm for SHRAT that is correct for all pushdown threads. One possibility may be to approximate pushdown threads by regular threads in such a way that a sound risk-analysis can be established. Given a linear specification FP1 of P1 and a stack S, it seems likely that in P1/s S(α) only finitely many stack configurations (uniformly depending on FP1 and α) play a distinctive role with respect to SHRAT’s replies. Another approach is to start from a game theoretic characterization of SHRAT: in residual threads of the form

(2)    (Q sh.ok R)/sh SHRAT,

the service SHRAT has to give the correct reply (according to its Definition 4.1.2), while the opponent replies to all other test actions and aims for the execution of risk. We do not (yet) know whether game theoretic results cover this particular game. Hence:

Open question: Is SHRAT decidable for all pushdown threads?

An interesting simplification may be the case of one-counter threads, i.e., regular threads that use a counter (a stack over a singleton datatype) instead of a stack, with s.push and s.pop as the only actions. Also for this case, the above question is still open. Of course, security hazard risk assessment for computable threads is undecidable. In the setting of Turing machines, given a regular control program P and tape configuration Tape(α x̂) with head pointing at x, it is undecidable


whether some action of P will be executed in P/tmt Tape(α x̂): there is a straightforward reduction to the halting problem (cf. [7]).

5.3. SHRAT and external services. In order to define security hazard risk assessment in precisely the same way as was done in [8], the results and explanations for both the regular and the pushdown case in Section 4 should be slightly modified. In [8], a thread can also engage in external communication with a service E (via actions with focus e). Such a communication blocks further assessment of SHRAT because E is beyond control of the thread under execution. It is not difficult to implement this modification in the algorithm for regular threads: in the evaluation step, simply stop evaluation upon an equation defined by a postconditional composition over e.m. However, for clarity of presentation we did not consider this possibility before.

REFERENCES

[1] J. A. Bergstra and I. Bethke, Polarized process algebra and program equivalence, Automata, Languages and Programming, Proceedings 30th ICALP, Eindhoven, The Netherlands (J. C. M. Baeten, J. K. Lenstra, J. Parrow, and G. J. Woeginger, editors), LNCS, vol. 2719, Springer-Verlag, 2003, pp. 1–21.
[2] J. A. Bergstra, I. Bethke, and A. Ponse, Decision Problems for Pushdown Threads, Electronic report PRG0502, Faculty of Science, University of Amsterdam, 2005, available at www.science.uva.nl/research/prog/publications.html.
[3] J. A. Bergstra and J. W. Klop, Process algebra for synchronous communication, Information and Control, vol. 60 (1984), no. 1/3, pp. 109–137.
[4] J. A. Bergstra and M. E. Loots, Program algebra for sequential code, Journal of Logic and Algebraic Programming, vol. 51 (2002), no. 2, pp. 125–156.
[5] J. A. Bergstra and C. A. Middelburg, A thread algebra with multi-level strategic interleaving, Proceedings CIE 2005 (S. B. Cooper, B. Loewe, and L. Torenvliet, editors), LNCS, vol. 3526, Springer-Verlag, 2005, pp. 35–48.
[6] J. A. Bergstra and A. Ponse, Combining programs and state machines, Journal of Logic and Algebraic Programming, vol. 51 (2002), no. 2, pp. 175–192.
[7] J. A. Bergstra and A. Ponse, Execution architectures for program algebra, Technical report Logic Group Preprint Series 230, Department of Philosophy, Utrecht University, 2004, to appear in the Journal of Applied Logic, prior version available at http://www.phil.uu.nl/preprints/lgps/?lang=en.
[8] J. A. Bergstra and A. Ponse, A bypass of Cohen’s impossibility result, Advances in Grid Computing - EGC 2005 (P. M. A. Sloot, A. G. Hoekstra, T. Priol, A. Reinefeld, and M. Bubak, editors), LNCS, vol. 3470, Springer-Verlag, 2005, also available as Electronic report PRG0501 at www.science.uva.nl/research/prog/publications.html, pp. 1097–1106.
[9] O. Burkart and B. Steffen, Pushdown processes: Parallel composition and model checking, CONCUR’94, LNCS, vol. 836, Springer-Verlag, August 1994, pp. 98–113.
[10] F. Cohen, Computer viruses - theory and experiments, Computers & Security, vol. 6 (1984), no. 1, pp. 22–35, also available at http://vx.netlux.org/lib/afc01.html.
[11] J. W. de Bakker and J. I. Zucker, Processes and the denotational semantics of concurrency, Information and Control, vol. 54 (1982), no. 1/2, pp. 70–120.
[12] S. A. Greibach, Theory of Program Structures: Schemes, Semantics, Verification, LNCS, vol. 36, Springer-Verlag, 1975.
[13] P. Jančar, F. Moller, and Z. Sawa, Simulation problems for one-counter machines, Proceedings of SOFSEM’99: The 26th Seminar on Current Trends in Theory and Practice of Informatics, LNCS, vol. 1725, Springer-Verlag, 1999, pp. 398–407.
[14] Z. Manna, Mathematical Theory of Computation, McGraw-Hill, New-York, 1974.
[15] G. Sénizergues, L(A) = L(B)?, Technical report 1161-97, LaBRI, Université Bordeaux, 1997, available at www.labri.u-bordeaux.fr.
[16] G. Sénizergues, L(A) = L(B)? decidability results from complete formal systems, Theoretical Computer Science, vol. 251 (2001), pp. 1–166.
[17] C. Stirling, Decidability of bisimulation equivalence for pushdown processes, Technical report EDI-INF-RR0005, Laboratory for Foundations of Computer Science, University of Edinburgh, 2000, available at http://www.inf.ed.ac.uk/research/lfcs/publications.html.
[18] C. Stirling, Decidability of DPDA equivalence, Theoretical Computer Science, vol. 255 (2001), pp. 21–31.

PROGRAMMING RESEARCH GROUP, FACULTY OF SCIENCE
UNIVERSITY OF AMSTERDAM, THE NETHERLANDS
and
APPLIED LOGIC GROUP, DEPARTMENT OF PHILOSOPHY
UTRECHT UNIVERSITY, THE NETHERLANDS
URL: www.science.uva.nl/~janb/

PROGRAMMING RESEARCH GROUP, FACULTY OF SCIENCE
UNIVERSITY OF AMSTERDAM, THE NETHERLANDS
URL: www.science.uva.nl/~inge/
URL: www.science.uva.nl/~alban/

COVERING DEFINABLE MANIFOLDS BY OPEN DEFINABLE SUBSETS

MÁRIO J. EDMUNDO

Abstract. Let N be an o-minimal expansion of a real closed ﬁeld. We show that if X is a Hausdorﬀ deﬁnable manifold, then X can be covered by ﬁnitely many open deﬁnable subsets which are deﬁnably homeomorphic to open balls and the intersection of any two open deﬁnable subsets of this covering is a ﬁnite union of elements of the covering. We also mention the importance of this result in the solution of the torsion point problem for deﬁnably compact deﬁnable groups.

§1. Introduction. We work over a fixed, but arbitrary, o-minimal structure N and definable means N-definable (possibly with parameters). By definition of o-minimality, in the model theoretic structure N, every definable subset of N is a finite union of points and intervals with endpoints in N ∪ {−∞, +∞}.

One is often interested in studying definable groups in N. A definable group is a group whose underlying set is a definable set and the graphs of the group operations are definable sets. The theory of definable groups in arbitrary o-minimal structures, which includes real algebraic groups and semi-algebraic groups, began with Anand Pillay’s paper [P] and has since then grown into a well developed branch of mathematics (see for example [E1], [PS], [PSt1], [PPS1] and [PPS2]). For example we have:

(TOP) every definable group G has a unique definable manifold structure such that the group operations are continuous and the definable homomorphisms are also continuous;
(DCC) the descending chain condition for definable subgroups of a definable group G;
(QT) existence in the category of definable groups of the quotient of a definable group by a definable normal subgroup together with the existence of a corresponding definable section;

2000 Mathematics Subject Classification. 03C64; 20E99.
Key words and phrases. O-minimal structures and definable groups.
With partial support from the FCT (Fundação para a Ciência e Tecnologia), program POCTI (Portugal/FEDER-EU).
Logic Colloquium ’05, Edited by C. Dimitracopoulos, L. Newelski, D. Normann, and J. Steel. Lecture Notes in Logic, 28. © 2006, Association for Symbolic Logic.


(AB) every deﬁnable group G of positive dimension has a deﬁnable abelian subgroup of positive dimension; (TOR) if G is a deﬁnable group, then for all m ∈ N, the subgroup G[m] of m-torsion points of G is a ﬁnite deﬁnable subgroup. Properties (TOP), (DCC) and (AB) were proved in [P]. Property (QT) is from [E1] and (TOR) is from the paper [S]. Property (TOP) is used to deﬁne the notion of deﬁnably connected [P] and of deﬁnably compact [PS]: a deﬁnable group G is deﬁnably connected if it has no proper nonempty open and closed (with respect to the topology given by (TOP)) deﬁnable subset; and G is deﬁnably compact if for every continuous deﬁnable map : (a, b) ⊆ [−∞, +∞] −→ G (continuous with respect to the topology on G given by (TOP)), the limit limt−→a + (t) and limt−→b − (t) exist in G. In o-minimal expansions of ﬁelds (TOR) has a strong version for deﬁnably compact groups, namely: Theorem 1.1. If N is an o-minimal expansion of a ﬁeld and G is a deﬁnably connected, deﬁnably compact deﬁnable group, then for each k ∈ N the subgroup G[k] of k-torsion points of G is non trivial. This result is a solution to a problem posed by Peterzil and Steinhorn in [PS] and was ﬁrst proved in an early version of the unpublished preprint [E2]. In [E2] there are three proofs of Theorem 1.1: the ﬁrst one follows from the fact that the o-minimal singular cohomology of G is a non trivial Hopf algebra; the second one follows from the o-minimal version of the Lefschetz coincidence theorem for o-minimal expansions of ﬁelds and was later modiﬁed and simpliﬁed in [BO2]; the third proof, which now appears in [EO] in a simpliﬁed version, computes the o-minimal singular cohomology of G and describes the subgroups G[k] in the abelian case, namely, this data is the same as that of a compact connected abelian Lie group of dimension dim G. All of these proofs of Theorem 1.1 use heavily o-minimal singular homology and cohomology whose existence was established in [Wo]. 
In the ﬁrst two one shows that the o-minimal Euler characteristic E(G) of G is zero and then apply a result from [S] to conclude the existence of the torsion points. There is now a diﬀerent proof by Peterzil and Starchenko [PSt2] which avoids o-minimal singular cohomology and uses instead o-minimal Morse theory exploring the method suggested by [BO1]. In these notes, for lack of space, we will avoid the language of o-minimal homology and cohomology and present instead the proof of the following result which does not rely on this formalism and is nevertheless crucial in the o-minimal singular homology orientation theory for deﬁnable manifolds which is used in all of the three proofs of Theorem 1.1:


Theorem 1.2. Assume that N is an o-minimal expansion of a ﬁeld. If X is a deﬁnable manifold of dimension n, then X can be covered by ﬁnitely many deﬁnable subsets deﬁnably homeomorphic to open ball in N n . This result is related to [BO2, Theorem 4.3] (and can be read oﬀ from the proofs of [BO2, Lemmas 4.1 and 4.2]) and to Wilkie’s result in [W] which says that an open deﬁnable subset X ⊆ N n can be covered by ﬁnitely many open cells. Under the assumption of Hausdorﬀness, we can improve Theorem 1.2 as follows: Theorem 1.3. Assume that N is an o-minimal expansion of a ﬁeld. If X is a Hausdorﬀ deﬁnable manifold of dimension n, then X can be covered by ﬁnitely many open deﬁnable subsets which are deﬁnably homeomorphic to open balls in N n and the intersection of any two open deﬁnable subsets of this covering is a ﬁnite union of elements of the covering. After developing the o-minimal singular homology orientation theory for deﬁnable manifolds using Theorem 1.2 one concludes that the homology group of G over Z of degree dim G is non trivial. Using classical homological algebra arguments adapted to the o-minimal context, it follows from this that the o-minimal singular cohomology H ∗ (G; Q) is isomorphic r to the Hopf algebra ∧[w1 , . . . , wr ]Q with w1 , . . . , wr of odd degree and i=1 degwi = dim G. From this information and classical computations, we also have that dim G the Euler-Poincar´e characteristic (G) = i=1 (−1)i tr(id|H i (G;Q) ) of G is actually zero. But by [BO2] (or by the construction of o-minimal homology [Wo], we have (G) = E(G), so the o-minimal Euler characteristic E(G) of G is zero. Hence, by [S] we conclude the existence of the torsion points. Below we work in an o-minimal expansion N of a ﬁeld (N, 0, 1, +, ·, k and the geometric realization |s| of s in N n is a subset of the closure |t| of the geometric realization |t| of t in N n . 
Note also that here as in [vdD], the geometric realizations of the simplicial complexes are not necessarily closed. Proof of Theorem 1.2. Let (X, Xi , φi )i∈I be a deﬁnable manifold. For each i, let (Ψi , Mi ) be a deﬁnable triangulation of φi (Xi ) ⊆ N n . Let s be an open simplex of Mi . Then |StMi s| ⊆ |Mi | ⊆ N n are open deﬁnable subsets (by the invariance of domain (see [Wo]), |Mi | is open in N n since it is deﬁnably homeomorphic to the open deﬁnable subset φi (Xi ) of N n ). So, we need to show that |StMi s| is deﬁnably homeomorphic to an open ball in N n . But this is a consequence of the following claim: Claim 2.1. Let M be a simplicial complex in N n such that |M | is an open deﬁnable subset of N n . If s is an open simplex of M , then |StM s| is deﬁnably homeomorphic to an open ball in N n . Take a barycentric subdivision of the simplicial complex M and let p be the barycentre of s. Since |M | is an open deﬁnable subset of N n , the set |StM s| is also an open deﬁnable subset of N n . Hence, there is an open ball Bn (p, ) in N n such that Bn (p, ) ⊆ |StM s|. For each point x in S n−1 (p, ) (the boundary of Bn (p, )) let lx+ (t) with t ≥ 0 be the half line that starts at p and passes through x. For each x ∈ S n−1 (p, ), let sx be the unique element such that lx+ (sx ) ∈ |StM s| − |StM s|. This element exists and is unique because |StM s| is closed and bounded and, since Bn (p, ) ⊆ |StM s|, every such half line must intersect |StM s| − |StM s|. Clearly, we have |StM s| = {lx+ (t) : 0 ≤ t < sx , x ∈ S n−1 (p, )} and for every q ∈ |StM s| − {p}, there are unique x ∈ S n−1 (p, ) and 0 ≤ t < sx such that q = lx+ (t). To ﬁnish the proof of the lemma, let h : |StM s| −→ Bn (p, )

be the deﬁnable homeomorphism given by h(lx+ (t)) = lx+ ( sx t). By [vdD, Chapter VI, Lemma 3.5], aﬃne deﬁnable manifolds are deﬁnably normal. By Proposition 2.2 below every abstract Hausdorﬀ deﬁnable manifold X is deﬁnably regular. Finally, by [vdD, Chapter X, Theorem 1.8], every deﬁnably regular abstract deﬁnable manifold is deﬁnably homeomorphic to an aﬃne deﬁnable manifold.


The argument in the following proof is contained in that of [BO1, Lemma 10.4]. Proposition 2.2. Every abstract Hausdorﬀ deﬁnable manifold X is deﬁnably regular, hence, aﬃne. Proof. For each i ∈ I and x, y ∈ Xi , let di (x, y) = |φi (x) − φi (y)|. Let K be a closed deﬁnable subset of X and a0 ∈ X \ K . For ∈ N and > 0, deﬁne K to be the set of all points y ∈ X such that if y ∈ Xi then there is a point x in Ki = Xi ∩ K with di (x, y) < . Clearly, K is an open deﬁnable subset containing K . Similarly we deﬁne L containing a0 to be the open deﬁnable subset of all points y ∈ X such that if y ∈ Xi and a0 ∈ Xi , then di (a0 , y) < . If for some ∈ N with > 0 we have K ∩ L = ∅, then we are done. Otherwise, K ∩L = ∅ for all suﬃciently small > 0. Now by deﬁnable choice ([vdD] Chapter VI, Proposition 1.2) and o-minimality, there is a deﬁnable continuous map a : (0, ) → X such that a() ∈ K ∩ L for all 0 < < . Since X is Hausdorﬀ, the limit lim→0 a() is unique and must be a0 . We reach a contradiction by showing that a0 ∈ K . Choose i such that a0 ∈ Xi . Then, since Xi is open, for all suﬃciently small ∈ N with > 0 we have a() ∈ Xi . So di (a(), Ki ) is well deﬁned and must be less than since a() belongs to

K . Therefore, lim→0 di (a(), Ki ) = 0 i.e., di (a0 , Ki ) = 0 and a0 ∈ K . For the rest of this section we will assume that (X, Xi , φi )i∈I is an abstract Hausdorﬀ deﬁnable manifold of dimension n, hence aﬃne. Since X is aﬃne, we have X ⊆ N k for some k, and so, by [vdD, Chapter VIII, (1.7)], we can deﬁnably triangulate the deﬁnable set X . But, for the proof of Theorem 1.3 we will be interested in a modiﬁcation of this notion. Proof of Theorem 1.3. Let (X, Xi , φi )i∈I be an aﬃne deﬁnable manifold. Suppose that V1 , . . . , Vn are non empty deﬁnable subsets of X . Let I = {1, 2, . . . , k} be a numbering of I . Put V0 = X and deﬁne inductively (Ki , Ni , (Ψi , Mi )) for i ∈ I by: K1 = {X1 ∩ Xj ∩ Vl : j ∈ I, l = 0, . . . , n}, (Ψ1 , M1 ) is a deﬁnable triangulation of φ1 (X1 ) compatible with the deﬁnable subsets in {φ1 (B) : B ∈ K1 } and N1 = {C ⊆ X : Ψ1 (φ1 (C )) is the geometric realization of an open simplex of M1 }; Ki+1 = {Xi+1 ∩ Xj ∩ Vl ∩ C : j ∈ I, l = 0, . . . , n and C ∈ N1 ∪ · · · ∪ Ni }, (Ψi+1 , Mi+1 ) is a deﬁnable triangulation of φi+1 (Xi+1 ) compatible with the deﬁnable sets in {φi+1 (B) : B ∈ Ki+1 } and Ni+1 = {C ⊆ X : Ψi+1 (φi+1 (C )) is the geometric realization of an open simplex of Mi+1 }. By a deﬁnable triangulation of the charts (Xi , φi )i∈I of X compatible with V1 , . . . , Vn we mean a sequence (Ψi , Mi )i∈I like above. For each i ∈ I and for each open k-simplex s of Mi , let StMi s be the star of s in Mi . Let 1, . . . , mi be an enumeration of all open simplexes of Mi and,


for each $l \in \{1, \dots, m_i\}$, let $W_l^i = \phi_i^{-1}(\Psi_i^{-1}(|\mathrm{St}_{M_i} s|))$ where $s$ is the open simplex of $M_i$ corresponding to $l$. The following claims hold for the collection $\{W_l^i : i = 1, \dots, m,\ l = 1, \dots, m_i\}$ where $I = \{1, \dots, m\}$.

(1) If $i, j \in \{1, \dots, m\}$ and $j > i$, then for every $l \in \{1, \dots, m_i\}$ and $k \in \{1, \dots, m_j\}$ we have that $W_l^i \cap W_k^j$ is a finite union of elements from $\{W_s^j : s \in S_k^j\}$ where $S_k^j = \{s \in \{1, \dots, m_j\} : W_s^j \subseteq W_k^j\}$.

(2) For every $i \in \{1, \dots, m\}$, if $j, l \in \{1, \dots, m_i\}$, then we have that $W_l^i \cap W_k^i$ is an element from $\{W_s^i : s \in S_j^i\} \cap \{W_s^i : s \in S_l^i\}$.

Claim (1) follows easily from the definition of a definable triangulation of the charts $(X_i, \phi_i)_{i \in I}$ of $X$ compatible with $V_1, \dots, V_n$. In fact, if $t$ is an open simplex of $M_j$ and $\phi_j^{-1}(\Psi_j^{-1}(|t|))$ intersects $X_i$, then there is an open simplex $s$ of $M_i$ such that $\phi_j^{-1}(\Psi_j^{-1}(|t|))$ is a definable subset of $\phi_i^{-1}(\Psi_i^{-1}(|s|))$. Hence, $W_l^i \cap W_k^j$ is a definable subset of $W_k^j$ which is a finite union of subsets of the form $\phi_j^{-1}(\Psi_j^{-1}(|t|))$ where $t$ is an open simplex of $M_j$. Now, since $W_l^i \cap W_k^j$ is open, if a subset of the form $\phi_j^{-1}(\Psi_j^{-1}(|t|))$ (with $t$ an open simplex of $M_j$) is contained in $W_l^i \cap W_k^j$, then $\phi_j^{-1}(\Psi_j^{-1}(|\mathrm{St}_{M_j} t|))$ is also contained in $W_l^i \cap W_k^j$ and claim (1) holds.

On the other hand, (2) follows from the fact that given two open simplexes $s$ and $t$ of $M_i$, the intersection of the stars $\mathrm{St}_{M_i} s$ and $\mathrm{St}_{M_i} t$ is either empty or equals the star $\mathrm{St}_{M_i} r$, where $r$ is the open simplex of $M_i$ generated by $s$ and $t$. This is easy to see. In fact, an open simplex $l$ of $M_i$ is contained in $\mathrm{St}_{M_i} s \cap \mathrm{St}_{M_i} t$ if and only if $|s|, |t| \subseteq |l|$ if and only if $s$ and $t$ generate an open simplex $r$ of $M_i$ and $|s|, |t|, |r| \subseteq |l|$ if and only if $s$ and $t$ generate an open simplex $r$ of $M_i$ and $l$ is contained in $\mathrm{St}_{M_i} r$.

Thus, it remains to show that each $W_j^i$ is definably homeomorphic to an open ball in $N^n$. Let $s$ be the open simplex of $M_i$ corresponding to $j$. Then $W_j^i$ is definably homeomorphic to $|\mathrm{St}_{M_i} s|$ and $|\mathrm{St}_{M_i} s| \subseteq |M_i| \subseteq N^n$ are open definable subsets (by the invariance of domain (see [Wo]), $|M_i|$ is open in $N^n$ since it is definably homeomorphic to the open definable subset $\phi_i(X_i)$ of $N^n$). So, we need to show that $|\mathrm{St}_{M_i} s|$ is definably homeomorphic to an open ball

in $N^n$. But this is a consequence of Claim 2.1.

We call the finite collection (Wl , l )l ∈L of open definable subsets $W_l$ of $X$ together with the definable homeomorphisms l : Wl −→ Bn (0, l ) ⊆ N n given by Theorem 1.2 (resp., Theorem 1.3) definable charts of $X$ by open balls (resp., special definable charts of $X$ by open balls). In this context it is natural to call each $W_l$ a definable sub-ball of $X$ and a definable subset $U$ of $X$ of the form l−1 (Bn (0, )) with 0 < < l a definable proper sub-ball of $W_l$ (or of $X$))


MÁRIO J. EDMUNDO

since we will have a definable homeomorphism from the closure $\overline{U}$ of $U$ in $X$ into the closed unit ball in $N^n$ sending $\overline{U} - U$ into the unit $(n-1)$-sphere.

Theorem 1.2 easily implies that if $A \subseteq X$ is a definably compact definable subset of $X$, then $A$ can be covered by finitely many definable proper sub-balls of $X$. See [BO2] for details. This fact shows that we could not obtain Theorem 1.3 using the usual definable triangulation theorem instead of the modified version. As pointed out in [BO2] (see also [T]) a counterexample occurs already in the classical case: the double suspension $\Sigma\Sigma P$ of Poincaré dodecahedral space $P$ is a compact, triangulated topological manifold homeomorphic to $S^5$ such that the star of each of the suspension points is not homeomorphic to an open subset $V$ of $\Sigma\Sigma P$ whose closure $\overline{V}$ in $\Sigma\Sigma P$ is compact and for which there is a homeomorphism from $\overline{V}$ into the unit closed ball sending the boundary of $V$ to the boundary of the unit closed ball.

We could not find in the literature classical analogues of Theorems 1.2 and 1.3 except for the trivial case of Theorem 1.2 that holds for compact topological manifolds.

REFERENCES

[BO1] A. Berarducci and M. Otero, Intersection theory for o-minimal manifolds, Annals of Pure and Applied Logic, vol. 107 (2001), no. 1-3, pp. 87–119.
[BO2] A. Berarducci and M. Otero, Transfer methods for o-minimal topology, The Journal of Symbolic Logic, vol. 68 (2003), no. 3, pp. 785–794.
[E1] M. Edmundo, Solvable groups definable in o-minimal structures, Journal of Pure and Applied Algebra, vol. 185 (2003), no. 1-3, pp. 103–145.
[E2] M. Edmundo, O-minimal cohomology and definably compact definable groups, RAAG preprint n. 24 (2004) (http://ihp-raag.org/).
[EO] M. Edmundo and M. Otero, Definably compact abelian groups, Journal of Mathematical Logic, vol. 4 (2004), no. 2, pp. 163–180.
[PPS1] Y. Peterzil, A. Pillay, and S. Starchenko, Definably simple groups in o-minimal structures, Transactions of the American Mathematical Society, vol. 352 (2000), no. 10, pp. 4397–4419.
[PPS2] Y. Peterzil, A. Pillay, and S. Starchenko, Linear groups definable in o-minimal structures, Journal of Algebra, vol. 247 (2002), no. 1, pp. 1–23.
[PSt1] Y. Peterzil and S. Starchenko, Definable homomorphisms of abelian groups in o-minimal structures, Annals of Pure and Applied Logic, vol. 101 (2000), no. 1, pp. 1–27.
[PSt2] Y. Peterzil and S. Starchenko, Computing o-minimal topological invariants using differential topology, preprint, 2005.
[PS] Y. Peterzil and C. Steinhorn, Definable compactness and definable subgroups of o-minimal groups, Journal of the London Mathematical Society, vol. 59 (1999), no. 3, pp. 769–786.
[P] A. Pillay, On groups and fields definable in o-minimal structures, Journal of Pure and Applied Algebra, vol. 53 (1988), no. 3, pp. 239–255.
[S] A. Strzebonski, Euler characteristic in semialgebraic and other o-minimal groups, Journal of Pure and Applied Algebra, vol. 96 (1994), no. 2, pp. 173–201.
[T] W. P. Thurston, Three-Dimensional Geometry and Topology, Princeton University Press, Princeton, 1997.
[vdD] L. van den Dries, Tame Topology and o-Minimal Structures, Cambridge University Press, 1998.
[W] A. Wilkie, Covering open definable sets by open cells, O-Minimal Structures (M. Edmundo, D. Richardson, and A. Wilkie, editors), Proceedings of the RAAG Summer School Lisbon 2003, Lecture Notes in Real Algebraic and Analytic Geometry, Cuvillier Verlag, 2005.
[Wo] A. Woerheide, O-Minimal Homology, Ph.D. thesis, University of Illinois, Urbana-Champaign, 1996.

CMAF UNIVERSIDADE DE LISBOA
AV. PROF. GAMA PINTO 2
1649-003 LISBOA, PORTUGAL


ISOMORPHISMS AND DEFINABLE RELATIONS ON COMPUTABLE MODELS

S. S. GONCHAROV

We are interested in computable structures and some different computable representations of these structures. The basic definitions, results, and problems on this topic can be found in [1, 5, 4]. In the present paper, we consider the problems about algorithmic complexity of isomorphism. We also study the definability property on models and its connections with the Scott rank. The results were obtained in collaboration with J. Knight, W. Calvert, V. Harizanov, C. McCoy, R. Solomon, R. Shore, A. Morozov, D. Tusupov.

Throughout the paper, we adopt the following conventions.
1. Languages are computable, for every structure a subset of serves as its universe.
2. The complexity of a structure A is identified with its atomic diagram D(A).
3. Sentences are identified with their Gödel numbers.

Under these conventions, a structure A is said to be computable (arithmetical or hyperarithmetical) if its diagram D(A), considered as a subset of , is computable (arithmetical or hyperarithmetical).

There are known examples of computable structures of different computable Scott ranks. There are also structures, for example, the Harrison ordering, of Scott rank 1CK + 1. Makkai [19] constructed a structure of Scott rank 1CK , which can be made computable [14] and simplified so that it is a computable tree [3]. In [2], further computable structures of Scott rank 1CK were constructed in the following classes: undirected graphs, fields of any characteristic, and linear orderings. These structures share the strong approximability property with the Harrison ordering and the tree in [3]. These results give us examples of computable structures with different complexity of the isomorphism problem for different computable representations.

Partially supported by grant RFBR-05-01-00819 and President grant of Scientific School 2112.2003.01

Logic Colloquium '05
Edited by C. Dimitracopoulos, L. Newelski, D. Normann, and J. Steel
Lecture Notes in Logic, 28
© 2006, Association for Symbolic Logic


§1. Introduction. In this section, we recall some definitions and known results. The Scott rank is a measure of model-theoretic complexity. The notion comes from the Scott Isomorphism Theorem (see [22]).

Theorem 1.1 (Scott Isomorphism Theorem). For a countable structure A (a countable language L) there is an L1 sentence whose countable models are just isomorphic copies of A.

In the proof by Scott, countable ordinals were assigned to tuples in A and to A itself. There are several different definitions of the Scott rank. We begin with a family of equivalence relations. We write $A \cong B$ if the models A and B are isomorphic.

Definition 1.2. Let a, b be tuples in A.
1. We write $a \equiv_0 b$ if a and b satisfy the same quantifier-free formulas.
2. For $\alpha > 0$ we write $a \equiv_\alpha b$ if for all < α and c there exists d , and for each d there exists c such that a, c ≡ b, d .

Definition 1.3.
1. The Scott rank of a tuple a in A is the least such that for all b the relation a ≡ b implies $(A, a) \cong (A, b)$.
2. The Scott rank of A, denoted by SR(A), is the least ordinal α greater than the ranks of all tuples in A.

Let us recall the definition of Kleene's system O. The system consists of a set O of notations equipped with a partial ordering
