Logic, Language and Computation: Festschrift in Honor of Satoru Takasu (Lecture Notes in Computer Science)

Neil D. Jones Masami Hagiya Masahiko Sato (Eds.)

Logic, Language and Computation Festschrift in Honor of Satoru Takasu

Springer-Verlag Berlin Heidelberg NewYork London Paris Tokyo Hong Kong Barcelona Budapest

Lecture Notes in Computer Science Edited by G. Goos and J. Hartmanis Advisory Board: W. Brauer

D, Gries

J. Stoer

792

Series Editors Gerhard Goos Universit~it Karlsruhe Postfach 69 80 Vincenz-Priessnitz-Strage 1 D-76131 Karlsruhe, Germany

Juris Hartmanis Cornell University Department of Computer Science 4130 Upson Hall Ithaca, NY 14853, USA

Volume Editors Neil D. Jones DIKU, University of Copenhagen Universitetsparken 1, DK-2100 Copenhagen, Denmark Masami Hagiya Department of Information Science, University of Tokyo 7-3-1 Hongo, Bunkyo-ku, Tokyo 113, Japan Masahiko Sato Research Institute of Electrical Communication, Tohoku University Sendai 980, Japan

CR Subject Classification (1991): F.4, F.3.3, F.1.3, D.3.3-4, 1.2.2

ISBN 3-540-57935-4 Springer-Verlag Berlin Heidelberg New York ISBN 0-387-57935-4 Spfinger-Verlag New York Berlin Heidelberg

CIP data applied for This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the fights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer-Verlag. Violations are liable for prosecution under the German Copyright Law. 9 Spfinger-Verlag Berlin Heidelberg 1994 Printed in Germany Typesetting: Camera-ready by author SPIN: 10132126 45/3140-543210 - Printed on acid-free paper

Preface Professor Satoru Takasu is scheduled to give his final lecture at the Research Institute of Mathematical Sciences (RIMS) in Kyoto at the end of March, 1994. The purpose of this volume is to celebrate Professor Takasu's career to date, and the many positive effects he has had upon theoretical computer science, both in Japan and worldwide. Professor Takasu has been involved in pathbreaking research work, especially in constructive type theory and its relation to automatic program synthesis. He was one of the first, and perhaps the first, seriously to consider using the computer to derive a program automatically from a constructive proof that a problem specification is satisfiable. Further, he has greatly stimulated Japanese theoretical computer science by his research, by his philosophy, and by advising a great many students since the time he dreamed he was building a computer (told to us many years ago). The range of areas in which he has supervised excellent work is surprisingly broad: automata theory, category theory, complexity theory, lambda calculus, machine learning, program synthesis, and verification; and many aspects of logic including: constructing programs from proofs, cut elimination, non-classical logics, proof theory, and logic programming. The editors of this volume are three of Takasu's former students, and Neil Jones was his very first student (in Canada, in the time 1962-66). We were motivated to organize this volume because we feel that this outstanding level of breadth, depth, energy, and research stimulation deserves recognition. The quality of the contributions here confirms this impression and Takasu's unusual ability to inspire good research among his students and colleagues. Biographical information Satoru Takasu was born in 1931, and his father was a well-known professor of mathematics at Tohoku University in Sendai. He earned his B.S., M.S., and Ph.D. degrees, all in mathematics, from the University of Tokyo, respectively in 1953, 1955, and 1959, with emphasis on homological algebra and mathematical logic. After this time he worked at Nippon Telegraph and Telephone until 1964. In the period 1962 to 1966 he was first Assistant and then Associate Professor at the newly established Computer Science Department at the University of Western Ontario in London, Canada. While there, he set the pattern for that department's further theoretical research, teaching the first courses in switching circuits, logic, and formal languages. These areas were not well recognized at the time, but later became an important part of North American computer science curricula. Further, he helped to organize a conference on General Systems T h e o r y when in Canada, and co-edited its proceedings. The contributions Dr. Takasu made in the initial stage of that department's development and the legacy t h a t he left behind are still greatly appreciated.

vI In 1966 he became Associate Professor at RIMS (Research Institute for Mathematical Sciences) at Kyoto University. He continued as Full Professor at RIMS from 1967 through 1994, and was director of the institute for two years in 19911993. That time was especially fruitful because RIMS was willing to devote means to organize symposia with mostly domestic but sometimes foreign researchers as well. Takasu organized or helped organize many RIMS symposia. He also hosted an IFIP Working Group 2.2 meeting, and organized several international symposia on theoretical computer science, supported by IBM Japan. From the very beginning, when the Japanese theoretical Computer Science community was very small, he played a central role in its development throughout the country. Almost all of today's good Japanese theoretical computer scientists have some connection with him, many as direct or indirect students. At RIMS Professor Takasu was in the right place at the right time, and most importantly, he had the right sense of direction. In particular, Takasu foresaw the fundamental role of constructive logic in theoretical computer science already in the 1960s after studying the work of Gentzen on cut elimination and the work of GSdel on dialectical interpretation. Although Kreisel and Constable published similar ideas at an early stage, it seems fair to say that Takasu was the first seriously to pursue this direction. This book These papers cover a wide spectrum, characteristic of Takasu's wide-ranging interests and activities. All are by former students or close colleagues. Many have to do with logic, and especially its applications and implementation on the computer. Following is a brief summary of the subjects of the various articles. C o n s t r u c t i v e T y p e T h e o r y . Lifschitz' Logic of Calculable Numbers and Optimizations in Program Extraction, by Susumu Hayashi and Yukihide Takayama, introduces a new approach to extract a program from a proof that an inputoutput specification is satisfiable. The approach starts from a logic devised by Lifschitz with quite different aims, but turns out to be closely related to earlier work by both authors. On Implicit Arguments, by Masami Hagiya and Yozo Toda, deals with a real problem in automation of logic: types are necessary for both theoretical and implementational reasons, but their overabundance can be distracting for human readers and writers. The authors provide a well-founded scheme for omitting many type annotations without informational or computational loss. A functional system with transfinitely defined types, by Mariko Yasugi and Susumu Hayashi, introduces a new formal system for constructive analysis, proves strong normalization, and describes its computational mechanisms.

The Non-deterministic Catch and Throw Mechanism and Its Subject Reduction Property, by Hiroshi Nakano, concerns the interface between logic and functional programming. Even though the catch/throw mechanism gives nondeterministic evaluation results, it is shown to be type-preserving under reductions in a constructive type discipline.

VII L a m b d a Calculus. Conservativeness of A over )~a-calculus, by Masahiko Sato and Yukiyoshi Kameyama, concerns a new functional programming language A that has encapsulated assignment but doesn't sacrifice referential transparency. It is shown that A is a conservative extension of a well-known lambda calculus with explicit substitutions. ML with First-Class Environments and its Type Inference Algorithm, by Shin-ya Nishizaki, and also related to explicit substitutions, describes an ML-polymorphic language with first-class environments and gives a type inference algorithm for the language. A Simple Proof of the Genericity Lemma, by Masako Takahashi, gives a short and elegant new proof of a classical theorem, whose usual proof is quite complex.

Logic~ Algebra, a n d Applications. The Logic of F0L Systems Formulated in Set Theory, by Richard W. Weyhranch and Carolyn Talcott, systematically reinterprets ideas from traditional logic with the ultimate goal of building an artificial reasoner, rather than providing a theory about what a reasoner might have done. Well-Ordering of Algebras and Kruskal's Theorem, by Ryu Hasegawa, shows the existence of a strong connection between a certain class of algebras and a hierarchy of ordinal notations known from mathematical logic. On Locomorphism in Analytical Equivalence Theory, by Shigeru Igarashi, Tetsuya Mizutani, Takashi Tsuji and Chiharu Hosono, concerns a logic for reasoning about and verifying concurrent and real-time systems. Locomorphism is a generalization of program equivalence, and can be considered as a homomorphism between acts. Analysis of a Software/Hardware System by Tense Arithmetic, by Kohji Tomita, Takashi Tsuji and Shigeru Igarashi, applies the framework of the preceding paper to analyze a typical (and realistic) example of a hardware/software system.

P r o g r a m T r a n s f o r m a t i o n . The Essence of Program Transformation by Partial Evaluation and Driving, by Neil D. Jones, shows that some well-studied program transformation schemes may be formulated in logical terms, giving links to both the classical predicate transformer semantics and to program analysis by abstract interpretation. Program Transformation via Contextual Assertions, by Ian A. Mason and Carolyn Talcott, applies their 'Variable Typed Logic of Effects' to justify on a logical basis a number of program transformations that can be used to optimize functional programs with side effects, including both assignment and pointers.

C o m p l e x i t y a n d Coding. On Coding Theorems with Modified Length Functions, by Kojiro Kobayashi, strengthens a result by Csiszar and K5rner in coding theory. Thirty Four Comparisons are Required to Sort 13 Items, by Takumi Kasai, Shusaku Sawato and Shigeki Iwata, establishes by a novel and sophisticated computer analysis that 13 items cannot be sorted in fewer than 34 comparisons, answering a question left open by Wells nearly 30 years ago. The result would not have been computationally feasible just a few years ago.

viii Acknowledgements Many have aided production of this volume. In addition to the authors, we want to thank Peter Holst Andersen, Robert Gltick, John Hart, Chetan Murthy, Hans Henrik Lcvengreen, Takako Nakahara, Peter Sestoft, Morten Heine Scrensen, Carolyn Talcott, and Lisa Wiese. The DART project, funded by the Danish Natural Sciences Research Council, partly supported P:H. Andersen, N.D. Jones, and M.H. Scrensen.

Contents Constructive Type Theory Lifschitz' Logic of Calculable Numbers and Optimizations in Program Extraction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Susumu Hayashi and Yukihide Takayama On Implicit Arguments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

10

Masami Hagiya and Yozo Toda A Functional System with Transfinitely Defined Types . . . . . . . . . . . . . . . . . . . . .

31

Mariko Yasugi and Susumu Hayashi The Non-deterministic Catch and Throw Mechanism and Its Subject Reduction Property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

61

Hiroshi Nakano

Lambda Calculus Conservativeness of A over A~r-Calculus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

73

Masahiko Sato and Yukiyoshi Kameyama ML with First-Class Environments and its Type Inference Algorithm . . . . . .

95

Shin-ya Nishizaki A Simple P r o o f of the Genericity Lemma . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

117

Masako Takahashi

Logic, Algebra, and Applications The Logic of FOL Systems: Formulated in Set Theory . . . . . . . . . . . . . . . . . . . . . Richard W. Weyhrauch and Carolyn Talcott

119

Well-Ordering of Algebras and Kruskal's Theorem . . . . . . . . . . . . . . . . . . . . . . . . Ryu Hasegawa

133

On Locomorphism in Analytical Equivalence Theory . . . . . . . . . . . . . . . . . . . . . .

173

Shigeru Igarashi, Tetsuya Mizutani, Takashi Tsuji and Chiharu Hosono Analysis of a Software/Hardware System by Tense Arithmetic . . . . . . . . . . . .

Kohji Tomita, Tak~shi Tsuji and Shigeru Igarashi

188

xII

Program Transformation The Essence of P r o g r a m Transformation by Partial Evaluation and Driving . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

206

Neil D. Jones Program

Transformation

via Contextual

Assertions ........................

225

Ian A. Mason and Carolyn Talcott

Complexity and Coding On Coding Theorems with Modified Length Functions . . . . . . . . . . . . . . . . . . . .

255

Kojiro Kobayashi Thirty four Comparisons are Required to Sort 13 Items . . . . . . . . . . . . . . . . . . .

Takumi K~sai, Shusaku Sawato and Shigeki Iwata

260

Lifschitz's Logic of Calculable N u m b e r s and Optimizations in P r o g r a m Extraction Susumu Hayashi 1 and Yukihide T a k a y a m a 2 1 Department of Applied Mathematical and Informatics, Ryukoku University, Seta, Ohtsu, Shiga, 520-21, Japan Department of Computer Science and Systems Engineering, Ritsumeikan University, 56-1, Kita-machi Tohjiin, Kita-ku, Kyoto, 603, Japan A b s t r a c t . In the early 80's, V. Lifschitz presented a classical logic which can code up constructive logic [8], [9]. We will show how it is used for optimization in program extraction. We will show that the second author's extended projection method [13], [14] can be considered as a translation of constructive proofs into Lifschitz's logic. We will also give an interpretation of Lifschitz's logic into the first author's type system ATTT, which evolved from the extended projection method.

1

Lifschitz's

logic and

information

relevance

It is well-known that classical logic can be faithfully embedded in constructive logic via so-called double-negation interpretations. These interpretations are finding applications to extraction of programs from classical proofs by means of continuation. The other way around, V. Lifschitz introduced a classical logic in which constructive logic can be coded up [8], [9]. The key idea of Lifschitz's logic is the "calculability predicate" K ( x ) , which stands for "x is a computable number." Lifschitz introduced the following realizability for his logic: r s K(t)

iff r = t

r s Vx.F

iff V x . r s F

r s 3x.F

iff 3 x . r s F

rstl

=t2

iff tl = t 2

rsFoG

iff r;AVz.(xsF

rsFAG

iff r o s F A r l

r(x) sG) sG

We assumed a surjective pairing of natural numbers and r0 and rl are the first and second components of the pair represented by the number r. Lifschitz read this realizability interpretation r s F as "r solves the problem F . "

The interpretation of the first order quantifiers resembles the realizability interpretation of second order quantifiers by Kreisel and Troelstra [7], which is an origin of the so-called "simple semantics" of polymorphism and data abstraction

in [111. Lifschitz interpreted the quantifiers above as classical quantifiers and defined constructive (Brouwerian) quantifiers Vs, 3 B as follows:

Vsx.F iff Vx.K(x) 9 F 3B x.F iff 3x.K(x) A F. Note that the realizability interpretations of the constructive quantifiers coincide with Kleene's realizability interpretation: r s VBx.F iff Vx.r(x) s F r s 3Sx.F iff 3x.rl s F(ro). Lifschitz's aim was a theory of computable (discrete) numbers. But, we may give another understanding of his theory and realizability interpretation. We may read "r s F " as "the program r satisfies the specification F " after the philosophy of "proofs as programs" or "program extraction," e.g., [1], [5], [12]. From the view point of "proofs as programs" notion, K(x) can be read as "x is relevant to our computation." (This interpretation was pointed out to us by J.Y. Girard and G. Mints.) In the next section, we will explain the significance of this interpretation and how it relates to Lifschitz's logic and the second author's extended projection method.

2

Information redundancy in program extraction

One of the main problems in program extraction is avoidance of redundant codes. The standard interpretation of the formula 3x.A in intuitionistic logic is a pair of a value v of the variable x and a witness (proof) of Air~x]. Suppose a programmer/verifier developed a proof of the formula above in Nuprl system or PX system to solve the problem "develop a formally verified program p which satisfies the condition A~/x]." The standard Curry-Howard interpretation says "take the first component of the proof developed." Let P be the proof. Then, P0 is p. If the program p is evaluated by call-by-value strategy, P must be evaluated to compute the value of P0. But, P is often of the form of pair (al, a ~ / a n d so evaluation of the second component a~ is not necessary. By simple program transformation or call-by-need evaluation, such unnecessary evaluation might be avoidable. However, as far as we stick to the standard interpretation of constructive logic, there is no way to specify the irrelevance of the second component. Let us illustrate it by an example. Suppose a client (specifier) wishes to have a program p(n) computing the n-th prime number. He wishes to specify the program and hand it to a programmer. If the specification is written by means of "proofs as programs" notion, it would have to be 3x E N.x is the n-th prime.

But, this is not the specification of a function which computes primes but pairs of primes and proofs of their primeness. The second component is not relevant to the client but there is no way not to specify the proof part. Several authors introduced formulas (or types) to avoid such unnecessary part in specifications. Examples of such formulas and types are subset types [1], [12], rank 0 formulas [5], and non-informative propositions [2]. These formulas and types are intended not to carry any information. For example, in P X system, if the (}-sign is put in front of a formula F , then (}F is intended not to carry any computational information. The (}-sign kills the computational information of F. Thus, a specifier can specify information of which subformula is irrelevant to him by using this new logical sign. Lifschitz's logic allows a dual and even finer approach. Remember that Lifschitz's K could specify which information is relevant. The specification 3 x . ( K ( x ) A "x is the n-th prime")

says that the prime x is relevant. If we do not use any K in the body of the existential quantifier above, this specification tells that only the prime x is relevant. To see Lifschitz's logic is more precise (expressive) to specify necessary and unnecessary information, let us consider the following formula 3q C N . 3 r E N . a = b * q + r

A r Y~Z).zxy. in the introduction is allowed in the global context. When a variable x defined as above is referenced, it must be given a sufficient number of implicit arguments, so that the type of the application becomes implicit-free. When x is applied to arguments in the explicit calculus, it can be reduced by the ordinary reduction rules. In the implicit calculus, on the other hand, in order to reduce an application of x containing implicit arguments, we must infer the implicit arguments during reduction. The simplest approach to cope with the problem is to allow reduction only when successive steps of/3-reduction eliminate all the implicit arguments. For example, when a n d I is given only two explicit arguments M and N, then (andI M N) is not allowed to be reduced to

AZ :*.Az:( X ~ Y ~ Z).z M N,

27

because X and Y are implicit arguments. On the other hand, the term

andI M N A (Ax:A.Ay:B.x) is reduced to M, because all the implicit arguments are eliminated and disappear. Another approach is to do typechecking during reduction. When an implicit A-abstraction Ax I A . M is encountered, it is reduced as follows, where ? is a newly created unknown variable. AxlA.M

~

M[x:=?]

On the other hand, while reducing an ordinary r (Ax:A.M)N ~

M[x:=N],

if A contains an unknown variable created in preceding reduction of an implicit A-abstraction, the type of N is computed and then unified with A. This seems to work well, but typechecking makes reduction very inefficient. Moreover, the formal treatment of the entire algorithm becomes complicated.

7

Conclusions

We have presented a typechecking algorithm that directly checks terms in the implicit calculus by restricting instantiation of unknowns introduced by implicit arguments. The algorithm was derived by the analyses of various situations in which the uniqueness of a translation is not preserved by reduction. The typechecker has actually been implemented and runs with reasonable efficiency. However, users of our typechecker sometimes find it difficult to distinguish between well-typed terms and ill-typed terms. It is therefore important to characterize the terms that can be checked by our typechecker in a style that is more natural and intuitive. With such a different style of formalization, it becomes meaningful to show the completeness and the termination of the typechecker. Finally, we want to work on the handling of implicit A-abstractions in the future.

Acknowledgments We deeply thank Randy Pollack and Atsushi Ohori for their invaluable advice, and Shin'ya Nishizaki for being the first and impatient user of our typechecker. The first author would also like to thank Professor Satoru Takasu, whose continuous encouragements were like an oasis in the desert.

28

References 1. H. Barendregt. Introduction to generalised type systems. Journal of Functional Programming, Vol.1, No.2, pp.124-154, 1991. 2. V. Breazu-Tannen, T. Coquand, C. A. Gunter and A. Scedrov. Inheritance as Implicit Coercion. Information and Computation, Vol.93, No.l, pp.172-221, 1991. 3. R. Harper and J. C. Mitchell. On the type structure of standard ML. ACM Transactions on Programming Languages and Systems, Vol.15, No.2, pp.211~ 1993. 4. Z. Luo and R. Pollack. LEGO proof development system: User's manual. Technical Report ECS-LFCS-92-211, LFCS, Computer Science Department, University of Edinburgh, 1992. 5. D. Miller. A logic programming language with lambda-abstraction, function variables, and simple unification. Journal of Logic and Computation, Vol.1, No.4, pp.497-536, 1991. 6. D. Miller. Unification of simply typed lambda-terms as logic programming. In K. Furukawa, editor, In Proceedings of the Eighth International Conference on Logic Programming, MIT Press, 1991. 7. D. Miller. Unification under a mixed prefix. Journal of Symbolic Computation, Vol.14, No.4, pp.321-358, 1992. 8. F. Pfenning. Elf: A language for logic definition and verified metaprogramming. In Proceedings of the Fourth Annual Symposium on Logic in Computer Science, Asilomar, California, 1989. 9. F. Pfenning. Logic programming in the LF logical Framework, In Proceedings of the First Workshop on Logical Frameworks, 1991. 10. R. Pollack. Implicit syntax. LFCS, Computer Science Department, University of Edinburgh, 1992. 11. M. H. Takahashi. Parallel Reductions in A-Calculus. Journal of Symbolic Computation, Vol.7, pp.113-123, 1989. 12. H. Tsuiki. A normalizing calculus with subtyping and overloading. Theoretical Aspects of Computer Software 94, Lecture Notes in Computer Science, to appear. 13. L. S. van Benthem Jutting. Typing in pure type systems. Information and Computation, Vol.105, pp.30-41, 1993.

29

The Typechecker Type(ro, F, M, A, k) ~/gl ~ n e w ~

type(Fo, F, M, B, k'), unify(to, F, A, B, k). Typet(Fo, F , M , A )

~-

]gt = n e w ,

type(Fo, F, M, B, k'), unify(Fo, F, A, B, k'). Kind(Fo, F, A, s) ~]t : new, type(Fo, F, A, s, k'), s is a sort. Context (@).

Context(/", x:A) ~Context(F),

Kind(/", 0, A, s). coerce(1"o,/", A, A, k) +-A is implicit-free. coerce(/"o, [1, H x {A.B, B', k) ~1" =_ xl :A1, " " , x,~:A~,

let ? be a new unknown, let ?'s type be Hxl:A1.....Hxn:A,~.A, let ?'s key be k, coerce(/"o, 17, B [ x : = ? X l " " Xn], B ' , ]~), instantiated(?xl 9""xn). coerce(1"o~/"~ A, B~ k) *-A -+ A'

coerce(/"0~ F, At, B~ ]~).

type(to,/", s, s', k) +(s, s') ~ Axiom. type(Fo,/7, x, A', k) ~F = FI,x:A,F'2 or 17o =/"I,x:A, F2, coerce(1"o, F, A, A', k). type(Fo, F, H x : A . B , s3, k) Kind(Fo,/", A, Sl), Kind(1"o, (1", x:A ), B, s2), (,51, 82, "53) e Rule. type(/"o,F, H x { A . B , s3, k) ~--

Kind(Fo, 1", A, Sl), Kind(Fo, ( F, x:A ), B, s2 ), ( e l , s2, s3) 6 Rule. type(Fo, F, Ax:A.M, Hx:A.B, k) ~--

type(Fo, (F, x:A), M, B, k), Kind(Fo, ]7, H x:A.B , s ). type(Fo, F, M N , B', k) ~type(Fo, F, M, C, k), C --* (Hx:A.B),

N is implicit-free, Type(to, F, N, A, k),

coerce(r0, r, B[x:=N], B', k). type(Fo, F, M t N, B', k) type(Fo, F, M, C, k ), C --* (Hx:A.B),

N is implicit-free,

Typet (Fo, r, N, A), coerce (Fo, F, B[x:=N:A], B', k ).

type(Fo, 17, M:A, A, k) ~-Kind(ro,/7, A, s), A is implicit-free, Wypet(Fo, F, M, A). unify(Fo, F, s, s, k). unify(Fo, F, x, x, k). unify(Fo, F, H x : A . A p, H x : B . B ' , k) unify(Fo, F, A, B, k), uni~y(Fo, (F, x:A), A', B', k). unify(Fo, F, Ax:A.M, Ax:B.N, k) eunify(to, r, A, B, k),

uni~y(ro, (r, x:d), M, N, k). unify(Fo, F, M M ' , N N ' , k) +-M's head is a variable in Fo, unify(Fo, F, M, N, k ), unify(Fo, F, M', N', k). unify(Fo,/7, M M ' , N N ' , k) M's head is a variable in F, unify(Fo, F, M, N, k), unify(Fo, F, M', N', • unify(Fo, F, M M', N t N ', k) ~--

30 M's head is a variable in Fo, unify(Fo, F, M, N, k), unify(Fo, F, M', N', k). unify(Fo, F, M M ' , N t N ', k) ,-M's head is a variable in F, unify(Po, F, M, N, k), unify(F0, F, M', N', A_). unify(Fo, F, M t M ', N N ' , k) ~-M's head is a variable in Fo, unify(ro, F, M, N, k), unify(Fo, F, M', N', k). unify(Fo, F, M t M ', N N ' , k) ~-M's head is a variable in F, unify(Fo, F, M, N, k), unify(Fo, F, M', N', 3_). unify(Fo, F, MC M ', N t N ', k) ~-M's head is a variable in Fo, unify(Fo, F, M, N, k), unify(Fo, F, M', N', k). unify(Fo, ]', MCM ', N t N ', k) ~-M's head is a variablel in F, unify(Fo, F, M, N, k), unify(Fo, F, M', N', 3_). unify(Fo, F, M:A, N:B, k) *-M's head is a variable in Fo, unify(Fo, F, M, N, k), unify(Fo, F, A, B, k). unify(Fo, F, M:A, N:B, k) *-M's head is a variable in F, unify(Fo, F, M, N, k), unify(Fo, F, A, B, 3_). unify(Fo, F, ?Xl " ' " Xn, M , k) ~-?'s type is Ilxl:A1.....Ilxn:A,~.A, M is implicit-free, M does not contain variables in F other than X l , . . . , x n , M contains no unknowns, no unknowns occur in the types of free variables in M,

?'s key is k, Type(Fo, F, M, A, k), replace each occurrence of ?M1 .-. M~ with M[xl:=M1,..., x~:=M~] unify(Fo, F, M, N, k) ~-M ---*M', N ----~N', unify(Fo, F, M', N', k). i n s t a n t i a t e d ( M ) ~-M does not begin with an unknown.

A Functional System with Transfinitely Defined Types Mariko YASUGI 1 and Susumu HAYASHI 2 1 Faculty of Science, Kyoto Sangyo University, Kita-ku, Kyoto, Japan 603 2 Faculty of Science and Engineering, Ryukoku University, Seta, Ohtsu, Japan 520-21

Introduction The first author formulated a system of generalized terms (called term-forms) in [9] in order to provide with the foundations to the "consistency proofs." Technically, it is a device to realize a functional interpretation of a formalized intuitionistic analysis (called A S O D in [9]), which has transfinite recursive definitions of predicates along some well-ordered structures and bar induction applied to "admissible formulas". Here we present a revised version of the system of term-forms, named T R M and consider A S O D in a more general setting, renaming it as T R D B . T R M is interesting by itself (aside from proof-theoretical necessity), and T R D B has its place among formal systems of constructive analysis. Our major objectives in this article are to prove the normalization theorem in T R M and to distil the computational mechanism of T R D B via a translation of T R D B into T R M . The paper is designed to be nearly self-contained. T R M is based on a kind of parametric types, called type-forms. Among the constructors of type-forms are the transfinite recursor (along some wellordered structure), parametric abstraction, projection to parametric objects and the conditional definition (Section 2). Term-forms belonging to such type-forms are defined in terms of abstraction, application, conditional definition, primitive recursion and bar recursion (Section 4). Section 1 furnishes the reader with some preparatory background. Normalizability of type-forms is proved by transfinite induction on the "degree" of type-forms (Section 3), and the same property of term-forms is proved in terms of the reducibility set, following the Tait method (Section 5). The ChurchRosser property can be established by well-known arguments (Section 6). This completes the first of our objective. Arithmetization of the normalization proof can be executed in T R D B with standard technique (Section 7). The opposite direction, realization of T R D B in T R M has been demonstrated in [9] as a consequence of the modified realizability (mr-)interpretation. We thus obtain the computational equivalence of T R M and T R D B . We also present, however, a direct translation of T R D B to T R M , associating formulas with type-forms and proofs with term-forms (Section 8). We can then complete our second objecticve.

32 Zucker has worked on the modified realizability interpretation of an extension of HA (Heyting arithmetic) with "twice iterated inductive definitions" applied to a subfamily of formulas. Interested readers can refer to [11].Our idea of T R M is an expansion of the "construction principle'!, which was proposed in [8], in order to interpret transfinite induction up to E0. A type system which requires reductions is not novel. We have quoted [2] and [6] as references, although their systems are impredicative while ours is not. We have taken much of notations, technical terms and proof techniques from [1], [3] and [5]. In the separate paper [10], we have presented interpretations of T R M in sets and in T R D B . We also plan to define an extension of T R D B which is complete with respect to the mr-translation.

1

Preliminaries

We first define formal expressions of number-theoretic objects and relations (in the basic language 13s and then give an account of the continuity of functionals. Our entire theory depends on a pre-supplied, primitive recursive well-ordered structure "1- -= (I, tt({in}), im is in fact empty. There can be more than one order structure 2-, but we assume just one for the sake of simplicity. D e f i n i t i o n 1. (1) The language B ~ consists of the following. (1.1) Propositional connectives. (1.2) There are variables, say X o n , x l ~ , . . . , x p n , . . . , where n = 0 , 1 , . . . . Variables with superscript n are called n-ary variables. (1.3) Constant symbols for natural numbers, say 0, 1, 2,..-. (1.4) Constant symbols for all the number-theoretic functions which are primitive recursive in function parameters. (1.5) Constants for primitive recursive relations such as = and < (of numbers). We assume the elementary relations concerning the structure 27 (such as 0),

36 and say t h a t c~ is reducible to a ~, or a~ is a reduct of a. Notice that, a and ( f are distinct if a --~ at, while they m a y be identical when (~ -.-*~.* a ' . (4) If a has no redex, then a is said to be normal. (5) If a is reduced to a normal t y p e - f o r m with respect to any sequence of reductions, then a is said to be strongly normalizable. (6) As is seen in (2.6) and (2.7) above, p and T~ have priorities in reduction. (In particular, Tr r] is infallibly its own redex due to (1.4).) We shall call these priority conditions p - s t r a t e g y and T~-strategy respectively.

Note. (1) Finite types (in the sense of G5del) are types defined by means of N and 4 . (2) Suppose a is a type-form and a ",~',~ a'. Then a ~ is a type-form, a variable occurs free in a r only if it does in a, and, in case a is a type, a ~ is also a type. (3) We could have countably m a n y recursors successively depending on the predecessors, but we will deal with just one T~ for the sake of simplicity. In order to assign scales of complexity to type-forms, we e x p a n d the wellordered s t r u c t u r e I . T h e idea of what follows in this section has been taken from the t r e a t m e n t of 7-degree in Section 11 of [7].

D e f i n i t i o n 8. (1) E x t e n d Z -

I~-

{i~ ; i C I }

(I, < i )

to (I*, 0. r 1-reduces to (i) r where r ~.z ~ or (ii) r where V "~ 7'. In case of (i), r E Red(~3) implies CV E Red(c@ In case of (ii), ~' E Red(7) by (CR 2') and hence r]' E sn by (CR 1'). @r]' E Red(a) by the induction hypothesis of L,(,r/). In either case, the premise of (CR 3') is satisfied for r and hence

r ~ Red(a). We have thus obtained r E Red(7 ~ a). This completes the proof of reducibility lemma. For the proof of Theorem 46, we need some more lemmas. They are corollaries

of (CR). (1) r E Red and r E Red imply cond[A ; r r E Red, then o'[3 _ lg(z). A(z 9 k) is VgVn(g[lg(z.k)=z.l~&n>lg(z.k)

D13[b; r

9 ; n, g] E R e d ) .

To show that A(z) holds, argue as follows. For some k, f[(Ig(z) + 1) -- z * k. If we put n = m + 1 and gl = ( f [ n ) * l , then gl[lg(z*k) = z , l c and n > lg(z*Ic). So, by the premise, 13[b; r ~;; n, g~] E Red. This is true for every l. That is, B[b; r r

n, ( f [ n ) . l ] E R e d

for every l. By (2) of Lemma A, this implies (,) AIB[b ; r ~b ; n, ( f i n ) , l] E Red. Now, if b(f) < m, then /3[b; r

~;; m, f] ~ app(r

f lm),

and this is the sole immediate reduct of B i b ; 4, ~b; m, f] by virtue of ~-strategy. Since r Ira) E Red as claimed above, (CR 3) implies B[b ; r ~ ; m, f] E Red. Next, if b(f) > m, then B[b; r r

m, f ] ~ B { m + l } ,

where B{m + 1} abbreviates app(app(r

; AIB[b ; r r

re+l,

( f [ m + l)*l]),

and this is the sole immediate reduct. ~ E Red by the premise, and hence, by definition, app (r ; f [ m ) E Red. Again, by definition and by (*), 13{m + 1} E Red. (CR 3) then implies 13[b; ~b, ~ ; m, f] E Red.

50 L e m m a C Let r be a term whose free occurrences of variable-forms (of type) are among X =_ X1, . . . , X~, and let ~ - r " " , r be reducible terms of corresponding types. Then r [~P/X] - r 1 6 2

,r

E Red.

Proof. By induction on the construction of r according to (4) of Definitions 27, 30 and 41. (4.1) If r is Z not similar to any of X, then r - X and hence r E Red by (CR 5). If r i s . , then the claim is trivial. If r is Xi, 1 < i < n, then r [~P/X] - r E Red. (4.2) If r is a constant f, then f E Red by (CR 4). (4.3) r is Ax. )i. By Lemma A, (Ax. X)[~P/X] =_ Ax.x [~P/X] E Red if, for every t, )i [~P/X] [t/x] =_ )i[t/x] [kV/X] E Red. (Notice that x does not occur free in ~P and x is not an associated variable of X.) To x[t/x] the induction hypothesis applies. (4.4) r is AX;~.)I. By (3) of Lemma A, r [~PlX] =- AX. )i [~P/X] E Red if, for every 0 E Red such that 0 .-. X, )i [~P/X] [OIX] - )i [~PlX, OIX] E Red, which holds by the induction hypothesis.n (4.5) r is xt where X : {x}% By the induction hypothesis, )i[~P/2d] E Red({x}~/). So, by definition, )i [~P/X] t =_ )it [~P/X] E Red([[~/[t/x][[). (4.6) r is )i0 where X E Red(/3 --* ~/). By the induction hypothesis, X [~P/X] E Red(/3 --* 7) and 0 [e/X] E Red(Z). X [~P/X] E Red implies that, for every ~ E Red(Z), )i [~P/X] ~ E Red. r [kV/X] __ )i [e/X] O[~P/X], and hence put ~ -- 0 [~P/X]. (4.7),-,(4.9) By the induction hypothesis and Lemma A. (4.10) r is B [ b ; 0, X ; m, f]. By the induction hypotheses and Lemma B. Now, Theorem

46 is a special case of Lemma

C; let ~P be ,~ and apply (CR

5). D e f i n i t i o n 49. If r and r share a normal form, we write r _~ r and the normal form of r will be denoted by Ir

51

6

Strong normalizability of term-forms

The uniqueness of the normal form of any term-form can be proved similarly to Proposition 19. Here we prove the P r o p o s i t i o n 50. for some r

If r

~.,~.z r

and r -~z~'r

then r

.",~,x.-> r and r

~.z...+ r

As an immediate corollary we obtain the C o n c l u s i o n 51. The normal form of a term-form is unique.

Putting Conclusions 48 (of Section 5) and 51 together, we can conclude the T h e o r e m 52. Every term-form is strongly normalizable to a unique normal form ('in the sense of Definition 34). For the proof of the proposition, we first claim a lemma, which is parallel to Lemma 18 in Section 3. L e m m a 53. Suppose r ~r r

and r ",-+r

Then r

"-+"'+ r and r

~+-,=+r for

SO~C ~.

We can follow standard arguments. For the cases where the redex of r is itself and r contains the redex of r use Lemmas 37 and 38 in Section 4. Notice that a[j < r i ; x] and B i b ; r r ; m, f] can have at most one immediate reduct due to a-strategy and/3-strategy. Proposition 50 can be proved by induction on the sum of the steps respectively between ~b and r and between q~ and r For the bases use the lemma above. This completes the proof of strong normalizability of term-forms. Note. We can define pairing and its converses as follows. (r

r

= 0; r

7fix -- app(x ; 0),

cond[l = 1 ; r

7r2x -- app(x ; 1).

,]1,

52 7

Computational

strength

of TRM

We first comment on an immediate consequence of the normalization theorem. L e m m a 54. The normal form of any hyper-term (no free variables or variableforms) of type N is a closed 13E{c) constant. This can be easily established by induction on the construction of a hyperterm of type N, by referring to the definitons and Lemma 37 in Section 4. The system of term-forms was invented originally in [9] to interpret the system A S O D , an intuitionistic system of arithmetic with Vf (on function variables), (iterated) transfinite inductive (recursive) definitions and the bar induction applied to "admissible" formulas. Although A S O D is a specific system, it is a system of general interest and the argument in [9] goes through in a more general setting. We give a brief account of it, calling the system T R D B 1. D e f i n i t i o n 55. (1) The language E of T R D B 1 consists of BE(c), the language of Heyting arithmetic, Vf and H, a predicate constant for the transfinite recursive definition along I. (2) A formula of this language is said to be admissible if H does not occur within the scope of 3 and V. In T R D B 1 , only admissible formulas are admitted as legitimate formulas. (In A S O D , admissible formulas formed a narrower class of formulas.) (3) T R D B 1 is based on Heyting arithmetic (applied to admissible formulas) with the additional axioms and inferences below. (3.1) WF(I), the well-foundedness of I. (3.2) Introduction and elimination of Vf. (3.3) Monotone bar induction applied to pairs of formulas (R, A), where R is H- and quantifier-free and A is admissible. For R, Hyp 1 and Hyp 2 (in Section 5) are assumed to be true. (3.4) Let G(i, x, ~) be an admissible formula without H and with a designate d predicate symbol ~, where ~ does not occur in the scope of 3 and V. (Specify such a G.) Then the axiom of transfinite recursive definition T R D ( G ) stands : V i e IVx (H(i, x) - G(i, x, H[i])), where H[i] abbreviates the abstract {j, y}((j b(f). So, by r ~ Hyp 3, app(r ; f[m) ~ A(f[m) for such re. In s u c h a c a s e , / 3 [ b ; r r ; m, f]-~ app(r ; rim), and hence Bib ; r r ; m, f] ~ A(f[m). Suppose m < b ( f ) and Bib ; r r ; m + 1, f*] ~ d(f*[(m + 1)) ~ Hyp 4,

for every f* an extension of f [m. By r

app(app(r

; f[m) ; Ak~[b ; r

r

; re+l,

(fFm)*k]) ~ A(f[m).

From this and (2) of Proposition 68 follows

U[b ; r

(~4 ; ?n, f] ~ A(fFm).

Put

C(z) : V m V f ( z = f [ m D B [ b ; r

r

; m, f] ~ A ( f F m ) ) .

For R(z) and C(z), the hypotheses of the bar induction hold, and so it follows that C(zo), or/3[b ; r r ; lg(zo), zo] ~ A(zo) by an informal account of the bar induction. (c) r ~ H(i, a) if and only if r ~ G (i, a, g[i]) by definition. (d) Suppose ~b ~ d. By definition, elf~y] ~ A[f/y] for every f. (~y. r A[f/y], and hence Ay. r ~ Vyd. Suppose next, r ~ Vyd. By definition, Cf A[f/y] for every f, and in particular, for f = Itl. Other cases can be dealt with similarly. Consider as an example,

[4] B

ADB"

60 Suppose r 1 6 2

X. r 1 6 2 (AX A. r

x / Y ] ~ B holds for every r such t h a t r ~ A and appropriate ~ B implies ((AX A. r 1 6 2 ~ B. Then, by definition, ~ A D B.

The necessity of Theorem 60 in Section 7 immediately follows from this. C o r o l l a r y 70. Let Vx3yA(x, y) be a closed, 1-I~-theorem of T R D B 1 . Let P be a proof of this. Then [PI : {x}N, and A (n, I~P~nl) is true for every numeral

?'t. Just by comparing the terms obtained in [9] and here, we obtain the P r o p o s i t i o n 71. Let P be a proof in T R D B 1 .

The term-form obtained from P for the mr (modified realizability)-translation of the endformula of P and the one by the direct translation in Definition 64 are the same. (See w of Part III

in [9].)

References 1. H. P. Barendregt, The lambda calculus (North-Holland, Amsterdam, 1981). 2. Th. Coquand and G. Huet, Calculus of constructions, Information and Computation 76 (1988), 95-120. 3. J-Y. Girard, P. Taylor and Y. Lafont, Proofs and types (Cambridge University Press, Cambridge, 1989). 4. W. A. Howard and G. Kreisel, Transfinite induction and bar induction of types zero and one, and the role of continuity in intuitionistic analysis, J. Symbolic Logic 31 (1966), 325-358. 5. J. Lambek and P. J. Scott, Introduction to higher order categorical logic (Cambridge University Press, Cambridge, 1984). 6. Z. Luo, An extended calculus of constructions (Department of Computer Science, University of Edinburgh, 1990). 7. G. Takeuti and M. Yasugi, The ordinals of the systems of second order arithmetic with the provably A12-comprehension axiom and with the A12-comprehension axiom respectively, Japanese J. Math. 41 (1973), 1-67. 8. M. Yasugi, Construction principle and transfinite induction up to e0, J. Austral. Math. Soc. 32 (1982), 24-47. 9. M. Yasugi, Hyper-principle and the functional structure of ordinal diagrams, Comment. Math. Univ. St. Pauli 34 (1985), 227-263 (the opening part) ; 35 (1986), 1-37 (the concluding part). 10. M. Yasugi and S. Hayashi, Interpretations of transfinite recursion and parametric abstraction in types, Words, Languages and Combinatorics IIedited by M. Ito and H. Jurgensen (World Scientific Publ., Singapore), to appear. 11. J. I. Zucker, Iterated inductive definitions, trees and ordinals, Metamathematical investigations of intuitionistic arithmetic and analysis, ed. by A. S. Troelstra, Lecture Notes in Math. 344 (Springer-Verlag, Berlin 1973), 392-453.

T h e N o n - d e t e r m i n i s t i c Catch and T h r o w M e c h a n i s m and Its S u b j e c t R e d u c t i o n P r o p e r t y Hiroshi Nakano Department of Applied Mathematics and Informatics, Ryukoku University, Seta, Otsu, 520-21, Japan nakano@rins, ryukoku, ac. jp

Abstract. A simple programming language and its typing system is introduced to capture the catch and throw mechanism with its nondeterministic feature. The subject reduction property of the system, which compensates for the unpleasant feature of the non-determinism, is shown. 1

Introduction

The catch and throw mechanism is a programming facility for non-local exit which plays an important role when programmers handle exceptional situations. In a previous paper [4], the author showed that the c a t c h / t h r o w mechanism corresponds to a variant formulation of Genzen's LJ following the Curry-Howard isomorphism in the opposite direction, and gave a realizability interpretation of the formal system by an abstract stack machine, in which the computational behavior of the mechanism was treated by a fixed evaluation strategy, and therefore the result of evaluation was unique. However, generally, the c a t c h / t h r o w mechanism introduces a non-determinism to evaluation processes, that is, the result of evaluation depends on the evaluation strategy. For example, let M be a t e r m defined by M = c a t c h u ((), x. )~y. 1 ) ( t h r o w u 2 ) ( t h r o w u 3)). There are three possible results for the evaluation of M depending on the evaluation strategy. In this paper, we first extend the language to capture the non-deterministic feature of the c a t c h / t h r o w mechanism, and introduce its typing system. We next show the subject reduction property of the system.

2

A programming

language

with

catch/throw

We first introduce a programming language based on A-calculus. The language has the catch and throw mechanism.

62 2.1

Syntax

Constants and variables. We first assume the following disjoint sets of individual constants, individual variables and tag variables are given. Ci Vi Vt

A set of individual constants c, d , . . . . A countably infinite set of individual variables x, y, z , . . . . A countably infinite set of tag variables u, v, w , . . . .

Tag variables are called tags.

Terms. The set of terms E is defined as follows: E ::=

Ci

1 V/ I c a t c h V t E

I AV~.E I <E, E>

[ injlE

I EE

] throwVtE

[ ~Vt.E

[ proJlE

[ inj2E

[ EVt

[ proj2E

[ caseEV~.EV~.E.

Example 1. )~x. c a s e x y.(inj 2 y) z.(inj I z) c a t c h u ((av. p r o j l <x, t h r o w v y > ) u ) We use M, N , . . . to denote terms. The terms n Vt. E and E Vt are used to denote a tag-abstraction and a tag-instantiation, respectively, c.f. [4]. Free and bound occurrences of variables are defined in the standard manner. We regard a tag variable u as bound in c a t c h u M and n u. M. We also define alphaconvertibility in the standard manner where we admit renaming of bound tag variable as well as bound individual variables. Hereafter, we treat terms modulo this alpha-convertibility. A term M so represents an equivalence class of terms which are alpha-convertible to M. We denote the set of individual and tag variables occurring freely in M by F I V ( M ) and F T V ( M ) , respectively. D e f i n i t i o n 1 ( S u b s t i t u t i o n ) . Let M, N s , . . . , N,~ be terms, and let x l , . . . , x ~ be individual variables. We use M[N1/xs,..., Nn/x~] to denote the term obtained from M by replacing all free occurrences of x l , . . . , x~ by N s , . . . , N,~, respectively. M[vl ~us,..., v~/u,~] is defined similarly, where u s , . . . , un and v l , . . . , vn are tag variables.

2.2

Operational semantics

Now we define an operational semantics of the language by a set of reduction rules on terms. The non-deterministic feature of the catch/throw mechanism is introduced by the following rule. D e f i n i t i o n 2 (~i-~). A relation ~7' on terms is defined as follows: M [ t h r o w u Nix] ~i+ t h r o w u N

(x E F I V ( M ) , x # M).

63

Example 2. < i n j 1 ( t h r o w u M), t h r o w v N > ~ t h r o w u M < i n j 1 ( t h r o w u M), t h r o w v N > ~ t h r o w v N throw u M ~ throw u M case z x . ( t h r o w u x) y.y ~i* t h r o w u x c a t c h u ( t h r o w u M) ~ t h r o w u M c a t c h v ( t h r o w u (Mv)) ~i~ t h r o w u (Mv)

The rest is defined by the following rules. Definition 3 (~).

A relation Hn on terms is defined as follows:

c a t c h u M Hn M c a t c h u ( t h r o w u M) ~ M

M)N

(u r F T V ( M ) ) (u ~ F T V ( M ) )

M[N/x]

(au. M) v ~n M[V/U] projl <M, p r o j2 < M , case ( i n j l L) x.M c a s e (inj2 L) x.M

N > ~-~ M n N > ~n N

y.N ~n M[L/x] y . g ~ NIL/Y]

D e f i n i t i o n 4 ( R e d u c t i o n r u l e s ) . We define a relation, denoted by ~+, by the union of ~ and ~n, that is,

M ~-+ N

iff

M ~-~ N or M H

D e f i n i t i o n 5 (--~). We define a relation, denoted by --% as follows: M -+ N if and only if N is obtained from M by replacing an occurrence of M I in M by N I such that M ~ ~-* N ~. Let 2+ be the transitive and reflexive closure of the relation ---~.

Example3. Let 1, 2 and 3 be distinct individual constants, and let M be as M = c a t c h u ((s

1) ( t h r o w u 2) ( t h r o w u 3)).

M --* c a t c h u ((s

1 ) ( t h r o w u 3)) --~ c a t c h u 1 -+ 1

M -+ c a t c h u ( t h r o w u 2) --~ 2 M -* c a t c h u ( t h r o w u 3) --~ 3

3

A typing

system

We now introduce a typing system for the programming language.

64 3.1

Syntax of typing judgements

Type expressions. Type expressions of our typing system consist of atomic types, conjunctions (A A B), disjunctions (A V B), implications (A D B) and exceptions (A < B). The last one is introduced to handle the catch/throw mechanism and represents another kind of disjunction (c.f. [4]). Individual contexts. An individual context is a finite mapping which assigns a type expression to each individual variable in its domain. We u s e / ' , / ' ~ , . . , to denote individual contexts, and denote the domain of an individual context/~ by Dora(F). Let A1,. 9 An be type expressions, and x l , . . 9 Xn individual variables such that if x~ = xy then A / = Aj for any i and j. We use {xl : A 1 , . . . , xn : An} to denote an individual context whose domain is { X l , . . . , xn} and which assigns A~ to xi for each i. Tag contexts. A tag context is a finite mapping which assigns a pair of a type expression and a set of individual variables to each tag variable in its domain. We use A , A ~ , . . . to denote tag contexts. Let U l , . . . ,un be tag variables. Let B 1 , . . . , Bn be type expressions, and let V1,..., Vn be sets of individual variables such that if ui = uj then B/ = By and Vi = ~ for any i and j. We use {Ul : BY1,..., un : B y'~ } to denote a tag context whose domain is { u l , . . . , un} and which assigns the pair (Bi,V~) to ui for each i. We denote the first and the second components of A(u) by At(u) and AV(u), respectively. For example, At(ui) Bi and A~(ui) = V/ if A = {ul : B ~ I , . . . ,?-tn :BnV"}. =

D e f i n i t i o n 6 ( C o m p a t i b l e c o n t e x t s ) . Let F and F ' be individual contexts. F is compatible with F ' if and only if F(x) = F'(x) for any individual variable x E Dom(F) N Dom(F'). We denote this by F II F'. Note that F U F ' is also an individual context i f / " II F~ is. The compatibility of tag contexts is also defined as follows: A is compatible with A' if and only if At(u) = An(u) for any individual variable u C Dom(A) n Dom(A'). We denote this by A I[ A/. When A and A' are compatible, we define a new tag context A [2 A' as follows.

A~(u) U A'V(u))

((At(u), (A U A')(u) = { A!u) ( A (u)

if u e Dora(A) A Dom(A') if u e Dora(A) and u r Dom(A') if u • Dora(A) and u E Dom(A')

Note that Dom( A U A') = Dom( A ) U Dom( A'). D e f i n i t i o n T . Let A be as A = { U l : B Y l , . . . , u n : B nv. }, and let u and v be tag variables. If {u,v} C Dom(A) implies At(u) = At(v), then we define a tag context A[v/u] as follows. =

:

B[',...,

: Bh"}.

We define Fly~x] similarly for an individual context F and individual variables x and y.

65 D e f i n i t i o n 8. Let V be a set of individual variables. We define a tag context A[V/{x}] as follows. Dom(a[W{x}]) = Dora(a) = at( )

(AV(u)-{x})UV A[V/{x}]~(u) = [ A~(u)

if x 9 AV(u) otherwise

Typing judgement. Let F and A be an individual context and a tag context, respectively, such that A~(u) C Dom(F) for any u E Dora(A). Let M be a term, and C a type expression. Typing judgements have the following form. F~- M:C; A T h e intended meaning of a typing judgement {xl : A1,.. 9 x,~ : A,~} t- M : C ; {ul : BY1,. 99 u,~ : B ~ ' } is roughly that when we execute the program M supplying values of the types A1 9.. A,~ for the corresponding fl'ee variables Xl, 9 9 x,~ of M , it normally reduces to a value of the type C, otherwise the program throws a value of By with a tag uj for some j (1 G j G n), and the thrown value depends on only the individual variables which belong to ~ . 3.2

Lc/t

We denote the typing system by Lc/t, which can be considered as a naturaldeduction-style reformulation of the logical system presented in [4]. We can see a more direct correspondence between proofs and programs in L~/t. Definition9 rules.

(Typing rules).

Lc/t is defined by the following set of typing

F U { x : A } E x : A ; A (vat)

FkM:A; A U { u : A v} (catch) FF-catchuM:A; A

Fxt-M E;A Fi U F.2 ~- t h r o w u M : A; A U {u: E u~

F U { x : A } k M:B; A F t - A x . M : A D B ; A (D-I)

}

(throw)

(x([ A~(u) for a n y u E D o m ( A ) )

Fl t - M : A D B ; A1 F2k-N:A; A2 FxUF2~-MN:B; AxUAe (D-E) I"H M:A; A U { u : E V} F F - ~ u . M : A d E ; A (d-I)

I"l t - M : A d E ; A F1UF2t-Mu:A; A U { u : E D~

66

F l i - M : A ; A 1 /"2F-N:B; A2 /"1 U ]"2 ~- < M , N > : A A B ; A~ U A2 (A-I) F}-M:AAB; A /" F- p r o j l M : A ; A (A1-E) F~- M : A ; A F~-inJl M : A V B ; A (Vl-I)

F~-M:AAB; A F ~- p r o j 2 M : B ; A (A~-E) Fb M:B; A F i - i n j 2 M : A V B ; A (V2-I)

F l t - L : A V B ; A1 I " 2 U { x : A } } - M : C ; A2 / " 3 U { y : B } F - N : C ; A3 /"1 U I'2 U/"3 t- case L x.M y.N :C ; (V-E) A1 U A2[Dom(F1)/{x}] U A3[Dom(F1)/{y}] The side condition for (D-I) is necessary to keep the system constructive. Note that the following inference rule of [4] corresponds to (D-I) of L~/t.

FA~B; F---* A D B ;

(~D)

A natural translation of this rule into Lc/t would be as follows.

Fu{x:A}eM:B; Fi-Ax.M:ADB;

{} (D-I)' {}

As a logic, (D-I)' is equivalent to (D-I) of Definition 9, but is too restrictive with respect to the variation of proofs, i.e., typed programs. For example, the following typing judgement, which is derivable in Lc/t, would not be derivable if we replaced (D-I) by (D-I)'. {} ~- c a t c h u (Ax. t h r o w u ( A y . y ) ) : A D A ; {} Moreover, the language would not have a subject reduction property, because {} t- c a t c h u ((A z. A x. z) ( t h r o w u (A y. y))): A D A ; {} would be still derivable, but c a t c h u ((A z. A x. z ) ( t h r o w u (A y. y))) --~ c a t c h u (A x. t h r o w u (A y. y)). This is the reason why we maintain the set of the relevant individual variables to each tag in tag contexts of typing judgements. The following example of a derivation shows that the programming language does not have Church-Rosser property even if we consider only the well-typed terms. Let M be the term Ax. )~f. c a t c h u (()~y.x)(throw u (fx))). The welltyped term M has two normal forms as follows. M --* )~x. )~f. c a t c h u ( t h r o w u ( f x)) --* A x. A f. f x M ~ Ax.)~f. c a t c h u x ~ )~x.)~f.x

67 Example 4. Let F be as F = {x : A, f : A D A}. Fk f:ADA;

{} (var) F F - x : A ; F F- f x : A ; {}

(vat) {} (D-E)

(var) { y : B } k x : A ; {} (D-I) (throw) {}b)~y.x:BDA; {} rkthrowu(fx):B; { u : A {x'l}} F F- ( ) ~ y . x ) ( t h r o w u ( f x ) ) : A ; {u:A{ x'/}} (D-E) _F k c a t c h u ( ( )~y. x ) ( t h r o w u ( f x ) ) ) : A ; {} (catch)

{x: A} k/k f. c a t c h u ((), y. x) ( t h r o w u (f x))): ( d D A) D d ; {} (D-I) {} k A x. A f. c a t c h u ((,k y. x) ( t h r o w u (f x))): A D (A D A) D A ; {} (D-I) 3.3

Basic p r o p e r t i e s of /holt

In this subsection, we presents a some basic properties of the system ~s a preparation for proving the subject reduction property of Lc/t. P r o p o s i t i o n 10. If F k M : C ; A is derivable, then F I V ( M )

C Dora(F) and

FTV(M) c Dora(A). Proof. By induction on the derivation o f / ' F- M : C ; A.

[]

D e f i n i t i o n 11. Let A and A' be tag contexts. We define a relation A E A' as follows. The relation A E A' holds if and only if -

II A ' ,

- D o r a ( A ) C D o m ( A ' ) , and - AV(u) C A'V(u) for any u C D o m ( A ) .

Note that A E (A U A') if A II A'. D e f i n i t i o n 12. Let d be a natural number. We say a typing judgement is dderivable if there exists a derivation of the judgement whose depth is less than or equal to d. P r o p o s i t i o n 13. Let d be a natural number, and let 1" F- M : C ; A be a dderivable typing judgement. 1. If 1" C F 1 and A K a t , then F t F- M : C ; A ~ is also d-derivable. 2. If Fly~x] is well defined, then Fly~x] ~- M [ y / x ] : C; A [ { y } / { x } ] is also dderivable. 3. If A[v/u] is well defined, then 1" ~- M[v/u] : C; A[v/u] is also d-derivable. Proof. By simultaneous inductions on d.

P r o p o s i t i o n 14. Let x and u be as x f[ F I V ( M )

[] and u r F T V ( M ) .

1. If F U { x : A } F- M : C ; A is derivable, then F k M : C ; A is also derivable. 2. If F k M : C ; A U {u : E v } is derivable, then F k M : C ; A is also derivable.

68

Proof. Straightforward induction on the derivations.

[]

P r o p o s i t i o n 15. Let M be term, and let u be a tag variable. If F F- t h r o w u M : C ; A is derivable, then F ~- t h r o w u M : A ; A is also derivable for any type A.

Proof. Since F F t h r o w u M : C ; A is derivable, so is F F M : E ; A ~ for some E and A' such that A = A'U{u :ED~ Therefore, we can derive F F t h r o w u M : A ; A for any A by (throw). [] P r o p o s i t i o n 16 ( S u b s t i t u t i o n ) . Let F1, 1"2, A1 and A2 be as 1"1 II 1"2 and A1 ]1 A2. If 1"1 ~- N : A ; A1 and F2 U { x : A } F M : C ; A2 are derivable, then 1"1 U 1"2 F M[N/x] : C ; A1 U A 2 [ D o m ( r l ) / { x } ] is also derivable.

Proof. By induction on the depth of the derivation of F2 U {x : A} F- M : C ; A2. Suppose that Q ~- N : A ; A1 and 1"2 U { x : A } ~- M : C ; A2 are derivable. By cases on the last rule used in the derivation of I"2 U {x : A} F M : C ; A2. Case 1: The last rule is (vat). T h a t is, M = y for some individual variable y such that { y : C } C F2 U {x:A}. If M = x, then we can derive F1 U 1"2 F M[N/x]: C ; A1UA2 [Dom(F1)/{x}] by applying Proposition 13 to the derivation of/"1 F N : A ; A1 since M[N/x] = N and C = A in this case. If M # x, then we can derive it by (var) since M[N/x] = y and {y: C} C 1"2 in this case. Case 2: The last rule is (catch). In this case, M = c a t c h u M ' and the following judgement is derivable for some u, V and M ' . F2U{x:A}F

M ' : C ; A 2 U { u : C V}

We can assume that u ff Dom(A1) by Proposition 13. By the induction hypothesis, we have a derivation of

1"1 U 1"2 F M'[N/x]: C; A1 U (A2 kl {u: c Y } ) [ D o m ( r l ) / { x } ] .

(1)

Since u ff D o m ( A 1 ) , we get M[N/x] = c a t c h u (M'[N/x]). By applying (catch) to (1), we get/"1 U/"2 F M[N/x]: C; A1 U A2[Dom(F1)/{x}].

Case 3: The last rule is (throw). In this case, M = t h r o w u M ' and the following judgement is derivable for some u, M ' , E, F~ and A such that F~ C /"2 U {x : A} and A2 = A U {u : ED~ F~ F - M ' : E ; A Let F be as F = F~ - {x :A}. Note that F C F2 and F~ C F U {x : A}. Therefore, by Proposition 13,

FU{x:A}F

M':E;

A.

By the induction hypothesis, we have a derivation of

1"1 U F F- M'[N/x] : E ; A1 U A[Dom(F1)/{x}].

69

Since M[N/x] = t h r o w u (M'[N/x]), by applying (throw),

1"1 O F [- M[N/x]: C;

A 1

U A[Dom(&)/{x}] U {u:

ED~176

Since F C/"2, by Proposition 13 again,

1"1 O I"2 ~- M[N/x] : C; Z~l kJ z~[Do~Tt(~l)/{x}] U {~t :ED~ Note that A[Dom(F1)/{x}] U {u" E D~ A 2 = A U {u :E D~ } and x ~ Dora(F).

= A2[Dom(F1)/{x}] because

Case4: The last rule is ( D - / ) . I n t h i s c a s e M = A y . M t, C = C1DC2 and the following judgement is derivable for some y, C1, C2 and M' such that y r A~(u) for any u E Dora(A2). F 2 U { x : A } U { y : C 1 } F - M ' : C 2 ; A2 We can assume that y r Dora(F1) by Proposition 13, and get M'[N/x] A y. (M[N/x]). By the induction hypothesis, we have a derivation of

FIUI~,2U{y:C,}~-M'[N/x]:CB; A1u~2[Dom(l"l)/{x}].

=

(2)

Since y r A~(u) for any u E Dora(A2) and y r Dorn(F1), we get y ~ (A1 U A2[Dom(Fi)/{x}])~(u) for any u e Dora(A1 U A2[Dom(F1)/{x}]). Therefore we can derive I"1 UF,2 P A y . (M'[N/x]): Cg; A1 UA2[Dom(F1)/{x}] by applying

( > D to (2). Case 5: The last rule is one of others. Similar.

4

The

subject

reduction

property

[]

o f Lc/t

As mentioned in Section 3.2, the language does not have Church-Rosser property even if we consider only the well-typed terms. However, it has the subject reduction property, which compensates for this unpleasant feature. In this section, we show the subject reduction property of Lc/t. L e m m a 1 7 . If F ~- M : C ; A is derivable and M ~i+ t h r o w v N, then F ~t h r o w v N : C ; A is also derivable.

Pwof. By induction on the depth of the derivation of F b M : C ; A. Suppose that F ~- M : C ; A is derivable and M ~ t h r o w v N. By Proposition 15, it is enough to show that F ~- t h r o w v N : C' ; A is derivable for some C'. By cases according to the last rules used in the derivation. Case 1: The last rule is (vat). This is impossible because M ~+ t h r o w v N.

70

Case 2: The last rule is (catch). M = c a t c h u M ~ and the following j u d g e m e n t is derivable for some u, V and M '. F F M ' : C ; A U { u : C V}

(3)

We can assume t h a t u f[ F T V ( t h r o w v N ) by P r o p o s i t i o n 13, and get M ~ = t h r o w v N or M t ~-* t h r o w v N from M ~-~ t h r o w v N . Therefore, from (3) or the induction hypothesis on (3),

Fb throwv N:C; AU{u:CV}. We get F F t h r o w v N : C ; A by Proposition 14 since u f[ F T V ( t h r o w v N).

Case 3: The last rule is (throw). In this case, M = t h r o w u M ~ and the following j u d g e m e n t is derivable for some u, M ~, E , F t and A t such t h a t F ~ C / ~ and A = A ' U {u:ED~ F ' I- M I : E ; A I

(4)

We get M ~ = t h r o w v N or M ~ ~ t h r o w v N from M ~ Therefore, from (4) or the induction hypothesis on (4), F 'FthrowvN:E;

throw

v N.

W.

We get F F t h r o w v N : E ; A by Proposition 13 since F t C F and A ~ E A.

Case 4: The last rule is (~-I). M = A x . M ' , C = Cz DC2 and the following j u d g e m e n t is derivable for some x, C1, C2 and M ' such t h a t x r A~(u) for any u E Dam(A). FU {x:C1} b M':C2;

A

(5)

We can assume t h a t x • F I V ( t h r o w v N ) by Proposition 13, and get M ~ = t h r o w v N or M ' ~+ t h r o w v N from M ~ t h r o w v N . Therefore, from (5) or the induction hypothesis on (5),

F U { x : C 1 } F t h r o w v N : C 2 ; A. We get F F t h r o w v N : C2 ; A by P r o p o s i t i o n 14 since x f[ F I V ( t h r o w v N).

Case 5: The last rule is one of others. Similar to Case 2 and Case 3. Lemma18.

[]

If l"~ M : C ; A is derivable and M ~n N , then F F N : C ; A is

also derivable. Proof. B y induction on the depth of the derivation o f / " F M : C ; A.

[] Suppose t h a t F F M : C ; A is derivable and M ~ N . By cases according to the form of M .

Case 1: M = c a t c h u N and u f[ F T V ( N ). In this c a s e , s F N : C ; AU{ u : C V} is derivable for some V. We get /" F N : C ; A by P r o p o s i t i o n 14 since u FTV(N).

71

Case 2: M = c a t c h u ( t h r o w u N ) and u f~ F T V ( N ) . The following judgement is derivable for some V, F' and A' such that F' C 1" and A U {u : C v } =

A I L] {u:CD~ F' ~ N : C ;

A'

Since P ' C 1" and A' U A U { u : c V } , 1" f- N : C ; A U { u : C V} is derivable by Proposition 13. Therefore, F ~- N : C ; A is also derivable by Proposition 14 since u (~ F T V ( N ) .

Case 3: M = (Ax. M i ) M 2 and N = Ml[M2/x] for some x, Mi and M2. The following two judgements are derivable for some A and x ~ A ~ (u) for any u 6 Dom(A). FU{y:A}f-MI:C;

A

(6)

Ft- M2:A; A

(7)

We get 1" ~- M I [ M 2 / x ] : C ; A [ D o m ( F ) / { x } ] from (6) and (7) by L e m m a 16, where J [ D o m ( P ) / { x } ] = A since x ([ AV(u) for any u E D o m ( A ) .

Case 4: M = (a u. M') v and N = M'[v/u] for some u, v and M ' . The following judgement is derivable for some E, F', A' and V such that F ' C F and A = A' U {v : ED~ F' ~ M ' : C ; A' U { u : E V} Since A' ]l {v: ED~ F' ~ M'[v/u] : C ; A'[v/u] U { v : E v } is derivable by Proposition 13. Since F' C F, by Proposition 13 again,

r ~ M ' [ v / u ] : C ; ~'[v/u] u { v : E V } . Since V C Dom(F'), u

v} E

u {v:E

a'u

:

= a.

Therefore, F H M ' [ v / u ] : C ; A is derivable by Proposition 13.

Case 5: M = proj{ <M1, M2> and N = Mi for some i (i = 1, 2). Similar. Case 6: M = c a s e (injiMo) xl.M1 x2.Ma and N = M~[Mo/x~] for some i (i = 1,2). Similar. []

If I" f- M : C ; A is derivable and M ~-~ N , then 1" F- N : C ; A is also derivable.

Lemma19.

Pro@ Straightforward from L e m m a 17 and L e m m a 18. If 1" F- M : C ; A is derivable and M N , then 1" F- N : C ; A is also derivable.

T h e o r e m 20 ( S u b j e c t r e d u c t i o n ) .

[]

72 Proof. By induction on the depth of the derivation of F ~- M : C ; A. Suppose t h a t F F- M : C ; A is derivable and M ~ N. If M ~ N , then trivial by L e m m a 19. Therefore we can assume that M --* N and M ~/+ N. By cases according to the last rules used in the derivation. A typical one is the case t h a t the last rule is (throw). In this case, M = t h r o w u M ~ and FI~-MI:E;

AI

is derivable for some u, M t, E, F t and A t such that F t C F and A = A t U {u:ED~ Since M --* N and M ~z. N , M ' --* N J and N = t h r o w u N ' for some N q T h e r e f o r e , / ~ ~- N ~ : E ; A ~ is derivable by the induction hypothesis. We get F b t h r o w u N ~: E ; A by applying (throw). The proofs for other cases are just similar. []

5

Concluding remarks

We have presented a programming language and its typing system which capture the non-deterministic feature of the c a t c h / t h r o w mechanism. We have shown that the system has subject reduction property, which compensates for the unpleasant feature of the non-determinism. There remain some problems which should be considered. Two major ones are (1) semantics, especially realizability interpretations, of typing judgements, and (2) normalizability, especially strong normalizability, of well-typed terms. The subject reduction property is good news concerning these problems, but both are still open.

References 1. M. Felleisen, D. Friedman, E. Kohlbecker, and B. Duba, A syntactic theory of sequential control, Theoretical Computer Science 52(1987) 205-237. 2. T. G. Griffin, A formulae-as-types notion of control, Conf. Rec. ACM Symp. on Principles of Programming Languages (1990) 47-58. 3. C. R. Murthy, An evaluation semantics for classical proofs, Proc. the 6th Annum IEEE Symp. on Logic in Computer Science (1991) 96-107. 4. H. Nakano, A Constructive Formalization of the Catch and Throw Mechanism, Proc. the 7th Annual IEEE Symp. on Logic in Computer Science (1992)82-89. 5. G. D. Plotkin, Call-by-name, call-by-value and the A-calculus, Theoretical Computer Science 1(1975) 125-159.

Conservativeness

of A over

Act-calculus

Masahiko Sato and Yukiyoshi K a m e y a m a Research Institute of ElectricM Communication Tohoku University, SendM 980, Japan

[email protected] [email protected]

A b s t r a c t . A is a unique functional programming language which has

the facility of the encapsulated assignment , without losing referential transparency. The let-construct in A can be considered as an environment, which has a close relationship to substitution in Act-calculus. This paper discusses the relationship between these two calculi; we first define a slightly modified version of A-cMculus which adopts de Bruijn's index notation. We then define an injective map froin Act-calculus to A, and show that the Beta-reduction and the ~-reductions in Act-calculus correspond to the/~-reduction and let-reductions in A-calculus, respectively. Finally, we prove that, as equality theories, A is conservative over the Act-calculus.

1

Introduction

A is a unique functional programming language which has the facility of the encapsulated assignment, without losing referential transparency [4]. We can assign a value to a variable in a similar way with imperative languages. By this facility, A programs can be quite efficient compared with programs written in ordinary functional languages. In spite of the existence of assignment, A does not lose mathematically good features. Namely, it has a clear semantics, and it is referentially transparent in the sense that the equality is preserved through substitution. (See [4] for details.) We believe that A is a good starting point of treating assignment in a mathematically well-founded manner. In A-calculus, the l e t - c o n s t r u c t plays a fundamental role. The evaluation of the l e t - c o n s t r u c t ( l e t ( ( x a)) b) can be naturally considered as evaluating b under the environment x = a. This concept of environment is closely related to the substitution in Au-calculus in [1]. Au-calculus is an extension of A-calculus where substitution has its own syntax, and explicitly described. Au-calculus is well founded, since it is conservative over A-calculus. This paper discusses the relationship between A-calculus and Au-calculus. First, we define a slightly modified version of A-calculus. The version we present in this paper adopts de Bruijn's index notation, and has a slightly extended l e t reductions. Next, we define an injection q5 from Act-calculus to A-calculus. Then we show that the Beta-reduction and the a-reductions in Aa-calculus correspond to the/3-reduction and let-reductions in A-calculus. Finally, we prove that, as

74 equality theories, A is conservative over Aa-calculus; namely, we have that s = t in Aa-calculus if and only if ~(s) = r in A. In the following, we use meta-variables t, s, u for Aa-terms, 8, r X for Aasubstitutions, a, b, c for A-terms, n, m for natural numbers.

2

,kit-calculus w i t h de Bruijn index

We quote the untyped Act-calculus in de Bruijn's index notation from [1]. We assume that readers are familiar with de Bruijn's notation and ha-calculus. See also [1] and [3]. D e f i n i t i o n I ( T e r m t a n d S u b s t i t u t i o n 8).

t ::: 1 I tul At I t [8] 8::=idl t It.818or

In de Bruijn's notation, all the bound variables disappear if they are just after A, or otherwise replaced by indices 1, 2, .-.. The indices represents the number of A-binders between the occurrence of the bound variable and the Abinder which actually binds this occurrence. For example, the term Ax.Ay.xy will be represented by ~(A(21)) in this notation. The term 1 represents the first index. An index larger than 1 is represented by 1 and T. The terms tu and At are as usual, except that there appears no bound variable after A. The term t [8] is the term t to which the substitution 8 is applied. Each substitution intuitively represents a simultaneous substitution for indices. The substitution i d is the identity. The substitution T is the "shift" operator, which substitutes n + 1 for each index n. The substitution t- 8 is "cons" of a term t and a substitution 8, which intuitively represents the substitution {1 := t, 2 := s l , 3 := s~,...} where 8 means {1 := s l , 2 := s2,.-.} Finally, 8 o r is the composition of two substitutions.

Definition 2 ( C o n t e x t C). C ::= () ] Ct ] tO] AC I C[8] J t[O]

o::=(> IC.81t.e I eoSISoe A context C has just one hole (). To emphasize it, we sometimes use the notation C ( ) . We may replace the hole with a term t or a substitution 8 in a context C ( ) , which is denoted as C(t) or C(8).

Definition 3 (1-step r e d u c t i o n - . ) .

Beta VarID

(At)s ---+t [s. id] 1 [id] ---* i

75 VarCons App Abs Clos IdL Shiftld Shi ftCons Map Ass

1 [t 9O] --* t (ts)[O] --+ (t[O])(s[O]) (At) [e] --+ A(t El. (eo T)] ) t [0] [r

~ t [0 o r

i d o 0 --* 0 T o id ---+~ T o (t . O) --+ 0 ( t . O) o X --+ t [X] 9 (0 o X) (0 0 r o X ~ 0 o (r o X)

Rules other than B e t a are called a-rules. Reduction relations for the B e t a rule and the a-rules are written as --+B and - % . B e t a - r e d u c t i o n corresponds to the usual 3-reduction in A-calculus, but it does not actually perfom the substitution. It merely adds a new substitution s 9 id to the term t. This substitution will be later resolved by a-reductions.

Definition 4 (Reduction --~). The relation ~

is the least relation satisfying

the following conditions: 1. ~ is reflexive and transitive. 2. t --+ s implies C(t} --++C(s}. 3. 0 --+ r implies C(O} ~ C{r The equality = is the equivalence relation induced by --~.

T h e o r e m 5 ( A b a d i e t al). The a-reduction is confluent and terminating. The whole An-calculus is confluent. The a-normal form of a An-term t is written as a(t). 3

3.1

A-calculus

and

pier-calculus

The Functional Programming Language A

A is a type-fl'ee functional programming language which has the facility of the encapsulated assignment. We can assign a value to a variable in a similar way with imperative languages. In spite of the existence of assignment, A does not lose mathematically good features. Namely, it has a clear semantics by ChurchRosser Theorem, and it is referentially transparent in the sense that the equality is preserved through substitution. In this paper, we reinforce this viewpoint by the fact that A is a conservative extension of An-calculus. The terms in A~-caleulus can be naturally translated into A, however, it is not clear t h a t the equality is preserved through this translation, since the introduction of assignment to A forces us to fix evaluation order to some extent while An-calculus allows strong reductions, which may reduce subterins inside A, in an arbitrary context. Therefore, conservativeness of A is an interesting problem.

76 3.2

Modification to A-calculus

This paper adopts a modified version of A-calculus. In this version, we use de Bruijn's index notation rather than using variable names. Therefore, a variable is represented as a natural number. Another modification is essential. Consider the following equation (taken from [4]): (let

((x t))

( a p p l y a b))

= (apply (let

( ( x t ) ) a) ( l e t

( ( x t ) ) b))

In this example, t, a, and b represent some terms in A-calculus. In a natural translation from Aa-calculus, this equation is expected to hold in any context. If t does not have assignable variables, the equation (without any context) holds. However, this equation does not hold in an arbitrary context. Consider the following (incorrect) equation: (lambda (y)

(let

((x y))

(apply a b)))

= (lambda (y) ( a p p l y ( l e t

( ( x y ) ) a)

(let

((x y)) b)))

In the original A-calculus, we have no way to evaluate the subterm ( l e t ( ( x y ) ) ( a p p l y a b)), since y is not closed. From the Church-Rosser P r o p e r t y of the original A-calculus, we can show that the equation above does not hold, which means the original calculus is not conservative over Ac~-calculns under a natural translation. Similarly, the original A-calculus is not conservative over the pure A-calculus; two equal A-terms Ay.(Ax.xx)y and Ay.yy are translated into two A-terms which are not equal 1. This example motivates our modification. We allow reductions of a term ( l e t ( ( x t) a ) , not only in the case that t is closed (and a is arbitrary), but also in the case that t and a are read-only. A read-only term is a term which does not have side-effect. Note that a read-only term a may contain assignment even if a has assignment; in this case, every variable in the assignment must be bound by l e t - c o n s t r u c t or lambda-construct in a. By extending l e t - r e d u c t i o n in this way, we can reduce, for example, the term like:

(lambda (y) (let ((x y)) (apply a b))) -~ (lambda (y) (apply ax[y] bx[y])) where a~[y] means the usual substitution if a and b are read-only. We can show that the resulting calculus still satisfies the Church-Rosser Property, and has the referential transparency. We simply call this modified version A, and use the term the "original" version if we mention A in [4]. 1 It follows that Theorem 4.6 in [4] also needs modification in the definition of A.

77 3.3

Definition of A-calculus

The set of N - t e r m s is defined for each natural number N as follows. D e f i n i t i o n 6 ( T e r m aN o f A-calculus). aN::=n

i f n >_ 1 (set ! n a N )

if n < N (let ( ( a N ) ) bN+l) ( w h i l e aN bN CN) ( i f aN bN CN) nil

(null? aN) ( p a i r aN bN) ( p a i r ? aN) ( c a r aN) (cdr aN) (lambda () a 1) ( f u n ? aN) ( a p p l y aN bN)

(mu aN) Intuitively, an N - t e r m aN is a term whose assignable variables are less than or equal to N. We often call an N - t e r m a term simply. The term ( s e t ! n aN) represents assignment for the variable n to the value aN. In order to keep referential transparency, we restrict the assignable variables to be bound by a l e t - c o n s t r u c t or a lambda-construct. Term constructs such as while, i f , n i l , p a i r , c a r , cdr, lambda, and a p p l y have usual meaning. Terms such as ( n u l l ? a) are predicates which decide whether a is n i l or not, and return t r u e or f a l s e . The term (mu a) is t h e / t - o p e r a t o r which invokes a recursive call. A t e r m which is constructed from variables, lambda-construct, apply-construct, and l e t - c o n s t r u c t is called a pure term. The terms n i l , ( p a i r aN bN), and (lambda () aN) are called constructor terms, and the terms ( n u l l ? aN), ( p a i r ? aN), and ( f u n ? aN) are called recognizer terms. We also say that n i l and ( n u l l ? aN) are of the same kind. Likewise, ( p a i r aN bN) and ( p a i r ? a N ) , are of the same kind, and (lambda () aN) and ( f u n ? aN) are of the same kind. Other combinations of pairs of these terms are of the different kind. T h e reduction rules of A-calculus are listed in the Appendix. The confluency of the original A-calculus is proved in [4], and the confluency of this version is proved similarly. The equality in A-calculus is the least equivalence relation which contains -~. Instead of explaining the reductions rules in detail, we give a simple example here. Readers are encouraged to read [4] for thorough understanding of the original A-calculus.

78

Example i (Reduction in A). Let t be the following term. (lambda () (apply (apply (lambda () (lambda () (pair I (pair 2 3)))) I) nil) ) If we use the notation with variable names, t is written as follows:

(lambda (x) (apply (apply (lambda (y) (lambda (z) (pair z (pair y x)))) x) nil) ) The following sequence is a reduction sequence starting from t. t

---+ (by Rule 12)

(lambda () (apply (let ((i)) (lambda () (pair 1 (pair 2 3)))) nil)) -+ (by Rule 17) (lambda () (apply (let ( ( 1 ) ) (lambda () ( p a i r 1 ( p a i r 3 3 ) ) ) )

nil) ) -~ (by Rule 16) (lambda () (apply (lambda () (pair 1 (pair 2 2))) nil) ) -~ (by Rule 12) (lambda () (let ((nil)) (pair i (pair 2 2))))

z9 -+ (by Rule 17) (lambda ()

(let ((nil)) (pair nil (pair 2 2)))) --+ (by Rule 16) (lambda () (pair nil (pair i I))) In this paper, we are mainly concerned with the fragment of A-calculus consisting of pure terms, which are sumcient for the translation from Ao--calculus. The fragment is called the pure-fragment The pure-fragment is closed under reduction. In the translation given later, we will need an intermediate calculus, which we temporarily call plet-calculus (parallel-let calculus). Definition 7 (Term a of plet-calculus). a::=n

ifn

> 1

I (let ( ( a l )

(a2) "-" (ak)) b)

I (lambda () a) I ( a p p l y a b) Since plet-calculus is solely used for the translation, we do not define reduction rules for it.

4

4.1

T r a n s l a t i o n of A~r-calculus into t h e p u r e - f r a g m e n t of A-calculus T r a n s l a t i o n o f Act-calculus i n t o p i e r - c a l c u l u s

This section presents a translation from A~-terms to p l e t - t e r m s . We begin with an auxiliary definition. D e f i n i t i o n 8 ( D e g r e e (~(a)). For each p l e t - t e r m a, its degree ~(a) is a natural number defined as follows:

=n

ifn>_l

5((let ( ( a l ) " " (a~)) b)) A m a x ( 5 ( a l ) , . - . , 5 ( a k ) , 5 ( b )

-- k)

5((lambda () a)) __Am a x ( 1 , 5 ( a ) - 1) ~ ( ( a p p l y a b)) A__m a x ( 5 ( a ) , 5(5)) Intuitively, 5(a) is the maximum index of free variables in a. If a does not have free variables, 5(a) is defined to be 1 rather than 0.

8O D e f i n i t i o n 9 ( T r a n s l a t i o n tt). For each I n - t e r m t, a p i e r - t e r m a is defined as follows:

= 1

(ts)* ~= ( a p p l y t t s t) (,~t) t ~ (lambda () t t) (t[0]) t ~ ( l e t 0 (e(tt)) t t)

The translation for substitution -(~) is defined as follows. D e f i n i t i o n 10 ( T r a n s l a t i o n 0(n)). For a substitution 0 in Icr-calculus and a natural number n (n _> 1), 0 (~) is a list of singleton-lists of p i e r - t e r m s defined as follows: id (n) ~ ((1) (2)

...

(n))

T(n) ~ ((2) (3)

...

( n + 1))

(a.0)(n)--A ( ( a t ) (bl) (b2) " " (bk) ( k + 2 ) )

i f 8 (~) is ((bl) (b2) . " (bk)) (0or

(((let

r

a l ) ) ... ( ( l e t

r

ak)))

i f 8 (n) is ((al) (a2) ... (ak)) and m is max(5(al),... ,5(ak)). P r o p o s i t i o n 11. The translation _t is injective.

Proof. First note that, for each substitution 0 and natural number n, the length (as a list) of 8 (~) is equal to or more than n. It follows that the length of (a. 0) ('~) is more than n + 1, so (a 90) (n) cannot be identical to i d (~) nor I (n). Moreover, its last element is a natural number k + 2, and differs 2 from the last element of (0 o r Hence, the images of -(~) for four classes of substitutions do not overlap. Using this fact, we can prove that, t t and 0 ('~) (for each n) are injective by the simultaneous induction on the complexity of the term t and the substitution 0. [] 4.2

Translation from p l e t - c a l c u l u s to A-calculus

First we define a + for each p i e r - t e r m a. Intuitively, a + is the term a with each free variable shifted (added by one), for example, ( a p p l y 3 (lambda () ( a p p l y 1 2 ) ) ) + 2 This is the reason why we attached the seemingly meaningless term k + 2 in the definition.

81 is ( a p p l y 4 ( l a m b d a () ( a p p l y 1 3 ) ) ) . To define a + , we need to define an auxiliary function a + , which adds one for each free variable in a whose value is more t h a n m.

Definition 12 (a+).

n+ = ixn n+

ifnm

( l a m b d a () a),+~ =ix (lambda () am++1) + b,~) + ( a p p l y a b)+~ ix ( a p p l y a,~ We simply write a0+ as a +. D e f i n i t i o n 13 ( T r a n s l a t i o n

* f r o m p l e t - c a l c u l u s t o A-calculus). ft* E/Xn

(let () b)* ~ (let (b*) 1) (let

((al)

.-. ( a k - 1 ) ( a k ) )

b)* zx ( l e t

((ak))

i f c is ( l e t (lambda () a)* A (lambda

c)

( ( a l +) ... ( a k _ l + ) )

b)*

() a*)

( a p p l y a b)* A ( a p p l y a* b*) In the following, we sometimes regard p i e r - t e r m s as pure terms in A-calculus ( t h r o u g h * translation). T h e translation ~ from Aa-calculus to the pure-fragment is defined as follows. D e f i n i t i o n 14 ( T r a n s l a t i o n

~ f r o m Ar

+(t) Theorem

t o A-calculus).

(t*)*

15. - * is injective. Hence 9 is injective.

Proof. Clear.

Remark. If a non-injective map were allowed as the translation ~, part of our result (the first part of T h e o r e m 23) would become trivial as shown below. In Ac~-calculus, the set of or-normal forms can be regarded as the set of pure Aterms, so the m a p a ( ) can be regarded as the translation from Aa-terms to pure A-terms. We have that, s = t holds if and only if or(s) = a(t) holds. A-calculus is also conservative over pure A-calculus 3. Namely, there is a m a p ~ from pure A-terms to A=terms such that a = b holds if and only if k~(a) = k~(b) holds. Let be the composition of ~ and ~; then we have t h a t s = t holds in Aa-ealeulus if and only if ~f(s) = ~f(t) holds in A-calculus. [] 3 This claim does not hold for the original A-calculus, but it does hold for the modified version presented in this paper.

82 4.3

P r o p e r t i e s of t h e t r a n s l a t i o n

In this section, we prove that the translation 4~ preserves the equality. First we state an extension of Lemma 4.2 in [4]. L e m m a 16. Let a and b be pure N - t e r m s for some natural n u m b e r N . Then ( l e t ( ( a ) ) b) reduces to b{1 :-- a, 2 := 1,3 :--- 2 , . . . , k := k - 1} using l e t rules only, where k is 6(b). Here {l := a, 2 := 1,3 :--- 2 , - . . , k := k - 1} denotes the simultaneous substitution. Note that a and b are not necessarily 0-terms. As was stated in Section 3.2, this lemma does not hold for the original A-calculus, since we cannot reduce the term ( l e t ( ( a ) ) b) i f a is not closed. On the contrary, the version we present in this paper satisfies this lemma, since all pure N-terms are read-only, which enables us to reduce the term ( l e t ( ( a ) ) b). Similarly, we have the following lemma. L e m m a 17. Let al . . . ak and b be pure N - t e r m s , and k be 5(b). If n >_ k, then ( l e t ( ( a l ) " " (a,~)) b) reduces to b{1 := a l , 2 : : a 2 , . . ' , k :--- ak} using l e t rules only. Note that, we regard p i e r - t e r m s as A-terms through the translation ()* in Lemma 17. These lemmata are proved by the induction on b. P r o p o s i t i o n 18. For each term-reduction rule t --* s in Ac~-calculus, ~(t) = 9 (s) holds in A-calculus. For each substitution-reduction rule 0 --+ r and a term s in A(r-calculus, ~5(s [0] ) = ~(s [r ) holds in A-calculus. Proof. This proposition is proved by case analysis.

( B e t a ) The left hand side (LHS, in short) of B e t a is translated into ( a p p l y (lambda () t t) s t ) which/3-reduces to (let

((st)) t t)

By Lemma 16, this is equal to tt{1 := s t , 2 : : 1,3 := 2,..-}. The right hand side (RHS, in short) of B e t a is translated into

(let ( ( s t ) (1) ... ( n - l ) )

t t)

Calculation of indexes shows that this is equal to tt{1 := s t, 2 := 1,3 := 2, 9 9 "}.

( V a r I D ) LHS is translated into ( l e t translated into 1.

((1))

1) which reduces to 1. RHS is

83 ( V a r C o n s ) LHS is translated into ( l e t ( ( t t) ... ) 1) which reduces to t t. RHS is translated into t t. ( A p p ) Suppose 0 (~((t~)t)) is ( ( a l ) .-. ( a k ) ) . LHS is translated into ( l e t ( ( a l ) (a2) " " (ak)) ( a p p l y t t s t ) ) . RHS is translated into

(apply (let

((al)

(a2) " " ( a l ) ) t f)

(let ( ( a l ) (a2) .." (am)) st)) where l and m are 5(tt) and 5(st). By Lemma 17, ( l e t ( ( a l ) ".. (ak)) t t) is equal to

tt{z :=at, ...,l:=az} and similarly for s t. Hence, by Lemma 16, LHS and RHS reduce to

(apply t t { l : = a l , . ' - , l : = a l } st{1 :=al, ..

.,m:=a~})

( A b s ) Suppose 0(5((~t)t)) is ( ( a l ) ' " ( a k ) ) . LHS is translated into ( l e t ( ( a l ) ' " (ak)) duces to

(lambda ( ) t t ) ) .

This re-

(lambda () t {2: =al{ 1 : =Z 2: :3,...}, k + 1:=ak{1:=2,2:=3,

...}}).

RHS is translated into

(lambda () (let ((I) ((let ((2) (3) -..) at)) ((let ((2) (3) ...) ak)))

t~)) The latter term reduces to the former by Lemma 17. (Clos) Suppose 0 (~(tt)) is ( ( a l ) ... ( a l ) ) , and r is ((bl) " " (bk)) where n is max(al,...,al). LHS is translated into (let

( ( b l ) - " (bk)) ( l e t ( ( a l ) " " (al)) t t ) )

84 RHS is t r a n s l a t e d into (let (((let ( ( b l )

""

(ha)) a l ) )

((let ( ( b l )

""

(bk)) a l ) ) )

tt) LHS and R H S reduce to tt{l:=al{l:=bl,...,k:=bk}, l :=az{ l :=bl, . . ., k:=bk } }. ( I d L ) Let n be ~(s). Suppose 0 (n) is ( ( b l ) . . . ( b k ) ) . Then, s [ i d o 0 ] lated into (let

(((let

((bl)

""

((let

((bl)

"'" (bk)) n ) ) )

is trans-

(bk)) 1))

st) Since k > n, this reduces to ( l e t ( ( b l ) . . . ( b n ) ) s t ) T h e n this t e r m is identical to (s [0])t by L e m m a 17. ( S h i f t I d ) Let n be 6(s). T h e t e r m s [ 1" o id] is t r a n s l a t e d into (let (((let ((i) ... (n + I)) 2)) ((let

((1)

.9

(n + 1)) 3 ) )

((let

((1)

...

(n + 1)) n + 1 ) ) )

st) This reduces to ( l e t ( ( 2 ) . 9 ( n + l ) ) s t) which is identical to ( s [ T ] ) t . ( S h l f t C o n s ) Let n be 6 ( @ Suppose 8 (n+l) is ( ( b l ) . . . (bk)). Then, s [ T o (t 98)] is t r a n s l a t e d into (let

(((let ((let

( ( t t) ( ( t t)

(bl) ' " (bl) " "

(b~) (k + 2 ) ) 2 ) ) (bk) (k + 2 ) ) 3 ) )

((let

( ( t t)

(bl) ".. (bk) (k + 2 ) ) n -t- 1 ) ) )

st) We also have k > n + 1, and the t e r m above reduces to (let

((bl)

...

(bn))

s ~)

85 which is equal to (s [0] )1. ( M a p ) Let n be 6(s). Suppose 0 (~) is ( ( a l ) ... ( a k ) ) , and ?(('~) is ((51) 9 " where m is m a x ( f (t), 6 ( a l ) , ' " , 6(ak), k + 2). Then, s [ ( t . 0) o )/] is translated into

(bz))

(let (((let ( ( b l ) " " (bl)) t i ) ) ((let ( ( b l ) " " (bl)) a l ) ) ((let ((51) "'" (bl)) a k ) ) ( ( l e t ((51) " " (bl)) k + 2 ) ) )

st) s [t [Z] 9 (0 o Z)] is translated into

(let

(((let ((let

((bl)

9. (bo)) t t ) )

((bl)

.. (bq)) a l ) )

((let

((bl)

9" (bq)) ak))

(k + 2)) st) where 6(t) is p, X (p) is ( ( b l ) "'. (bo)), m a x ( 6 ( a l ) , . . . ,~(ak)) is r, and X(~) is (@1) " " (bq)). We have t h a t p _< o _< l, r < q _< l, and n < k, therefore, by L e m m a 17, b o t h of these terms are equal to st {1 :=t~{1 :=bl,"" ", p: =b;}, 2:=al{l:=b],.-',r:=b~},

n:=an{1:=51,. -., r :=5~.}} ( A s s ) Let n be 6(s). Suppose 0 (n) is ( ( a l ) ' - . ( a k ) ) , r and X(p) is ((Cl) ... (Cm)) for appropriate o and p. Then, s [(0 o r o X] is translated into

(let

((let

((Cl) "'" (Cm))

(let ((let

((bl)

((c1)

(let

9

((bl)

st) s [0 o (r o X)] is translated into

""

(bl)) a l ) )

(Cm)) ""

(bl)) a k ) ) )

is ((51) . . . (b~)),

86 (let

(((let

(((let ((let

( ( e l ) " " (Cm)) b l ) ) ((el) '"

(Cm)) b l ) ) )

al)) ((let

(((let

((Cl) " " (Cm)) b l ) )

((let ( ( c l ) " " (era)) b l ) ) ) ak))) st) Both of these terms reduce to s t { l : =al{1 : =bl{1 : = c l , " ", m : =Cm},'" ", l: =bz{ 1 : =el,"" 1 : =ak{ 1 : :b1{1 : = c l , " ", m : =c,~},..., l: =bl{ 1 : = e l , ' '

', m :

", m :

=era}}, =era}}

Note that, we have used only l e t - r u l e s for proving the cases for a-rules. Note also that, the 1-step B e t a reduction can be simulated by the 1-step ~-reduction with some let-rules. [:] P r o p o s i t i o n 19. Let A-calculus.

t and s be Aa-terms. If t = s, then qb(t) = @(s) in

Proof. We first prove that, the result of Proposition 18 can be extended to an arbitrary context. Namely, for a context C ( ) , if t --* s, then ~ ( C ( t ) ) = ~ ( C ( s ) ) where t and s are terms or substitutions. These are straightforward if the used reduction rule is a a-rule. However, in the case of Beta-rule, there occurs a subtle point; for example, ((A2)3) [ T ] is translated into (let

((2)

(3) (4))

( a p p l y (lambda () 2) 3)).

On the other hand, the result of applying B e t a rule to it is 1 [ T ] which is translated into ( l e t ( ( 2 ) ) 1). We can use Lemma 17 to overcome this difficulty, and can prove the equality of ~ ( C ( t ) ) and ~(C(s)). Finally, we can extend the result for 1-step reductions to the general case, and get the desired proposition. []

r 5

By checking the proofs, we know that, if t = s is shown by a-rules only, then = r is shown by let-rules only. Translation

of the

pure-fragment

into

A(r-calculus

We now define the reverse translation, namely the translation from the purefragment of A-calculus to A(r-calculus.

87

Definition 20 (Translation k~). ~(n) ~ 1 [ Tn ] k~((let ( ( a ) ) b)) __A@(b)[k~(a). id] k~((lambda () a)) ~ AkD(a)

~P((apply a b) ) A= e(a)g/(b) In the first clause, 1 [ Tn ] is n-times application of substitution, that is, n

i"[ T ] ,.. [ T3".

Proposition 21. We have the following; 1. ~ is injective. Z. Let a and b be pure N - t e r m s in A. If a = b, then ~ ( a ) = k~(b) holds. Proof. We first prove the theorem for the case of a --~ b. It is proved by the induction on the derivation of a --+ b. We only have to consider Rules 1, 3, 5, 7, 12, 16, 17, and 19.

( R u l e s 1, 3, 5, 7) These cases are proved easily. ( R u l e 12) Suppose a i s ( a p p l y (lambda () c) d), b be ( l e t ( ( d ' ) ) c'), c --* c' and d ~ d'. Then, O(a) is (A~(c))q~(d), and ~P(b) is q~(c') [~P(d') 9i d ] . By the induction hypothesis and the B e t a rule in Aa-calculus, these terms are equal. ( R u l e 16) Suppose a i s ( l e t ( ( c ) ) d), 1 C F V ( d ) . d --* e, and bis e - . We have q~(a) is q~(d)[q~(c) 9 i d ] . We can show that, all the occurrences of 1 in q~(d) are followed by one or more T's, hence q~(d)[~P(c) 9 id] is equal to ~P(d){2 := 1, 3 := 2 , . . . } , which is again equal to q~(d-). We have 1 r F V ( e ) , and, therefore, d - ~ e - . By the induction hypothesis ~ ( d - ) = O ( e - ) , hence ~(a) = ~P(b). ( R u l e 17) Suppose a is ( l e t ( ( c ) ) d), p(d,p) = 1, c ~ c', d --* d', and e - d~[c'+], b is ( l e t ( ( c ' ) ) e). Then, q~(a) is ~(d)[~P(c). i d ] , which is equal to ~P(d') [q~(c') 9i d ] , by the induction hypothesis. By the induction on the term q~(d'), we have that the a-normal forms of this term and the term q>(e) [~(c'). id] are identical. Hence we have that ~P(a) and ~P(b) are o--equal. ( R u l e 19) This case is proved in a similar way as Rule 17. We can extend the result above to the equality a = b. 6

Main

[]

Theorem

This section presents the main theorem of this paper.

Proposition 22. For each A~r-term t, kP(~5(t)) = t holds. Moreover, the equality is shown by the l e t - r u l e s only.

88

Proof. This proposition is proved by the induction on the term t. T h e o r e m 23. Let t and s be Aa-terms. Then, t = s holds if and only if qs(t ) =

qS(s) holds. Moreover, if t is shown to be equal to s using c~-rules only, ~(t) and ~(s) are shown to be equal using let-rules only. If t is shown to be equal to s by several times applications of the Beta-rule, ~(t) and qS(s) are shown to be equal by the same times applications of the ~3-rule, and some applications of let-rules. Proof. The first part follows from Propositions 19, 21 and 22. The second part follows from the remarks for these propositions. [] Remark. Theorem 23 shows that the pure-fragment of A-calculus and A(r-calculus have a close relationship; as equality theories, A-calculus (the version presented in this paper) is conservative over Act-calculus. However, we can see several differences between them. Firstly, the reduction rules do not directly correspond, namely, t ~ s in Aa-calculus does not necessarily imply r -+ qS(s) in A-calculus. Secondly, substitutions are objects in Act-calculus, and can be directly treated, while its corresponding expression ( l e t ( ( a ) ) (}) is not a term in A-calculus. This reflects that, in A we only consider the environment with some term, and never treat one as an independent object. One of the design goals of A is to treat assignment in a mathematically well founded manner, which means we want to keep the referential transparency in our sense, and therefore, we do not separate terms and environments. As in Ac~-calculus, we have a complete normal-order strategy for the reductions in A, which we plan to implement on a computer. [] 7

Terms

with

Names

The results for the calculi with de Bruijn's index notation also hold for the calculi with variable-names. In this section, we briefly explain how to translate terms with variable-names between Ac~-calculus and A-calculus. Suppose X is a list of variables. In the following, ( x . X ) represents the cons of the variable x and the list X. The expression (x) represents the singleton list. D e f i n i t i o n 24 ( T e r m a in A). aX

::~

x

( s e t ! x a)

if x c X

b(x.X ) ) ( w h i l e ax bx c x ) (let

((x ax))

( i f a x bx c x ) nil

(null? ax)

(pair

ax bx)

89

(pair? a x )

(car ax) (cdr ax)

(lambda (x)

a(x ))

(fun? ax) (apply ax bx) (mu a x ) The pure-fragment and plet-calculus are defined similarly. We take the ha-calculus with names which does not have T operator. D e f i n i t i o n 25 ( T e r m t a n d S u b s t i t u t i o n 0 in ha-calculus). t ::= ~ I tu I hx.t I tie] o ::= ~d I ( t / x ) e

Ie o r

D e f i n i t i o n 26 ( T r a n s l a t i o n tt). For each h~-term t, a p l e t - t e r m a is defined as follows:

xt ~AX (t.s)t __A(apply t t s t) (/~x.t) t =~ (lambda (x) t t) (t[0]) t ~ (let 0 ~ t t) D e f i n i t i o n 27 ( T r a n s l a t i o n 0~ We fix a fresh variable v. For a substitution 0 in Ac~-calculus 0 ~ is a list which consists of pairs of variables and p i e r - t e r m s :

i d o ----A((v v))

((a/x) 90) ~ /i ( ( x a t) (Xl 51) (x2 b2) ... (xk bk) (v v)) i f 0~ is ( ( x l bl) (x2 b2) "" (x~ bk)) (0or176

((Xl ( l e t r

al))

(xk (let r

ak)))

i f 0o is ((xl al) (x2 a2) -.- (xk ak)) The translation 9 from plet-terms to A-terms case. Let the translation @(t) be (t~) *.

are defined as in the nameless

90

D e f i n i t i o n 28 ( T r a n s l a t i o n ~P). A

~(x) = x ~P((let ( ( x a ) )

b))~(b)[(~(a)/x).id]

~P((lambda (x) a)) ~ Ax.g'(a) ~P((apply a b) ) ~=~(a)O(b) We have the following theorem for these translations. T h e o r e m 29. We have the following; 1. 9 and ~ are injective. 2. For a A(r-term t, ~P(~5(t)) = t holds. 3. Let t and s be A~-terms. Then, t = s if and only if ~(t) = ~(s).

Remark. There are two versions of ha-calculus with variable names, one without the shift operator and one with the shift operator. We chose the first (naive) one here. The shift operator T in the calculus with variable names refers to a variable beyond a binder; for example, the third occurrence of x in the term Ax.Ax.(x[ T ]) is bound by the first A. The present A does not have such facility, and we cannot translate the latter version of A(r-calculus into A-calculus. If we would extend A so that we could refer a variable beyond a binder, we would be also able to embed this calculus into A-calculus. [] 8

Conclusion

In this paper, we have shown the rigid relationship between "explicit substitution" (ha-calculus) and our functional language A. We first presented a modified version of A so that we may reduce l e t - t e r m s under the "read-only" condition. We used de Bruijn's index notation in this presentation. We then gave a translation from A(r-calculus into the pure-fragment of A-calculus, and a reverse one. We proved that, through these translations, (r-rules correspond to let-rules, Betarule corresponds to/3-rule, and finally A is conservative over ha-calculus. We also presented a brief sketch of translation for calculi with variable names. Together with the Church-Rosser property and the referential transparency presented in [4], our result establishes that A is a well-founded programming language with assignment. As a future work, we will implement the language A on a computer, and develop a proof-system for A-programs.

Acknowledgements We would like to thank Makoto Tatsuta and Morten Heine Serensen for constructive comments. This work was partly supported by Grant-in-Aid for Scientific Research from the Ministry of Education, Science and Culture of Japan, No. 04235104 for the first author and No. 05780221 for the second author.

91

References 1. Abadi, M., L. Cardelli, P.-L. Curien, and J.-J. Levy: Explicit Substitutions, 17th Annual ACM Symp. on Principles of Programming Languages, pp. 31-46, 1990. 2. Curien, P.-L.: Categorical Combinators, Information and Control, 69, pp. 188-254, 1986. 3. de Bruijn, N. G., Lambda-calculus Notation with Nameless Dummies, a Tool for Automatic Formula Manipulation, Indag. Mat., 34, pp. 381-392, 1972. 4. Sato, M: A Purely Functional Language with Encapsulated Assignment, to appear in Proc. of Second Intl Symp. on Theoretical Aspects of Computer Software, 1994.

Appendix: A-calculus in de Bruijn's notation The Appendix gives several definitions including the reduction rules of A in de Bruijn's index notation. A position is a finite sequence of positive integers, with e being the empty sequence. For instance, 121 is a position. Each subterm in a term is specified by a position in a usual way. We use the notation t/p for the subterm of a term t at the position p. For instance, ( a p p l y ( a p p l y a b) c ) / 2 2 is a, and ( a p p l y ( a p p l y a b) e ) l ( is ( a p p l y ( a p p l y a b) e). For a term a and a position p, y(a,p) intuitively means the number of surrounding binders ( l e t or larabda) at the position p, and is defined as follows. D e f i n i t i o n 30.

y((let y((let

( ( b ) ) e),211q) ~=v(b,q) ( ( b ) ) c), 3q) A v(c, q) + 1

.((lambda

() b),3q) ~ . ( b , q ) + 1

~( ( f bl "" b.~),iq) A=~(b~-l,q) where f is not l e t nor lambda, ~(a, p) ~=0 otherwise Suppose a/p is a variable i. This occurrence of a variable is called bound if i < ~,(a,p), and free otherwise. Next, we define a natural number p(a,p) for a term a and a position p. In a term a, there may be several occurrences of a variable, and each may take a different value. We, therefore, sometimes need to know the absolute value of a variable-occurrence if we look at this occurrence from outside of a. The number p(a, p) is defined to be i - y(a, p) where a/p is a free occurrence of a variable in a, and i is the variable. Otherwise, p(a,p) is undefined. FV(a) is the set of p(a,p) where p ranges over all the free occurrences of variables in a.

92 Let us take an example. Let a be (let ( ( 2 ) ) ( p a i r 1 2 ) ) . Then u(a,211) is 0, the occurrence at 211 of a is free, and p(a, 211) is 2. u(a,32) is 1, the occurrence at 32 of a is bound, and p(a,32) is undefined, u(a,33) is 1, the occurrence at 33 of a is free, and p(a, 33) is 1. For a term a, two terms a + and a - are the term a with each free variable added by one, and subtracted by one, respectively. For instance, a+

is ( l e t

((3))

( p a i r 1 3))

a-

is ( l e t

((1))

( p a i r 1 1))

A precise definition of a + is given by Definition 12. An N - t e r m a is called N-closed if FV(a) n { 1 , . . . , N } = 0. The set CN represents the set of N-closed terms. An N - t e r m a is called N-read-only if, for any subterm in the form ( s e t ! n b), n is bound in a. RN represents the set of N-read-only terms. D e f i n i t i o n 31 ( S u b s t i t u t i o n ) . Let a and d be terms, and p be a position. We will define a term ap[a~ as follows: - If p is e, ap[d] is d. - Otherwise, 9 if a is (lambda () b), then ap[a~ is (lambda () 9 if a is ( l e t

((b))

bq[d+]) i f p is 3q, and is undefined otherwise.

c),

then a p M i s ( l e t ( ( b q M ) ) e)ifpis211q, ap[d]is ( l e t ( ( b ) ) cq[d+]) i f p is 3q. ap[d] is undefined otherwise. 9 if a is ( f bl ... bn) where f is not l e t nor lambda, ap[d] is ( f bl " " b~q[a~ ... b,~) i f p i s jq, 2 < j _< m + 1, and i is j - 1. 9 otherwise apld] is undefined. Substitution for multiple occurrences apl,...,pk[b] is defined to be apl[b] if k = 1, and (%1 [b])p~,...,pk [b] if k > 1. We next define the set s (a) for each N - t e r m a in A-calculus. Intuitively, if p E Z g ( a ) , the subterm alp should be evaluated at the next step by the l e t - r e d u c t i o n . Note, however, that we fix the evaluation order only for one occurrence of the l e t - c o n s t r u c t . If other rules are applicable, or there are other l e t - c o n s t r u c t s which do not interfere with this l e t - c o n s t r u c t , we m a y evaluate other subterms than one specified by Zg(a). For a position p and a set S, pS is the set {pq I q C S}. D e f i n i t i o n 32. If

a E CN, then Z~N(a) is 0. Otherwise,

EN( ) 5 3Ey+l(b) •g((let

((a))

b)) zx

211~N(a) U3~g+l(b) 211 ~ N (a )

i f a E CN, ifaERgandbERN+l, otherwise.

93

~N((set'

n a)) /x

ZN((lambda () a)) SN((While ~N((if

a b c))

i f a E CN, otherwise.

{e} 3~'g (a)

{d Lx 2zN(a)

a b e)) A 2EN(a)

r N ( ( a p p l y a b)) =~

32N(b) 2ZN(a) U 3 2 N ( b )

2ZN(a) Z N ( ( p a i r a b)) z~ z

{ 32N(b) 22N(a) U3~N(b)

2rN (a) Z N ( ( f a)) ~ 2ZN(b)

i f a C CN, ifaERNandbCRN, otherwise. i f a C CN, i f a c RN a n d b E RN, otherwise.

where f is a term construct not listed above

Note that, for a pure, open term a, ~ x ( a ) is not empty. The 1-step reduction relation ~ in de Bruijn notation is defined as follows: D e f i n i t i o n 33. 1. If n is a variable (an index), then n -~N n. 2. If a --*N d and s is one of fun?, n u l l ? , p a i r ? , car, cdr, and mu, then (s a ) - ~ N

(s d).

3. If a --+N d and b ~ N e and s is one of p a i r , a p p l y , then (s a b)--~N

(s d e).

4. If a --~N d, b ~ X e and c --~N f and s is i f or while, then (s a b e)--~N

(s d e f ) .

5. If a -'->1 d, then (lambda () a) --+N (lambda () d). --+N ( s e t ! n d ) . 7. If a ~ N d a n d b - - ~ N + l e, then ( l e t ( ( a ) ) b ) ~ N ( l e t ( ( d ) ) e). 8. If a E RN, (s a) is a recognizer term of some kind, and a is a constructor t e r m of the same kind, then (s a) -+N t r u e 9 9. If a 6 RN, (s a) is a recognizer term of some kind, and a is a constructor t e r m of a different kind, then (s a) --*N f a l s e . 10. I f a E R N , b E R N , a n d a - - * n d , then ( c a r ( p a i r a b)) -~N d. 11. I f a 6 R N , b E R N , a n d b ~ N e , then ( c d r ( p a i r a b)) -~N e. 12. If (lambda () a) E }~N, b C RN, a --+N+I d and b --*N e, then 6. If a --+N d, then ( s e t ! n a)

( a p p l y (lambda () a) b)--*N ( l e t

( ( e ) ) d).

13. I f a G R N a n d a - - ~ N d , then (mu a) -*N ( a p p l y d ( m u d ) ) . 14. If b --*N e then ( i f t r u e b c) --~Ne. 15. If c--+N f then ( i f f a l s e b e) --*N f-

94

16. If a 9 RN, 1 ~ FV(b), b 9 CN+I , and b -+N+I e, then (let

( ( a ) ) b) -"+N e - .

17. If a --*Iv d, p E Z g + i ( b ) , p(b,p) = 1, b ""~N+I e, and either (i) a E CN, or (ii) a E -RN and b E RN+I, then ( l e t ( ( a ) ) b) '-+Y ( l e t ( ( d ) ) ep[d+]). 18. I f p E Z g + l ( b ) , b/p-- ( s e t ! n f ) , b'-+g+l e, e/p = -- ( s e t ! n g ) , p(b, p2) = 1, and either (i) a E C y , o r (ii) a E RN and b E RN+I, then (let

( ( a ) ) b)---~N ( l e t

((g-))

ep[g]).

1 9 . If a --+,v d, p 6 Zg+l(b), b/p -

(lambda () / ) , u(b,p) = m, b --+N+I e, F V ( f ) N {m + 3 , . . . , m + 2 + N } = 0, ~'(e,p) = n, e/p - (lambda () g), positions Pi," ' ", Pk are all the free occurrences in g satisfying p(g, Pi) = n + 2 , and either (i) a E CN, or (ii) a E RN and b E RN+i, then n+2

(let 20. If b

-"+N

( ( a ) ) b)--*N ( l e t

( ( d ) ) ep[(lambda ()gpl,...,pk[d+'"+])]).

e and c --*N f , then (while true b C)--+N

(let ((x e)) (while f e f)).

21. (while false b c) --+N nil. We often omit the subscriPt N in --+N. We call the rule 12/3-rule, and the rules 16, 17, 18 and 19 let-rules. As in A~-calculus, /3-rule just adds a new environment to a term, and does not perform substitution. Later, let-rules will resolve this environment and perform the substitution. In let-rules, we may evaluate a subterm at a position in the set r ( a ) . Rules 17 and 19 do substitution for occurrences of the variable bound by this l e t . Rule 18 is the execution of assignment. Rule 16 eliminates l e t environment if there are no occurrences of the variable bound by this l e t . Note that l e t - r u l e s are extended from the original A by the reason stated in Section 3.2.

ML w i t h First-Class E n v i r o n m e n t s and its T y p e Inference A l g o r i t h m Shin-ya Nishizaki Research Institute for Mathematical Sciences, Kyoto University, Kitashirakawa-Oiwakecho, Kyoto, 606-01, Japan We present a typed A-calculus which enables us to handle first-class environments. The syntax and the reduction are obtained by applying the idea of Curien's "explicit substitution". The type system has ML-polymorphism and a type inference algorithm which is sound and terminates. Abstract.

1

Introduction

We treat various kinds of objects in programming languages. Most objects, e.g. integers or boolean values can be passed and returned between procedures. However, we cannot always use all of them in such a way. For example, procedures themselves are passed and returned between procedures in Lisp. In contrast, it is impossible to do so in BASIC. Objects which can be passed and returned between procedures, are said to be first-class. Many implementations ([MIT], [Lau901) of the p r o g r a m m i n g language Scheme enable us to utilize environments as first-class objects although this facility is not defined in its standardization ([RC86]). We consider the following two primitives as the principal ones:

(the-environment) which returns the current environment, and - ( e v a l { list } I environment }) which returns the result of evaluation of the expression represented by ( list } under { environment ). -

-

By these primitives, we can export an environment to anywhere independently of the textual structure of a program: ((lambda (env) (eval ' (+ x 1) env)) (let ((x i)) (the-environment))). The expression (+ x 1) is not evaluated under the environment where it appears, but under the one where ( t h e - e n v i r o n m e n t ) appears. Therefore, the result is 2. This construct will support packaging of procedures (see [AS85]) or debugging of programs. In order to obtain A-calculus with first-class environments, we adopt the idea of explicit substitution, i.e. A~-calculus ([CurS6], [nACCL90], [Cur91], [CHL92]). Next, we would like to explain how tile idea of ),a-calculus is applied to first-class environments.

96 In the usual A-calculus, fl-reduction is considered as the fundamental mechanism of computation. An example of/3-reduction is as

(Ax. Ay. x)M1M2

(1)

-+ (Ay x)[x:=M1]M2

(2)

- (Ay. M1)M2 P ~".

(3) (4)

/3-reduction is applied between Line (1) and Line (2). The hidden important point is that substitution operation is defined at the meta level, which means that the term in Line (2) is actually equivalent to the one in Line (3) and the description in Line (2) is nothing but an illusion at the object level. In other words, the variable reference mechanism is implemented at the meta level. This is the reason why environments do not appear anywhere in the process of/3reduction. In contrast, substitution operation is made explicit in Ac~-calculus by defining them in the object level, what is called, explicit substitution. This reveals the notion of environment, which is concealed in the meta level:

(5)

( Ax.Ay.x)M1 M2 --* ((Ay.x)[(M1/x) . ia~)M2 --* x[(M1/x) . ia][(M2/y) . ic~

(6)

--?-*MI[(M2/y) " ia] --.4,

9

9

9

.

A term in Line (6) corresponds to a term written x[x:=M1, y:=M2] in the usual A-calculus. We notice that this term can be read as the evaluation of variable x under environment (x ~-* M1, y ~-+ M2). We here find one of the important ideas in Ac~-calculus: environments as substitutions. From the discussion above, we know that we obtain the calculus with firstclass environments from Ac~-calculus by merging the syntactic classes of terms and of environments. We have investigated typed lambda calculus with first-class environments and already proposed the simply typed one in the previous paper [Nis94]. In this paper, we would like to introduce a ML-polymorphic version and present two fiandamental properties: one is subject reduction theorem and the other existence of a type inference algorithm.

2

ML-polymorphic

Calculus

ML~nv w i t h

First-Class

Environments Before defining our calculus in detail, we recall what ML-polymorphism is.

97

2.1

ML-polymorphism

ML is a functional programming language equipped with a type inference facility. The first important point of ML is its implicit type system: we do not need to append a type information to each argument. For example, in ANSI C, we write a program as int abs(int i) r e t u r n (i>O) ? i : -i ; where we must specify what type the argument i should be. In contrast, in ML, it is not necessary to specify types of arguments: fun abs i = if i > 0 t h e n i else (i); Instead, the type inference Mgorithm of M L finds the type of i: abs

: int->

int

And the second point is polymorphism which allows us to give several different types to one term. For example, in a term

(let f = Ax. x in (f f) end)

(7)

the variable f is of type (a --* a) --~ (a --* a) at the first occurrence in (f f), and of type c~ ~ a at tile second occurrence. These two types are derived from a polymorphic type Va.a --+ c~ (also called a type scheme). Polymorphism appears at variables which is quantified by let-expressions. Although a term (Af. (ff))(kx. x) is operationally equivalent to (7), the former term is untypable in ML. The syntax of ML typing can be summarized in the following: Type Judgement Monomorphic Type Polymorphic Type Polymorphic Type Assignment

F ~- M : o A ::= a [ (A ~ B) (7 ::= V~l " ' V(~.A F ::= {xl : o l } . . " {xn : o~}.

The class of types in ML is a proper subset of the one in polymorphic typed lambda calculus System F. For example, (Va.(a --* a)) --+ V a . ( a --+ a) is not a type of ML. This restriction on types ensures the existence of a type inference Mgorithm. Since, we have aimed at finding a type inference algorithm for a typed lambda calculus with first-class environments, we adopt ML as the base type theory, In F F- M : o, type assignment F gives us the type information of environments where M is evaluated. Therefore, we will obtain a definition of polymorphic environment types from that of polymorphic type assignments. 2.2

S y n t a x o f MLenv

D e f i n i t i o n 1 T y p e s o f ML . . . . Suppose that we are given three countable sets: - a set TypeVar of type variables,

98 - a set EnvTypeVar of environment type variables, - a set TermVar of term variables and - a mapping PVar which assigns each type variable to a finite set of term variables, called prohibited variables, which satisfies the condition that PVar-l( {Xl,... ,xn}) is an infinite set for any { x l , . . . ,xn}. Then, environment monotypes E, monotypes A, polytypes a, and environment polytypes 1" are mutual-inductively defined as [environment monotype] E ::= { x l : A1}-..{x,~: An}p, where n > 0, { x l , . . . ,xn} C_ PVar(p), and x l , . . . ,xn are distinct from each other. We do not distinguish them from sets of ordered pairs {xi : A~}. [monotype] A ::= a I E I ( A ~ B) [polytype] (r ::= Val .'. Vak.A, where k > 0.

We assume a-equivalence on this V-abstraction. For example, we do not distinguish Va.a --* a from V/J.~ --*/5. [environment polytype]

r::={xl :

(xn:

n)p

where n > 0, { x l , . . . ,x,~} _C PVar(p), and x l , . . . ,xn are distinct from each other. We do not distinguish them from sets of ordered pairs {xi : a~}. From the above definition, we know the following inclusion relation: environment polytypes U environment monotypes C monotypes C polytypes We imposed ment polytypes, general unifiers. for environment

the syntactic restrictions on environment mono- and environfor the existence of a unification algorithm which derives most As a result, a few conditions are placed also on substitutions type variables:

D e f i n i t i o n 2 S u b s t i t u t i o n for ( e n v i r o n m e n t ) t y p e v a r i a b l e s . A substitution ~ on environment type variables and type variables is a function which maps each type variable a to a type A and each environment type variable p to an

99

environment type {x~ : A~}p' such that PVar(p) N { x l , . . . , x~} = 0, PVar(p) C PVar(p'), and { x l , . . . , x ~ } C_ PVar(p'), and its domain dom(O) = {a E TypeVar [ a e • a} U {p 9 EnvTypeVar [ pe r p} is finite. A substitution 0 defined as above is extended uniquely to a function ] on types as:

(A~B)

0=A 0~B

0,

({Xl : a l } . . . { x n : cr,~}p)~ = {xl : a10} " ' ' {x~: a ~ } p ~ and (Val ... Vak.A ) 0 = Val ... Vak.( A~ where we assume that (Val .. 9Vak.A) is appropriately a-converted with respect to bound type variables. We will identify 0 and 0 in the rest of this paper. D e f i n i t i o n 3 R e s t r i c t i o n a n d E x t e n s i o n . Let F be a set of (environment) type variables and 0 a substitution. A restriction 0IF of 0 on V is a substitution that maps a ~ V (or p ~ V) to a ~ ( o r p e resp.) but a 9 1 4 9 t o n ( o r p , resp.). 0' is an extension of 0, or 0 is extended to 0', if ~ = 0rldom(e ). It is easily checked that P r o p o s i t i o n 4. Let E be an environment type and 0 a substitution. Then, E e

is an environment type. D e f i n i t i o n 5 R a w T e r m s in ML . . . . Raw terms M are inductively defined as M ::= x I A x . M I ( M N ) Iid[ ( M / x ) . N I ( M o N ) which are called a variable, a lambda-abstraction, a function application, an identity environment, an extension, and a composition, respectively. The first three constructs are similar to the usual )~-calculus' ones, in contrast, the last three new. The identity environment id returns the current environment when it is evaluated. We can regard id as ( t h e - e n v i r o n m e n t ) of Scheme. Extension ( M / x ) 9 N corresponds to the environment made by appending a new binding from x to M, to environment N. Composition (M o N ) is the result to which M evaluates in an environment N, when M is regarded as a term and N as an environment. In this case, we can regard ( M o N ) as (eva1 ' M N ) of Scheme. If M is also an environment, then (M o N ) is the substitution composition, identifying an environment with a substitution. N o t a t i o n 6. We will use the following vector notation: {x~: A ~ } p - - {Xl : A 1 } . - - { x ~ : d~}p, _-- { z , -

:

and

100

2.3

Typing Rules of MLenv

D e f i n i t i o n 7 T y p e J u d g e m e n t a n d T y p i n g R u l e s . We define a type judgement F F M : (r for an environment polytype F, a term M, and a polytype (r by the following rules called typing rules or sometimes type inference rules. When F t- M : a holds, we say that term M has type c~ under F.

Typing Rules: {x : ~ } F F x :

Var~

{x : A } F F M : B V F ( A x . M ) : (A + B)

FFM:(A~B)

Lam

FFN:A

F ~- ( M N ) : B

App,_

ld~

FFid:F FFM:a FFN:F' 1-' F ( M / x ) . N : {x : a } F ' ExtnF FFM:a

~ F ~bM:a

CompF

FF(MoN):a F F M : (V~.~)

aeFtv(F)

F FM :

FI-N:F

TypeGen~_ /" F M

(Va.~)

0"[a~-*A]

TypelnstF

N b M : { x : ~r}]" c~ ~' Ftv(/') U Ftv(_P') EnvGen~ F F M : {x : Vc~.a}F' F F M : {x : Vo~.~}F' F F M : { x : o"[a~A]}-l''

EnvlnstF

Readers should notice that side conditions are implicitly imposed by metavariables in each typing rules. For example,

{x : Vs. ~ ~

~}p F x : Ve.a

--+

p F (~x. z) : (Vs. ~ -~ a ) --+ (Vs. a -~ a )

Lam

is a wrong inference since (Va.a --+ a) is not a monotype. {x:~}{x:~}p~x:p

VarF

is also wrong since {x : a}{x_ : fl}p is not valid environment polytype. The let-expression in the usual ML is definable by the constructs for first-class environment as (let x = N in M end) ~ / M o ( ( M / x ) . id). This term is typable as

F b i d : F Ida 1;~_-i-~-/x-~.i[t]-(xi-o.--~F ExtnF {x:cr}/~ b M :~r F (M o ( ( N / x ) . id)): T Comp~ FFk:~

lol

similarly to the typing in the usual ML: :

FF)V:r {x:r FF(letx=NinMend):1This justifies our definition of let-expression from the aspect of typing. We will present its explanation from computational aspect in the next section. We end this section with the following proposition which is easily checked. P r o p o s i t i o n 8. If F F M : ~ (or F F M : A), then F ~ F M : a ~ (or I "~ F M : A e, respectively). 2.4

C o m p u t a t i o n Rules of ML~,~v

In the previous work [Nis94], we give a reduction to the simply typed lambda calculus with first-class environments, named AeGv. Actually, the reduction is not only defined for typed terms, but also for raw terms. Definition 9 W e a k R e d u c t i o n . A binary relation ( - ) ~ wr reduction, is inductively defined by the following rules: [ S u b s t i t u t i o n Rules] : (L o M) o N ~W T L o (M o N)

Ass~,

IdL~7" : idoM~M ~uT" IdR~7` : M o i d ~W T " M DFxtn~7" : ( ( L / x ) . M ) o N ~ ( ( L o N ) / x ) . ( M o N ) : x o ((3~l/x) 9 N ) -'+ M WT" VarSkip~7": y o ( ( M / x ) . N ) - ~ y oW TN VarRef~7`

DAppwr

:

wherex~y

(MIM2) o N ~ ( M l o N ) ( M 2 o N )

[Beta Rules] Betal~7` : ((Ax./~l) o L ) N -~ M o ( ( N / x ) . L) Beta2~ : ( * x . M ) N -~ M o ( ( N / x ) . id) WT` [C.o m p a t i b i l i t y Rules] : ( M N ) --+ (M'N) 'W'P ( M N ) W 7 ` (MN') AppR~,7"

AppL~.

Lam~7" Corn pL~,~ Corn pR~7`

:

(~x. M) (M o x ) (M o N)

E x t n L ~,7" : ( ( M / x ) . ExtnRw~

: ((M/x).N)

N)

1117"

W?" .-.+ WT ---+ ~UT" ----) W'P

(ax.M') (M' o N) (MoN')

if M -~ M' W7` g N -~ N' wr

if M --+ M' wr if M --+ M' 11)1" if N--+ X ' Wf

( ( M ' / x ) . N) JIM ~W T M' ( ( M / x ) . X ' ) if N -~ N' W~

(-), called weak

102 The readers should note that ()~x. ( - ) ) o ( - ) is not a redex in the reduction given here. This is the reason why we call this computation rule weak reduction (see also [CHL92]). The above reduction is actually defined independently of type system and therefore, we obtain an untyped calculus: D e f i n i t i o n 10 U n t y p e d Calculus Ae~v. We call the system which consists of raw terms and the above reduction rules, untyped calculus A~n~. We here mention the connection between the above system and the usual calculus without first-class environments, i.e. Aa-calculus. Readers familiar enough with the Aq-calculus should realize the following proposition: P r o p o s i t i o n 11. A~n~is a conservative extension of Aaw([CHL92]), that is, if

a term M is reduced to N in Ac%, then the term M is also reduced to N in Aenvunder the identification of M[a] to (M o cO. An example of terms not in A~-calculus but in A~-~ is L o ((Ax. M ) N ) : the classes of environments and of the terms are disjoint in A(7-calculus, and therefore, an environment must not be a term e.g. (Ax. M ) N . We next show two example of reduction. The first one is as follows:

((Ay. Ax. id)M)N --~ ((Ax. id) o ( ( M / y ) . id))N ~or -~ ido ( ( N / x ) . ( M / y ) . id) Wr ---* ( N / x ) . ( M / y ) . id "tVr

Beta2~ Betalwr

IdLwr

The term ((Ay. Ax. id)M)N in the first line corresponds to Scheme's program:

(((lambda (y) (lambda (x) (the-environment))) M) N). The second example is more complicated:

( Ae. (y

e) )( ( Ay. Ax. id)M N) o e))((N/x) . ( M / y ) . id) Wr (y o e) o ((((N/x) . (M/y) . id)/e) . id) y o (e o ( ( ( ( N / x ) . ( M / y ) . id)/e), id)) wr --*~y o ( ( N / x ) . ( M / y ) . id) --* y o ( ( M / y ) . id) Wr --*M vJr o

-h (Ae. (y

similar to the first example Beta2wr Asswr VarRefw~ VarSkip~ VarRefw~

The term (Ae. (y o e))((Ay. Ax. id)MN) corresponds to the following program:

((lambda (e) (eval 'y e)) (((lambda (y) (lambda (x) (the-environment))) M) N))

103 In the previous section on typing, the let-expression is defined by first-class environment's constructs presents a justification from the viewpoint of typing. In the usual A-calculus, let-expression (let x = N in M end) is equivalent to fl-redex ()~x. M ) N as far as the evaluation of terms is concerned. Rule Beta2 means that ()~x. M ) N is operationally equivalent to M o ( ( N / x ) 9 id). Therefore, we know the justification of the definition that (let x = N in M end) d j M o ( ( N / x ) 9 id). 2.5

Fundamental

P r o p e r t i e s o f MLenv

The goal of this section is the subject reduction theorem, which is the property t h a t types of any terms are preserved during their reduction. In order to prove it, we here introduce another judgement on typing, written F IF M : A (see also [Gun92]). The important difference between F- and IF-judgement is that the derivation tree of judgement 1" IF M : A is uniquely determined by a term M. In contrast, there may exist several derivation trees of ~ judgement F F M : cr for a term M. Thanks to this uniqueness, we can use induction on the structure on terms, in proving propositions on IF-judgement. The first part of this section is mainly devoted to prepare the notion of IF-judgement and its related properties. We first extend the notion of generic instance as used in the context of ML: D e f i n i t i o n 12 G e n e r i c I n s t a n c e . A binary relation ( - ) < ( - ) is first defined between a polytype and a monotype as VOZl . . " Vo~k.A _< A[Cq~A1...... ~,~-~At~]

Second, this binary relation is extended to one between polytypes as cr < T

r

a < A for every A sueh that T Infer(p, (f f) o ((Af. id)(Ax.x)), {p}) > > Infer(p, ((Af. id)(.~x, x) ), {p}) >>> Infer(p, (Af. id), {p}) >>>> Infer({f:'y}p, id, {p,y})

>>>
>>< ({x: x, >>< ((~ --* c~, idsubst, {p,%c~})

>>>

Unify(7 ~ { f : ?}p, (c~ ~ c~) ~/3, {p, % c~, fl})

>>< ([~ ~-~ (~ --+ ~), fl --+ { f : ((~ ---+(~)}p], {P,%a, fl}) > < ( { f : a ---+a}p, [7 ~-~..., fl ~--*...], {p,v,a, fl}) > > Infer({f :Va.(~ --+ a}p, ( f f ) , {p,q,,(~,fl}) >>> Infer({f:Vo~.a---~(~}p, f, {p, v, a, /~}) ~>>< (O~1--+ (~1, idsubst, {p, 7, a, fl,(~l})

>>>

Infer({f :Vo~.c~ -~ ~}p, f, {p,7, ch/3})

111

>>< >>> >>
<
_ 1),

140

as well as a one-to-one map h E : ( A * ) z ~ ]_I~ 1-[j B i j . If the bad sequence is extended to ~ ^ (a} where cr ~ (A*)~, a new set [[il-Ij B ~j ~ is defined by decomposing the summand such that h~((r) ~ 1-Ij Bioj into a disjoint sum as in Figure 1. There we suppose h~(~) = (~,s~,~,s~,...,

s ..... 1,~)

(As~)* x As~ • (As~)* x As~ x ... x As-_~ x (Asm)*. and after the decomposition, the product • is distributed over the disjoint sum + in order to maintain the form of ]-L 1-Ij B~j.

x (As~)*

x As,2

x . . . x As~,,_I

x (Asm)*

+ (As~)*

x(As~)~,, 1 x (As2)*

x As,2

x...x

As~,~_I

x (As.,)*

+ (As~)*

x AS,1

• ((As2)*)r

• As'2

x ... x As~,~_I

x (Asm)*

+ (As1)*

x As,1

x (As2)*

x(As~)~,2 x - - . x

+ (As1)*

x As~

x (As2)*

x As,2

x . . . x (As~,~_l) . . . . . , x (As,,)*

+ (As1)*

x As~

x (As2)*

x As,2

x ... x As~,~_I

((As~)*)~I • As~

As~,,_,

x (Asm)*

x ((As,,)*)o,~

where (with an abuse of notation), for (ri = (sn~_l+l, s,~_1+2,..., sn~-l}, ((As,)*)~,

=

+ ( A s , ^ ( ~ _ l + l ) ) * x As~ x (As~^(~_l+2)) *

+ (As~^(~,~_I+~)) * x Ass x (As~^(~_~+2)) * x . . . x As~ x ( A s ~ ^ ~ , _ ~ ) ) * Figure 1

The reification given in [37] is as follows. Suppose the base well-partial-order has a reification [ [ : B a d ( A ) --~ a + l . Let (A*)~ denote the set ]_Ii ]-Ij Bij associated to E E B a d ( A ) . If we find an ordinal assignment [(A*)~[ to each (A*)~ so that I(A*)~[ > [(A*)~^(~)[ then the required reification is obtained by the mapping Z ~ I(A*)~I. The assignment satisfying this condition is given as follows: for each (A*)~ = I_Ii I-INBij we assign an ordinal by ](A*)~] = ~]~i ~ j IBiJ[ where 9 is a natural sum and | is a natural product. Further, to each multiplicand Bij is assigned an ordinal according to whether Bij has the form A s or (As)* by the following equation: [Bijl

=

f ~2wIsl

~ wwisI+l

if Bij is A s if B i j is (As)*.

141

[(A*)){ > [(A*))^O) [ is easily checked using the fact t h a t the ordinals of the form aY ~ are multiplicatively indecomposable. It is possible, however, to assign smaller ordinals. All t h a t is required for the assignment is t h a t [As[ is additively indecomposable, [(As)*I is multiplicatively indecomposable, and {As[ < [(As)*[. Therefore we can assign wlSl to A s and ar ~ to (As)* unless ISl is an epsilon number, in which case IAsl < I(As)*l fails. To handle this case, define an ordinal function ( )~ by the following: at

=

(ct-1

l:

+ 1

if a is finite if a = / 3 + n a n d / 3 is a limit, not an epsilon n u m b e r if ct = / 3 + n a n d / 3 is a limit, an epsilon number.

This function ( )t simply skips all epsilon numbers. T h e n a new assignment to the multiplicands B,j is given by the equation

[B~j I =

[wlSl*

~.w~lslt

Bij Bij

if if

is A s is (As)*.

3.3 L e m m a

The mapping Z ~ ](A*)~[ yields a reification Bad(A*) ~ a~~ t + 1 where a is the order type of the base well-partial-order A. [] In turn, to show t h a t these ordinals a3~ are exactly the order types of H i g m a n embedding, we must give linearizations yielding the same ordinals as those of reifications. If the order type of the base well-partial-order is not of the tbrm e~ + n, then the required linearization is given by the recursive p a t h ordering on m o n a d i c t e r m s (kachinuki ordering) [24,33,26]. T h e kaehinuki ordering is a linear ordering r- on the set A* of finite lists of a linear order A, the order K defined as follows: < s o , . . . , s,~-m) r- ( t o , . . . , t ~ - l } if and only if one of the following holds: (o) (i) (ii) (iii)

m=Oandn>O so = to, (81,...) F- ( t l , . . . } So -~t0, ( S l , . . . } C (t0,...} so ~- to, (s0,...} __ { t l , . . . )

In (iii), _~ denotes >- U = and likewise for _E. By calculation, one can show t h a t the order type of kachmukl ordering is the ordinal c~~ [33]. Hencet, except the case a = e-~ + n, the kachinuki ordering gives the same ordinal aY ~ as the one given by the reification. For the exceptional Case, we must create a n o t h e r linearization providing the m a x i m u m order type. If the order t y p e a of the base well-partial-order is an epsilon n u m b e r ~ , then the following ordering U ~ gives the required linearization: for a , v C A*, the order relations g c-~ T holds if and only if either [a] < [r[ or b o t h I~l = Iv[ and ~r is smaller t h a n r by lexicographic ordering, where ]~1 denotes the length of the sequence ~. T h e n the order t y p e of c-' is (e~) ~ = c~~ + ~ . For the case a = e~ + n + 1 (n >_ 0), by induction , we m a y assume there is an order i s o m o r p h i s m I" I~ from (A\{mA})* .

.

.

.

.

--

14-ct

142

~eT+n+l

to w , where mA is the largest element of the linear order A. Then the sequence c~ = (or1, m A , . . . , ak-1, mA, qk) of A* is carried to

I 1, §

Io11

--

+'"

+

+

I, kl ,

giving the order isomorphism from A* to w~+'~+~. Therefore the following lemma holds. 3.4 L e m m a

Higman embedding on A* has a linearization of order type W~ t order type of the base well-partial-order A. []

where a

is the

Theorem 3.1 is an immediate consequence of Lemmata 3.3 and 3.4. From this observation, we see that the order types IBad(A*)l of Higman embedding has gaps at epsilon numbers as well as all ordinals that are not multiplicativel.y indecomposable. In the following sections, we show how these gaps are filled by other algebras uniquely.

4

Algebra

Embedding

In his seminal paper [20], Higman studied the divisibility ordering on abstract algebras, and showed minimal algebras are well-partial-orders if the set of operators is ordered by a well-partial-ordering. In particular, if the number of operators is finite, the divisibility orderings are always well-partial-orders. Higman embedding is a special case of this general observation. Our definition of algebras is almost on the same line of the minimal algebras. We include the disjoint sum and the direct product to the definition of algebras. Moreover we allow a set of generators, if the set itself is an algebra. In short, the class of algebras is the smallest class generated from empty sets and singletons by the disjoint sum +, the direct product x, and the least fixpoint operator tt using one algebra variable. Following the definition of algebras and their terms, we will define a partial ordering on each algebra, called an algebra embedding. This partial order is exactly the divisibility ordering of Higman. So every algebra embedding turns out to be a well-partial-order [5,20]. Our goal is to calculate the order type of these algebra embeddings. From this calculation, one unexpected property is shown: for each ordinal less than ~ ( ~ , 0), there is an algebra giving the ordinal as the order type. In addition, such an algebra is unique up to isomorphism (Theorem 6.19). In Section 5, we give the upper bounds of the order types by providing reifications, and in Section 6, the lower bounds by linearizations. 4.1 D e f i n i t i o n Algebras are generated by the following rules:

143

0

i:1

A

B

A+B

X A

B

A•

A

#X.A.

Here i is the identifier of the singleton, and we impose on A + B and A • B the condition that all identifiers occurring in them are distinct. X is the only one algebra variable. This means in our setting only single recursion is allowed [] The intended meaning of the connectives defining algebras should be almost clear. For example, i : 1 is a singleton containing a unique i. We have only one algebra variable X, and so it is impossible to define a m a n y sorted algebra with mutual recursion. The extension to this direction allows us more complicated structures as the tree embedding with gap condition, and will be handled in a forthcoming paper. If all occurrences of the variable X are within the scopes of #-operators, then the algebra is called closed; otherwise open. Note that though we have only single recursion, there is no restriction to use an algebra already constructed as a part of another algebra, e.g., #X. X • (pX. X + (i : 1)) + (i' : 1).

4.2 D e f i n i t i o n Let A be an algebra. t is a term of sort A iff t : A is derived by the following rules: i:1

a:A m:A+B

b:B ~b:A+B

a:A b:B (a, b} : A x B a:~A

va: #X.A

(~] is the substitution [(#X. A)/X]).

To be precise, the first rule should be written i : (i : 1). Namely i is a unique element of the singleton algebra i : 1. ~ and ~' are injections associated to each pair of algebras A and B. (., .) is a pairing flmction associated to each pair of algebras A and B. And y is the constructor associated to each initial algebra ~X. A. [] 4.3 R e m a r k In the last rule, the substitution ~A should be done without renaming of identifiers. For example, if A is X + (i : 1), the substitution ~A yields (#X. X + (i : 1 ) ) + ( i : 1). This last is not an algebra in an exact sense, since there are common identifiers i therein. For simplicity, we call such objects also algebras. []

144

We omit identifiers of singletons 1 if the distinction of the occurrences are clear from the context. 4.4 R e m a r k If A is an initial algebra of the form # X . C1X TM + . . . CpXnp with closed algebras C 1 , . . . , Cp, then A is isomorphic to the set of terms generated b y the following BNF: n 1 copies

a

::=

constl(cl,a,...,a)

n p copies

[

...

[ constp(cp, a , . . . , a ) (ci is a t e r m of sort C~)

where c o n s t k is any symbol uniquely associated to the algebra A and the summand. To see the isomorphism, identify c o n s t k ( c k , a l , . . . , a ~ ) with "y o ~k(ck, a l , . 9 a ~ ) where "y is the constructor associated to A and ~k is the k-th injection of CkA ~k to C1A TM + ... + CkA TM + ... + CpA np. [] 4.5 E x a m p l e (i) Natural numbers N = ttX. X + 1. The terms of sort N are generated by the BNF n ::= succ(n) I z e r o . (ii) Finite lists of A, A* = # X . A X + 1. The terms are generated by the rule l ::= push(a, l) I emp where a : A. (iii) Finite lists of A entailed with B, A * B = # X . A X + B. The terms are generated by the rule I ::= push'(a, l) ] t a i l ( b ) where a : A and b : B. The terms of this sort may be written in the form ( a l , . . . ,ak;b) (k > 0). (iv) Binary trees B = #X. X 2 + 1. The terms are generated by the rule t ::= cons(t,t) lnil [] 4.6 N o t a t i o n Let s and t be two term, not necessarily of the same sort.

s C t denotes that s is a subterm of t in a usual sense, s may be equal to t. We write s C t if s is a proper subterm of t. [] Next we define an embedding on each algebra A. The properties of this embedding are the center of our interest. Among the rules in the following definition, the projection rule is important and makes the embedding correspond to the divisibility ordering of [20]. Other congruence rules are generally required to partially ordered algebras [20,16] (in [16] this property of preserving order is called isotony; also antitony occurs in ordered algebraic structures). 4.7 Definition The embedding 1)

F(~(--1 + o~2)+ a l , a o )

(~>__~3

F(J~n-lan + " " + f?a2 + cel,O~o)

Figure 3

I1] = 1 IA + BI = IAI 9 IBI (natural sum) IA • BI = IAI Q IBI (natural product) [t~X. X~C,~ + ... + XC1 + Col =

6

Linearization

g(S?~IC,~I + . . - +

of Algebra

F21Ct {+ ( - 1 + [C01))

D

Embeddings

In the last section, the upper bounds of order types of algebra embeddings are given by the well-ordering on the class of algebras. Namely for each algebra A the order type of Bad(A) is upper bounded by IAI, which is the ordinal corresponding to A in the well-ordering of the class of algebras. The lower bounds of well-partial-orders are given by linearizations, as seen in Preliminaries. In this section, we give a uniform way to linearize the algebra embeddings, called Ackermann orderings. We show for almost all algebras A an Ackermann ordering gives a linearization of order type IAf. For exceptional cases, a modification of the Ackermann ordering yields the order type IA}. Therefore the ordinals }AI are lower bounds of algebra embeddings as well as their upper bounds. So we derive that the order type of embedding of an algebra A is exactly the ordinal IAI. Ackermann orderings on algebras depend on the orders of summands and multiplicands. That is to say, if one exchanges the order of summands from A + B to B + A then the associated Ackermann orderings are in general different, and likewise for A x B. Given an algebra, therefore, there are several associated Ackermann orderings according to the permutations of summands and multiplicands. 6.1 C o n v e n t i o n In this section, + and • are non-commutative unless otherwise mentioned.

[]

6.2 D e f i n i t i o n Let A be a closed algebra where the order of summands and multiplicands is fixed.

156

T h e Ackermann ordering on A is the binary relation _ Y22 then ~(13) =

J" #(13+ 1) #(13)

I

if the lowermost coefficient of 13o is equal to It(13o) otherwise.

If 13 = [2"y and "y --- "/o + m where "Yo is a limit and m is finite, then

=

[

+ 1)) #(~)

g = It(13) otherwise []

Therefore A* ~ IAI happens only when either (i) A is of the form ~iX. X~C~ + . . . + X k C k + m (n >_ 2, k > 0 and m is finite) and Ck* = It(~'2nCn * "J-"" "~ J~kCk'~). Then IAI = It(s * + . . . + g?kCk* +

l+m). (ii) A is of the f o r m / i X . X(C1 + m) (m is finite) and C1" = I t ( ~ . C1"). In this case, IAI = It(J'2(Cl* + 1 + m)). In these cases, we must find other linearizations yielding the same ordinals as the upper bounds IAI. The most difficult is to manipulate the case k > 1 of (i). 6.16 L e m m a Let A be an initial algebra of the form fiX. B[X] + X k C + D (degree 2 or more, k > 1, C, D are closed, and B[X] may be void). I f A* = C* there is a linearization of the embedding , o, o} _ 2. There is an embedding-reflecting map from ttX. X '~+1 + 1 to T as easily seen. Hence Wpo(T) implies Wpo(pX. X ~+1 + 1) for all n, which in turn implies well-orderedness of p([/~, 0).

168

7.2 T h e o r e m

Well-partial-orderedness of the tree embedding on finite ordered trees is equivalent to well-orderedness of the ordinal ~( ~2~, 0). [] This theorem is first proved by Rathjen and Weiermann [30] for non-ordered trees. We do not claim our method is essentially different with theirs. We include our method here hoping that the the reader might feel the argument is simpler and having an intention to provide a guide to more general arguments for mutual recursion. We also give a brief description for another result on finite trees, which already appeared in the literature but can be simplified by our method. In [19], Gupta proved that well-partial-orderedness of the tree minor relation is equivalent to well-orderedness of the ordinal e0- The method in [19] is to associate regular expressions to trees and ordinals to regular expressions so that bad sequences with respect to the tree minor yield descending sequences of ordinals less than G0.

A finite non-ordered tree is a minor of another if and only if the former is obtained from the latter by several applications of edge deletion and edge contraction. We write s ~,~ t ifs is a tree minor o f t (equal to the relation ~,~ in [19]). This is the graph minor relation applied on rooted trees but respecting the orientation on the edges (rooted trees may be regarded as oriented graphs where the orientations on the edges are from roots to leaves). In the above, we modified the notion of subterms to obtain the tree embedding as the embedding on the algebra T. In Figure 5, we observed that if the notion of subterms is not modified then s embeds into t undesirably. However the reader might notice that s is a minor of t by contracting the rightmost edge from the root of t (s,t are ordered trees here). In fact, if we add the omitted rule of subterms

act aC

cons(t,f)

t:Tand

f:F

then a finite ordered tree s embeds into t by the algebra embedding ST if and only if s is obtained from t by several applications of two rewriting rules in Figure 6. Observe that the rule (i) is the combination of a single application of edge contraction and several applications of edge deletion, and the rule (ii) is a consequence of several applications of edge deletions. So fixing in some canonical way the order on the sets of immediate successors of all nodes in order to transform non-ordered trees to ordered trees, we easily see s "~T t (with the added rule above for subterms) implies s

y, t]

36 > 0(6
0(5 < e D -~3yA[~.(t + 5), y, t + 5]) D ~(t) = ~(t + e))) , abbreviated by Pa(A,~), is called the predicate of action, where A[~,vx, t] is an act, and ~ defined by it is called a locus of A. []

175

T h e cosmos is given solely by the predicate. Since the i n t e r p r e t a t i o n of every p r o g r a m is defined by the predicate, analytic semantics is simpler t h a n m a n y o t h e r verification s y s t e m s (eg. denotational semantics [16]). T h e notion of loci, characterized by t h e o r e m 5 below, is a generalization of t h a t of execution sequences of p r o g r a m s . And it must be noted t h a t acts are interpreted on some model and not treated formally in the strict sense. F r o m now on, we a d o p t nonnegative rational numbers as time values. D e f i n i t i o n 3. A set of rational n u m b e r s is said to be discrete if and only if there exists a positive 5 and it holds t h a t Ix - Yl > 6 for a r b i t r a r y distinct elements x, y of it. [] N o t a t i o n 4. T h e set of all nonnegative rational n u m b e r s and t h a t of all natural n u m b e r s are denoted by Q>_0 and N, respectively. For a strictly increasing sequence (uk)kEY of Q_>0 where V is the set N or an initial segment of N , and its greatest element, if exists, is denoted by A, a left continuous step function f such t h a t Y0 if 0 < u < u0, f(u)= Yk+lifuk0Auxl

=xlApX2=X2--1

. []

T h e sharping oprerator is used for the sake of convenience. As shown in the above example on the other hand, the sharped act has less nondeterminism. Hence, when we want to express a fully nondeterministic act, the o p e r a t o r is not used.

3

The

Locomorphism

D e f i n i t i o n 10. If A and B are two acts on the d a t a domains D and D', respectively, and (~, ~r) is a pair of functions with r from D to D ' and 7r from Q>O to Q>_O, then an act A restricted by a precondition p is locomorphic to an act B w. r. t. (r abbreviated by (r : Alp ~ B, if and only if 0 is a fixed point of 7c, ~r diverges and it is monotonic, namely,

(a)

:

0,vt3 ( (u)

>

t)

and

vtvu(t


0 is such t h a t ~rl(t) = 4t.

178

For the second, it is easy to see that the following ALGOL-like program with parallel assignment statements represents a solution to the puzzle: while z 7~ 5 do b e g i n W := 3; i f z + w > 10 t h e n ( z , w } := (O,z + w - 10};

(z, w) := 10 3 (uz, uw} = (O,z + w - 10}) A pl = 3 V l = a A (uz, uw) = (z + w,O} A ul = O), using the stage variable l. It is easy to see that M ~ is equivalent to N(t)A( l=0hzC5a(vz, vw}={z,w) Avl=l V l-= 1 A (vz, vw} = (z,3) A vl = 2 V l --- 2 A (z + w > 10 A (uz, vw} = (O,z + w - - 10) Vz+w__ 1 . []

For an act R[x, ux], R~[x,~,x] is actable at any time and its behavior is the same as the original act except for the actability. The act R~[x, yx] induces n-step execution of the original act. D e f i n i t i o n 14. Let R1,. 9 R ~ be acts, none of which contains the time variable t. Let a~ (1 < i < m) be a formula, called a spurofRi, such that the set {tlai(t)} is nonnegative, discrete and infinite and in which both x and y x do not occur. Let [m] be the set { 1 , . . . , m}. Then a system of parallel programs (R~)~e[,q with spurs (ai)ic[,~] is denoted by

al(t) T Rl[x, vx]

II... II

a~(t) T R,~[x, ux],

which is defined by the act of the form

(c) ( ( a l ( t ) A 3 y R l [ x ,

y] D ]~l[X, px])A...A(am(t)A~yll~m[X,y] ~ I~,rn[X , pX])) # []

It must be noted that a spur is a generalization of a scheduler. The program system expresses a multi-CPU with simultaneous executions of processes (cf. temporal logic). As for expression of parallel programs, the sharping operator is used for the sake of convenience. It saves us from writing a complex and complicated act shown as above. On the other hand, the expression of programs with spurs for sequential but nondeterministic processes is simple as follows. For an act T in which t does not occur, an act of the form b(t) A T[z, uz], where the formula b has the same conditions as those of the spur ai, is an act representing a sequential program T with a spur b. Here, T does not have the sharping operator since we want to express nondeterministic sequential processes (See example 6). In order to investigate loci of parallel program systems, and to prove theorems of the locomorphism, the notion of "quasi-traces" is introduced, which is similar to that of traces but more convenient.

180

N o t a t i o n 15. Two strictly increasing sequences (Sk)k~N and (~/k)kCN consist of all elements in { t l a l ( t ) V . . . Y a m ( t ) } and {rib(t)} , respectively. The set {ilai(Sk)} is denoted by Sk for each k. [] Intuitively, 5k means the k-th time at which at least one process of P1 is scheduled and ~k does that of P2. The set Sk is all processes of P1 scheduled at time 6k. P r o p o s i t i o n 16. Let P be an act representing a parallel program system with a scheduler (ai)iE[m]. For each locus & of P, there exists an infinite sequence (6k, xk)keN such that ~ = 0((Ok, ~k)kGN). [] D e f i n i t i o n 17. For a parallel program P, a sequence given by proposition 16 is called a quasi-trace of the act. When we are not interested in time value 5k, we call (xk)keN a quasi-trace of P. A quasi-trace of an act representing a sequential program is defined in a similar manner. [] Now we show a necessary and sufficient condition that a locomorphism exists between a parallel program system and a sequential program. D e f i n i t i o n 18. For a sequence (Ri)ie[m] of acts, R s t [ x , y ] is the formula

iES

where S is a nonempty subset of [m].

[]

Hereafter, P1 denotes an act representing a system of m parallel programs (Ri)ic[,~] with spurs (ai)~e[,~], P'2 one representing a sequential program T with a spur b, and x and z are the sequences of variables of/)1 and P2 on the data domains D and D r, respectively.

Note 19. For a locus ~ of/)2, if T is unactable on ~(t) at some t, then the values of ~ are unchanged after t, so that T is unactable also on 2(u) for any u greater than t. Note 20. The formula R Sk t # expresses the action of/)1 at k-th scheduled time 6k. A sequence (Sk, wk)keg, satisfying Rsk~#~[xk,xk+l], is a quasi-trace of/)1 because P~ Ix, y, t] is equivalent to Rsk t# [x, y] if t = 8k, and false otherwise. In a similar manner, a sequence (~k, zk)k~g satisfying T~[zk, zk+l] is a quasi-trace of/)2. T h e o r e m 21. Let a function r from D to D r and a formula Uo be given. For

each combination of spurs al,. 9 am and b, there exists a function 7r such that (~,, 7r) : P1 [Uo --+ P2 if Uk defined by (i) and r satisfy (ii) below, where Sk is defined in notation 15. The converse also holds, i.e., if (r : P1]Uo --+ 1)2 then (i) and (ii) hold for some (Uk)keu. (i) Ua+l[y] -: 2x(Uk[x] A RSk~#~[x, y]) every k e N,

(ii) VxVy(Uk[x] A Rs~l#~[x,y] D T ~ ~ [ r 1 6 2 every k ~ N, where n~ is some natural number depending solely on k, and ~ = 0 n~ = c~.

181

Proof. (4=) Let the function ~r be defined by 7c(t)

f 0 if 0 < t < 60, %~,~(~) if 5~ < t < 5a+1,

k where sum(k) is an abbreviation of ~ j = 0 nj. It is easy to see that the function 7r satisfies the condition (a). Assume that d~ is any locus of P1 such that U0[d~(0)] and (hk,xk)kcN is its

quasi-trace. Uk [xk] and R& t#~[x~, xk+l] for each k follow from (i). Let us show that for any initial segment (x0, x l , . . . , Xl+l) of (x~)keN there exists an initial segment (Zo, zl,..., zs~,~(0) of a quasi-trace of P~ satisfying r = zo and ~b(xk+1) = z .... (~) by induction on the length of (Xo,xl,...,xl+1). First, in case where the length is i, (~(xo)) is an initial segment of a quasitrace of P'2 since any values of suitable types can be initial values of P2. Next, let us assume that (zo, Zl, 9 9 9 z .... (0) is an initial segment of a quasitrace of P2, and that r -- Zsum(1). From (ii), (T~)n*+~[~(xl+1),r holds, so that there exist nl+1 - 1 elements (z .... (z)+1,..., z .... (1)+~z+~-1) and (Z0,

Zl,

. . . , Z .....

(/), Z . . . . . (/)§

9" 9, Z~um(0+n~+~--l, r

is also an initial seg-

ment. Therefore, it is concluded PI with the initial condition

by induction

that for any quasi-trace

(xk)k~N

of

Uo [x0], there exists a quasi-trace (z~)kcN of P'2 and ~b(xk+I) = z~,~(k) for each k > - 1 . Hence, the step flmction ~: = t?((~, zk)~N) is a locus of P~ and it holds that r = ~:(7c(t)). ( ~ ) It is easy to show from (i) that, for any w satisfying Uk[w], there exists a locus d~ of P1 such that U0[d:(0)] and d:(ak) = w. Let 5: be such locus and k be the image of it by the locomorphism, then it holds that Rs'~:t # ~ [d~(~), d:((~+~)]. Following the locomorphism, g,(~(~)) = k(~r(~)) and r = k(~r((~+~)) hold. Let the time 3% be the first time such that b(7,-,) holds after 7c(5~), and let the time 7~:+~ satisfy the analogous conditions, i.e., it is the first time after 7c(~+~) that b(%~:+~) is true. T h e n (T~)n~[z(3/r~),2;(Trk+x)] holds where n~ is r~+~ - r ~ , n~ depends on only (ai)ie[,q, b and 7c, and it is independent from the choice of w. Next, we show that sum(co) tends to infinity. Assume sum(oc) < oe. Then na is 0 for any j greater than some k, which implies 7r(~y) = 3% = %~ = ~r(5~), which contradicts (a). Hence, sum(oe) tends to infinity. []

Note 22. As shown in example 4 below, the formula Uk may be given by the parameter k in practice. Note 23. The sufficient condition of theorem 21 is still correct without changing the proof even if the definition (i) is replaced by vxv

( G [x] A Rs,. t #

Hence, the following corollary also holds.

y] > G +1 [y])

182

C o r o l l a r y 24. For each combination of spurs a l , . . . , a m and b, there exists a function ~ and (r r) : P1 ]U --* P2 if a formula U and a function r from D to D' satisfy (i') and (ii') below for each nonempty subset S of [m].

(i') VxVy(U[x] A n s t # [ x , y ] D U[y]) . (initiality) (ii') VxVy(U[x] A R s ~#~[x, y] D T ~ns[r

(continuability)

r

O0

where ns is a natural number depending solely on S, and ~ k = 0 nsk = oc.

[]

Remark. If ns _> 1 every S, the last condition can be omitted. The following theorem for two sequential programs also holds, and the proof is similar to that of theorem 21. T h e o r e m 25. Let 1'1 be a sequential program T1 with a spur a and P2 be T2

with b. Let D1 and D2 be data domains of 1'1 and P2, respectively. Let a formula Uo be given. Then for each combination of spurs a and b, there exists a function such that (r : P1]U0 --* P2 if and only if a sequence of formulas (Uk)keN defined by the definition obtained (i) by replacing Rsk t# by T1 and a function %bfrom D1 to D2 satisfy the condition obtained by replacing R$ k ~# by T1 and T by T2 in (ii). [] It must be noted that corollary 24 for two sequential programs also holds if its conditions are modified similarly to theorem 25.

4

Examples

Example 4. Let us assume that the domain of every variable is the set N. Consider the following 2 acts, each of which computes n 2 or m 2, respectively: P1 :: a(t) A Tl[n,i,s;vn, vi, vs],

and

P2 :: b(t) A T2[m,r,u,j,l;vm, vr, vu, vj, vl],

where Tl[n,i,s;vn, vi, vs] is (i < nAvi = i + l h v s = s + n ) #, and T2[m,r,u,j,l; ~m, ~r, vu, ~j, M] is

(

l=O Ar<mAvl=l Avr=r+'lAvl=2 Y I=2 A(j2r-lAvj=lAvl=O)) V l=l

The original programs are as follows:

PI: while i < n do begin i:=i+1;

s:=s+n end;

# .

183

and P2: while r < m do begin r:=r+l; w h i l e j ~ 2r - 1 d o b e g i n j:=j+l; u:=u+l end; j:=l end .

Let the formula Uo[n,i,s] be given by (i,s) = (0,0} and the function r : (n,i,s) ~ ( m , r , u , j , l ) be defined by { m , r , u , j , I ) = (n,i, i2,1,0). Assertion

26. r22r+4[m, r, u, 1,0; m, r + 1, it + 2r + 1, 1,0] holds if r < m.

Proof. If r < m , it is easy to show t h a t (1) T22[m, r, u, l, 0; m, r + 1,u, 1,2]. A s s u m e r t is a positive natural number. Then it is trivial t h a t Te[m,r', u,j, 2; m , r ' , u + 1,j + 1,2] if j n. T h e n i is n by Uk and hence 2'2 is unactable. Since T1 is also unactable on r n, s), the condition (ii) holds. Therefore, (r : PllUo -~ P2 for some ~r. []

Example 5. Consider the following 2 acts Pz and P2, each of which c o m p u t e s n!: P1 :: a(t) A T l [ x , y ; u x , py], P2 :: b(t) A T2[z,w;uz, uw], where Tl[x,y;x',y'] is x >_ 1 A x ' = x - 1 A y' = x . y and T.2[z,w;z',w'] is z _< n A z ~ = z + 1 A w t = z . w , respectively. Let the functions r : (x, y} ~-+ (z, w} and r : (z, w} ~-+ (x, y} be such t h a t (z,w) = (n - x + 1, Pl " (n - x)!) and (x,y) = {n - z + 1, p2/(n - z + 1)!), respectively, with p a r a m e t e r s Pl, P2, and let U[x,y] be N(x) A N(y) A x where n{1} = n{2} = 1 and n{1,2} = 2. Hereafter, { 1 , . . . , n } denoted by (r

(r

is

Assume t h a t U[x, y] and R{1}*#[x, y; x', y'] hold. Since c~(x)- oz(y) = 1, we have (~b(x, y))~ = 1 and (~b(x', y'))v = c~(x + 1). Since (~p(x, Y))w, namely {x + 1 . . . . ,y - 1}, is nonempty from x + 1 < y, we choose x + 1 for z in T and then it holds that (r + {x + 1} = (r Hence, T[~(x,y),r holds. T h e formula (1) in case where S = {2} is proved in a similar manner. Let us assume that U[x,y] and R(1,2}*#[x,y;x',y']. Trivial, ( r = 1. T h e assumption implies that (r is nonempty, so that b o t h x + 1 and y - 1 are elements of the set. Let us consider 2 cases where x + 1 5~ y - I and x+l=y-1. Case l : x + l 7~y-1. Sincex+l y, and that of P2 is v r 1 V { 1 , . . . , n} - W = 0. From proposition 11 , the following facts are obtained. A s s e r t i o n 30. If P2 terminates, then P1 also does. A s s e r t i o n 3 1 . If (v,W) = (1, q~} {P2} v = l~in__la(i), then 1) {P1} o~(x), c~(y) 1-Ii~l c~(i).

[]

(x,y) = (O,n + []

Assertion 31 says the following. Let both P1 and P2 start with the expected values. Then that P1 finds a(i) = 0 for some i and either c~(x) or c~(y) is 0 for the output values (x, y) is derived from that P2 also finds c~(i) = 0 and the output value of v is 0. 5

Discussion

We have introduced the concept of locomorphism and have given useful theorems to derive it. Locomorphism is an extension of "homomorphism" of programs and one of their "simulation" discussed by McCarthy, Milner, etc., in late 1960's. There can be some relationship between the locomorphism and the "refinement" discussed by Lamport [7]. We can verify specifications of a parallel program if we investigate the images of the locomorphism. We can also investigate relationships between two parallel program systems if we verify those between corresponding "image" programs. To investigate the related works, Petri nets and event structures do not treat the change of program variables. Therefore actual programs are not easily verified in these system. Comparing them, locomorphism deals with the change of values of variables directly, hence the behavior of programs is esasily investigated. Manna and Milner's system [9] has an idea similar to ~-conversion, but it is too complicated to verify parallel programs. On the other hand, equivalence and locomorphism are either impossible to define on temporal logic, or difficult if possible. Although we assumed a spur to be infinite for simplicity, Theorem 21 in section 3 holds even if they are finite but large enough for processors to execute, so that in fact, conditions (i) and (ii) are still sufficient to derive the locomorphism in example 6 if each spur has at least n elements.

187

References 1. Hoare, C. A. R.: Communicating Sequential Processes, Prentice-Hall International, 1985. 2. Igarashi, S.: An axiomatic approach to the equivalence problems of algorithms with applications, Rep. Comp. Centre Univ. Tokyo, 1 (1968), pp. 1-101. 3. Igarashi, S.: The ~-conversion and an analytic semantics, in R. E. A. Mason (ed.), Inf. Proc. 83, Elsevier Science Publishers B.V., IFIP (1983), pp. 769-774. 4. Igarashi, S., Mizutani, T. and Tsuji, T.: An analytical semantics of parallel program processes represented by v-conversion., TENSOR, N. S., 45 (1987), pp. 222-228. 5. Igarashi, S., Mizutani, T. and Tsuji, T.: Specifications of parallel program processes in analyticM semantics., TENSOR, N. S., 45 (1987), pp. 240-244. 6. Kr6ger, F.: Temporal logic of programs, Springer-Verlag, 1987. 7. Lamport, L.: What good is temporal logic?, in R. E. A. Mason (ed.), Inf. Proc. 83, Elsevier Science Publishers B.V., IFIP (1983), pp. 657-668. 8. Loogen, R. and Goltz, U.: Modelling nondeterministic concurrent processes with event structures, Fundamenta Informatieae, X I V (1991), pp. 39-74. 9. Manna, Z. and Pnueli, A.: Completing the temporal picture, Theor. Comp. Sci, 83 (1991), pp. 97-130. 10. Milner, R.:Communication and Concurrency, Prentice-Hall International, 1989. 11. Mizutani, T., Hosono, C. and Igarashi, S.: Verification of programs using t,definable acts, Computer Software, 2, (1985), pp. 529-538 (in Japanese). 12. Mizutani, T.: An analytical equivalence theory of programs with applications., Ph. D. thesis, Univ. Tsukuba, 1987. 13. Mizutani, T., Igarashi, S. and Tsuji, T.: An analytical equivalence theory of computer programs, in A. Dias, J. Echevererria and A. Ibarra (eds.), International symposium on structures in mathematical theories (1990), pp. 199-204. 14. Moszkowski, B. C.: Executing Temporal Logic Programs, Cambridge Univ. Press, 1986. 15. Olderog, E. -R.: Correctness of concurrent processes, Theor. Comp. Sci., 80 (1991), pp. 263-288. 16. Soundararajan, N.: Denotational semantics of CSP, Theor. Comp. Sci., 33 (1984), pp. 279-304. 17. Takeuti, G.: Two applications of logic to mathematics, Princeton University Press, 1978.

A n a l y s i s of a S o f t w a r e / H a r d w a r e S y s t e m by Tense A r i t h m e t i c Kohji T O M I T A 1, Takashi T S U J I 2 and Shigeru I G A R A S H I 2 1 Mechanical Engineering Laboratory, AIST, MITI Namiki 1-2, Tsukuba 305 JAPAN 2 Institute of Information Science, University of Tsukuba Tennoudai 1-1, Tsukuba 305 JAPAN

In this paper we analyze a program of a software/hardware system using explicit rational time. The analysis is based on v-conversion, which interprets programs with rational time, and tense arithmetic. As a typical example we adopt a kind of bounded buffer problem, in which a producer sends data to a consumer with a bounded buffer, but the producer cannot examine status of the buffer. How to send data as fast as possible without overflowing the buffer is a problem. Properties of a program of the system are analyzed and safety conditions that the buffer does not overflow are obtained. Abstract.

1 Introduction Many systems to describe and reason about properties of parallel programs have been proposed. Most of them are based on one of the following three methods. The first is Hoare logic [4] extended for parallel programs [16,17,2]. The second is temporal logic [13,12]. The third is process algebra such as CSP [6], CCS [14,15], and so on. As for treatment of explicit time, most of these systems do not treat it a priori. But treatment of the explicit time :is indispensable to describe and reason about properties of parallel programs, especially in cases for describing executions that wait for some prescribed time, or re-sending of data due to communication errors. Thus, for that purpose, they must be extended. Calculus of duration [I] and a system by Pnueli and Harel [20] are examples of extension of temporal logic. But formulas in temporal logic are rather intended for excluding explicit time from their representations. Time dependent properties are expressed using temporal operators. Thus such extensions do not seem to be suited well. Moreover many of such systems assume interleaving execution of parallel processes. On the other hand, u-conversion 17] deals with explicit rational time by using one special variable t which represents time in an interpretation named cosmos. Allowing the time variable, many properties can be expressed in quite a natural manner. u-conversion converts formulas of mathematical theory into u-definable acts (or u-acts, acts). A u-act can be regarded as a generalized program, and its semantics is defined on formal logic. Using u-conversion, we can describe, analyze and verify properties of programs rigorously and uniformly.

189

Moreover a system based on u-conversion has the following advantages. First, it can prove axioms and inference rules of other systems, so that it is more general t h a n others [7]. Second, it treats u-acts, which are quite general representation of programs in some sense. By deciding on translation rules from p r o g r a m m i n g languages to u-acts, analysis or verification of different programming languages can be accomplished uniformly. Thus the system based on u-conversion does not depend on a so called programming language. An example of translation of programs in CSP [5] to u-acts is presented in [3]. Moreover, equivalence of programs, called locomorphism, has been introduced, and a verification method based on locomorphism has been developed [18,19]. Finally an interpreter which executes (a significant subset of) u-acts as programs has been implemented [11]. In this paper we study a typical example of parallel programs using explicit rational time, used to show that u-conversion enables natural and rigorous analysis of such programs. It is a typical example, and a similar method can be applied to other parallel programs. Moreover, the analysis are performed within the language of tense arithmetic [10], by introducing 'explicit' or concrete time terms in order to 'readably' cope with the problem discussed. The example we use in this paper is a variation of a bounded buffer problem, and we call it a real time problem on programs. The program is composed of two processes: one is a producer and the other is a consumer. The consumer process has a bounded buffer but the producer process can not examine whether the buffer is full or not. The problem is to send data as fast as possible without overflowing the buffer in such a configuration. For that purpose, the producer process has to know the processing time of data by the consumer process. Such situation can occur in one-way communications or in the case where communication time is so large that examination of the buffer is not practical. But such situation has not been analyzed enough. In section 2 we give some definitions concerning u-conversion. In section 3 we describe tense arithmetic. In section 4 we show the rational time problem in detail. In section 5 we analyze the program using u-conversion and derive two safety conditions. In section 6 we analyze it using tense arithmetic. In section 7 we conclude the paper. 2

u-Conversion

In this section, we give some definitions concerning u-conversion [7] necessary for this paper. D e f i n i t i o n 1. Let the language of T, L(T). We call ux a by substituting at u-definable act (or

T be a system of mathematical theory (e.g. FA [22]), T(L) be and x, y, z , . . . be metavariables representing fl-ee variables of qualitative. For any formula A of L(T), an expression obtained least one qualitative in place of free variables in A is cMled simply u-act or act). This operation is called u-conversion.

Hereafter, [ ] following a formula represents an occurrence or a substitution.

190

t~-acts have several interpretations. The simplest one is the p r i m a r y interpretation or 'oncer' interpretation. Intuitively, under this interpretation, A[x, ~,x] represents an action which changes the present state to a new state so that the new value of x is represented by gx, where a state is an assignment of values to free variables, and x is an abbriviation of X l , . . . , xn. More precisely it is defined as follows: D e f i n i t i o n 2. Let M be a model of L(T), L(M) be a language which is obtained by extending L(T) so that names of all elements of the universe of M are included as constants. We denote that a formula F of L(M) is true in M under an assignment a by r ~ F. The primary interpretation of A[x, ~,x] in M is as follows. Let c~ be the present state. -

If a ~ 3yA[x, y] then A is said to be actable. In this case, an element ~ of the universe which satisfies a ~ A[x, ~] is chosen. Then the next state is an assignment which is obtained from a by changing the assignment of x to ~. - If ~ ~ -,3yA[x, y] then A is said to be unactable. In this case the next state does not exist.

For example, an act vx = y & ~y = x swaps the values of variables x and y under this interpretation, and an act c & AV-~c & B corresponds to a conditional statement "if c t h e n A* else B*", where A* and B* are programs corresponding to A and B, respectively. Another interpretation, called cosmos, is given by the predicate of action. D e f i n i t i o n 3. The predicate of action, Pa(A, 5), is the following:

Vt Vs > 0 ((3y A[5(t), y, t] D 3 5 > 0 (5 < ~ & A[5(t),5(t+5),t]))

&(VS>_O (5 < ~ D -~3yA[5(t + 5 ) , y , t +5]) 5(t) = 5(t + ~))) 5 is a sequence of higher order variables corresponding to x, and 5(t) means values of variables x at time t. We denote 5(t) simply by x(t) when there is no possibility of confusion. The variable t is a special variable representing time and its domain is the set of nonnegative rationals. We call a value of 5 satisfing Pa(A, 5) a locus of variables x of act A. Intuitively, this predicate means that an act is executed, under the oncer interpretation, in an infinitesimal time interval when actable, and that the values of variables are kept unchanged during the act is unactable. If the set of t satisfying 3yA[5(t),y,t] is discrete, then 5 is a step function continuous to the left. In this p a p e r we assume acts are interpreted by the predicate of action. Moreover, we assume that values of variables are kept as far as possible. It is called the least action principle. An act A #, defined later, obtained from A is

191

similar to A but it preserves the values of variables as far as possible under some decided order of variables, so that the least action principle is satisfied. In addition, the values of variables change when it acts. Thus change of value means t h a t an action must have occurred. D e f i n i t i o n 4. For a formula A[x, y], A # is defined as follows. We define A by fit =_ A n, where

A 1 =- A & (3y2"'" 3ynAyl [xl] D xl = Yl), A 2 =- A & A 1 A ( 3 y 1 3 y 3 . . . 3 y n A l y 2 [ x 2 ] D z 2 = y 2 ) , A n =- A & A 1 & ... ,g= A n-I ,g= (~yi ... 3y~_~An-~y. [Xn] D Xn = y~) 9 We define A # [ x , t,x] for A by V x V y ( A # [ x , y] - ~ z ( A [ x , z] & z r x) & A[x, y]). In the definition, A is equivalent to A except that the values of the maxim u m number of the leftward variables among x ~ , . . . , xn are preserved whenever permitted. For an act R[x, ~x, t] and a unary predicate a, (a(t) D R) # is an act which is obtained from R by restricting the time when it is actable so that R acts only at the time when a(t) holds. Such a(t) is called a spur for R, if the set of t satisfying a(t) is discrete. Usually we suppose that an act R represents an essential algorithm (which corresponds to a usual program) not containing scheduling information. Besides the interpretation of (a(t) D R[x, ux, t]) # by P a corresponds to the execution of act R under a scheduler a(t). Thus, it is often the case t h a t an act interpreted by P a includes an abstract execution system such as a scheduler. D e f i n i t i o n 5. a(t) T R II b(t) T S is defined as follows:

((a(t) (b(t)

t]

R[=, .=, t])

3yS[=,y,t]

Intuitively, it represents an act which executes acts R and S concurrently under spurs a(t) and b(t) respectively and satisfies the least action principle. The interpretation corresponds to an execution of a parallel program composed of two processes: one process corresponds to R and is executed when a(t) holds, and the other process corresponds to S and is executed when b(t) holds9 We can treat programs using explicit rational time in a natural and uniform manner in the system based on the v-conversion. In order to prove some property P of a program, it is sufficient to prove that any locus of the program (more precisely, an act corresponding to it) interpreted by Pa satisfies P. In the case of a program which contains explicit time, the program contains the variable t representing time, and we must represent values of variables at different times. Even in such cases, we can treat them uniformly9

192

3

Tense

Arithmetic

Tense arithmetic is based on rational number theory, and deals with time as a rational value. It is a generalization of the usual first-order predicate calculus with certain modification of terms so as to include time terms of the form either (i)eJA, (ii)e;A or (iii)]'A, where A is a logical formula and e is a (time) term. T h e expression e I A means intuitively the infimum of the set of times when A holds, at or after the time represented by e. If the set is e m p t y then eJA = e - 1, and if the infimum does not exist as a rational value then eJA = e - 2. The expressions ]'A and e; A mean intuitively the infimum of the set of times when A holds, after an observation time (or a current time), and after e, repectively. Thus ~'true means the currnt time, where true denotes the ever true predicate constant. The axiom for e] A is given by

3x.B[x] & 3q(I[q,B] & eJA = q) V 3x.B[x] ~ -,~q.I[q,B] & e]A = e - 2 V -,3x.B[x] & eJ A = e - 1 ,

where

B[x] = e < x &: A= , I[y, F] =- L[y, F] & Vz(L[z, FI 3 z < y ) ,

L[y, F ] - Vz(F[z]

y < z),

A, - xjA = x & (3e(r > 0 &V6(0 < 5 < e D x + S J A # x +5)) V(3c(r > 0 & V~(0 < ~ _< r D x + ~JA = x + 5)) & xJ-,A # x)) .

Intuitively, I[y, F] and L[y, F] mean that y is the infimum and a lower bound of the set {x I Fix]}, and if the t r u t h value of A is a step function of time, Ax means that A is true at time x. e; A is given in a similar manner to eJA except that e < x & A= is used instead of B[x]. TA is defined by TA =Ttrue; A. Let T be a (first-order) mathematical theory. We add new predicate constants called spurs a,/3, 7,. 99to the language of T, so that we obtain an extended theory T(a,/3, % . . . ) adding a few axioms described later on. A spur intuitively means a drive, control, or scheduler for parallel processes. For instance, suppose P1//['2 stands for the concurrent programs P1 and P2- We associate two distinct spurs a and/3 with them, and assume that P1 is moved 1 step by each a; and similarly for P2, by each ft. In accordance with the general framework for interpretation described below, a spur a as a predicate constant will be sent on to a discrete set of rationals (as time) denoted by Sa. Thus P1 will move 1 step further consecutively at

193

t = 1.1, 1.2, 1.3 if a n d only if {1.1, 1.2, 1.3} C S~ a n d {7 I 1.1 < ? < 1.2 or 1.2
m + 1) are undefined.

~--- (X), and

D e f i n i t i o n 8. tk is defined as follows for k > 0: k

tk=Tm+

E

h(i)

i=Xm+2

for m which satisfies Xm < k 0: t~ = tl + & ( t l ) , t~ = max{tk + Ab(tk), t'k--1 + g(Xk'l) + Ab(t~_l + g(Xk-1))}, for k > 1

197

Then we define Tj and X5 which represent the time that the computer sends the next data after the buffer becomes empty for the j t h time and the value of variable x (and thus y), respectively. D e f i n i t i o n 10. T~ and X5 are defined inductively as follows: 1. T~ = tl and X~ = X0 (= 0). 2. If there exists n(> Xj) which satisfies

tn+l q- Z A b ( t n + l )

ttn+l =

,

then ~r;+ 1 = tn+l, Xj+ 1 = n,

for the least such n. Otherwise T~+1 = oo, Xj+ 1 ' = oc, and T'j, X ' j ( J > j + 1) are undefined. Then k-1

t~ = Tj + ~b(Tj) +

Z

(g(xi) + ~b(t'i + g(x~)))

i=Xj+I /

!

holds clearly for j which satisfies X j 0). Pro@ From the facts that 2 and ~) are increasing functions (see Appendix B) and ~) is left continuous, (1) is equivalent to 2(t~) _< ~)(t~) + N for any k(> 0), which is equivalent to t~(t~)+l < tk+N. Because t~(t~.) < t'k >_0

i=X}+I

holds for any j , m such that X.~ < k + N 0). There are many loci which satisfy this condition. Here we consider safety conditions in two cases, one is that the computer is fast enough and the other is that it is slow.

Case 1. Firstly, we assume that the computer is fast enough, more precisely max h(i) < min g(Xi)

(3)

holds. In this case, we can easily show that Vj3iT~ = Ti (see appendix C). Intuitively, it means that the buffer becomes empty only when the computer is waiting. Let T~ = Te. Moreover we assume that the computer waits when it sends more than N data, more precisely N . min f(xi) >_c

(4)

holds. Then we can obtain k < Xm, therefore, for n which satisfies Xn < k _< Xn+l,

tk+N -- t~k =

E

j=g

Exj+l,X

i +i

E (9(XO+Ab(t +9(XO))

i=Xj +1

'

k--1

+Ex.+I,X.+I + Aa(T~ + EX.+I,X.+I) -

E

i=Xn +1

(g(Xi) + Ab(t~ + g(Xi)))

Xm-1

+

E

k+N

(Ex~+I,X~+~+Aa(Tj+Exj+I,X~+~)) +

j=Xn+l+l

E

i=Xm+2

h(i)-Ab(T;)"

Clearly it is sufficient that Xj+l

Exj+I,xj+I >_ E

(g(X~) + dz)

i=Xd+I

holds in addition to condition (4), where dz = max Ab(t). Intuitively it means that the time of computation of data by the computer is larger than the time necessary for graphic display. Especially, it holds when

f(xi) >_g(Xi) + d~ is satisfied. Consequently we obtain the following proposition.

(5)

199

P r o p o s i t i o n . A sufficient condition that the buffer does not overflow is (4) and (5) when the computer is fast enough, i.e. (3) holds. The condition corresponds to the normal design of the program: while sending at most N d a t a the computer waits for more than the time necessary for displaying them.

Case 2. Next, we consider another case, i.e. the computer is slow enough. More precisely, we assume the following two conditions: if 9(X~) >__c then i = 1 and f ( x 1 ) >_ 9(?(1) ,

(6)

if 9(Xi) < c then 9(Xi) + d~ 0), where gm = max{g(X~) ] g(X~) < e} (see appendix D). Thus we obtain the following proposition. P r o p o s i t i o n . When the computer is slow enough, i.e. (6) and (7) hold, the buffer does not overflow if N - m i n h(i) > g,~ (8) holds.

Proof. t~+ N - t~ >_ tk + N . rain h(i) - t~ >_ N . min h(i) - (g-~ + Z~b) ~---0.

[]

The reason why the buffer did not overflow in the actual problem seems to be that it was similar to the second case. Of course the condition that we have sent only finite sequence of commands also affected the actual p r o b l e m . It seems somewhat strange that the computer is slow compared to graphic output. It is because computation time involves waiting time for scheduling and the channel. Due to methods of scheduling or buffering, the computer has to wait too long and thus computation time can become large.

6

Analysis

by Tense

Arithmetic

In this section we represent and analyze the program using tense arithmetic. More precisely, analogues of definitions in section 5 such as tk and t~ are obtained from the specification of the program using representations in tense arithmetic, and a similar analysis is performed in usual mathematics. At first, to express the delay of communication eo explicitly, we use an additional variable x' instead of x in P r o g r a m 2. x / varies in accordance with x except that it is delayed for e0 so that x' - y represents the number of d a t a in the buffer. Thus we can simply denote the overflowing state by x r - y > N. Then let c~ and 3 be spurs of P r o g r a m 1 and P r o g r a m 2, respectively. Assuming a frame axiom, specification of the program is given as follows:

200 (i) oo~, 0 / 3 , (ii) P o & - ~ a &

Ta=OD [ a { P t & s = c & u = "

-c},

(iii) P, & ~a & Ta{P2} , (iv) P2 &-~ce& ta{s < c & ea v s >_c& P~} ,

(v) e~ ,~ ~

a t~ = o Ta{P~' & s "- (0 - t) v

~& px=x+l ~z pw[px] = X x + l ~ : P s = f ( X x + I ) & p u = t & P C = 1 V C = 2 & s < c & ux = x + 1 & vw[vx] = X~+I & us = s + f ( x ~ + l ) & pC = 1 and the initial conditions are ~(0) = 0 and 2(0) = 0. In the act, C is a label variable, and C is a part to compute the ( x + l ) s t d a t a Xx+l, and after computing, it changes the value of C from 1 to 2. In this case, h(i) is written as follows: h(1) = max{t I 2(t) = 0 & ~(t) = 2} - a0, where a0 satisfies a(ao) & Vt(a(t) D t l.

205

Appendix B We are to prove t h a t ?) is a monotonic increasing function which satisfies P a ( a ( t ) T W II b(t - eo) T R,&), but we consider the case in which only R is executed for simplicity. Intuitively it can be justified because act W does not affect the variable y. But formally a similar proof is necessary. Let R' be (b(t) & 3 y R [ x , y, t] D R[x, , x , t]) #. From the difinition of # ,

R' - b(t) & x > y & v < t ux = 2c & uy = y + l & uv = t + g(~v[y]) . For any & such t h a t P a ( R ' , ~ ) , if R' is actable at time t, more precisely, if 3yR'[&(t), y, t] then R'[3c(t), &(t+0), t] from the definition of Pa. Hence ~)(t+0) =

9(t) + 1. If V5 _> 0(5 < e D -,3yR'[&(t + 5 ) , y , t + 5]), i.e. if it is u n a c t a b l e from time t to time t + e, then clearly 5:(t) = 5:(t + e) holds and thus ~)(t) = ~)(t + e). Therefore ~) is increasing. It can be shown easily by existence of a l o c o m o r p h i s m from a(t) T W II b(t) T R to N ( t ) & py = py + 1, where N is a predicate indicating n a t u r a l numbers. Appendix Proposition.

C

If (3) holds then V j ~ i T j = Ti holds.

Proof. T h e proof is by m a t h e m a t i c a l induction on j. Clearly Tg = 11 = T0 holds for j = 0. Suppose it holds for j = g and let T[ = Ti. We can assume T~+ 1 = t,~ for some m. Then t ~ - 1 + g(X .... 1) < t,~ holds because t,~_~ + ! g ( X , ~ - l ) < t,~_1 + g ( X ~ - I ) V[e] ~- F'[e'].

L e m m a (eval):

3

The

3.1

Syntax

and

Semantics

of the First-Order

Theory

S y n t a x of F o r m u l a s

The atomic formulas of our language assert the operational equivalence of two expressions. In addition to the usual first-order formula constructions we add contextual assertions: if ~ is a formula and U is a certain type of context, then UI[4~]] is a formula. This form of formula expresses the fact that the assertion holds at the point in the program text marked by the hole in U, if execution of the program reaches that point. The contexts allowed in contextual assertions are called univalent contexts, (U-contexts). The class of U-contexts, U, is defined as follows.

Definition (lg): = {.} +

et{x :=

The well-formed formulas, W, of (the first order part of) our logic are defined as follows:

Definition (W): w =

---

+ (w

w) +

+ (vx)(w)

233

We let q5 range over W. Negation is definable, -,~ is just 9 ~ F a l s e , where F a l s e is any unsatisfiable assertion, such as T = Nil. Similarly conjunction, A, and disjunction, V and the biconditional, ~ , are all definable in the usual manner. We let ~ e abbreviate -~(seq(e, . ) [ F a l s e ] ) and 1}e abbreviate its negation. Note that JI e expresses the computational definedness of the expression e. Given a particular U, for example l e t { x := ink(v)}., we will often abuse notation and write l e t { x := mk(v)}[(~5] rather than ( l e t { x := mk(v)}.)[g}~. Thus we write -~seq(e, [False[) rather than -~(seq(e, .)[False]). Note that the context U will in general bind free variables in ~. A simple example is the law which expresses the effects of ink: (Vy)(let{x := mk(v)}[~(x ----y) A c e l l ? ( x ) ~ T A get(x) -~ v[) For simplicity we have omitted certain possible contexts from the definition of llJ. However those left out may be considered abbreviations. Two examples are: (1)

if(e0, ]4~0], Ir

abbreviates

l e t { z := e0}[(z E N i l => qbl) k (~(z ~ Nil) => qb0)~

z fresh.

(2)

v~(e0,..., e,~, U[[~, e,~+,,...) abbreviates s e q ( e 0 , . . . , e,~, U[~]) In order to define the semantics of contextuM assertions, we must extend computation to univalent contexts. The idea here is quite simple, to compute with contexts we need to keep track of the let-conversions that have taken place with the hole in the scope of the l e t . To indicate that the substitution is in force at the hole in U we write U~r]. Computation is then written as F; U~r] ~ F'; U'la'] and is defined in full in [10]. For example if x is not in the domain of a, then

3.2

Semantics of Formulas

In addition to being a useful tool for establishing laws of operational equivalence, (ciu) can be used to define a satisfaction relation between memory contexts and equivalence assertions. In an obvious analogy with the usual first-order Tarskian definition of satisfaction this can be extended to define a satisfaction relation

v b The definition of satisfaction F ~ r structure of 4i.

is given by a simple induction on the

D e f i n i t i o n ( F D ~[~]): (VF, ~r, r e5) such that FV(~ ~) U FV(ej) _c Dora(F) for j < 2 we define satisfaction: /r. ~ (eo -- el)[O] C ~ (4% => ~l)[a]

iff (VR C aDom(V))(V[R[e~]] ~ F[R[e~]]) iff

( r b ~0[a])

implies

(V D ~1[0"])

F ~ V[~[~r]

iff

(VF',R,a')((F; V[o'[ ~ F';R~o"[)impliesF'~ ~[a'])

C b (Vx)r162

iff

(Vv 9 VDom(V))(F b ~5[cr{x := v}])

234

We say that a formula is valid, written ~ r if F ~ 4~[a] for F, ~r such that FV(qSr _CDom(F). Following the usual convention we will often write q5 as an assertion that 9 is valid, omitting the ~ sign. Note that the underlying logic is completely classical.

3.3

C o n t e x t u a l A s s e r t i o n Principles

The theorem (ca) provides several principles for reasoning about contextual assertions: a simple principle concerning reduction contexts; a general principle for introducing contextual assertions (akin to the rule of necessitation in modal logic); a principle for propagating contextual assertions through equations; and a principle for composing contexts (or collapsing nested contextual assertions); a principle for manipulating contexts; three principles demonstrating that contextual assertions interact nicely with the propositional connectives, if we take proper account of assertions that are true for the trivial reason that during execution, the point in the program text marked by the context hole is never reached; and a principle (whose converse is false) concerning the quantifier. Finally a lemma demonstrating that contextual assertions interact nicely with evaluation. Proofs of the principles in this section can be found in [10]. T h e o r e m (ca):

(i) (ii) (iii) (iiii) (iv) (v) (vii) (viii) (villi)

~ RM 4~ implies

uie0 u ell ~

~ U[~

g[e0] u V[ell y fresh

U[Vxq51 ::~ VxU[qS~

wherex not free in U

L e m m a (eval): F0; Uo[ao] ~ F1; UI~trl~ implies

(F0 ~ U0~4~[c~0] iff F1 ~ Ul[~][cq])

A simple use of (ca) is the following principle: L e m m a (cut):

~ : . v~r

and

~ r ~

U'W~

implies

~ ~ =~ (U[U'I)W~

235

P r o o f (cut):

Assume ~ ~' ~

U[~' =~ U'~"]]

U~#'~ ~ U[[U'[[#"]] s =~ (U[U'])[#"]

3.4

U'[[g"']. Thus

by (ca.ii). by (ca.viii). by (ca.iiii) and classical logic.

Memory Operation Principles

This logic extends and improves the complete first order system presented in [16, 19]. There certain reasoning principles were established as basic, and from these all others, suitably restricted, could be derived using simple equational reasoning. The system presented there had several defects. In particular the rules concerning the effects of mk and s e t had complicated side-conditions. Using contextual assertions we can express them simply and elegantly. Their justification is also unproblematic. The contextual assertions and laws involving ink, s e t and get are given below. The assertion, (ink.i), describes the allocation effect of a call to ink. While (mk.ii) expresses what is unaffected by a call to ink. The assertion, (mk.iii), expresses the totality of ink. The mk delay law, (ink.iv), asserts that the time of allocation has no discernable effect on the resulting cell. In a world with control effects evaluation of e0 must be free of them for this principle to be valid [6]. The first three contextual assertions regarding s e t are analogous to those of ink. They describe what is returned and what is altered, what is not altered as well as when the operation is defined. The remaining three principles involve the commuting, cancellation, absorption of calls to s e t . For example the s e t absorption principle, (set.vi), expresses that under certain simple conditions allocation followed by assignment may be replaced by a suitably altered allocation. The contextual assertions regarding g e t follow the above pattern. They describe what is altered and returned, what is not altered as well as when the operation is defined. L e m m a ( M e m o r y O p e r a t i o n Laws): (ink.i)

l e t { x := mk(v)}[~(x --~ y) A c e l l ? ( x ) ~ T A get(x) ~ vl x fresh

(mk.ii)

y ~ get(z) => l e t { x := mk(v)}[y ~ get(z)~

(mk.iii)

~mk(z)

(ink.iv)

l e t { y := e0}let{x := mk(v)}el ~ l e t { x := mk(v)}let{y := e0}el x • FV(e0), y r FV(v)

(set.i)

c e l l ? ( z ) =~ l e t { x := s e t ( z , y ) } [ g e t ( z ) ~ y A x----- Nile)

(set.ii)

(y ~ get(z) A ~(W -- z)) =~ l e t { x := set(w, v)}Ey ~ get(z)~

(set.iii)

c e l i ? ( z ) =V ~ set(z, x)

236 (set.iv)

-,(xo ~ x2) seq(set(xo, Xl) , set(x2, x3)) ~ seq(set(x2, x3), set(xo, Xl ))

(set.v)

s e q ( s e t ( x , Yo), set(x, Yl)) -- set(x~ Yl)

(set.vi)

l e t { z :-- mk(x)}seq(set(z, w), e) ~- l e t { z :----mk(w)}e z not free in w

(get.i)

l e t { x := get(y))~x ~ get(y)]

(get.ii)

y ~ get(z) ~ l e t { x :----get(w)}[y ~ get(z)]

(get.iii)

cell?(x) if(e, ~new(x)], [new(x)[)

(v)

new(z) A

A

x

w

~9r {ink,set}

let{y := e} new(x)l

wEFV(e)

Note that in (new.iii) the variables x and y could name the same cell. An important principle concerning newness is reuse:

Theorem (new reuse): l e t { x :=

mk(v)}seq(eo,~new(x)[)

=::>

( l e t { x :----mk(v)}seq(e0, el )

s e q ( l e t { x :----mk(v)}e0, l e t { x := mk(get(x))}el))

4

Tools for Transformations

We now develop some tools for reasoning about recursively defined programs. These tools fall into three general classes: principles for proving input-output assertions, principles for proving program equivalence, and principles for manipulating memory. Contextual assertions play an important role here, especially in the formulation of rules for propagation of invariants. We begin with some notation. In the following we let x, xi, y b e sequences of distinct variables, and let v be a sequence of value expressions. We let f be a sequence of function symbols and let fi denote the i-th symbol of f. We work in the context of an arbitrary but fixed system of definitions A. If the symbols of f are among those defined in A, we write Af C_ A for the subsystem [fi(xl) +-- F~ I i < n[ where n + 1 is the length of f, and f~(xi) +-- F~ is the definition of fi in A for i _< n. We write e { f := Ax.e ~} for the replacement of the function symbol f by the explicitly defined function Ax.e ~ in e. This is obtained by replacing each occurrence f ( e ] , . . . , ek) in e by let{x~ :-- ei I 1 < i < k}e'. Similarly, e{fi := )~xi.e~} denotes the simultaneous replacement of function symbols fi by %xi.e~ in e. We will use analogous conventions for sequences, g of function symbols.

239

4.1

Invariants

The central idea in this subsection is to formalize the notion of propagating an assertion to all important points in an expression, which in this case consists in all occurrences of recursive function calls. This is accomplished by defining the notion of a system of invariants, generalizing Floyd-style inductive assertions. Definition (System of invariants): A system of invariants for f is a sequence of pairs of formulas (r ~p~) for i _< n = I f I. We let I range over systems of invariants. The r are to be thought of as preconditions for fi, while the r are post-conditions. We adopt the convention that the variable z will serve as the value of the output, and that x~ will serve as input variables for r Thus occurrences of these variables in the invariants will be used to name parameters in calls to the defined functions, These invariants are used to propagate assertions across any calls to these functions. To make this precise we make the following definition. D e f i n i t i o n (I, f - p r o p a g a t i o n ) : Let I be a system of invariants for f, and let 0, 0 ~ be any invariants. We say that 0 (I, f)-propagates across l e t { z := e}. to 0' and denote this relation by

i,f 0

let{

.=

just if one of the following holds: (i)

No element of f occurs in e and 0 ~ l e t { z := e}[[O']].

(ii)

e=fi(v),0

(iii)

~

(r

and(~i) ~ ~ O',wherea={x::=v};

e = l e t { z o := eo}el and there is some 0o such that ~ I , f 0 ~ l e t { z := eo}10~~ ~ z , f 0o ~ l e t { z := el}~0'~

(iv)

e = if(eo, el, e2) and there is some 01,02 such that 0 ~

if(eo, [01~, [02~)

~ I , f 01 =~ l e t { z := el}lOt] ~ I , f 02 ~

l e t { z := e2}[0' 1

The key computational property of invariant propagation is expressed by the following lemma. Lemma (I-prop): Let 1 be a system of invariants for f, and let 0,0' be invariants such that ~ I , f 0 ~ l e t { z := e}[0'l. If F ~ 0[o-], and F;e ~" ~2~ F';v then (a)

F;e ~, ~2~ F';v without using A f and F' ~ O'[~r{z := v}]; or

(b)

F; e ~ ~ 1"'; R[fi(v)] (without using Af) and

240

(b.1)

r'

(5.2)

:= v}];

r,f

:= v}

zet{z := a[z]}I0']

Definition (I-inductive): Let I be a system of invariants for f. We say that Af is /-inductive if ~ z , f r ~ l e t { z :-- F~}~b~ for i l e t { x := eq?(n, 0)}[-~(x ~- Nil) =:> 01 A x ~ Nil ~ 02]

(1)

~I,sum! O1 =~ l e t { z :-----c}[#;0]

(2)

~I,Sum! 02 ~ l e t { z := s e q ( s e t ( c , n + get(c)), s u m ! ( n - 1, c))}~[r

241

for some 01,02. We take 81 = O0 A eq?(n, 0) ~ T and 02 = 80 A eq?(n, 0) ~ Nil. Then (0) follows by clause (i), (new.i), (ca), and simple let laws. (1) follows by clause (i), (new.i), and simple let laws. For (2) we use clause (iii). Thus we must show

(3)

1,s m, r

(4)

let{z' :=

hi,sum, 00 ~ l e t { z :=

et(c, sum!(n

--

+get(c))H00] 1,C))}[~b0]

for some 00. Take 00 = r then (3) follows by clause (i), some simple properties of numbers and addition (c notin n + get(c)) and (new.iii), and (4) follows by clause (ii). [] 4.2

G e n e r a l P r i n c i p l e s for E s t a b l i s h i n g E q u i v a l e n c e

The recursion induction principle is based on the least-fixed-point semantics of recursive definition systems. Two systems can be shown to define equivalent programs by showing that each satisfies the others defining equations. Theorem

(Recursion Induction):

To prove

u for i _~ n, it suffices to find a system I of invariants for f (and g), such that for

i~n (i)

0~ ~ r

(ii)

Af and Ag are/-inductive;

(iii)

r

~ g~(xi) ~ F~{fj := Axj.gj(xj) [j l e t { b := assoc(t2, s)} if(b, i f ( term-eq( t l , snd(b)), cons(T, s), cons(Nil,

Nil)),

cons(T, acons(t2, tl, s)))],

cons(Nil,Nil)], ?(t rm-op( ),term-op( )) > match-a gs(t m-args(t ),t m-a gs(t ),s)], [T > cons(Nil,Nil)])

[atom?(tl) >

match-args(al , a2, s) *-- i f ( a n d ( n u l l ? ( a l ) , null?(a2)), cons(T, s),

if (or(null?(al),null?(a2)), cons(Nil, Nil), l e t { w := match(car(ai), car(a2), s)} if(car(w),

match-a gs(car(al), calf(a2), cons(Nil, Nil)))) Transforming match We observe that the result produced by match is a new cell and in recursive calls the cell returned by subcomputations is discarded. We will transform the definition of match to a version match! that takes a new cell initialized so that the cdr is the input substitution. This cell is reused and eventually returned as the result (with contents suitably updated). Thus conses constructing the result are replaced by s e t p a i r ! s on the reusable cell, and third argument to the call to match! from match-args! is now 'by reference'. The resulting definition of match! is the following. D e f i n i t i o n (match!): match!(tl, t2, c) ~-

248

cond([atom?(t2) > let{b := assoc(t2, cdr(c))} if(b, • term-eq(tl, snd(b)), setcar](c, T), setpair!(c, Nil, Nil)), setpair!(c, T, acons(t2, tl, cdr(c))))], [atom?(tl) > setpair!(c, Nil, Nil)l,

[eq?( term-op( tl ), term-op( t2 ) ) > match-args/(term-args(tl), term-args(t2), c)], [T > setpair!(c, Nil, Nil)I) match-args/(al, a2, c) ~ i f (and(null?(al), null.7(a2)), setcar!(c, T), i f (or (nu11?(al), nu11?(a2)), setpair!(c, Nil, Nil),

seq(match/(car(al), car(a2), c), if(car(c),

match-args!(cdr(al), cdr(a~), c), setpair!(c, Nil, Nil))))) Although the intended domain of match constrains the first two arguments to be terms and the third argument to be a substitution, the transformation preserves equivalence under more general conditions. T h e o r e m (match):

match(t1, t2, s) ~- l e t { c := cons(x, s)}match/(tl, t2, c) P r o o f (match): The proof of (match) uses (m-reuse). In order to use this principle as stated, we need to modify match, match-args to take a pair as their third argument, and ignore the first component. We show the modified form is equivalent to the original. We then establish the key invariants for match/, match-args]. Finally we use (m-reuse) to establish the equivalence of the modified matcher to the fully transformed matcher. Thus (match) follows directly from (modified match) and (match') below. [::]match We will use the following notation. M, Ma are the bodies of the defining equations for match, and match-args respectively. M!, Ma! are the bodies of the defining equations for match/, and match-argsl respectively. Definition (match', match-args'): Let match', match-args' be the modified matcher with defining equations

match'(t1, t2, y) ~ iV[ match-args' (al, a2, y) *-- Ma'

249

where M~ is obtained from M by replacing: match-args by match-argJ; the first three occurrences of s by sad(y); and the final occurrence (in the call to match-argJ) by y. Ma' is obtained from Ma by replacing: match by matcff; match-args by match-args'; the first occurrence of s by sad(y); and the second occurrence (in the call to matcff) by y; and the occurrence of cdr(w) (in the call to match-args') by p r ( f s t ( y ) , cdr(w)). L e m m a (modified m a t c h ) : p r ? ( y ) -~ T A s a d ( y ) U ~

match(t1, t2, s) -~ match'(tl, t~, y) A match-args(al , a2, s) -~ match-args' (al , a2, y) Proof :

This is proved by (elaborated) recurs!on induction, taking

ematc h = match(t1, t~, sad(y)) ematch_arg s = match-args(al, a2, sad(y)) ematc h, = match'(t1, t2, pr(fst(y), s)) !

e match_arg s, = match-args (al, a2, pr(fst(y), s)) [] The key invariants for match! and match-args, t are preservation of newness of the third argument, and the return of that argument. This is expressed in the following lemma. L e m m a (match-new): r A z ~ c , then

Let r = new(c) A pr?(get(c)) ~ T, and let ~ =

new(c) ~ seq(matcht(ta, t2, c), lnew(c)]) new(c) ~ seq(match-arg.s.t(al, a2, c), [neu(c)l) r ~ l e t { z := match!(tl,t2, c)}Ir r ~ l e t { z := match-args!(ax,a2, c)}~] P r o o f : By (subgoal induction) using an argument similar to that found in the proof of (sum!) in the previous section. [] L e m m a (match'):

match'(t1, t2, y) -~ L~ [match!(tl, t2, c)] match-args' ( al , a~, y) ~- L~ [match-args!(al , a2, c)] P r o o f : By (m-reuse). To see this, define H, Ha as follows: His M~; and Ha is Ma' with the subexpression l e t { w :---- match(car(a1), car(a2), s ) } i f ( c a r ( w ) , . . . , . . . )

250 replaced by l e t { w := match(car(a1), car(a2), s)}let{p := g e t ( w ) } •

.).

Let Z be the function substitution list

match ~ := At1, t2, y.Lymatch/(& , t2, c), match-args' := )~al , a2, y.L ~ match-args/( al , a2, c ). Then, by (match-new), the main work that remains is to show (a)

L~[M.~ c< H{E}, and L~[Ma.~ oc Ha{Z}

(b)

L~[match/(tl, &, c)] ~ M~{Z}, and L~[match-args!(al, a2, c)] = Ma'{Z}

(c)

matcht(&,t2,y) ~- H, and match-args'(al,a2,y) ~- Ha

(b) follows from (a) and (m-prop), (c) can easily be established using the Peephole rule. To establish (a) we use the definition of c 0, v > 0 such that u _~ ri < 1 - v for all i, then CT(2) with the modified length IwilR is true. T h e o r e m 1 ( C s i s z a r &: K S r n e r ([2])). / f there exist constants u > O, v > 0 such that u ~ ri ~_ 1 - v for all i, then for any sequence of probabilities D = ( P l , . - . , P m ) there is a code C = ( w l , . . . , W m ) for D such that

SpilwilR < go + (--logmin{u,v}).

In the present paper, we show that if limi__,~ r i / 2 - i --- 0 then CT(2) with the modified length IwilR does not hold true. A comment on Theorem 1 is in order. Sciszar & KSrner ([2]) obtained Theorem 1 from a more practical motivation than ours. They considered the situation where the cost c(a) to send a symbol a depends on the symbol a to be sent, and the total cost c(w) to send a binary word w = a l a 2 . . , a~ is the sum c(al) + ... + c(an). They showed that CT is still true if we replace the length Iwil with the cost c(wi) and replace the value HD with HD/aO, where (~ = (~0 is the root of the equation 2 -~c(~ + 2 -~c(1) = 1. Restricting to the case where the unit of cost is normalized so that 2 -c(~ + 2 -c(1) = 1 and hence c~0 = 1, the part CT(2) of their result corresponds to the

257

s t a t e m e n t of T h e o r e m 1 for the special case R = (r, r , . . . ) , r = 2 -~(~ However, their proof essentially proves the s t a t e m e n t of T h e o r e m 1. T h e problem considered in the present paper is closely related to the problem of c o n s t r u c t i n g K o l m o g o r o v complexity and a priori (universal) distributions ([1],

[3]). 2

The

Main

Result

O u r main result says that, if limi_+~ r i / 2 - i = 0, then CT(2) with the modified length Iwiln does not hold true. Theorem

2. I f limi~oo r i / 2 - i = 0 then f o r any c there is a sequence o f probabilities D = (pl , . . . ,p,~) such that ~pilwilR -

f o r a n y code C = ( w l , .

HD

>_ c

., w,n) f o r D .

P r o @ Let A be an a r b i t r a r y positive integer. Let I ~ be an integer such t h a t r i / 2 - i _< 1 / A for any i > I ~ .

Let r} be defined by ,

~1

ifl

r~ = ~ 2 - ~ / A

< i < I a - 1 ,

if Iz~ _< i.

T h e n we have r~' > _ ri for each i and r~t _> r~ _> . . . . a l . . . an, let Iwl' be defined by iw l,

{ 0 -logr'i

=

For a binary word w =

if all of a l , . . . , an are 1, ifai=0andai+l .....

T h e n we have ]w['

I~IR

>

-

l o g r 'i ~

-

logri

-

log ri.

-

-

log ri,

log(1

-

r~+l)

-

...

-

log(1

-

rn)

For each t _ 1, let D t be the sequence of probabilities (1/2 t . . . . , 1 / 2 t ) , and let C = (Wl,.. 9 w2~ ) be an a r b i t r a r y code for Dr. We prove t h a t for all sufficiently large t, Z ( 1 / 2 t ) [ w i l n - HD, > log A --2. Since ,5 m a y be arbitrarily large, this proves the theorem.

258

Let X0 be the set of binary words Xo = { l i l i k 0},

and for j > 1 let Xj be the set of binary words X j ~. {a 1 . . . a j _ l O l i ] a l , . . .

, a j _ 1 E {0, 1},i > 0}

(li denotes the binary word consisting of i l's). Then X0, X1, X 2 , . . . is a partition of the set of all binary words. The following two properties are easy to see. (1) The set X0 contains at most one of w l , . . . , w2,, and, for j > 1, X j contains at most 2 j-1 of Wl . . . . ,w2t. The sum of these upper bounds for X o , . . . , X t is 1 + 1 + 2 + 2 2 + ... + 2 t-1 = 2 t, i.e., the number of symbols to be encoded. (2) [w[' = 0 for any w E X0 and, for j > 1, Iwl' = - l o g r ~ for any w E x j . Hence, if j < k then lul' _ (1/2t)(--CA + Z?~=l( j + 1ogA)2 j - l )

-- t

(c~ is a constant that depends only on A) = (1/2t)(--CA + (logA)(2 t - 1) + t2 t - 2 t + 1) -- t

= log A -- 1 + (--CA -- log A + 1)/2 t _> log A - 2. []

The roles of two symbols 0, 1 are symmetrical. Hence, in T h e o r e m 2 we can replace the assumption l i m i _ ~ r i / 2 -~ = 0 with lim~-.~r ( 1 - r i ) / 2 - i = 0. Although it is tempting to conjecture that the assumption liminf~_.~ r~ -- 0 is sufficient, at present it is unknown even whether the assumption lim~_~ r i / 2 -~ = 0 can be replaced with a weaker one, for example, limi_.~ r i / 2 -i/2 = O. Acknowledgments

The author thanks Dr. Tsutomu Kawabata who gave the author necessary technical information on coding theorems. The technical discussions with him were also quite helpful. The author also thanks Prof. Etsuya Tomita for much help concerning the present work.

259

References 1. Chuitin, G.: A theory of program size formally identicM to information theory, JACM 22 (1975) 3 2 9 - 340 2. Csiszar, I., KSrner, J.: Information Theory: Coding Theorems for Discrete Memoryless Systems, Academic Press (1981) 3. Kobayashi, K.: On malign input distributions for algorithms, IEICE Trans. on Information and Systems E 7 6 - D (June 1993) 634 - 640. (An extended abstract of this paper can be found in "Algorithms and Computation, Proc. of 3rd Int. Symp., ISAAC '92" (Ed. by T. Ibaraki et al.), Lecture Notes in Computer Science 650 (1992), 239 - 248.) 4. Shannon, C. E.: A mathematical theory of communication, Bell System Tech. J. 27 (1948) 379 - 423, 623 - 656

T h i r t y four C o m p a r i s o n s are R e q u i r e d to Sort 13 I t e m s Takumi Kasai, Shusaku Sawato, and Shigeki Iwata Department of Computer Science, The University of Electro-Communications 1-5-1 Chofugaoka, Chofu-shi, Tokyo, 182 JAPAN A b s t r a c t . The number of comparisons made in merge insertion sort [2] is known to be minimum to sort n items, n _~ 12, n = 20, 21. An exhaustive computation was carried out within 10 days by a workstation to show that the number is also minimum for n = 13. The problem has been open for nearly three decades since Mark Wells discovered the optimMity of the sorting procedure for n = 12 in 1965.

1

Introduction

Merge insertion [2] is a sorting procedure using small number of comparisons. Manacher [4] has shown that the sorting procedure is not optimal. He gave a sorting algorithm using less comparisons than merge insertion for n items, n > 189. For n < 189 items, however, merge insertion uses the least comparisons ever known. The number of comparisons made in the merge insertion sort is

F(n) = ~ [log2(3k)], where the best lower bound of the number of comparisons k--1 to sort n items known to date is L(n) = [log 2 n!] (see [3, p.187].) The minimum number of comparisons S(n) to sort n items satisfies in general

L(n) < S(n) < F(n), and for n < l l , n = 20,21, we obtain L(n) = S(n) = F(n). Thus the number of comparisons of the sorting procedure is optimal for these n. By simple calculations, we obtain that L(12) = 29, F(12) = 30, L(13) = 33, and F(13) = 34. I n 1965 Mark Wells found that S(12) = 30 by an exhaustive search about 60 hours on a computer [1,3,5,6]. This implies that the merge insertion sort is optimal for n = 12 as far as the number of comparisons is considered. We have made an exhaustive computation for n = 13 and discovered that S(13) = 34. The computer we used is NEC EWS4800/380 (98 mips) and the computation has taken about 230 hours. The amount of the main memory which we used during the computation was 100 mega bytes. The program is written in C language and consists of 8,800 lines. Compared with Mark Wells' computation, our program took 7 minutes to show that S(12) = 30.

2

The Exhaustive

Computation

The purpose of our computation is to show the following:

261

T h e o r e m 1. There does not exist any sorting process with at most L(13) = 33

comparisons to sort 13 items. Assume that G be a directed acyclic graph (dag) with n nodes. If there is a p a t h of length > 0 in G from node u to node v, then we write u -~ v, and if there is not any path then we write u 74 v. If u -~ v and v -~ w, and if G contains the edge (u, w), then the edge is always eliminated from G, since we are concerned only with existence of a path among nodes in G. We call two dags G1 = (1/'1, E l ) and G2 = (V2,E2) isomorphic if there exists a bijection f : V1 ~ V2 such that E2 = { ( f ( u ) , f ( v ) ) I (u,v) E El}. We call two dags G1 = (V1,E1) and G2 = (V2, E2) quasi-isomorphic either if they are isomorphic or if there exists a bijection f : V1 --* V2 such that E2 = { ( f ( u ) , f ( v ) ) ] (v,u) 6 El}. For a dag G, let T(G) denote the number of possible permutations which assign integers {1, 2, . . . , n} to the nodes of G so that the number associated with u is less than the number associated with v whenever (u, v) is in G. If a graph G contains a cycle, then T ( G ) = 0. For two disjoint dags G1 = (V1,E1) and G2 = (V2,E2), let a l UG2 denote the dag (V1 U V.2,E1 UE2). For a graph G and its node v, let G - {v} denote the graph G after the deletion of both v and the edges adjacent to v. For a graph G = (V, E) and a set of edges E' among nodes of V, let G + E ' denote the graph (V, E U E'). Let us define the and-or labeled tree S~. A label of each or-node of S~ is a dag with n nodes. A label of each and-node is the form (G, (u, v)) where G is a dag and u, v are nodes of G. We sometimes confuse a node of Sn with its label. The root of S~ is an or-node and is labeled with a graph of n isolated nodes. We say that an or-node of S,~ is of level k if the length of the path from the root to the or-node is 2k (k > 0). An or-node of level k is a dag G with n nodes such that n! n! E(G)- 2kT(G) > 2L(~), (2.1) where E(G) is the efficiencyof G. (See [3, p.189].) A dag G is said to be sorted if for every pair u,v of nodes of G, either u -4 v or v -< u. Every son in Sn of an or-node G is an and-node, and is labeled with (G, (u, v)) for nodes u, v, such that u ~ v and v s u in G. The and-node (G, (u,v)) has exactly two sons G1 and G2 of or-nodes, Gx = G + {(u,v)}, G2 = G + {(v,u)}. If at least one of G1 or G2 does not satisfy equation (2.1), then {G, (u, v)) is eliminated from S,~. Thus an or-node of level k has an even number (possibly zero) of or-nodes of level k + 1 as its grandsons. The length of the path from the root to any node in Sn is restricted to at most 2L(n). Thus the level of each or-node in S~ is at most L(n). A leaf of S,~ labeled with the sorted dag has the value success. The value of an and-node (or-node) is success if both values of its sons are (one of its sons is, respectively) success. The value of the node of S~ is failure if the value is not success. We note that if two dags labeled with or-nodes in S~ are quasiisomorphic then they have the same values. The proof of the theorem is to show that the value of the root of S~ is failure, if n = 13. Our objective is to make an exhaustive search on the and-or labeled

262

tree $13. In what follows, we focus our attention on the case n = 13. The basic technique to cope with an exhaustive tree search is backtracking. Since the tree is huge, we need some unusual considerations.

To find or-nodes of $13 of t h e n e x t level For a matrix M, let [M]i j denote the i j - t h element of M, and let M T denote the transpose matrix of M. For a dag G consisting of nodes Xl, x2,. 9 xn, let C ( G ) be the n • n matrix, where

[c(a)],j = T(G + (See [3, p.190].) If G is the label of an or-node in $13 of the level k (0 _< k < L(13)), and if 1 _< [C(G)]ij, [C(G)]ji ~_ 2 n ( 1 3 ) - ( k + l ) , then both dags G + { ( x i , x j ) } and G + { ( x j , x i ) } satisfy equation (2.1); thus G has a son (andnode) (G, (xi, x j ) ) , and (G, (xi, xj)> has two sons (or-nodes) G + {(xi, x j ) } and G ...[-{(xj, x i ) } o f level k + 1 in $13. P r o p o s i t i o n 2. Let G be a dag with nodes Xl, x2, . . . , Xn, and let { x l , x2, " . . , xk } be the set of all nodes such that indeg(xi) = O. For each ~ (1 < ~ L(12) is proved" end;

Figure 3

Wells' Mgorithm.

Lecture Notes in Computer Science For information about Vols. 1-714 please contact your bookseller or Springer-Verlag

Vol. 715: E. Best (Ed.), CONCUR'93. Proceedings, 1993. IX, 541 pages. 1993.

Vol. 732: A. Bode, M. Dal Cin (Eds.), Parallel Computer Architectures. IX, 311 pages. 1993.

Vol. 716: A. U. Frank, I. Campari (Eds.), Spatial Information Theory. Proceedings, 1993. XI, 478 pages. 1993.

Vol. 733: Th. Grechenig, M. Tscheligi (Eds.), Human Computer Interaction. Proceedings, 1993. XIV, 450 pages. 1993.

Vol. 717: L Sommerville, M. Paul (Eds.), Software Engineering - ESEC '93. Proceedings, 1993. XII, 516 pages. 1993.

Vol. 734: J. Volkert (Ed.), Parallel Computation. Proceedings, 1993. VIII, 248 pages. 1993.

Vol. 718: J. Seberry, Y. Zheng (Eds.), Advances in Cryptology - AUSCRYPT '92. Proceedings, 1992. XIII, 543 pages. 1993. Vol. 719: D. Chetverikov, W.G. Kropatsch (Eds.), Computer Analysis of Images and Patterns. Proceedings, 1993. XVI, 857 pages. 1993. Vol. 720: V.Ma~ik, J. La'Yansk)~,R.R. Wagner (Eds.), Database and Expert Systems Applications. Proceedings, 1993. XV, 768 pages. 1993. VoL 721: J. Fitch (Ed.), Design and Implementation of Symbolic Computation Systems. Proceedings, 1992. VIII, 215 pages. 1993. Vol. 722: A. Miola (Ed.), Design and Implementation of Symbolic Computation Systems. Proceedings, 1993. XII, 384 pages. 1993. Vol. 723: N. Aussenac, G. Boy, B. Gaines, M. Linster, J.G. Ganascia, Y. Kodratoff (Eds.), Knowledge Acquisition for Knowledge-Based Systems. Proceedings, 1993. XIII, 446 pages. 1993. (Subseries LNAI). Vol. 724: P. Cousot, M. Falaschi, G. Fil~, A. Ranzy (Eds.), Static Analysis. Proceedings, 1993. IX, 283 pages. 1993. Vol. 725: A. Schiper (Ed.), Distributed Algorithms. Proceedings, 1993. VIII, 325 pages. 1993. Vol. 726: T. Lengauer (Ed.), Algorithms - ESA '93. Proceedings, 1993. IX, 419 pages. 1993 Vol. 727: M. Filgueiras, L. Damas (Eds.), Progress in Artificial Intelligence. Proceedings, 1993. X, 362 pages. 1993. (Subseries LNAI). Vol. 728: P. Torasso (Ed.), Advances in Artificial Intelligence. Proceedings, 1993. XI, 336 pages. 1993. (Subseries LNAI). Vol. 729: L. Donatiello, R. Nelson (Eds.), Performance Evaluation of Computer and Communication Systems. Proceedings, 1993. VIII, 675 pages. 1993. Vol. 730: D. B. Lomet (Ed.), Foundations of Data Organization and Algorithms. Proceedings, 1993. XIt, 412 pages. 1993. Vol. 731: A. Schill (Ed.), DCE - The OSF Distributed Computing Environment. Proceedings, 1993. VIII, 285 pages. 1993.

Vol. 735: D. Bjcrner, M. Broy, I. V. Pottosin (Eds.), Formal Methods in Programming and Their Applications. Proceedings, 1993. IX, 434 pages. 1993. VoL 736: R. L. Grossman, A. Nerode, A. P. Ravn, H. Rischel (Eds.), Hybrid Systems. VIII, 474 pages. 1993. Vol. 737: J. Calmet, J. A. Campbell (Eds.), Artificial Intelligence and Symbolic Mathematical Computing. Proceedings, 1992. VIII, 305 pages. 1993. Vol. 738: M. Weber, M. Simons, Ch. Lafontaine, The Generic Development Language Deva. XI, 246 pages. 1993. Vol. 739: H. Imai, R. L. Rivest, T. Matsumoto (Eds.), Advances in Cryptology - ASIACRYPT '91. X, 499 pages. 1993. Vol. 740: E. F. Brickell (Ed.), Advances in Cryptology CRYPTO '92. Proceedings, 1992. X, 593 pages. 1993. Vol. 741: B. Preneel, R. Govaerts, J. Vandewalle (Eds.), Computer Security and Industrial Cryptography. Proceedings, 1991. VIII, 275 pages. 1993. Vol. 742: S. Nishio, A. Yonezawa (Eds.), Object Technologies for Advanced Software. Proceedings, 1993. X, 543 pages. 1993. Vol. 743: S. Doshita, K. Furukawa, K. P. Jantke, T. Nishida (Eds.), Algorithmic Learning Theory. Proceedings, 1992. X, 260 pages. 1993. (Subseries LNAI) Vol. 744: K. P. Jantke, T. Yokomori, S. Kobayashi, E. Tomita (Eds.), Algorithmic Learning Theory. Proceedings, 1993. XI, 423 pages. 1993. (Subseries LNAI) Vol. 745: V. Roberto (Ed.), Intelligent Perceptual Systems. VIII, 378 pages. 1993. (Subseries LNAI) Vol. 746: A. S. Tanguiane, Artificial Perception and Music Recognition. XV, 210 pages. 1993. (Subseries LNAI). Vol. 747: M. Clarke, R. Kruse, S. Moral (Eds.), Symbolic and Quantitative Approaches to Reasoning and Uncertainty. Proceedings, 1993. X, 390 pages. 1993. Vol. 748: R. H. Halstead Jr., T. Ito (Eds.), Parallel Symbolic Computing: Languages, Systems, and Applications. Proceedings, 1992. X, 419 pages. 1993. Vol. 749: P. A. Fritzson (Ed.), Automated and Algorithmic Debugging. Proceedings, 1993. VIII, 369 pages. 1993. Vol. 750: J. L. Dlaz-Herrera (Ed.), Software Engineering Education. Proceedings, 1994. XII, 601 pages. 1994.

Vol. 751: B. J/ihne, Spatio-Temporal Image Processing. XII, 208 pages. 1993. Vol. 752: T. W. Finin, C. K. Nicholas, Y. Yesha (Eds.), Information and Knowledge Management. Proceedings, 1992. VII, 142 pages. 1993.

Vol. 774: M. Ban~tre, P. A. Lee (Eds.), Hardware and Software Architectures for Fault Tolerance. XIII, 311 pages. 1994. Vol. 775: P. Enjalbert, E. W. Mayr, K. W. Wagner (Eds.), STACS 94. Proceedings, 1994. XIV, 782 pages. 1994.

Vol. 753: L. J. Bass, J. Gornostaev, C. Unger (Eds.), Human-Computer Interaction. Proceedings, 1993. X, 388 pages. 1993.

Vol. 776: H. J. Schneider, H. Ehrig (Eds.), Graph Transformations in Computer Science. Proceedings, 1993. VIII, 395 pages. 1994.

Vol. 754: H. D. Pfeiffer, T. E. Nagle (Eds.), Conceptual Structures: Theory and Implementation. Proceedings, 1992. IX, 327 pages. 1993. (Subseries LNAI).

Vol. 777: K. yon Luck, H. Marburger (Eds.), Management and Processing of Complex Data Structures. Proceedings, 1994. VII, 220 pages. 1994.

Vol. 755: B. Miller, H. Partsch, S. Schuman (Eds.), Formal Program Development. Proceedings. VII, 371 pages. 1993.

Vol. 778: M. Bonuccelli, P. Crescenzi, R. Petreschi (Eds.), Algorithms and Complexity. Proceedings, 1994. VIII, 222 pages. 1994.

Vol. 756: J. Pieprzyk, B. Sadeghiyan, Design of Hashing Algorithms. XV, 194 pages. 1993.

Vol. 779: M. Jarke, J. Bubenko, K. Jeffery (Eds.), Advances in Database Technology - - EDBT '94. Proceedings, 1994. XII, 406 pages. 1994.

Vol. 757: U. Banerjee, D. Gelernter, A. Nicolau, D. Padua (Eds.), Languages and Compilers for Parallel Computing. Proceedings, 1992. X, 576 pages. 1993. Vol. 758: M. Teillaud, Towards Dynamic Randomized Algorithms in Computational Geometry. IX, 157 pages. 1993. Vol. 759: N. R. Adam, B. K. Bhargava (Eds.), Advanced Database Systems. XV, 451 pages. 1993. Vol. 760: S. Ceri, K. Tanaka, S. Tsur (Eds.), Deductive and Object-Oriented Databases. Proceedings, 1993. XII, 488 pages. 1993. Vol. 761: R. K. Shyamasundar (Ed.), Foundations of Software Technology and Theoretical Computer Science. Proceedings, 1993. XIV, 456 pages. 1993. Vol. 762: K. W. Ng, P. Raghavan, N. V. Balasubramanian, F. Y. L. Chin (Eds.), Algorithms and Computation. Proceedings, 1993. XIII, 542 pages. 1993. Vol. 763: F. Pichler, R. Moreno Dfaz (Eds.), Computer Aided Systems Theory - EUROCAST '93. Proceedings, 1993. IX, 451 pages. 1994.

Vol. 780: J. J. Joyce, C.-J. H. Seger (Eds.), Higher Order Logic Theorem Proving and Its Applications. Proceedings, 1993. X, 518 pages. 1994. Vol. 781: G. Cohen, S. Litsyn, A. Lobstein, G. Z6mor (Eds.), Algebraic Coding. Proceedings, 1993. XII, 326 pages. 1994. Vol. 782: J. Gutknecht (Ed.), Programming Languages and System Architectures. Proceedings, 1994. X, 344 pages. 1994. Vol. 783: C. G. GUnther (Ed.), Mobile Communications. Proceedings, 1994. XVI, 564 pages. 1994. Vol. 784: F. Bergadano, L. De Raedt (Eds.), Machine Learning: ECML-94. Proceedings, 1994. XI, 439 pages. 1994. (Subseries LNAI). Vol. 785: H. Ehrig, F. Orejas (Eds.), Recent Trends in Data Type Specification. Proceedings, 1992. VIII, 350 pages. 1994. Vol. 786: P. A. Fritzson (Ed.), Compiler Construction. Proceedings, 1994. XI, 451 pages. 1994.

Vol. 764: G. Wagner, Vivid Logic. XII, 148 pages. 1994. (Subseries LNAI).

Vol. 787: S. Tison (Ed.), Trees in Algebra and Programming - CAAP '94. Proceedings, 1994. X, 351 pages. 1994.

Vol. 765: T. Helleseth (Ed.), Advances in Cryptology EUROCRYPT '93. Proceedings, 1993. X, 467 pages. 1994.

Vol. 788: D. Sannella (Ed.), Programming Languages and Systems - ESOP '94. Proceedings, 1994. VIII, 516 pages. 1994.

Vol. 766: P. R. Van Loocke, The Dynamics of Concepts. XI, 340 pages. 1994. (Subseries LNAI). Vol. 767: M. Gogolla, An Extended Entity-Relationship Model. X, 136 pages. 1994.

Vol. 789: M. Hagiya, J. C. Mitchell (Eds.), Theoretical Aspects of Computer Software. Proceedings, 1994. XI, 887 pages. 1994.

Vol. 768: U. Banerjee, D. Gelernter, A. Nicolau, D. Padua (Eds.), Languages and Compilers for Parallel Computing. Proceedings, 1993. XI, 655 pages. 1994.

Vol. 790: J. van Leeuwen (Ed.), Graph-Theoretic Concepts in Computer Science. Proceedings, 1993. IX, 431 pages. 1994.

Vol. 769: J. L. Nazareth, The Newton-Cauchy Framework. XII, 101 pages. 1994.

Vol. 791: R. Guerraoui, O. Nierstrasz, M. Riveill (Eds.), Object-Based Distributed Programming. Proceedings, 1993. VII, 262 pages. 1994.

Vol. 770: P. Haddawy (Representing Plans Under Uncertainty. X, 129 pages. 1994. (Subseries LNAI). Vol. 771: G. Tomas, C. W. Ueberhuber, Visualization of Scientific Parallel Programs. XI, 310 pages. 1994. Vol. 772: B. C. Warboys (Ed.),Software Process Technology. Proceedings, 1994. IX, 275 pages. 1994. Vol. 773: D. R. Stinson (Ed.), Advances in Cryptology CRYPTO '93. Proceedings, 1993. X, 492 pages. 1994.

Vol. 792: N. D. Jones, M. Hagiya, M. Sato (Eds.), Logic, Language and Computation. XII, 269 pages. 1994.