A Finite Semantics of Simply-Typed Lambda Terms for Infinite Runs of Automata
KLAUS AEHLIG
Department of Computer Science, University of Wales Swansea, Swansea SA2 8PP, United Kingdom
e-mail address: [email protected]
Abstract.
Model checking properties are often described by means of finite automata. Any particular such automaton divides the set of infinite trees into finitely many classes, according to which state has an infinite run. Building the full type hierarchy upon this interpretation of the base type gives a finite semantics for simply-typed lambda-trees. A calculus based on this semantics is proven sound and complete. In particular, for regular infinite lambda-trees it is decidable whether a given automaton has a run or not. As regular lambda-trees are precisely recursion schemes, this decidability result holds for arbitrary recursion schemes of arbitrary level, without any syntactical restriction.

1. Introduction and Related Work
The lambda calculus [5] has long been used as a model of computation. In its untyped form it is Turing complete. Even though models of the untyped lambda calculus are known, restricting it to a typing discipline allows for more specific models. The simply-typed lambda calculus has a straightforward set-theoretic semantics.

Quite early on, not only finite but also infinite lambda-terms have been considered. For example, Barendregt [5] introduced the concept of “Böhm trees” as a generalised concept of normal forms for lambda-terms where normalisation does not necessarily terminate, but still might produce a growing normal prefix; for example the term Y(λzx.xz) has the Böhm tree λx.x(λx.x(λx.x . . .)).

Since Rabin [16] showed the decidability of the monadic second order (MSO) theory of the infinite binary tree this result has been applied and extended to various mathematical structures, including algebraic trees [8] and a hierarchy of graphs [7] obtained by iterated unfolding and inverse rational mappings from finite graphs. The interest in these kinds of structures arose in recent years in the context of verification of infinite state systems [13, 18].

F.3.2.
Key words and phrases: Recursion Schemes, infinitary lambda calculus, automata.

Partially supported by grant EP/D03809X/1 of the British Engineering and Physical Sciences Research Council (EPSRC). Part of this article was written while Klaus Aehlig was affiliated with the University of Toronto and supported by grant Ae 102-1/1 of the “Deutsche Forschungsgemeinschaft” (DFG).
LOGICAL METHODS IN COMPUTER SCIENCE, DOI:10.2168/LMCS-3 (3:1) 2007, © K. Aehlig, Creative Commons
Recently Knapik, Niwiński and Urzyczyn [10] showed that the monadic second order theory of any infinite tree generated by a level-2 grammar satisfying a certain “safety” condition is decidable. Later they generalised [11] this result to grammars of arbitrary levels, but still requiring the “safety” condition. In particular, the question was left open whether a “safety” constraint is necessary to obtain decidability. In this article we will give a partial answer.

It should be noted that trees given by higher-order grammars can also be understood as trees given by simply-typed infinite, but regular, lambda terms. The “safety” condition guarantees that beta-reduction can be carried out in such a way that variables never have to be renamed in the process of substitution. This obviously is a property related to operational aspects of computation. Our approach to avoid the need for such a restriction is therefore to search for a denotational semantics. Denotational approaches tend to be less vulnerable to the need of requiring specific operational properties.

To obtain effective constructions, like an effective semantics, it is useful to have a concrete representation of the properties to be verified. Finite automata are a standard tool to do so. In this article we concentrate on automata with trivial acceptance condition. These automata do not exhaust the whole of MSO but, as we shall see, are able to express a reasonable set of safety properties.

Their advantage, however, is that they seem particularly suited for a denotational approach. The reason is that the “interface” is particularly simple. In order to combine two partial runs into a longer run, the only thing we have to look at is the state in which the automaton arrives.

Based on this intuition we construct a semantics for the simple types. Actually, we use the standard set-theoretic semantics. Hence the only thing we have to specify is the interpretation of the base type.
Following the discussion above, we describe a term of base type by the set of states a given automaton can start a run on the tree denoted by that term.

More precisely, we consider the following problem.

Given a, possibly infinite, simply-typed lambda-tree t of base type, and given a non-deterministic tree automaton A. Does A have a run on the normal form of t?

The idea is to provide a “proof” of a run of A on the normal form of t by annotating each subterm of t with a semantical value describing how this subterm “looks, as seen by A”. Since, in the end, all the annotations come from a fixed finite set, the existence of such a proof is decidable.

The idea of a “proof” that a given automaton has a run on a tree is used, at least implicitly, in the work by Aehlig, de Miranda and Ong [4]. This work also gives an affirmative answer to the question of the decidability for the full MSO theory for trees generated by level-two recursion schemes.

Very recently, simultaneously and independently, Luke Ong could give an affirmative answer [15] for trees generated by recursion schemes of arbitrary level, still deciding the full MSO theory; he thus obtained a stronger result in what concerns decidability. His result is based on game semantics [9] and is technically quite involved. Therefore the author believes that his conceptually more simple approach still is of worth. Moreover, the novel finitary semantics for the simple types introduced in this article, and the sound and complete proof system to show the existence of a run of an automaton seem to be of independent interest. An extended abstract [1] of this article appeared in the proceedings of CSL ’06.

This article is organised as follows. In Section 2 we formally introduce automata with trivial acceptance condition and study their languages. We also prove the closure of these languages under the modality “globally”.
We also show that properties based on the modality “eventually” are not expressible. In Section 3 we introduce infinitary simply-typed lambda trees and in Section 4 we introduce recursion schemes as a means to describe regular lambda trees. This also shows that some lambda trees have a representation that is not only effective, but also quite natural. In Section 5 we explain continuous normalisation for the lambda calculus. The use of continuous normalisation is twofold. On the one hand, it allows simpler definitions and proofs, as one layer of input corresponds precisely to one layer of output. On the other hand, it is simply a necessity in order to have a well-defined normal form in the presence of non-terminating computations due to the infinitary nature of our lambda trees. Section 6 introduces the finitary semantics and the proof system; Sections 7 and 8 are devoted to the proofs of its soundness and completeness. Finally, in Section 9, we put the results together to obtain the mentioned decidability result.

2. Automata with Trivial Acceptance Condition
We assume a set of letters or terminals be given to us as a primitive notion. We use f to range over letters. Each letter f is associated an arity ♯(f) ∈ ℕ.

Definition 2.1. For Σ a set of terminals, a Σ-term is a, not necessarily well-founded, tree labelled with elements of Σ where every node labelled with f has ♯(f) many children. A Σ-language is any subset of the set of all Σ-terms. We use the term language if Σ is understood.

Example 2.2. Let Σ′ = {f, g, a} with f, g and a of arities 2, 1, and 0, respectively. Figure 1 shows two Σ′-terms.

Definition 2.3 (Trivial Automata). A non-deterministic tree automaton with trivial acceptance condition over the alphabet Σ, or a “trivial automaton” for short, is given by
• a finite set Q of “states”,
• a set I ⊂ Q of “initial states”, and
• a transition function $\delta : Q \times \Sigma \to \mathcal{P}((Q \cup \{\ast\})^N)$.
Here N = max{♯(g) | g ∈ Σ} is the maximal arity and we require $\delta(q, g) \subset Q^{\sharp(g)} \times \{\ast\}^{N - \sharp(g)}$ whenever q ∈ Q and g ∈ Σ.

Definition 2.4 (Run of a Trivial Automaton). If t is a Σ-term, and A a trivial automaton over Σ, then a run (also “an infinite run”) of A on t starting in state q is a mapping r from the nodes of t to Q, such that the root is mapped to q, and, whenever p is an f-labelled node in t and $p, \ldots, p_{\sharp(f)}$ are the children of p, then $(r(p), \ldots, r(p_{\sharp(f)}), \ast, \ldots, \ast) \in \delta(r(p), f)$.

A run up to level n starting in state q is a mapping from all nodes of t with distance at most n to Q such that the above condition holds for all nodes $p, \vec{p}$ in the domain of r, i.e., whenever a node p is f-labelled and its children $p, \ldots, p_{\sharp(f)}$ have distance at most n to the root, then $(r(p), \ldots, r(p_{\sharp(f)}), \ast, \ldots, \ast) \in \delta(r(p), f)$.

A run or a run up to level n, is a run or a run up to level n starting in some initial state.

[Figure 1: Two {f, g, a}-terms.]

We write $A, q \models^n t$ to denote that A has a run on t up to level n starting in state q. We write $A, q \models^\infty t$ to denote that A has a run on t starting in state q. We write $A \models^n t$ to denote that A has a run up to level n on t and we write $A \models^\infty t$ to denote that A has a run on t.

Remark 2.5. Trivially, every automaton has a run up to level 0 on every term starting in every state. Also immediate from the definition we see that, if A has a run up to level n on t and m ≤ n then A has a run up to level m on t.

Remark 2.6. By König’s Lemma A has a run on t if and only if A has a run up to level n on t for every n ∈ ℕ.

Example 2.7. Continuing Example 2.2 consider the property

“Every maximal chain of letters g has even length”.

It can be expressed by an automaton with two states Q = {q, q} where q means that an even number of gs has been passed on the path so far, and q means that the maximal chain of gs passed has odd length. Then the initial state is q and the transition function is as follows.

δ(f, q) = {(q, q)}    δ(f, q) = ∅
δ(g, q) = {(q, ∗)}    δ(g, q) = {(q, ∗)}
δ(a, q) = {(∗, ∗)}    δ(a, q) = ∅

Note that this automaton has an infinite run on the second tree in Figure 1, whereas it has a run only up to level 3 on the first one.
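The automaton of Example 2.7 and the level-n runs of Definition 2.4, as an added example that is not part of the original article. The state names `q_even` and `q_odd`, the `Node` and `TrivialAutomaton` classes, the function names and the lazy construction of the two trees of Figure 1 (following the recursion schemes of Figure 3) are assumptions of this sketch; transitions are stored as tuples of length ♯(f), without the ∗ padding.

```python
"""Runs up to level n of a trivial automaton (Definitions 2.3 and 2.4)."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class Node:
    """A node of a possibly infinite Sigma-term; children are thunks."""
    label: str
    children: Tuple[Callable[[], "Node"], ...] = ()


@dataclass
class TrivialAutomaton:
    states: FrozenSet[str]
    initial: FrozenSet[str]
    # delta[(q, f)] is a set of tuples of length arity(f); the padding
    # with * up to the maximal arity N is left implicit.
    delta: Dict[Tuple[str, str], FrozenSet[Tuple[str, ...]]]


def states_with_run(aut, tree, n):
    """Return the set of states q such that A, q has a run up to level n on tree.

    Level 0 imposes no condition (Remark 2.5). At level n > 0 the state q
    needs one transition whose i-th component has a run up to level n - 1
    on the i-th child. Working with sets of states avoids backtracking
    over the non-deterministic choices.
    """
    if n == 0:
        return aut.states
    below = [states_with_run(aut, child(), n - 1) for child in tree.children]
    return frozenset(
        q for q in aut.states
        if any(all(qi in m for qi, m in zip(step, below))
               for step in aut.delta.get((q, tree.label), ()))
    )


def has_run_up_to(aut, tree, n):
    """A has a run up to level n on tree, starting in some initial state."""
    return bool(aut.initial & states_with_run(aut, tree, n))


def max_level(aut, tree, bound):
    """Largest n <= bound with a run up to level n (downward closed, Remark 2.5)."""
    n = 0
    while n < bound and has_run_up_to(aut, tree, n + 1):
        n += 1
    return n


# "Every maximal chain of letters g has even length" (Example 2.7).
# Pairs without an entry, (q_odd, f) and (q_odd, a), have an empty delta.
EVEN_G_CHAINS = TrivialAutomaton(
    states=frozenset({"q_even", "q_odd"}),
    initial=frozenset({"q_even"}),
    delta={
        ("q_even", "f"): frozenset({("q_even", "q_even")}),
        ("q_even", "g"): frozenset({("q_odd",)}),
        ("q_odd", "g"): frozenset({("q_even",)}),
        ("q_even", "a"): frozenset({()}),
    },
)


def a():
    return Node("a")


def g(arg):
    """g applied to a thunk producing its only child."""
    return Node("g", (arg,))


def first_tree(x=a):
    """F x = f x (F (g x)) with S = F a, i.e. f(a, f(g a, f(g g a, ...)))."""
    return Node("f", (x, lambda: first_tree(lambda: g(x))))


def second_tree(phi=lambda x: g(lambda: g(x))):
    """F' phi = f (phi a) (F' (W phi)), W phi x = phi (phi x), S' = F' (W g)."""
    def twice(x):
        return phi(lambda: phi(x))
    return Node("f", (lambda: phi(a), lambda: second_tree(twice)))


if __name__ == "__main__":
    print(max_level(EVEN_G_CHAINS, first_tree(), 10))
    print(max_level(EVEN_G_CHAINS, second_tree(), 25))
```

Only finite levels are checked here; by Remark 2.6 an infinite run exists exactly when every level has one, and deciding that for lambda-trees is what the rest of the article is about.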
Definition 2.8 (L(A)). If A is a trivial automaton over the alphabet Σ then by L(A) we denote the language of A, that is, the set $L(A) = \{ t \mid A \models^\infty t \}$ of all terms t such that A has a run on t.

Proposition 2.9. There exists a trivial automaton that accepts a tree if and only if its root is labelled by the terminal f.

Proof. Let q be an all-accepting state, i.e., δ(q, g) = {(q, . . . , q, ∗, . . . , ∗)} for all g ∈ Σ. Let q be the only initial state, and set δ(q, f) = {(q, . . . , q, ∗, . . . , ∗)} and δ(q, g) = ∅ for g ≠ f.

Lemma 2.10. If A and A are trivial automata, then there is a trivial automaton A with L(A) = L(A) ∪ L(A).

Proof. Let $A_i$ have state set $Q_i$, initial states $I_i$ and transition $\delta_i$. Assume, without loss of generality, that Q and Q are disjoint. Then A is given by the following data. State set is Q = Q ∪ Q, initial states are I = I ∪ I and the transition function δ is defined by $\delta(q, f) = \delta_i(q, f)$ for $q \in Q_i$.

Lemma 2.11. If A and A are trivial automata, then there is a trivial automaton A with L(A) = L(A) ∩ L(A).

Proof. Let $A_i$ have state set $Q_i$, initial states $I_i$ and transition $\delta_i$. Set Q = Q × Q, I = I × I and define $\delta : (Q \times Q) \times \Sigma \to \mathcal{P}((Q \times Q \cup \{\ast\})^N)$ by

$$\delta((q, q'), f) = \{ ((q, q'), \ldots, (q_{\sharp(f)}, q'_{\sharp(f)}), \ast, \ldots, \ast) \mid (q, \ldots, q_{\sharp(f)}, \ldots) \in \delta(q, f) \wedge (q', \ldots, q'_{\sharp(f)}, \ldots) \in \delta(q, f) \}.$$

Then Q, I and δ define an automaton A as desired.

Non-determinism immediately provides us with closure under projection of the alphabet; we’ll give a precise definition of this property.

Definition 2.12. If Σ and Σ are sets of terminals, a projection from Σ to Σ, is a mapping π : Σ → Σ such that ♯(π(f)) = ♯(f) for all f ∈ Σ. If t is a Σ-term and π is a projection from Σ to Σ, then by π(t) we denote the Σ-term that is obtained from t by replacing every label f by π(f).

Remark 2.13. In Definition 2.12 the condition on the arity is necessary to ensure that π(t) is a well-formed Σ-tree, i.e., every g-labelled node has ♯(g) many children.

Lemma 2.14. If Σ and Σ are sets of terminals, π is a projection from Σ to Σ, and A is a trivial automaton over Σ, then there is a trivial automaton $A_\pi$ such that $L(A_\pi) = \{ \pi(t) \mid t \in L(A) \}$.

Proof. Let A have state set Q, initial states I and transition δ. Then a possible automaton $A_\pi$ is given by the same set Q of states and the same set I of initial states, but with transition function $\delta_\pi$ defined by $\delta_\pi(q, g) = \bigcup \{ \delta(q, f) \mid f \in \Sigma, \pi(f) = g \}$.

Another obvious closure property of the languages of trivial automata are the temporal “next” operators.

Definition 2.15 (EX L, AX L). If L is a language we define the languages $EX\,L = \{ f\,t \ldots t_{\sharp(f)} \mid \exists i.\ t_i \in L \}$ and $AX\,L = \{ f\,t \ldots t_{\sharp(f)} \mid \forall i.\ t_i \in L \}$.

Lemma 2.16. If A is a trivial automaton, then there exist trivial automata $A_{EX}$ and $A_{AX}$ with $L(A_{EX}) = EX\,L(A)$ and $L(A_{AX}) = AX\,L(A)$.

Proof. To construct $A_{AX}$, add a new state q to the state set of A. This new state will be the only initial state of $A_{AX}$. Extend the transition function δ by setting

$$\delta(q, f) = \{ (q, \ldots, q_{\sharp(f)}, \ast, \ldots, \ast) \mid q, \ldots, q_{\sharp(f)} \in I \}$$

where I is the set of initial states of A.

To construct $A_{EX}$ from A add a new state q, which will be the only initial state of the new automaton, and add a new all-accepting state $q_f$. Extend δ by setting

$$\delta(q, f) = \{ (q_i, q_f, \ldots, q_f, q_f, \ast, \ldots, \ast),\ (q_f, q_i, \ldots, q_f, q_f, \ast, \ldots, \ast),\ \ldots,\ (q_f, q_f, \ldots, q_i, q_f, \ast, \ldots, \ast),\ (q_f, q_f, \ldots, q_f, q_i, \ast, \ldots, \ast) \mid q_i \in I \}$$

where I is the set of initial states of A.

Definition 2.17 (p ∈ t, $t|_p$, Path). We use p ∈ t to express that p is a node in t. In this case we write $t|_p$ for the subterm of t whose root is p.

A path in t is a maximal set P of nodes in t such that if a node p ∈ t different from the root is in P, then so is its parent, and such that for every node in P at most one of its children is in P.

Remark 2.18. Immediately from the definition of a path we note that if P is a path in t and p ∈ P has a child in t then some child of p has to be in P.

Definition 2.19. If L is a language we define the languages $EG\,L = \{ t \mid \exists P\,(P \text{ path in } t \wedge \forall p \in P.\ t|_p \in L) \}$ and $AG\,L = \{ t \mid \forall p \in t.\ t|_p \in L \}$.

The next lemma states that the set of languages of trivial automata is closed under the modal operator “globally”. On the one hand, this is an interesting closure property, which shows that at least safety properties can be expressed by trivial automata. On the other hand, it is worth looking at the proof of this lemma, as it shows, in a simple setting, all the central ideas that will be used to construct our finitary proof calculus and show its soundness and completeness. The states of the automaton $A_{AG}$ constructed in the proof of Lemma 2.20 should be thought of as annotations proving that A has a run starting in various states.

Lemma 2.20. If A is a trivial automaton, then there exist trivial automata $A_{EG}$ and $A_{AG}$ such that $L(A_{EG}) = EG\,L(A)$ and $L(A_{AG}) = AG\,L(A)$.

Proof. Roughly speaking, the idea is to construct an alternating automaton that follows one path (for EG) or spawns through all nodes (for AG) and in each step spawns a new automaton that verifies that A has a run on the subtree starting at the current node. This alternation can be removed by a simple powerset construction.

Formally, let A be given by the state set Q, the initial states I and the transition function δ. Define $Q_{AG} = \mathcal{P}(Q)$, $I_{AG} = \{ M \in \mathcal{P}(Q) \mid M \cap I \neq \emptyset \}$, and

$$\delta_{AG}(M, f) = \{ (M, \ldots, M_{\sharp(f)}, \ast, \ldots, \ast) \mid [\forall q \in M\ \exists (q, \ldots, q_{\sharp(f)}, \ast, \ldots, \ast) \in \delta(f, q)\ \ q \in M \wedge \ldots \wedge q_{\sharp(f)} \in M_{\sharp(f)}] \wedge \forall i\,(M_i \cap I \neq \emptyset) \}.$$

Let $A_{AG}$ be the automaton given by this data. Intuitively, the first condition in the transition function ensures that every state in M can be continued to a run of A, whereas the second condition ensures that a new run of A can be started at every node.

To verify these properties first assume that $t \in AG\,L(A)$. For every node p ∈ t set $M_p = \{ q \in Q \mid A, q \models^\infty t|_p \}$. Then the mapping $p \mapsto M_p$ is a run of $A_{AG}$ on t. The first condition in the transition relation is fulfilled since every state that has an infinite run must be able to make a transition to new states that have an infinite run on the corresponding subtrees. The second condition is satisfied since $t \in AG\,L(A)$ guarantees that A has a run for every subtree; so at every subtree, some initial state has to have a run.

Now assume $t \in L(A_{AG})$. So there is a run r of $A_{AG}$ on t. We have to show that $t \in AG\,L(A)$. To do so, we show that for all trees t, all $M \in Q_{AG}$, if there is any run of $A_{AG}$ on t starting in M then for all n ∈ ℕ, it holds that $\forall q \in M.\ A, q \models^n t|_p$.

This indeed shows $t \in AG\,L(A)$. By the properties of $I_{AG}$ and $\delta_{AG}$ we immediately get that for all p ∈ t the set r(p) contains an element $q_p \in I$. Applying the claim to $t|_p$ we obtain that A has a run, starting in $q_p$ on $t|_p$.

So let us show the claim. We argue by induction on n. For n = 0 there’s nothing to show. So let n ≥ q ∈ M. Assume that t is of the form $t = f\,t \ldots t_{\sharp(f)}$ and let $M, \ldots, M_{\sharp(f)}$ be the states of the run of $A_{AG}$ at the children of the root. Since $(M, \ldots, M_{\sharp(f)}, \ldots) \in \delta_{AG}(M, f)$ there exist $q, \ldots, q_{\sharp(f)}$ such that $(q, \ldots, q_{\sharp(f)}, \ldots) \in \delta(q, f)$ and $q_i \in M_i$. Applying the induction hypothesis to $M_i$ and $t_i$ we get $A, q_i \models^{n-} t_i$. Together with the transition $q\ (q, \ldots, q_f)$ we get $A, q \models^n t$.

The construction for $A_{EG}$ is similar.

Taking stock, we see that quite a few safety properties can be expressed by trivial automata. Proposition 2.9 and Lemmata 2.10, 2.11, 2.16, and 2.20 show that the fragment of CTL given by the following grammar can be expressed by trivial automata.

ϕ, ψ ::= f | ϕ ∨ ψ | ϕ ∧ ψ | EX ϕ | AX ϕ | EG ϕ | AG ϕ

Of course ¬f can be expressed by an appropriate disjunction over all the other letters of the alphabet.

Even though this grammar probably does not exhaust all the properties expressible by trivial automata, it gives the right flair of the properties being safety properties. We will now show that the simplest liveness property, that is the “eventually” modality, cannot be expressed, not even for word languages.

Definition 2.21 (Word Alphabet). An alphabet Σ is called a word alphabet, if all its letters f ∈ Σ have arity ♯(f) = 1.

Remark 2.22. If Σ is a word alphabet, then the only Σ-terms are ω-words.

Lemma 2.23 (Pumping Lemma for Trivial Automata over Words). Let A be a trivial automaton over a word alphabet Σ. Then there is a natural number n such that for every word w such that $A \models^n w$ there is a prefix of w of the form uv with |uv| ≤ n and |v| ≥ such that $uv^\omega \in L(A)$.

Proof. Set n = |Q| + 1 where Q is the set of states of A. Let w = f f f . . . and assume $A \models^n w$. Let the states $q\,q \ldots q_{n-}$ constitute such a run up to level n on w. Since |Q| = n − ≤ i < j < n such that $q_i = q_j$. Set $u = f \ldots f_{i-}$ and $v = f_i \ldots f_{j-}$. Then $q \ldots q_{i-}(q_i \ldots q_{j-})^\omega$ constitutes a run on $uv^\omega$ and u, v are as desired.

An immediate consequence is that trivial automata cannot express the property “eventually b”, as the following corollary shows.

Corollary 2.24. The language $L = a^\ast b (a + b)^\omega$ is not the language of any trivial automaton.

Proof. Suppose, for sake of contradiction, that L = L(A) for some trivial automaton A and let n be as asserted by Lemma 2.23. Consider $a^n b a^\omega \in L = L(A)$ and let u, v be as asserted by the lemma. Since uv is a prefix of $a^n b a^\omega$ of length at most n, both u and v must consist of letters a only, and therefore the lemma asserts $a^\omega \in L(A) = L$ which is not the case.

3. Infinitary Lambda Trees
Now let Σ′ be a fixed set of letters and let f from now on only range over elements of Σ′. The choice of the name Σ′ will become clear in Definition 5.2, when we have to extend the alphabet in the context of continuous normalisation.

Definition 3.1. The simple types, denoted by ρ, σ, τ, are built from the base type ι by arrows ρ → σ. The arrow associates to the right. In particular, $\vec{\rho} \to \iota$ is short for $\rho \to (\rho \to (\ldots (\rho_n \to \iota) \ldots))$.

In the lambda calculus the most common way to form terms is via application. In lambda-trees application is represented by a binary @-node. In linear notation, we omit the “@” and write a tree consisting of an @-node at the root and subtrees s and t just as juxtaposition st. Application associates to the right, i.e., rst is short for ((rs)t).

Definition 3.2. The infinitary simply-typed lambda-trees over typed terminals Σ′ are coinductively given by the grammar

$$r, s ::= x^\rho \mid (\lambda x^\rho t^\sigma)^{\rho \to \sigma} \mid (t^{\rho \to \sigma} s^\rho)^\sigma \mid f^{\iota \to \ldots \to \iota \to \iota}.$$

In other words, they are, not-necessarily well founded, trees built, in a locally type respecting way, from unary $\lambda x^\rho$-nodes, binary @-nodes representing application, and leaf nodes consisting of typed variables $x^\rho$ of type ρ and typed constants f ∈ Σ′ of type $\underbrace{\iota \to \ldots \to \iota}_{\sharp(f)} \to \iota$.

Here $\lambda x^\rho$ binds free occurrences of the variable $x^\rho$ in its body. Trees with all variables bound are called closed.

A lambda-tree with only finitely many non-isomorphic subtrees is called regular.

We omit type superscripts if they are clear from the context, or irrelevant.

We usually leave out the words “simply typed”, tacitly assuming all our lambda-trees to be simply typed and to use terminals from Σ′ only. Figure 2 shows two regular lambda-trees. Arrows are used to show where the pattern repeats, or to draw isomorphic subtrees only once. Note that they denote terms (shown in Figure 1) that are not regular. Here, by “denote” we mean the term reading of the normal form.

[Figure 2: Two regular lambda-trees with denotation being the {f, g, a}-terms in Figure 1.]

Remark 3.3. It should be noted that in lambda-trees, as opposed to Σ′-terms, all constants and variables, no matter what their type is, occur at leaf positions.

The reason is that in a lambda-calculus setting the main concept is that of an application. This is different from first order terms, where the constructors are the main concept. Note that we use lambda-trees to denote Σ′-terms. As these are different concepts, even normal lambda-trees differ from their denotation. For example the lambda-tree @(@(g, a), a), in linear notation g a a, denotes the Σ′-term g(a, a).

4. Recursion Schemes as Means to Define Regular Lambda Trees
The interest in infinitary lambda-trees in the verification community recently arose by the study of recursion schemes. It could be shown [10, 11] that under a certain “safety” condition the (infinite) terms generated by recursion schemes have decidable monadic second order theory. For our purpose it is enough to consider recursion schemes as a convenient means to define regular lambda-trees.

Definition 4.1. Recursion schemes are given by a set of first-order terminal symbols, simply-typed non-terminal symbols and for every non-terminal F an equation

$F \vec{x} = e$

where e is an expression of ground type built up from terminals, non-terminals and the variables $\vec{x}$ by type-respecting application. There is a distinguished non-terminal symbol S of ground type, called the start symbol.

Definition 4.2. Each recursion scheme denotes, in the obvious way, a partial, in general infinite, term built from the terminals. Starting from the start symbol, recursively replace the outer-most non-terminals by their definitions with the arguments substituted in appropriately.

S = F a
F x = f x (F (g x))

S′ = F′ (W g)
F′ ϕ = f (ϕ a) (F′ (W ϕ))
W ϕ x = ϕ (ϕ x)

Figure 3: Two recursion schemes.

Definition 4.3. To every recursion scheme is associated a regular lambda-tree in the following way. First replace all equations $F \vec{x} = e$ by

$F = \lambda \vec{x}. e$

where the right hand side is read as a lambda term.

Then, starting from the start symbol, recursively replace all non-terminals by their definition without performing any computations.

Remark 4.4. Immediately from the definition we note that the β-normal form of the lambda-tree associated with a recursion scheme, when read as a term, is the term denoted by that recursion scheme.

Example 4.5. Figure 3 shows two recursion schemes with non-terminals F : ι → ι, F′ : (ι → ι) → ι, W : (ι → ι) → ι → ι, and S, S′ : ι. Their corresponding lambda-trees are the ones shown in Figure 2. The sharing of an isomorphic sub-tree arises as both are translations of the same non-terminal W. As already observed, these recursion schemes denote the terms shown in Figure 1.

Remark 4.6. The notion of a recursion scheme wouldn’t change if we allowed λ-abstractions on the right hand side of the equations; we can always build the closure and “factor it out” as a new non-terminal. For example, the W ϕ in the definition of F′ in Figure 3 should be thought of as the factored-out closure (λx.ϕ(ϕx)) which is part of a line that originally looked like

F′ ϕ = f (ϕ a) (F′ (λx.ϕ(ϕx))).

5. Continuous Normalisation for the Lambda Calculus
As mentioned in the introduction, we are interested in the question, whether an automaton A has a run on the normal form of some lambda-tree t. Our plan to investigate this question is by analysing the term t.

However, there is no bound on the number of nodes of t that have to be inspected, and no bound on the number of beta-reductions to be carried out, before the first symbol of the normal form is determined, if it ever will be. In fact, it may well be that an infinite simply-typed lambda-tree leaves the normal form undefined at some point.

Example 5.1. It should be noted that the typing discipline does not prevent the problem of undefinedness. This is due to the inherently infinitary nature of recursion schemes. Let Y : (ι → ι) → ι, I : ι → ι, and S : ι be non-terminal symbols and consider the recursion scheme

Y ϕ = ϕ (Y ϕ)
I x = x
S = Y I

with start symbol S.

[Figure 4: The lambda-tree associated to the recursion scheme in Example 5.1.]

Computing the normal form of the associated lambda-tree gives the following infinite reduction sequence $S = Y I \to_\beta I (Y I) \to_\beta Y I \to_\beta \ldots$. Of course, the fact that the computation will never produce a terminal symbol can, in this example, also be trivially seen from the fact that the whole recursion scheme does not contain any terminal symbol.

Whereas the unboundedness of the number of symbols to be inspected is merely a huge inconvenience, the possibility of undefinedness makes it unclear what it even is supposed to mean that “A has a run on the normal form of t” if there is no such normal form.

This problem of possible undefinedness of the normal form is similar to a situation in proof theory, where only strong principles guarantee the termination of the cut-elimination procedure, whereas the operation itself can be defined in primitive recursive arithmetic. Continuous Normalisation was introduced by Mints [12, 14] in order to separate cut-elimination for semiformal systems from their ordinal analysis. The operational aspects of normalisation, i.e., the manipulations on infinitary derivations, are isolated and described independently of the system’s proof theoretic complexity, but at the expense of introducing the void logical rule

$$\frac{\Gamma}{\Gamma}\ (\mathcal{R})$$

of repetition. Note that this rule both is logically valid and has the subformula property.

Using the repetition rule, the cut-elimination operator becomes primitive recursive and can be studied in its own right. As Mints observed, this cut-elimination operator can also be applied to non-wellfounded derivations, resulting in a continuous function on derivation trees (a concise exposition can be found in an article [6] by Buchholz).

The possibility to handle infinite computations is particularly natural in the realm of the lambda calculus, where non-termination actually does happen. Let us explain the idea of continuous normalisation for the lambda-calculus [2, 3] by considering the recursion scheme in Example 5.1. The associated lambda tree is shown in Figure 4.

We look at the outer-most constructor of the term and see an application. Just from this knowledge we cannot deduce any constructor of the normal form. The normal form read as a lambda-tree could be an application as well, e.g., if the left term is a terminal; since we’re trying to compute the normal form as a Σ′-tree, even in this case we would have to inspect the term further to find out which terminal it is, the term starts with. But, more importantly, it could also be that the left term is a λ-abstraction, in which case a beta-reduction has to be carried out and the normal form could look almost arbitrary. So we don’t know any constructor of the normal form yet. On the other hand, we want to be uniformly continuous with identity as modulus of continuity; in other words, we want to ensure that the output of all nodes of level k only depend on the input of level k. We solve this problem by outputting R, signalling that we have to read more input to decide what the normal form will look like.

Having output R we now may look at the next level of the term. Seeing the λϕ we still don’t know any constructor of the normal form, but at least we know that we have to wait for a different reason: we have to carry out some computation. Therefore we output a β constructor, signalling that the delay in the output is due to a beta-reduction being carried out. Note that in a certain sense (made precise in Lemma 5.4) this β “justifies” the first R-constructor. The application we have seen in the first step has disappeared due to the beta-reduction being carried out. A different form of justification would be outputting a Σ′-term, where the lambda-tree reading contains an application. For example the term f a with f and a both terminals would have continuous normal form R(f(a)), with the R justified by the fact that f is applied to one argument a.

After this beta-reduction the term I (Y I) is remaining, so we’re looking at an application again, and, as before, wait by saying R. Again, there is a lambda abstraction to the left of the application, so we say β and carry out the reduction due to the λx, leaving us with Y I, which happens to be the term we started with. Of course, we don’t know this yet, as the only thing we see so far is the outermost @. But the fact that we arrived at Y I again ensures that the pattern R β R β . . . of the normal form will repeat.

Let us now formally introduce continuous normalisation. As mentioned, we extend the language by two new terminals. The R-constructor for a delay due to inspection of an application and the β-constructor for a delay due to a beta-reduction.

Definition 5.2. Define Σ = Σ′ ∪ {R, β} with R, β two new terminals of arity one.

The continuous normalisation procedure, which will compute the continuous normal form, follows the informal description above. In other words, if we see an application we output R and carry on by reading more input. If we see a lambda-abstraction our typing restrictions force that we have to have collected some arguments before, so that a beta-reduction has to be carried out, accompanied by a β constructor; in the more general case [2] of the untyped lambda calculus [5] we would have to do a case distinction on whether we have at least one argument collected or not. In the latter case the normal form would start with a λ. Finally, if we find a terminal symbol we construct a term, which is the terminal symbol applied to the continuous normal forms of the arguments collected so far.

In our official Definition 5.3 of the continuous normal form, the expression $t @ \vec{t}$ should be read as “the continuous normal form of t, with arguments $t, \ldots, t_n$ collected already”. Correspondingly the continuous normal form of t is t@() which we also abbreviate by $t^\beta$.

Definition 5.3. For $t, \vec{t}$ closed infinitary simply-typed lambda-trees such that $t\,\vec{t}$ is of ground type we define a Σ-term $t @ \vec{t}$ coinductively as follows.

$$(rs) @ \vec{t} = \mathcal{R}(r @ (s, \vec{t}))$$
$$(\lambda x. r) @ (s, \vec{t}) = \beta(r[s/x] @ \vec{t})$$
$$f @ \vec{t} = f(t^\beta, \ldots, t_n^\beta)$$

Here we used r[s/x] to denote the substitution of s for x in r. This substitution is necessarily capture free as s is closed. By $f(T, \ldots, T_n)$ we denote the term with label f at the root and $T, \ldots, T_n$ as its n children; this includes the case n = 0, where f() denotes the term consisting of a single node f. Similar notation is used for R(T) and β(T). Moreover we used $r^\beta$ as a shorthand for r@().

The term $t^\beta$ is also called the continuous normal form of t.

A first observation is that the definition obeys the informal idea of “justifying” the delay constructors. We note that, whenever the number of collected arguments increases we output an R, and whenever the number of arguments decreases (due to an argument being consumed by a beta-reduction) we output a β. This bookkeeping of the number of collected arguments is made precise in the next lemma.

Lemma 5.4. If $t @ (t, \ldots, t_k) = W(W(\ldots (W_\ell . f(\vec{s}))))$ with $W, \ldots, W_\ell \in \{\mathcal{R}, \beta\}$ then the equation $k + |\{ i \mid W_i = \mathcal{R} \}| = |\{ i \mid W_i = \beta \}| + \sharp(f)$ holds.

Proof. A simple induction on ℓ. If ℓ = 0, the claim k = ♯(f) follows from the typing requirements. Note that we allowed the expression $t @ \vec{t}$ only if $t\,\vec{t}$ is well typed of ground type. If ℓ > t is an application or a lambda-abstraction. In either case we unfold the definition of $t @ \vec{t}$ once and can apply the induction hypothesis.

Next we will study the relation between lambda terms, their continuous normal forms, and their normal forms in the usual sense, in case the latter exists. This, on the one hand, will give a clearer picture on what the continuous normal form of a lambda term is.
Onthe other hand, it will also justify the claim, that is not only technically more convenientfor the development in the rest of this article to use continuous normalisation, but that itis also more informative.As an immediate observation, the reader might note that any property expressibleby some automaton A working on Σ ′ -trees can be lifted to a property on Σ-trees by“ignoring the additional R and β constructors”. The lifted property can also be ex-pressed by an automaton. We just have to extend the transition function δ by setting δ ( q, R ) = δ ( q, β ) = { ( q, ∗ , . . . , ∗ ) } . In particular, using continuous normalisation does notcause any disadvantages for the decision problem we are interested in.We already mentioned that output up to depth h only depends on the input up todepth h . To make this idea precise, we first define a notion of similarity for lambda-tree orΣ-terms. The relation r ≈ k s holds, if r and s coincide up to level k . This is made precisein the following definition. Definition 5.5.
For $\Sigma$-terms $r$, $s$ we define, by induction on $k$, the relation $r \approx_k s$ by the following rules.

$$r \approx_0 s \qquad \frac{r_1 \approx_k s_1, \; \ldots, \; r_\ell \approx_k s_\ell}{f(r_1, \ldots, r_\ell) \approx_{k+1} f(s_1, \ldots, s_\ell)}$$

For lambda-trees $r$, $s$ we define, by induction on $k$, the relation $r \approx_k s$ by the following rules.

$$r \approx_0 s \qquad \frac{r \approx_k s}{\lambda x.r \approx_{k+1} \lambda x.s} \qquad \frac{r \approx_k r' \quad s \approx_k s'}{rs \approx_{k+1} r's'} \qquad x \approx_k x \qquad f \approx_k f$$

Proposition 5.6. If $r$ and $s$ are both $\Sigma$-terms or both lambda-trees and $\ell, k \in \mathbb{N}$, then $r \approx_\ell s$ and $\ell \geq k$ imply $r \approx_k s$.

Proof. Induction on $k$.

Remark 5.7. Obviously, $s = t$ holds if and only if $\forall k.\, s \approx_k t$. Moreover, each of the relations $\approx_k$ is an equivalence relation.

Proposition 5.6 and Remark 5.7 together show that we obtain a metric $d$ if we set $d(s, t)$ to be $0$ if $s = t$, and otherwise set $d(s, t) = \frac{1}{k+1}$ where $k$ is maximal such that $s \approx_k t$. We will now show that continuous normalisation is continuous with respect to this topology. In fact, we even show a stronger statement of uniform continuity.

Proposition 5.8. If $s \approx_k s'$ and $t_1 \approx_k t'_1, \ldots, t_n \approx_k t'_n$ then $s@\vec{t} \approx_k s'@\vec{t'}$.

Proof. Induction on $k$. If $k = 0$, there is nothing to show. If $k > 0$, then the outermost constructors of $s$ and $s'$ have to coincide. We unfold the definitions of $s@\vec{t}$ and $s'@\vec{t'}$ once and apply the induction hypothesis.

Now that we know (by Proposition 5.8) that continuous normalisation does not consume too much input in order to produce the output, we aim at showing that the output is actually useful and not just a pointless collection of delay constructors. We have already seen (in Lemma 5.4) that the $\mathcal{R}$ constructors are justified by either $\beta$ constructors or the arity of the terminals in the output produced. So what remains to show is that the $\beta$ constructors are not arbitrary, but in a reasonable sense related to the underlying computation. In fact, it will turn out that every $\beta$ constructor corresponds to a beta reduction in the head normalisation strategy; compare Lemmata 5.9 and 5.10. It is well known that this reduction strategy finds a normal form, if there is one.

Lemma 5.9. If $t@\vec{t} = W_1(\ldots(W_k(f(s_1, \ldots, s_{\sharp(f)}))))$ with $W_i \in \{\mathcal{R}, \beta\}$ then there are lambda-trees $r_1, \ldots, r_{\sharp(f)}$ such that
• $t\vec{t}$ reduces in $n$ head-reduction steps to $f\vec{r}$ where $n$ is the number of $\beta$ constructors, i.e., $n = |\{i \mid W_i = \beta\}|$, and
• for each $i$ it holds that $r_i^\beta = s_i$.

Proof. Induction on $k$. If $k = 0$, inspection of Definition 5.3 of $t@\vec{t}$ shows that it must be the case that $t = f$. So, in this case $f@\vec{t} = f(t_1^\beta, \ldots, t_{\sharp(f)}^\beta)$ and we can take $\vec{r}$ to be $\vec{t}$.

If $k > 0$ and $W_1 = \beta$ it must be the case that $t = \lambda x.t'$. Then $(\lambda x.t')@(t_1, t_2, \ldots, t_\ell) = \beta((t'[t_1/x])@(t_2, \ldots, t_\ell))$. So $(t'[t_1/x])@(t_2, \ldots, t_\ell) = W_2(\ldots(W_k(f(s_1, \ldots, s_{\sharp(f)}))))$ and the induction hypothesis gives us $\vec{r}$ with $r_i^\beta = s_i$ such that $t'[t_1/x]\,t_2 \ldots t_\ell$ reduces in $n - 1$ head-reduction steps to $f\vec{r}$. Since, moreover, in one head reduction step, $t\vec{t} = (\lambda x.t')\,t_1 t_2 \ldots t_\ell$ reduces to $t'[t_1/x]\,t_2 \ldots t_\ell$, this yields the claim.

If $k > 0$ and $W_1 = \mathcal{R}$ the claim is immediate from the induction hypothesis.

Lemma 5.10. If $t\vec{t}$ reduces by $n$ head reduction steps to $f r_1 \ldots r_{\sharp(f)}$ then for some $W_1, \ldots, W_k \in \{\mathcal{R}, \beta\}$ with $|\{i \mid W_i = \beta\}| = n$ we have $t@\vec{t} = W_1(\ldots(W_k(f(r_1^\beta, \ldots, r_{\sharp(f)}^\beta))))$.

Proof. Induction on $n$. If $n = 0$ then $t\vec{t}$ must be of the form $f\vec{r}$ and, indeed, $t@\vec{t} = \mathcal{R}(\ldots(\mathcal{R}(f@\vec{r}))) = \mathcal{R}(\ldots(\mathcal{R}(f(r_1^\beta, \ldots, r_{\sharp(f)}^\beta))))$.

If $n > 0$, then $t$ is of the form $(\lambda x.s)\vec{s}$. Writing $\vec{t'}$ for $\vec{s}\,\vec{t}$ we note that $t@\vec{t} = \mathcal{R}(\ldots(\mathcal{R}((\lambda x.s)@\vec{t'}))) = \mathcal{R}(\ldots(\mathcal{R}(\beta(s[t'_1/x]@(t'_2, \ldots, t'_\ell)))))$. Since the head reduct of $t\vec{t}$ is $s[t'_1/x]\,t'_2 \ldots t'_\ell$, the induction hypothesis yields the claim.
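Definition 5.3 and the bookkeeping of Lemma 5.4, as an added Python example (not code from the article): `cnf` computes the first `depth` levels of t@(t1, ..., tn) for lambda-trees that are unfolded lazily. Assumptions: the substitution r[s/x] is realised by an environment of closures, Y is encoded as λφ.φ(Yφ) to match the walk-through of Y I above, and all names (`cnf`, `spine`, `lemma_5_4`, `REDEX`) are hypothetical.

```python
"""Continuous normalisation (Definition 5.3), computed to a finite depth."""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Var:
    name: str


@dataclass(frozen=True)
class Lam:
    var: str
    body: object


@dataclass(frozen=True)
class App:
    fun: object
    arg: object


@dataclass(frozen=True)
class Term:                 # terminal symbol f with arity #(f)
    name: str
    arity: int


@dataclass(frozen=True)
class Lazy:                 # subtree of an infinite lambda-tree, unfolded on demand
    unfold: Callable[[], object]


CUT = "..."                 # marks output below the requested depth


def cnf(t, depth, env=None, args=()):
    """First `depth` levels of t@args as nested tuples (label, child, ...).

    Assumption of this example: r[s/x] is replaced by an environment of
    closures (term, env); a variable lookup is the delayed substitution and
    therefore emits no constructor.
    """
    if depth == 0:
        return CUT
    env = env or {}
    while isinstance(t, (Var, Lazy)):
        if isinstance(t, Lazy):
            t = t.unfold()
        else:
            t, env = env[t.name]
    if isinstance(t, App):          # (rs)@t = R(r@(s, t))
        return ("R", cnf(t.fun, depth - 1, env, ((t.arg, env),) + args))
    if isinstance(t, Lam):          # (λx.r)@(s, t) = β(r[s/x]@t)
        if not args:
            raise TypeError("abstraction without argument: term not of ground type")
        return ("β", cnf(t.body, depth - 1, {**env, t.var: args[0]}, args[1:]))
    if len(args) != t.arity:        # f@t = f(t1^β, ..., tn^β)
        raise TypeError(f"{t.name} expects {t.arity} arguments, got {len(args)}")
    return (t.name,) + tuple(cnf(s, depth - 1, e) for s, e in args)


def spine(tree):
    """Split W1(...(Wl(f(...)))) into the delay constructors and the head node."""
    delays = []
    while tree != CUT and tree[0] in ("R", "β"):
        delays.append(tree[0])
        tree = tree[1]
    return delays, tree


def lemma_5_4(t, args=(), depth=64):
    """Check k + #R = #β + #(f); None if no terminal appears within `depth`."""
    delays, head = spine(cnf(t, depth, {}, tuple((s, {}) for s in args)))
    if head == CUT:
        return None
    return len(args) + delays.count("R") == delays.count("β") + len(head) - 1


# Constructed sample terms.
I = Lam("x", Var("x"))


def Y():
    # Y = λφ. φ (Y φ) as an infinite lambda-tree; the inner Y is unfolded lazily
    return Lam("phi", App(Var("phi"), App(Lazy(Y), Var("phi"))))


Y_I = App(Y(), I)                               # normal form R β R β ...
f, a = Term("f", 1), Term("a", 0)
REDEX = App(Lam("x", App(f, Var("x"))), a)      # (λx. f x) a

if __name__ == "__main__":
    print(cnf(Y_I, 6))
    print(cnf(App(f, a), 8))
    print(cnf(REDEX, 8), lemma_5_4(REDEX))
```

The spine of `REDEX` carries exactly one β, the single head-reduction step that Lemma 5.9 relates it to, while `Y_I` never reaches a terminal at any depth.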
It should be noted that in the special case of $\vec{t}$ being the empty list, Lemmata 5.9 and 5.10 talk about the continuous normal form of $t$.

6. Finitary Semantics and Proof System

Let $A$ be a fixed nondeterministic tree automaton with state set $Q$ and transition function $\delta : Q \times \Sigma \to \mathcal{P}((Q \cup \{*\})^N)$. The main technical idea of this article is to use a finite semantics for the simple types, describing how $A$ "sees" an object of that type.

Definition 6.1. For $\tau$ a simple type we define $[\![\tau]\!]$ inductively as follows.

$$[\![\iota]\!] = \mathcal{P}(Q)$$
$$[\![\rho \to \sigma]\!] = {}^{[\![\rho]\!]}[\![\sigma]\!]$$

In other words, we start with the power set of the state set of $A$ in the base case, and use the full set theoretic function space for arrow-types.

Remark 6.2. Obviously all the $[\![\tau]\!]$ are finite sets.

Example 6.3. Taking $A$ to be the automaton of Example 2.7, we have $[\![\iota]\!] = \{\emptyset, \{q\}, \{q\}, Q\}$ and examples of elements of $[\![\iota \to \iota]\!]$ include the identity function id, as well as the "swap function" swap defined by $\mathrm{swap}(\emptyset) = \emptyset$, $\mathrm{swap}(Q) = Q$, $\mathrm{swap}(\{q\}) = \{q\}$, and $\mathrm{swap}(\{q\}) = \{q\}$.

Definition 6.4. $[\![\tau]\!]$ is partially ordered as follows.
• For $R, S \in [\![\iota]\!]$ we set $R \sqsubseteq S$ iff $R \subseteq S$.
• For $f, g \in [\![\rho \to \sigma]\!]$ we set $f \sqsubseteq g$ iff $\forall a \in [\![\rho]\!].\, fa \sqsubseteq ga$.

Remark 6.5. Obviously suprema and infima with respect to $\sqsubseteq$ exist.

We often need the concept "continue with $f$ after reading one $\mathcal{R}$ symbol". We call this $\mathcal{R}$-lifting. Similarly for $\beta$.

Definition 6.6. For $f \in [\![\vec{\rho} \to \iota]\!]$ we define the liftings $\mathcal{R}(f), \beta(f) \in [\![\vec{\rho} \to \iota]\!]$ as follows.

$$\mathcal{R}(f)(\vec{a}) = \{q \mid \delta(q, \mathcal{R}) \cap f\vec{a} \times \{*\} \times \ldots \times \{*\} \neq \emptyset\}$$
$$\beta(f)(\vec{a}) = \{q \mid \delta(q, \beta) \cap f\vec{a} \times \{*\} \times \ldots \times \{*\} \neq \emptyset\}$$

Remark 6.7. If $A$ is obtained from an automaton working on $\Sigma'$-terms by setting $\delta(q, \mathcal{R}) = \delta(q, \beta) = \{(q, *, \ldots, *)\}$ then $\mathcal{R}(f) = \beta(f) = f$ for all $f$.

Using this finite semantics we can annotate a lambda-tree by semantical values for its subtrees to show that the denoted term has good properties with respect to $A$. We start with an example.

Example 6.8.
The second recursion scheme in Figure 3 denotes a term where the "side branches" contain 2 , , , . . . , n , . . . times the letter $g$. As these are all even numbers, the automaton $A$ of Example 2.7 should have a run starting in $q$.

We now informally argue how a formal "proof" of this fact can be obtained by assigning semantical values to the nodes of the corresponding lambda-tree, which is the right tree in Figure 2. The notion of "proof" will be made formal in Definition 6.10.

So we start by assigning the root $\{q\} \in [\![\iota]\!]$. Since the term is an application, we have to guess the semantics of the argument (of type $\iota \to \iota$). Our (correct) guess is that it keeps the parity of $g$s unchanged, hence our guess is id; the function side then must be something that maps id to $\{q\}$. Let us denote by $\mathrm{id} \mapsto \{q\}$ the function in ${}^{[\![\iota \to \iota]\!]}[\![\iota]\!]$ defined by $(\mathrm{id} \mapsto \{q\})(\mathrm{id}) = \{q\}$ and $(\mathrm{id} \mapsto \{q\})(f) = \emptyset$ if $f \neq \mathrm{id}$.

[Figure 5: A proof that $A$ has an infinite run starting in $q$ on the denoted term.]

The next node to the left is an abstraction. So we have to assign the body the value $\{q\}$ in a context where $\varphi$ is mapped to id. Let us denote this context by $\Gamma_\varphi$.

In a similar way we fill out the remaining annotations. Figure 5 shows the whole proof. Here $\Gamma'_\varphi$ is the context that maps $\varphi$ to swap; moreover $\Gamma_{\varphi,x}$, $\Gamma'_{\varphi,x}$, $\Gamma_{\varphi,x'}$, and $\Gamma'_{\varphi,x'}$ are the same as $\Gamma_\varphi$ and $\Gamma'_\varphi$ but with $x$ mapped to $\{q\}$ and $\{q\}$, respectively.

It should be noted that a similar attempt to assign semantical values to the other lambda-tree in Figure 2 fails at the down-most $x$ where in the context $\Gamma$ with $\Gamma(x) = \{q\}$ we cannot assign $x$ the value $\{q\}$.

To make the intuition of the example precise, we formally define a "proof system" of possible annotations $(\Gamma, a)$ for a (sub)tree. Since the $[\![\tau]\!]$ are all finite sets, there are only finitely many possible annotations.

To simplify the later argument of our proof, which otherwise would be coinductive, we add a level $n$ to our notion of proof. This level should be interpreted as "for up to $n$ steps we can pretend to have a proof". This reflects the fact that coinduction is nothing but induction on observations.

Definition 6.9. A context is a finite mapping from variables $x^\sigma$ to their corresponding semantics $[\![\sigma]\!]$. We use $\Gamma$ to range over contexts.

If $\Gamma$ is a context, $x$ a variable of type $\sigma$ and $a \in [\![\sigma]\!]$ we denote by $\Gamma^a_x$ the context $\Gamma$ modified in that $x$ is mapped to $a$, regardless of whether $x$ was or was not in the domain of $\Gamma$.
Definition 6.10.
For $\Gamma$ a context, $a \in [\![\rho]\!]$ a value, and $t$ an infinitary, maybe open, lambda-tree of type $\rho$, with free variables among $\mathrm{dom}(\Gamma)$, we define $\Gamma \vdash^n_A a \sqsubseteq t : \rho$ by induction on the natural number $n$ as follows.
• $\Gamma \vdash^0_A a \sqsubseteq t : \rho$ always holds.
• $\Gamma \vdash^n_A a \sqsubseteq x_i : \rho$ holds, provided $a \sqsubseteq \Gamma(x_i)$.
• $\Gamma \vdash^{n+1}_A a \sqsubseteq st : \sigma$ holds, provided there exist $f \in [\![\rho \to \sigma]\!]$, $u \in [\![\rho]\!]$ such that $a \sqsubseteq \mathcal{R}(fu)$, $\Gamma \vdash^n_A f \sqsubseteq s : \rho \to \sigma$, and $\Gamma \vdash^n_A u \sqsubseteq t : \rho$.
• $\Gamma \vdash^{n+1}_A f \sqsubseteq \lambda x^\rho.s : \rho \to \sigma$ holds, provided for all $a \in [\![\rho]\!]$ there is a $b_a \in [\![\sigma]\!]$ such that $fa \sqsubseteq \beta(b_a)$ and $\Gamma^a_x \vdash^n_A b_a \sqsubseteq s : \sigma$.
• $\Gamma \vdash^n_A f \sqsubseteq f : \iota \to \ldots \to \iota \to \iota$ holds, provided for all $\vec{a} \in [\![\vec{\iota}]\!]$ we have $f\vec{a} \subset \{q \mid \delta(q, f) \cap a_1 \times \ldots \times a_{\sharp(f)} \times \{*\} \times \ldots \times \{*\} \neq \emptyset\}$.

It should be noted that all the quantifiers in the rules range over finite sets. Hence the correctness of a rule application can be checked effectively (and even by a finite automaton).

We write $\Gamma \vdash^\infty_A a \sqsubseteq t : \rho$ to denote $\forall n.\, \Gamma \vdash^n_A a \sqsubseteq t : \rho$.

Remark 6.11. Obviously $\Gamma \vdash^{n+1}_A a \sqsubseteq t : \rho$ implies $\Gamma \vdash^n_A a \sqsubseteq t : \rho$. Moreover, $a' \sqsubseteq a$ and $\Gamma \vdash^n_A a \sqsubseteq t : \rho$ imply $\Gamma \vdash^n_A a' \sqsubseteq t : \rho$. Finally, $\Gamma \vdash^n_A a \sqsubseteq t : \rho$, if $\Gamma' \vdash^n_A a \sqsubseteq t : \rho$ for some $\Gamma'$ which agrees with $\Gamma$ on the free variables of $t$.

Also, in the second and in the last clause we may assume without loss of generality that $n > 0$. However, this assumption is not necessary, and it is even technically more convenient not to do so.
Remark 6.12.
We notice that the proof informally given in Example 6.8 and shown in Figure 5 complies with the formal Definition 6.10. Indeed, the annotations shown in the figure are valid for any $n$.

As already mentioned, for $t$ a term with finitely many free variables, the annotations $(\Gamma, a)$ come from a fixed finite set, since we can restrict $\Gamma$ to the set of free variables of $t$. If, moreover, $t$ has only finitely many different sub-trees, that is to say, if $t$ is regular, then only finitely many terms $t$ have to be considered. So we obtain

Proposition 6.13. For $t$ regular, it is decidable whether $\Gamma \vdash^\infty_A a \sqsubseteq t : \rho$.

Before we continue and show our calculus to be sound (Section 7) and complete (Section 8) let us step back and see what we will then have achieved, once our calculus is proven sound and complete.

Proposition 6.13 gives us decidability for terms denoted by regular lambda-trees, and hence in particular for trees obtained by recursion schemes. Moreover, since the annotations only have to fit locally, individual subtrees of the lambda-tree can be verified separately. This is of interest, as for each non-terminal a separate subtree is generated. In other words, this approach allows for modular verification; think of the different non-terminals as different subroutines. As the semantics is the set-theoretic one, the annotations are clear enough to be meaningful, if we have chosen our automaton in such a way that the individual states can be interpreted extensionally, for example as "even" versus "odd" number of $g$s.

It should also be noted that the number of possible annotations only depends on the type of the subtree, and on $A$, that is, the property to be investigated. Fixing $A$ and the allowed types (which both usually tend to be quite small), the amount of work to be carried out grows only linearly with the representation of $t$ as a regular lambda-tree. For every node we have to make a guess and we have to check whether this guess is consistent with the guesses for the (at most two) child nodes. Given that the number of nodes of the representation of $t$ grows linearly with the size of the recursion scheme, the problem is in fixed-parameter-NP, which doesn't seem too bad for practical applications.

7. Truth Relation and Proof of Soundness

The soundness of a calculus is usually shown by using a logical relation, that is, a relation indexed by a type that interprets the type arrow "$\to$" as logical arrow "$\Rightarrow$"; in other words, we define partial truth predicates for the individual types [17].

Since we want to do induction on the "observation depth" $n$ of our proof $\cdot \vdash^n_A \cdot \sqsubseteq \cdot : \tau$ we have to include that depth in the definition of our truth predicates $\cdot \prec\!\!\prec^n_A \cdot : \tau$. For technical reasons we have to build in weakening on this depth as well.

Definition 7.1.
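For $f \in [\![\vec{\rho} \to \iota]\!]$, $n \in \mathbb{N}$, $t$ a closed infinitary lambda tree of type $\vec{\rho} \to \iota$, the relation $f \prec\!\!\prec^n_A t : \vec{\rho} \to \iota$ is defined by induction on the type as follows.

$$f \prec\!\!\prec^n_A t : \vec{\rho} \to \iota \quad\text{iff}\quad \forall \ell \leq n\; \forall \vec{a} \in [\![\vec{\rho}]\!]\; \forall \vec{r} : \vec{\rho}\; \big( (\forall i.\, a_i \prec\!\!\prec^\ell_A r_i : \rho_i) \Rightarrow \forall q \in f\vec{a}.\; A, q \models^\ell t@\vec{r} \big)$$

Remark 7.2. Immediately from the definition we get the following monotonicity property. If $f \sqsubseteq f'$ and $f' \prec\!\!\prec^n_A t : \rho$ then $f \prec\!\!\prec^n_A t : \rho$.

Remark 7.3. In the special case $\vec{\rho} = \varepsilon$ we get

$$S \prec\!\!\prec^n_A t : \iota \quad\text{iff}\quad \forall q \in S.\; A, q \models^n t^\beta$$

Here we used that $\forall \ell \leq n.\, A, q \models^\ell s$ iff $A, q \models^n s$.

Immediately from the definition we obtain weakening in the level.

Proposition 7.4. If $f \prec\!\!\prec^n_A t : \rho$ then $f \prec\!\!\prec^{n-1}_A t : \rho$.

Theorem 7.5. Assume $\Gamma \vdash^n_A a \sqsubseteq t : \rho$ for some $\Gamma$ with domain $\{x, \ldots, x\}$. For all $\ell \leq n$ and all closed terms $\vec{t} : \vec{\rho}$, if $\forall i.\, \Gamma(x_i) \prec\!\!\prec^\ell_A t_i : \rho_i$ then $a \prec\!\!\prec^\ell_A t[\vec{t}/\vec{x}] : \rho$.

Proof. Induction on $n$, cases according to $\Gamma \vdash^n_A a \sqsubseteq t : \rho$.

• Case $\Gamma \vdash^0_A a \sqsubseteq t : \rho$ always. Use that $a \prec\!\!\prec^0_A \ldots : \rho$ holds always.

• Case $\Gamma \vdash^n_A a \sqsubseteq x_i : \rho$ because of $a \sqsubseteq \Gamma(x_i)$.
Assume $\forall i.\, \Gamma(x_i) \prec\!\!\prec^\ell_A t_i : \rho_i$. We have to show $a \prec\!\!\prec^\ell_A \underbrace{x_i[\vec{t}/\vec{x}]}_{t_i} : \rho$, which follows from one of our assumptions by Remark 7.2.

• Case $\Gamma \vdash^{n+1}_A a \sqsubseteq st : \sigma$ thanks to $f \in [\![\rho \to \sigma]\!]$, $u \in [\![\rho]\!]$ such that $a \sqsubseteq \mathcal{R}(fu)$, $\Gamma \vdash^n_A f \sqsubseteq s : \rho \to \sigma$, and $\Gamma \vdash^n_A u \sqsubseteq t : \rho$.
Let $\ell \leq n + 1$ be given, and $\vec{t} : \vec{\rho}$ such that $\forall i.\, \Gamma(x_i) \prec\!\!\prec^\ell_A t_i : \rho_i$. We have to show $a \prec\!\!\prec^\ell_A (st)\underbrace{[\vec{t}/\vec{x}]}_{\eta} : \sigma$.
Let $\sigma$ have the form $\sigma = \vec{\sigma} \to \iota$. Let $k \leq \ell$ be given and $\vec{s} : \vec{\sigma}$, $c_i \in [\![\sigma_i]\!]$ such that $c_i \prec\!\!\prec^k_A s_i : \sigma_i$. We have to show for all $q \in a\vec{c}$ that $A, q \models^k \underbrace{(s\eta\, t\eta)@\vec{r}}_{\mathcal{R}.(s\eta@(t\eta, \vec{r}))}$.
Hence it suffices to show that there is a $\tilde{q} \in \delta(q, \mathcal{R})$ such that $A, \tilde{q} \models^{k-1} s\eta@(t\eta, \vec{r})$.
Since $k \leq \ell \leq n + 1$, we have $k - 1 \leq n$. Using Proposition 7.4 various times we obtain $\forall i.\, \Gamma(x_i) \prec\!\!\prec^{k-1}_A t_i : \rho_i$. Hence we may apply the induction hypothesis to $\Gamma \vdash^n_A f \sqsubseteq s : \rho \to \sigma$ and obtain $f \prec\!\!\prec^{k-1}_A s\eta : \rho \to \sigma$. Applying the induction hypothesis to $\Gamma \vdash^n_A u \sqsubseteq t : \rho$ yields $u \prec\!\!\prec^{k-1}_A t\eta : \rho$.
Applying Proposition 7.4 to $c_i \prec\!\!\prec^k_A s_i : \sigma_i$ yields $c_i \prec\!\!\prec^{k-1}_A s_i : \sigma_i$. Therefore $\forall \hat{q} \in fu\vec{c}.\; A, \hat{q} \models^{k-1} s\eta@(t\eta, \vec{r})$.
Since $a \sqsubseteq \mathcal{R}(fu)$ we get $\forall q \in a\vec{c}\; \exists \tilde{q} \in \delta(q, \mathcal{R}).\; \tilde{q} \in fu\vec{c}$. This together with the last statement yields the claim.

• Case $\Gamma \vdash^{n+1}_A f \sqsubseteq \lambda x^\rho.s : \rho \to \sigma$ thanks to $\forall a \in [\![\rho]\!]\; \exists b_a \in [\![\sigma]\!]$ such that $fa \sqsubseteq \beta(b_a)$ and $\Gamma^a_x \vdash^n_A b_a \sqsubseteq s : \sigma$.
Let $\ell \leq n + 1$ be given and $\vec{t} : \vec{\rho}$ with $\Gamma(x_i) \prec\!\!\prec^\ell_A t_i : \rho_i$.
We have to show $f \prec\!\!\prec^\ell_A (\lambda x^\rho s^\sigma)\eta : \rho \to \sigma$ where $\eta$ is short for $[\vec{t}/\vec{x}]$.
Let $\sigma$ have the form $\sigma = \vec{\sigma} \to \iota$. Let $k \leq \ell$ be given and $r : \rho$, $\vec{s} : \vec{\sigma}$, $c \in [\![\rho]\!]$, $c_i \in [\![\sigma_i]\!]$ such that $c \prec\!\!\prec^k_A r : \rho$, $c_i \prec\!\!\prec^k_A s_i : \sigma_i$. We have to show for all $q \in fc\vec{c}$ that $A, q \models^k \underbrace{(\lambda x s)\eta@(r, \vec{s})}_{\beta.s\eta^r_x@\vec{s}}$.
Hence it suffices to show that there is a $\tilde{q} \in \delta(q, \beta)$ such that $A, \tilde{q} \models^{k-1} s\eta^r_x@\vec{s}$.
We know $c \prec\!\!\prec^k_A r : \rho$; using Proposition 7.4 we get $c \prec\!\!\prec^{k-1}_A r : \rho$ and $\forall i.\, \Gamma(x_i) \prec\!\!\prec^{k-1}_A t_i : \rho_i$. Since $k \leq \ell \leq n + 1$ we get $k - 1 \leq n$, hence we may apply the induction hypothesis to $\Gamma^a_x \vdash^n_A b_a \sqsubseteq s : \sigma$ and obtain $b_a \prec\!\!\prec^{k-1}_A s\eta^r_x : \sigma$.
Since again by Proposition 7.4 we also know $c_i \prec\!\!\prec^{k-1}_A s_i : \sigma_i$, we obtain for all $\hat{q} \in b_a\vec{c}$ that $A, \hat{q} \models^{k-1} s\eta^r_x@\vec{s}$.
Since $fc \sqsubseteq \beta(b_c)$ we get that $\forall q \in fc\vec{c}\; \exists \tilde{q} \in \delta(q, \beta).\; \tilde{q} \in b_c\vec{c}$. This, together with the last statement, yields the claim.

• Case $\Gamma \vdash^n_A f \sqsubseteq f : \iota \to \iota$ thanks to $\forall \vec{a} \in [\![\iota]\!].\; f\vec{a} \subset \{q \mid \delta(q, f) \cap \vec{a} \neq \emptyset\}$.
Let $\ell \leq n$ be given and $\vec{t} : \vec{\rho}$ such that $\forall i.\, \Gamma(x_i) \prec\!\!\prec^\ell_A t_i : \rho_i$. We have to show $f \prec\!\!\prec^\ell_A \underbrace{f[\vec{t}/\vec{x}]}_{f} : \iota \to \iota$.
Let $k \leq \ell$ be given and $\vec{r} : \vec{\iota}$, $\vec{S} \in [\![\iota]\!]$ such that $S_i \prec\!\!\prec^\ell_A r_i : \iota$. We have to show for all $q \in f\vec{S}$ that $A, q \models^\ell \underbrace{f@\vec{r}}_{f\vec{r}^{\,\beta}}$.
From $S_i \prec\!\!\prec^\ell_A r_i : \iota$ we get $\forall \tilde{q}_i \in S_i.\; A, \tilde{q}_i \models^\ell r_i^\beta$. Hence the claim follows since $\forall q \in f\vec{S}\; \exists \vec{\tilde{q}} \in \delta(q, f).\; \vec{\tilde{q}} \in \vec{S}$.

It should be noted that in the proof of Theorem 7.5 in the cases of the $\lambda$-rule and the application-rule it was possible to use the induction hypothesis due to the fact that we used continuous normalisation, as opposed to standard normalisation.

Corollary 7.6.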
For $t$ a closed infinitary lambda term we get immediately from Theorem 7.5

$$\emptyset \vdash^n_A S \sqsubseteq t : \iota \;\Longrightarrow\; \forall q \in S.\; A, q \models^n t^\beta$$

In particular, if $\emptyset \vdash^\infty_A S \sqsubseteq t : \iota$ then $\forall q \in S.\; A, q \models^\infty t^\beta$.

8. The Canonical Semantics and the Proof of Completeness

If we want to prove that there is an infinite run, then, in the case of an application $st$, we have to guess a value for the term $t$ "cut out".

We could assume an actual run be given and analyse the "communication", in the sense of game semantics [9], between the function $s$ and its argument $t$. However, it is simpler to assign each term a "canonical semantics" $\langle\!\langle t \rangle\!\rangle_{A\infty}$, roughly the supremum of all values we have canonical proofs for.

The subscript $\infty$ signifies that we only consider infinite runs. The reason is that the level $n$ in our proofs $\Gamma \vdash^n_A a \sqsubseteq t : \rho$ is not a tight bound; whenever we have a proof of level $n$, then there are runs for at least $n$ steps, but on the other hand, runs might be longer than the maximal level of a proof. This is due to the fact that $\beta$-reduction moves subterms "downwards", that is, further away from the root, and in that way may construct longer runs. The estimates in our proof calculus, however, have to consider (in order to be sound) the worst case, that is, that an argument is used immediately.

Since, in general, the term $t$ may also have free variables, we have to consider a canonical semantics $\langle\!\langle t \rangle\!\rangle^{\Gamma}_{A\infty}$ with respect to an environment $\Gamma$.

Definition 8.1.
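By induction on the type we define for $t$ a closed infinite lambda-tree of type $\rho = \vec{\rho} \to \iota$ its canonical semantics $\langle\!\langle t \rangle\!\rangle_{A\infty} \in [\![\rho]\!]$ as follows.

$$\langle\!\langle t \rangle\!\rangle_{A\infty}(\vec{a}) = \{q \mid \exists \vec{s} : \vec{\rho}.\; \langle\!\langle \vec{s} \rangle\!\rangle_{A\infty} \sqsubseteq \vec{a} \,\wedge\, A, q \models^\infty t@\vec{s}\}$$

Remark 8.2. For $t$ a closed term of base type we have $\langle\!\langle t \rangle\!\rangle_{A\infty} = \{q \mid A, q \models^\infty t^\beta\}$.

Definition 8.3. For $\Gamma$ a context, $t : \rho$ typed in context $\Gamma$ of type $\rho = \vec{\rho} \to \iota$ we define $\langle\!\langle t \rangle\!\rangle^{\Gamma}_{A\infty} \in [\![\rho]\!]$ by the following explicit definition.

$$\langle\!\langle t \rangle\!\rangle^{\Gamma}_{A\infty}(\vec{a}) = \{q \mid \exists \eta.\; \mathrm{dom}(\eta) = \mathrm{dom}(\Gamma) \,\wedge\, (\forall x \in \mathrm{dom}(\Gamma).\; \eta(x) \text{ closed} \wedge \langle\!\langle \eta(x) \rangle\!\rangle_{A\infty} \sqsubseteq \Gamma(x)) \,\wedge\, \exists \vec{s} : \vec{\rho}.\; \langle\!\langle \vec{s} \rangle\!\rangle_{A\infty} \sqsubseteq \vec{a} \,\wedge\, A, q \models^\infty t\eta@\vec{s}\}$$

Remark 8.4. For $t$ a closed term and $\Gamma = \emptyset$ we have $\langle\!\langle t \rangle\!\rangle^{\Gamma}_{A\infty} = \langle\!\langle t \rangle\!\rangle_{A\infty}$.

Proposition 8.5. If $s$ has type $\vec{\sigma} \to \iota$ in some context compatible with $\Gamma$, and $\eta$ is some substitution with $\mathrm{dom}(\eta) = \mathrm{dom}(\Gamma)$ such that for all $x \in \mathrm{dom}(\Gamma)$ we have $\eta(x)$ closed and $\langle\!\langle \eta(x) \rangle\!\rangle_{A\infty} \sqsubseteq \Gamma(x)$, then $\langle\!\langle s\eta \rangle\!\rangle_{A\infty} \sqsubseteq \langle\!\langle s \rangle\!\rangle^{\Gamma}_{A\infty}$.

Proof. Let $\vec{a} \in [\![\vec{\sigma}]\!]$ and $q \in \langle\!\langle s\eta \rangle\!\rangle_{A\infty}(\vec{a})$ be given. Then there are $\vec{s} : \vec{\sigma}$ with $\langle\!\langle \vec{s} \rangle\!\rangle_{A\infty} \sqsubseteq \vec{a}$ such that $A, q \models^\infty s\eta@\vec{s}$. Together with the assumed properties of $\eta$ this witnesses $q \in \langle\!\langle s \rangle\!\rangle^{\Gamma}_{A\infty}(\vec{a})$.

Lemma 8.6. If $r$ and $s$ are terms of type $\sigma \to \vec{\rho} \to \iota$ and $\sigma$, respectively, in some context compatible with $\Gamma$, then we have $\langle\!\langle rs \rangle\!\rangle^{\Gamma}_{A\infty} \sqsubseteq \mathcal{R}(\langle\!\langle r \rangle\!\rangle^{\Gamma}_{A\infty} \langle\!\langle s \rangle\!\rangle^{\Gamma}_{A\infty})$.

Proof. Let $\vec{a} \in [\![\vec{\rho}]\!]$ and $q \in \langle\!\langle rs \rangle\!\rangle^{\Gamma}_{A\infty}(\vec{a})$ be given. Then there is $\eta$ with $\forall x \in \mathrm{dom}(\Gamma).\; \langle\!\langle \eta(x) \rangle\!\rangle_{A\infty} \sqsubseteq \Gamma(x)$ and there are $\vec{s} : \vec{\rho}$ with $\langle\!\langle \vec{s} \rangle\!\rangle_{A\infty} \sqsubseteq \vec{a}$ and $A, q \models^\infty \underbrace{(rs)\eta@\vec{s}}_{\mathcal{R}.r\eta@(s\eta, \vec{s})}$.
Hence there is a $q' \in \delta(q, \mathcal{R})$ with $A, q' \models^\infty r\eta@(s\eta, \vec{s})$. It suffices to show that for this $q'$ we have $q' \in \langle\!\langle r \rangle\!\rangle^{\Gamma}_{A\infty} \langle\!\langle s \rangle\!\rangle^{\Gamma}_{A\infty} \vec{a}$.
By Proposition 8.5 we have $\langle\!\langle s\eta \rangle\!\rangle_{A\infty} \sqsubseteq \langle\!\langle s \rangle\!\rangle^{\Gamma}_{A\infty}$ and we already have $\langle\!\langle \vec{s} \rangle\!\rangle_{A\infty} \sqsubseteq \vec{a}$. So the given $\eta$ together with $s\eta$ and $\vec{s}$ witnesses $q' \in \langle\!\langle r \rangle\!\rangle^{\Gamma}_{A\infty} \langle\!\langle s \rangle\!\rangle^{\Gamma}_{A\infty} \vec{a}$.

Lemma 8.7. Assume that $\lambda x.r$ has type $\sigma \to \vec{\rho} \to \iota$ in some context compatible with $\Gamma$. Then $\langle\!\langle \lambda x r \rangle\!\rangle^{\Gamma}_{A\infty}(a) \sqsubseteq \beta(\langle\!\langle r \rangle\!\rangle^{\Gamma^a_x}_{A\infty})$.

Proof. Let $\vec{a} \in [\![\vec{\rho}]\!]$ and $q \in \langle\!\langle \lambda x r \rangle\!\rangle^{\Gamma}_{A\infty}(a, \vec{a})$ be given. Then there is an $\eta$ such that for all $x \in \mathrm{dom}(\Gamma)$ we have $\eta(x)$ closed and $\langle\!\langle \eta(x) \rangle\!\rangle_{A\infty} \sqsubseteq \Gamma(x)$, and there are $s, \vec{s}$ with $\langle\!\langle s \rangle\!\rangle_{A\infty} \sqsubseteq a$ and $\langle\!\langle \vec{s} \rangle\!\rangle_{A\infty} \sqsubseteq \vec{a}$ such that $A, q \models^\infty \underbrace{(\lambda x r)\eta@(s, \vec{s})}_{\beta.r_x[s]\eta@\vec{s}}$.
So there is a $\tilde{q} \in \delta(q, \beta)$ with $A, \tilde{q} \models^\infty r_x[s]\eta@\vec{s}$. It suffices to show that $\tilde{q} \in \langle\!\langle r \rangle\!\rangle^{\Gamma^a_x}_{A\infty}(\vec{a})$.
By the properties of $\eta$ and since $\langle\!\langle s \rangle\!\rangle_{A\infty} \sqsubseteq a$ we know that for all $y \in \mathrm{dom}(\Gamma^a_x)$ we have $\langle\!\langle \eta(y) \rangle\!\rangle_{A\infty} \sqsubseteq \Gamma^a_x(y)$. This witnesses $\tilde{q} \in \langle\!\langle r \rangle\!\rangle^{\Gamma^a_x}_{A\infty}(\vec{a})$.

Lemma 8.8. $\langle\!\langle x \rangle\!\rangle^{\Gamma}_{A\infty} \sqsubseteq \Gamma(x)$

Proof.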
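Assume $x$ of type $\vec{\rho} \to \iota$, let $\vec{a} \in [\![\vec{\rho}]\!]$ and $q \in \langle\!\langle x \rangle\!\rangle^{\Gamma}_{A\infty}(\vec{a})$ be given. We have to show $q \in \Gamma(x)(\vec{a})$.
Since $q \in \langle\!\langle x \rangle\!\rangle^{\Gamma}_{A\infty}(\vec{a})$, there is $\eta$ with $\eta(x) \sqsubseteq a$ and $\vec{s} : \vec{\rho}$ with $\langle\!\langle \vec{s} \rangle\!\rangle^{\Gamma}_{A\infty} \sqsubseteq \vec{a}$ and $A, q \models^\infty \underbrace{x\eta}_{\eta(x)}@\vec{s}$.
But then $\vec{s}$ witnesses that $q \in \langle\!\langle \eta(x) \rangle\!\rangle_{A\infty}(\vec{a}) \subset \Gamma(x)(\vec{a})$ where the last subset relation holds since $\langle\!\langle \eta(x) \rangle\!\rangle_{A\infty} \sqsubseteq \Gamma(x)$.

Theorem 8.9. $\Gamma \vdash^n_A \langle\!\langle t \rangle\!\rangle^{\Gamma}_{A\infty} \sqsubseteq t : \rho$

Proof. Induction on $n$, cases on $t$. Trivial for $n = 0$. So let $n > 0$. We distinguish cases according to $t$.

• Case $rs^\sigma$. By induction hypothesis $\Gamma \vdash^{n-1}_A \langle\!\langle r \rangle\!\rangle^{\Gamma}_{A\infty} \sqsubseteq r : \sigma \to \rho$ and $\Gamma \vdash^{n-1}_A \langle\!\langle s \rangle\!\rangle^{\Gamma}_{A\infty} \sqsubseteq s : \sigma$. Moreover, by Lemma 8.6 $\langle\!\langle rs \rangle\!\rangle^{\Gamma}_{A\infty} \sqsubseteq \mathcal{R}(\langle\!\langle r \rangle\!\rangle^{\Gamma}_{A\infty} \langle\!\langle s \rangle\!\rangle^{\Gamma}_{A\infty})$. Hence $\Gamma \vdash^n_A \langle\!\langle rs \rangle\!\rangle^{\Gamma}_{A\infty} \sqsubseteq rs : \rho$.

• Case $\lambda x^\sigma r$. By induction hypothesis we have for all $a \in [\![\sigma]\!]$ that $\Gamma^a_x \vdash^{n-1}_A \langle\!\langle r \rangle\!\rangle^{\Gamma^a_x}_{A\infty} \sqsubseteq r : \rho$. By Lemma 8.7 we have $\langle\!\langle \lambda x r \rangle\!\rangle^{\Gamma}_{A\infty}(a) \sqsubseteq \beta(\langle\!\langle r \rangle\!\rangle^{\Gamma^a_x}_{A\infty})$. Hence $\Gamma \vdash^n_A \langle\!\langle \lambda x r \rangle\!\rangle^{\Gamma}_{A\infty} \sqsubseteq \lambda x r : \sigma \to \rho$.

• Case $x$. By Lemma 8.8 we have $\langle\!\langle x \rangle\!\rangle^{\Gamma}_{A\infty} \sqsubseteq \Gamma(x)$ and hence $\Gamma \vdash^n_A \langle\!\langle x \rangle\!\rangle^{\Gamma}_{A\infty} \sqsubseteq x : \rho$.

• Case $t = f$ a terminal symbol. We have to show $\Gamma \vdash^n_A \langle\!\langle f \rangle\!\rangle^{\Gamma}_{A\infty} \sqsubseteq f : \iota \to \iota$.
So, let $\vec{S} \in [\![\vec{\iota}]\!]$ and $q \in \langle\!\langle f \rangle\!\rangle^{\Gamma}_{A\infty}(S)$. Hence there are $\vec{s}$ of type $\iota$ with $\langle\!\langle s_i \rangle\!\rangle_{A\infty} \sqsubseteq S_i$ and $A, q \models^\infty \underbrace{f@\vec{s}}_{f(\vec{s}^{\,\beta})}$.
So there is $(\tilde{q}_1, \ldots, \tilde{q}_{\sharp(f)}, *, \ldots, *) \in \delta(q, f)$ with $A, \tilde{q}_i \models^\infty s_i^\beta$. But then $\tilde{q}_i \in \langle\!\langle s_i \rangle\!\rangle_{A\infty} \subset S_i$.

Corollary 8.10. If $t : \iota$ is closed and of ground type then $\emptyset \vdash^n_A \{q \mid A, q \models^\infty t^\beta\} \sqsubseteq t : \iota$.

Proof. By Remarks 8.4 and 8.2 we have $\langle\!\langle t \rangle\!\rangle^{\emptyset}_{A\infty} = \langle\!\langle t \rangle\!\rangle_{A\infty} = \{q \mid A, q \models^\infty t^\beta\}$. So the claim follows from Theorem 8.9.

Finally, let us sum up what we have achieved.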
Corollary 8.11.
For $t$ a closed regular lambda term, and $q \in Q$ it is decidable whether $A, q \models^\infty t^\beta$.

Proof. By Proposition 6.13 it suffices to show that $\emptyset \vdash^\infty_A \{q\} \sqsubseteq t : \iota$ holds, if and only if $A, q \models^\infty t^\beta$.

The "if"-direction follows from Corollary 8.10 and the weakening provided by Remark 6.11. The "only if"-direction is provided by Corollary 7.6.

Note that, since there are only finitely many ways to extend a proof of level $n$ to a proof of level $n + 1$ and all proofs of level $n + 1$ come from a proof of level $n$, the corollary implies, by König's Lemma, that $A, q \models^\infty t^\beta$ implies $\emptyset \vdash^\infty_A \{q\} \sqsubseteq t : \iota$.

9. Model Checking
Theorem 9.1.
Given a tree $T$ defined by an arbitrary recursion scheme (of arbitrary level) and a property $\varphi$ expressible by a trivial automaton, it is decidable whether $T \models \varphi$.

Proof. Let $t$ be the infinite lambda-tree associated with the recursion scheme. Then $t$ is effectively given as a regular closed lambda term of ground type and $T$ is the normal form of $t$.

Let $A_\varphi$ be the automaton (with initial state $q$) describing $\varphi$. By keeping the state when reading an $\mathcal{R}$ or $\beta$ it can be effectively extended to an automaton $A$ that works on the continuous normal form, rather than on the usual one. So $T \models \varphi \Leftrightarrow A, q \models^\infty t^\beta$. The latter, however, is decidable by Corollary 8.11.

Remark 9.2. As shown in Section 2, the above theorem is in particular applicable to CTL-properties built from letters, conjunction, disjunction, "next", and "globally".

Remark 9.3. As discussed after Proposition 6.13 the complexity is fixed-parameter non-deterministic linear time in the size of the recursion scheme, if we consider $\varphi$ and the allowed types as a parameter.

Finally, looking back at the technical development, it is not clear to the author whether this approach can be extended in a smooth way to work for arbitrary automata, as opposed to only trivial ones. It is tempting to conjecture that appropriate annotations of the proofs with priorities could extend the concept to parity automata (and hence full Monadic Second Order logic). However, all the ways that seemed obvious to the author failed.

One technical problem is that several paths might lead to the same state at the same node, but with different priorities visited so far. A more fundamental problem is the way the runs are constructed in the proofs throughout this article; we're given a run by induction hypothesis and add a move at its beginning. As all acceptance conditions ignore finite prefixes, all the promises to visit some state eventually are pushed into the future indefinitely. So, some promise on how long it will take for some promised event to happen seems to be needed in the annotations, at least if we want these global conditions to fit with our local arguments. It is not clear to the author whether and how this can be achieved.
This work is licensed under the Creative Commons Attribution-NoDerivs License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/2.0/