Identifiers in Registers⋆
Describing Network Algorithms with Logic
Benedikt Bollig, Patricia Bouyer, and Fabian Reiter
LSV, CNRS, ENS Paris-Saclay, Université Paris-Saclay, France
[email protected], [email protected], [email protected]

Abstract.
We propose a formal model of distributed computing based on register automata that captures a broad class of synchronous network algorithms. The local memory of each process is represented by a finite-state controller and a fixed number of registers, each of which can store the unique identifier of some process in the network. To underline the naturalness of our model, we show that it has the same expressive power as a certain extension of first-order logic on graphs whose nodes are equipped with a total order. Said extension lets us define new functions on the set of nodes by means of a so-called partial fixpoint operator. In spirit, our result bears close resemblance to a classical theorem of descriptive complexity theory that characterizes the complexity class pspace in terms of partial fixpoint logic (a proper superclass of the logic we consider here).
This paper is part of an ongoing research project aiming to develop a descriptive complexity theory for distributed computing.

In classical sequential computing, descriptive complexity is a well-established field that connects computational complexity classes to equi-expressive classes of logical formulas. It began in the 1970s, when Fagin showed in [6] that the graph properties decidable by nondeterministic Turing machines in polynomial time are exactly those definable in existential second-order logic. This provided a logical, and thus machine-independent, characterization of the complexity class np. Subsequently, many other popular classes, such as p, pspace, and exptime, were characterized in a similar manner (see for instance the textbooks [8,12,15]).

Of particular interest to us is a result due to Abiteboul, Vianu [1], and Vardi [18], which states that on structures equipped with a total order relation, the properties decidable in pspace coincide with those definable in partial fixpoint logic. The latter is an extension of first-order logic with an operator that allows us to inductively define new relations of arbitrary arity. Basically, this means that new relations can occur as free (second-order) variables in the logical formulas that define them. Those variables are initially interpreted as empty relations and then iteratively updated, using the defining formulas as update rules. If the sequence of updates converges to a fixpoint, then the ultimate interpretations are the relations reached in the limit. Otherwise, the variables are simply interpreted as empty relations.

⋆ Built with the knowledge package: technical terms are hyperlinked to their definitions.
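To make the partial fixpoint mechanism concrete, here is a small illustrative sketch, not taken from the paper; the transitive-closure update rule below is our own toy example. Over a finite structure, iterating an update operator must eventually revisit a stage, so one can detect both convergence and divergence:

```python
def partial_fixpoint(update, initial):
    """Iterate `update` starting from `initial`.

    Returns the fixpoint if the sequence of stages converges, and the
    initial (empty) value otherwise -- hence the term "partial" fixpoint.
    Over a finite universe the stage sequence must eventually repeat,
    so this loop always terminates.
    """
    seen = set()
    stage = initial
    while True:
        frozen = frozenset(stage)
        if frozen in seen:          # cycle without convergence
            return initial          # interpret as the empty relation
        seen.add(frozen)
        nxt = update(stage)
        if nxt == stage:            # converged: a genuine fixpoint
            return stage
        stage = nxt

# Toy example: transitive closure of an edge relation. This particular
# update is monotone, so the stages converge to a least fixpoint.
edges = {(0, 1), (1, 2), (2, 3)}

def step(rel):
    return rel | {(a, d) for (a, b) in rel for (c, d) in rel if b == c}

closure = partial_fixpoint(step, edges)
assert (0, 3) in closure
```

A non-monotone update that keeps oscillating never converges, and the operator then falls back to the empty interpretation, which is exactly the "otherwise" clause described above.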
Hence the term “partial fixpoint”.

While well-developed in the classical case, descriptive complexity has so far not received much attention in the setting of distributed network computing. As far as the authors are aware, the first step in this direction was taken by Hella et al. in [10,11], where they showed that basic modal logic evaluated on finite graphs has the same expressive power as a particular class of distributed automata operating in constant time. Those automata constitute a weak model of distributed computing in arbitrary network topologies, where all nodes synchronously execute the same finite-state machine and communicate with each other by broadcasting messages to their neighbors. Motivated by this result, several variants of distributed automata were investigated by Kuusisto and Reiter in [14], [17] and [16] to establish similar connections with standard logics such as the modal µ-calculus and monadic second-order logic. However, since the models of computation investigated in those works are based on anonymous finite-state machines, they are much too weak to solve many of the problems typically considered in distributed computing, such as leader election or constructing a spanning tree. It would thus be desirable to also characterize stronger models.

A common assumption underlying many distributed algorithms is that each node of the considered network is given a unique identifier. This allows us, for instance, to elect a leader by making the nodes broadcast their identifiers and then choose the one with the smallest identifier as the leader. To formalize such algorithms, we need to go beyond finite-state machines because the number of bits required to encode a unique identifier grows logarithmically with the number of nodes in the network.
Recently, in [2,3], Aiswarya, Bollig and Gastin introduced a synchronous model where, in addition to a finite-state controller, nodes also have a fixed number of registers in which they can store the identifiers of other nodes. Access to those registers is rather limited in the sense that their contents can be compared with respect to a total order, but their numeric values are unknown to the nodes. Similarly, register contents can be copied, but no new values can be generated. Since the original motivation for this model was to automatically verify certain distributed algorithms running on ring networks, its formal definition is tailored to that particular setting. However, the underlying principle can be generalized to arbitrary networks of unbounded maximum degree, which was the starting point for the present work.

Contributions.
While on an intuitive level, the idea of finite-state machines equipped with additional registers might seem very natural, it does not immediately yield a formal model for distributed algorithms in arbitrary networks. In particular, it is not clear what would be the canonical way for nodes to communicate with a non-constant number of peers, if we require that they all follow the same, finitely representable set of rules.

The model we propose here, dubbed distributed register automata, is an attempt at a solution. As in [2,3], nodes proceed in synchronous rounds and have a fixed number of registers, which they can compare and update without having access to numeric values. The new key ingredient that allows us to formalize communication between nodes of unbounded degree is a local computing device we call transition maker. This is a special kind of register machine that the nodes can use to scan the states and register values of their entire neighborhood in a sequential manner. In every round, each node runs the transition maker to update its own local configuration (i.e., its state and register valuation) based on a snapshot of the local configurations of its neighbors in the previous round. A way of interpreting this is that the nodes communicate by broadcasting their local configurations as messages to their neighbors. Although the resulting model of computation is by no means universal, it allows formalizing algorithms for a wide range of problems, such as constructing a spanning tree (see Example 5) or testing whether a graph is Hamiltonian (see Example 6).

Nevertheless, our model is somewhat arbitrary, since it could be just one particular choice among many other similar definitions capturing different classes of distributed algorithms. What justifies our choice? This is where descriptive complexity comes into play.
By identifying a logical formalism that has the same expressive power as distributed register automata, we provide substantial evidence for the naturalness of that model. Our formalism, referred to as functional fixpoint logic, is a fragment of the above-mentioned partial fixpoint logic. Like the latter, it also extends first-order logic with a partial fixpoint operator, but a weaker one that can only define unary functions instead of arbitrary relations. We show that on totally ordered graphs, this logic allows one to express precisely the properties that can be decided by distributed register automata. The connection is strongly reminiscent of Abiteboul, Vianu and Vardi's characterization of pspace, and thus contributes to the broader objective of extending classical descriptive complexity to the setting of distributed computing. Moreover, given that logical formulas are often more compact and easier to understand than abstract machines (compare Examples 6 and 8), logic could also become a useful tool in the formal specification of distributed algorithms.

The remainder of this paper is structured around our main result:
Theorem 1.
When restricted to finite graphs whose nodes are equipped with a total order, distributed register automata are effectively equivalent to functional fixpoint logic.
After giving some preliminary definitions in Section 2, we formally introduce distributed register automata in Section 3 and functional fixpoint logic in Section 4. We then sketch the proof of Theorem 1 in Section 5, and conclude in Section 6.
We denote the empty set by ∅, the set of nonnegative integers by N = {0, 1, 2, ...}, and the set of integers by Z = {..., −1, 0, 1, ...}. The cardinality of any set S is written as |S| and the power set as 2^S.

In analogy to the commonly used notation for real intervals, we define the notation [m : n] := {i ∈ Z | m ≤ i ≤ n} for any m, n ∈ Z such that m ≤ n.
To indicate that an endpoint is excluded, we replace the corresponding square bracket with a parenthesis, e.g., (m : n] := [m : n] \ {m}. Furthermore, if we omit the first endpoint, it defaults to 0. This gives us shorthand notations such as [n] := [0 : n] and [n) := [0 : n) = [0 : n − 1]. By the identifier of a node, we mean its numerical representation.

A graph is formally represented as a pair G = (V, E), where the set V of nodes is equal to [n), for some integer n ≥ 2, and the set E consists of undirected edges of the form e = {u, v} ⊆ V such that u ≠ v. Additionally, E must satisfy that every pair of nodes is connected by a sequence of edges. The restriction to graphs of size at least two is for technical reasons; it ensures that we can always encode Boolean values as nodes. We refer the reader to [5] for standard graph theoretic terms such as neighbor, degree, maximum degree, distance, and spanning tree.

Graphs are used to model computer networks, where nodes correspond to processes and edges to communication links. To represent the current configuration of a system as a graph, we equip each node with some additional information: the current state of the corresponding process, taken from a nonempty finite set Q, and some pointers to other processes, modeled by a finite set R of registers. We call Σ = (Q, R) a signature and define a Σ-configuration as a tuple C = (G, q, r), where G = (V, E) is a graph, called the underlying graph of C, q : V → Q is a state function that assigns to each node a state q ∈ Q, and r : V → V^R is a register valuation function that associates with each node a register valuation ρ ∈ V^R. The set of all Σ-configurations is denoted by C(Σ). Figure 1 on page 6 illustrates part of a ({q₁, q₂, q₃}, {r₁, r₂, r₃})-configuration. If R = ∅, then we are actually dealing with a tuple (G, q), which we call a Q-labeled graph. Accordingly, the elements of Q may also be called labels.
A set P of labeled graphs will be referred to as a graph property. Moreover, if the labels are irrelevant, we set Q equal to the singleton 1 := {ε}, where ε is our dummy label. In this case, we identify (G, q) with G and call it an unlabeled graph.

Many distributed algorithms can be seen as transducers. A leader-election algorithm, for instance, takes as input a network and outputs the same network, but with every process storing the identifier of the unique leader in some dedicated register r. Thus, the algorithm transforms a (1, ∅)-configuration into a (1, {r})-configuration. We say that it defines a (1, ∅)-(1, {r})-transduction. By the same token, if we consider distributed algorithms that decide graph properties (e.g., whether a graph is Hamiltonian), then we are dealing with an (I, ∅)-({yes, no}, ∅)-transduction, where I is some set of labels. The idea is that a graph will be accepted if and only if every process eventually outputs yes.

Let us now formalize the notion of transduction. For any two signatures Σin = (I, Rin) and Σout = (O, Rout), a Σin-Σout-transduction is a partial mapping T : C(Σin) → C(Σout) such that, if defined, T(G, q, r) = (G, q′, r′) for some q′ and r′. That is, a transduction does not modify the underlying graph but only the states and register valuations. We denote the set of all Σin-Σout-transductions by T(Σin, Σout) and refer to Σin and Σout as the input and output signatures of T. By extension, I and O are called the sets of input and output labels, and Rin and Rout the sets of input and output registers. Similarly, any Σin-configuration C can be referred to as an input configuration of T and T(C) as an output configuration.

Next, we introduce our formal model of distributed algorithms.

Definition 2 (Distributed register automaton).
Let Σin = (I, Rin) and Σout = (O, Rout) be two signatures. A distributed register automaton (or simply automaton) with input signature Σin and output signature Σout is a tuple A = (Q, R, ι, ∆, H, o) consisting of a nonempty finite set Q of states, a finite set R of registers that includes both Rin and Rout, an input function ι : I → Q, a transition maker ∆ whose specification will be given in Definition 3 below, a set H ⊆ Q of halting states, and an output function o : H → O. The registers in R \ (Rin ∪ Rout) are called auxiliary registers.

Automaton A computes a transduction T_A ∈ T(Σin, Σout). To do so, it runs in a sequence of synchronous rounds on the input configuration's underlying graph G = (V, E). After each round, the automaton's global configuration is a (Q, R)-configuration C = (G, q, r), i.e., the underlying graph is always G. As mentioned before, for a node v ∈ V, we interpret q(v) ∈ Q as the current state of v and r(v) ∈ V^R as the current register valuation of v. Abusing notation, we let C(v) := (q(v), r(v)) and say that C(v) is the local configuration of v. In Figure 1, the local configuration of node 17 is (q₁, {r₁, r₂, r₃ ↦ 17, 34, 98}).

For a given input configuration C = (G, q, r) ∈ C(Σin), the automaton's initial configuration is C′ = (G, ι ∘ q, r′), where for all v ∈ V, we have r′(v)(r) = r(v)(r) if r ∈ Rin, and r′(v)(r) = v if r ∈ R \ Rin. This means that every node v is initialized to state ι(q(v)), and v's initial register valuation r′(v) assigns v's own identifier (provided by G) to all non-input registers while keeping the given values assigned by r(v) to the input registers.

Each subsequent configuration is obtained by running the transition maker ∆ synchronously on all nodes. As we will see, ∆ computes a function

⟦∆⟧ : (Q × V^R)⁺ → Q × V^R

that maps nonempty sequences of local configurations to local configurations. This allows the automaton A to transition from a given configuration C to the next configuration C′ as follows. For every node u ∈ V of degree d, we consider the list v₁, ..., v_d of u's neighbors sorted in ascending (identifier) order, i.e., vᵢ < vᵢ₊₁ for i ∈ [1 : d). (See Figure 1 for an example, where u corresponds to node 17.) If u is already in a halting state, i.e., if C(u) = (q, ρ) ∈ H × V^R, then its local configuration does not change anymore, i.e., C′(u) = C(u). Otherwise, we define C′(u) = ⟦∆⟧(C(u), C(v₁), ..., C(v_d)), which we may write more suggestively as

⟦∆⟧ : C(u) --C(v₁),...,C(v_d)--> C′(u).
Fig. 1. Part of a configuration, as seen by a single node. Assuming the identifiers of the nodes are the values represented in black boxes (i.e., those stored in register r₁), the automaton at node 17 will update its own local configuration (q₁, {r₁, r₂, r₃ ↦ 17, 34, 98}) by running the transition maker on the sequence consisting of the local configurations of nodes 17, 2, 34, and 98 (in that exact order).

Intuitively, node u updates its own local configuration by using ∆ to scan a snapshot of its neighbors' local configurations. As the system is synchronous, this update procedure is performed simultaneously by all nodes.

A configuration C = (G, q, r) is called a halting configuration if all nodes are in a halting state, i.e., if q(v) ∈ H for all v ∈ V. We say that A halts if it reaches a halting configuration.

The output configuration produced by a halting configuration C = (G, q, r) is the Σout-configuration C′ = (G, o ∘ q, r′), where for all v ∈ V and r ∈ Rout, we have r′(v)(r) = r(v)(r). In other words, each node v outputs the state o(q(v)) and keeps in its output registers the values assigned by r(v).

It is now obvious that A defines a transduction T_A : C(Σin) → C(Σout). If A receives the input configuration C ∈ C(Σin) and eventually halts and produces the output configuration C′ ∈ C(Σout), then T_A(C) = C′. Otherwise (if A does not halt), T_A(C) is undefined.

Deciding graph properties.
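As an illustration of these semantics, the following Python fragment simulates the global rounds of such an automaton. It is our own toy rendering, not from the paper: local configurations are arbitrary Python values, and the example "flooding" automaton below cheats by counting rounds up to a known bound, a shortcut the formal model would not allow.

```python
def run_rounds(graph, init_local, transition, halting, max_rounds=10_000):
    """Run a synchronous distributed automaton until a halting
    configuration is reached (a sketch of the round semantics above).

    graph:      dict mapping each node identifier to its set of neighbors
    init_local: dict mapping each node to its initial local configuration
    transition: function taking the nonempty sequence
                (C(u), C(v1), ..., C(vd)), neighbors in ascending
                identifier order, and returning u's next local configuration
    halting:    predicate identifying halting local configurations
    """
    config = dict(init_local)
    for _ in range(max_rounds):
        if all(halting(config[v]) for v in graph):
            return config
        new_config = {}
        for u in graph:
            if halting(config[u]):
                new_config[u] = config[u]          # halted nodes are frozen
            else:
                nbrs = sorted(graph[u])            # ascending identifier order
                new_config[u] = transition(
                    [config[u]] + [config[v] for v in nbrs])
        config = new_config                        # simultaneous update
    return None                                    # automaton did not halt

# Toy usage: flood the minimum identifier along a path for 3 rounds.
graph = {0: {1}, 1: {0, 2}, 2: {1, 3}, 3: {2}}
final = run_rounds(graph,
                   {v: (0, v) for v in graph},
                   lambda seq: (seq[0][0] + 1, min(val for _, val in seq)),
                   lambda lc: lc[0] >= 3)
```

After three rounds, every node in the path holds the minimum identifier 0, mirroring the flooding behavior that distance-3 information needs three synchronous rounds to propagate.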
Our primary objective is to use distributed register automata as decision procedures for graph properties. Therefore, we will focus on automata A that halt in a finite number of rounds on every input configuration, and we often restrict to input signatures of the form (I, ∅) and the output signature ({yes, no}, ∅). For example, for I = {a, b}, we may be interested in the set of I-labeled graphs that have exactly one a-labeled node v (the "leader"). We stipulate that A accepts an input configuration C with underlying graph G = (V, E) if T_A(C) = (G, q, r) such that q(v) = yes for all v ∈ V. Conversely, A rejects C if T_A(C) = (G, q, r) such that q(v) = no for some v ∈ V. This corresponds to the usual definition chosen in the emerging field of distributed decision [7]. Accordingly, a graph property P is decided by A if the automaton accepts all input configurations that satisfy P and rejects all the others.

It remains to explain how the transition maker ∆ works internally.

Definition 3 (Transition maker).
Suppose that A = (Q, R, ι, ∆, H, o) is a distributed register automaton. Then its transition maker ∆ = (Q̃, R̃, ι̃, δ̃, õ) consists of a nonempty finite set Q̃ of inner states, a finite set R̃ of inner registers that is disjoint from R, an inner initial state ι̃ ∈ Q̃, an inner transition function δ̃ : Q̃ × Q × 2^((R̃∪R)²) → Q̃ × (R̃ ∪ R)^R̃, and an inner output function õ : Q̃ → Q × R̃^R.

Basically, a transition maker ∆ = (Q̃, R̃, ι̃, δ̃, õ) is a sequential register automaton (in the spirit of [13]) that reads a nonempty sequence (q₀, ρ₀), ..., (q_d, ρ_d) ∈ (Q × V^R)⁺ of local configurations of A in order to produce a new local configuration (q′, ρ′). While reading this sequence, it traverses itself a sequence (q̃₀, ρ̃₀), ..., (q̃_{d+1}, ρ̃_{d+1}) of inner configurations, which each consist of an inner state q̃ᵢ ∈ Q̃ and an inner register valuation ρ̃ᵢ ∈ (V ∪ {⊥})^R̃, where the symbol ⊥ represents an undefined value. For the initial inner configuration, we set q̃₀ = ι̃ and ρ̃₀(r̃) = ⊥ for all r̃ ∈ R̃. Now for i ∈ [d], when ∆ is in the inner configuration (q̃ᵢ, ρ̃ᵢ) and reads the local configuration (qᵢ, ρᵢ), it can compare all values assigned to the inner registers and registers by ρ̃ᵢ and ρᵢ (with respect to the order relation on V). In other words, it has access to the binary relation ≺ᵢ ⊆ (R̃ ∪ R)² such that for r̃, s̃ ∈ R̃ and r, s ∈ R, we have r̃ ≺ᵢ r if and only if ρ̃ᵢ(r̃) < ρᵢ(r), and analogously for r ≺ᵢ r̃, r̃ ≺ᵢ s̃, and r ≺ᵢ s. In particular, if ρ̃ᵢ(r̃) = ⊥, then r̃ is incomparable with respect to ≺ᵢ. Equipped with this relation, ∆ transitions to (q̃ᵢ₊₁, ρ̃ᵢ₊₁) by evaluating δ̃(q̃ᵢ, qᵢ, ≺ᵢ) = (q̃ᵢ₊₁, α̃) and computing ρ̃ᵢ₊₁ such that ρ̃ᵢ₊₁(r̃) = ρ̃ᵢ(s̃) if α̃(r̃) = s̃, and ρ̃ᵢ₊₁(r̃) = ρᵢ(s) if α̃(r̃) = s, where r̃, s̃ ∈ R̃ and s ∈ R.
Finally, after having read the entire input sequence and reached the inner configuration (q̃_{d+1}, ρ̃_{d+1}), the transition maker outputs the local configuration (q′, ρ′) such that õ(q̃_{d+1}) = (q′, β̃) and β̃(r) = r̃ implies ρ′(r) = ρ̃_{d+1}(r̃). Here we assume without loss of generality that ∆ guarantees that ρ′(r) ≠ ⊥ for all r ∈ R.

Remark 4.
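The scanning behavior of a transition maker can be sketched as follows. This is a hypothetical rendering with made-up names, not the paper's formalism; the point it illustrates is that the inner machine only ever compares register values against each other and never inspects them as numbers (register names from R̃ and R are assumed distinct, as in Definition 3).

```python
def run_transition_maker(inner_init, inner_step, inner_output, sequence):
    """Sketch of a transition maker in the sense of Definition 3.

    inner_init:   the initial inner state (inner registers start undefined)
    inner_step:   function (inner_state, state_i, compare) ->
                  (next_inner_state, register_update), where `compare`
                  only exposes order comparisons between register values
    inner_output: function mapping the final inner configuration to the
                  new local configuration (q', rho')
    sequence:     local configurations (q0, rho0), ..., (qd, rhod),
                  i.e. the scanning node followed by its sorted neighbors
    """
    inner_state = inner_init
    inner_regs = {}                      # absent key = undefined value (⊥)
    for q_i, rho_i in sequence:
        # The machine may only *compare* values, never read them directly.
        def compare(a, b, _inner=inner_regs, _cur=rho_i):
            lookup = lambda r: _inner.get(r, _cur.get(r))
            x, y = lookup(a), lookup(b)
            return x is not None and y is not None and x < y
        inner_state, update = inner_step(inner_state, q_i, compare)
        # Each inner register is overwritten by the value of the register
        # (inner or current) named in the update mapping.
        inner_regs = {r: inner_regs.get(s, rho_i.get(s))
                      for r, s in update.items()}
    return inner_output(inner_state, inner_regs)

# Toy inner machine: keep, in inner register 'min', the smallest value
# of register 'root' seen while scanning the sequence.
def step(st, q, cmp):
    if st == 'start' or cmp('root', 'min'):
        return ('scan', {'min': 'root'})
    return ('scan', {'min': 'min'})

def out(st, regs):
    return ('done', {'root': regs['min']})

seq = [('q', {'root': 5}), ('q', {'root': 2}), ('q', {'root': 7})]
result = run_transition_maker('start', step, out, seq)
```

The toy machine above is essentially the mechanism a real transition maker would use to adopt the smallest root identifier in its neighborhood.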
Recall that V = [n) for any graph G = (V, E) with n nodes. However, as registers cannot be compared with constants, this actually represents an arbitrary assignment of unique, totally ordered identifiers. To determine the smallest identifier (i.e., 0), the nodes can run an algorithm such as the following.

Example 5 (Spanning tree).
We present a simple automaton A = (Q, R, ι, ∆, H, o) with input signature Σin = (1, ∅) and output signature Σout = (1, {parent, root}) that computes a (breadth-first) spanning tree of its input graph G = (V, E), rooted at the node with the smallest identifier. More precisely, in the computed output configuration C = (G, q, r), every node will store the identifier of its tree parent in register parent and the identifier of the root (i.e., the smallest identifier) in register root. Thus, as a side effect, A also solves the leader election problem by electing the root as the leader.

The automaton operates in three phases, which are represented by the set of states Q = {1, 2, 3}. A node terminates as soon as it reaches the third phase, i.e., we set H = {3}. Accordingly, the (trivial) input and output functions are ι : ε ↦ 1 and o : 3 ↦ ε. In addition to the output registers, each node has an auxiliary register self that will always store its own identifier. Thus, we choose
R = {self, parent, root}. For the sake of simplicity, we describe the transition maker ∆ in Algorithm 1 using pseudocode rules. However, it should be clear that these rules could be relatively easily implemented according to Definition 3.

Algorithm 1 Transition maker of the automaton from Example 5

  if ∃ neighbor nb (nb.root < my.root):
      my.state ← 1; my.parent ← nb.self; my.root ← nb.root          (Rule 1)
  else if my.state = 1 ∧ ∀ neighbor nb [nb.root = my.root ∧ (nb.parent ≠ my.self ∨ nb.state = 2)]:
      my.state ← 2                                                  (Rule 2)
  else if (my.state = 2 ∧ my.root = my.self) ∨ (my.parent.state = 3):
      my.state ← 3                                                  (Rule 3)
  else:
      do nothing

All nodes start in state 1, which represents the tree-construction phase. By Rule 1, whenever an active node (i.e., a node in state 1 or 2) sees a neighbor whose root register contains a smaller identifier than the node's own root register, it updates its parent and root registers accordingly and switches to state 1. To resolve the nondeterminism in Rule 1, we stipulate that nb is chosen to be the neighbor with the smallest identifier among those whose root register contains the smallest value seen so far.

As can easily be shown by induction on the number of communication rounds, the nodes have to apply Rule 1 no more than diameter(G) times in order for the pointers in register parent to represent a valid spanning tree (where the root points to itself). However, since the nodes do not know when diameter(G) rounds have elapsed, they must also check that the current configuration does indeed represent a single tree, as opposed to a forest. They do so by propagating a signal, in form of state 2, from the leaves up to the root.

By Rule 2, if an active node whose neighbors all agree on the same root realizes that it is a leaf or that all of its children are in state 2, then it switches to state 2 itself.
Assuming the parent pointers in the current configuration already represent a single tree, Rule 2 ensures that the root will eventually be notified of this fact (when all of its children are in state 2). Otherwise, the parent pointers represent a forest, and every tree contains at least one node that has a neighbor outside of the tree (as we assume the underlying graph is connected). Depending on the input graph, a node can switch arbitrarily often between states 1 and 2.

Once the spanning tree has been constructed and every node is in state 2, the only node that knows this is the root. In order for the algorithm to terminate, Rule 3 then makes the root broadcast an acknowledgment message down the tree, which causes all nodes to switch to the halting state 3. (An example run and a proof of correctness can be found in Appendix A.) ⊓⊔

Building on the automaton from Example 5, we now give an example of a graph property that can be decided in our model of distributed computing. The following automaton should be compared to the logical formula presented later in Example 8, which is much more compact and much easier to specify.
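For readers who prefer executable form, the three rules of Algorithm 1 can be simulated round by round as follows. This is our own sketch with an ad-hoc data representation; reading the parent's state via a global snapshot is a shortcut for inspecting its local configuration, which is legitimate since a node's parent is always itself or one of its neighbors.

```python
def spanning_tree(graph):
    """Simulate the spanning-tree automaton of Example 5 (a sketch).

    graph maps each node identifier to its set of neighbors. Runs
    synchronous rounds until every node halts in state 3, then returns
    each node's (parent, root) registers.
    """
    node = {v: {'state': 1, 'parent': v, 'root': v} for v in graph}
    while any(node[v]['state'] != 3 for v in graph):
        snapshot = {v: dict(node[v]) for v in graph}   # previous round
        for v in graph:
            if snapshot[v]['state'] == 3:
                continue                               # halted: frozen
            me = node[v]
            nbrs = [(u, snapshot[u]) for u in sorted(graph[v])]
            better = [(u, nb) for u, nb in nbrs
                      if nb['root'] < snapshot[v]['root']]
            if better:                                 # Rule 1
                # tie-break: smallest root, then smallest identifier
                u, nb = min(better, key=lambda p: (p[1]['root'], p[0]))
                me.update(state=1, parent=u, root=nb['root'])
            elif (snapshot[v]['state'] == 1 and
                  all(nb['root'] == snapshot[v]['root'] and
                      (nb['parent'] != v or nb['state'] == 2)
                      for _, nb in nbrs)):             # Rule 2
                me['state'] = 2
            elif ((snapshot[v]['state'] == 2 and
                   snapshot[v]['root'] == v) or
                  snapshot[snapshot[v]['parent']]['state'] == 3):  # Rule 3
                me['state'] = 3
            # else: do nothing
    return {v: (node[v]['parent'], node[v]['root']) for v in graph}

# On a path 0-1-2-3, node 0 becomes the root and the parent pointers
# form the obvious chain.
tree = spanning_tree({0: {1}, 1: {0, 2}, 2: {1, 3}, 3: {2}})
assert all(root == 0 for _, root in tree.values())
```

The simulation terminates exactly because, as argued above, Rule 1 can fire at most diameter(G) times per node before the root information stabilizes, after which the state-2 and state-3 waves sweep up and down the tree.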
Example 6 (Hamiltonian cycle).
We describe an automaton with input signature Σin = (1, {parent, root}) and output signature Σout = ({yes, no}, ∅) that decides if the underlying graph G = (V, E) of its input configuration C = (G, q, r) is Hamiltonian, i.e., whether G contains a cycle that goes through each node exactly once. The automaton works under the assumption that r encodes a valid spanning tree of G in the registers parent and root, as constructed by the automaton from Example 5. Hence, by combining the two automata, we could easily construct a third one that decides the graph property of Hamiltonicity.

The automaton A = (Q, R, ι, ∆, H, o) presented here implements a simple backtracking algorithm that tries to traverse G along a Hamiltonian cycle. Its set of states is Q = ({unvisited, visited, backtrack} × {idle, request, good, bad}) ∪ H, with the set of halting states H = {yes, no}. Each non-halting state consists of two components, the first one serving for the backtracking procedure and the second one for communicating in the spanning tree. The input function ι initializes every node to the state (unvisited, idle), while the output function simply returns the answers chosen by the nodes, i.e., o : yes ↦ yes, no ↦ no. In addition to the input registers, each node has a register self storing its own identifier and a register successor to point to its successor in a (partially constructed) Hamiltonian path. That is, R = {self, parent, root, successor}. We now describe the algorithm in an informal way.
It is, in principle, easy to implement in the transition maker ∆, but a thorough formalization would be rather cumbersome.

In the first round, the root marks itself as visited and updates its successor register to point towards its smallest neighbor (the one with the smallest identifier). Similarly, in each subsequent round, any unvisited node that is pointed to by one of its neighbors marks itself as visited and points towards its smallest unvisited neighbor. However, if all neighbors are already visited, the node instead sends the backtrack signal to its predecessor and switches back to unvisited (in the following round). Whenever a visited node receives the backtrack signal from its successor, it tries to update its successor to the next-smallest unvisited neighbor. If no such neighbor exists, it resets its successor pointer to itself, propagates the backtrack signal to its predecessor, and becomes unvisited in the following round.

There is only one exception to the above rules: if a node that is adjacent to the root cannot find any unvisited neighbor, it chooses the root as its successor. This way, the constructed path becomes a cycle. In order to check whether that cycle is Hamiltonian, the root now broadcasts a request down the spanning tree. If the request reaches an unvisited node, that node replies by sending the message bad towards the root. On the other hand, every visited leaf replies with the message good. While bad is always forwarded up to the root, good is only forwarded by nodes that receive this message from all of their children. If the root receives only good, then it knows that the current cycle is Hamiltonian and it switches to the halting state yes. The information is then broadcast through the entire graph, so that all nodes eventually accept. Otherwise, the root sends the backtrack signal to its predecessor, and the search for a Hamiltonian cycle continues.
In case there is none (in particular, if there is not even an arbitrary cycle), the root will eventually receive the backtrack signal from its greatest neighbor, which indicates that all possibilities have been exhausted. If this happens, the root switches to the halting state no, and all other nodes eventually do the same. ⊓⊔

In order to introduce functional fixpoint logic, we first give a definition of first-order logic that suits our needs. Formulas will always be evaluated on ordered, undirected, connected, I-labeled graphs, where I is a fixed finite set of labels. Throughout this paper, let N be an infinite supply of node variables and F be an infinite supply of function variables; we refer to them collectively as variables. The corresponding set of terms is generated by the grammar t ::= x | f(t), where x ∈ N and f ∈ F. With this, the set of formulas of first-order logic over I is given by the grammar

ϕ ::= ⟨a⟩t | s < t | s ♯ t | ¬ϕ | ϕ ∨ ϕ | ∃x ϕ,

where s and t are terms, a ∈ I, and x ∈ N. As usual, we may also use the additional operators ∧, ⇒, ⇔, ∀ to make our formulas more readable, and we define the notations s ≤ t, s = t, and s ≠ t as abbreviations for ¬(t < s), (s ≤ t) ∧ (t ≤ s), and ¬(s = t), respectively.

The sets of free variables of a term t and a formula ϕ are denoted by free(t) and free(ϕ), respectively. While node variables can be bound by the usual quantifiers ∃ and ∀, function variables can be bound by a partial fixpoint operator that we will introduce below.

To interpret a formula ϕ on an I-labeled graph (G, q) with G = (V, E), we are given a variable assignment σ for the variables that occur freely in ϕ. This is a partial function σ : N ∪ F → V ∪ V^V such that σ(x) ∈ V if x is a free node variable and σ(f) ∈ V^V if f is a free function variable.
We call σ(x) and σ(f) the interpretations of x and f under σ, and denote them by x^σ and f^σ, respectively. For a composite term t, the corresponding interpretation t^σ under σ is defined in the obvious way.

We write (G, q), σ ⊨ ϕ to denote that (G, q) satisfies ϕ under assignment σ. If ϕ does not contain any free variables, we simply write (G, q) ⊨ ϕ and refer to the set P of I-labeled graphs that satisfy ϕ as the graph property defined by ϕ. Naturally enough, we say that two devices (i.e., automata or formulas) are equivalent if they specify (i.e., decide or define) the same graph property, and that two classes of devices are equivalent if their members specify the same class of graph properties.

As we assume that the reader is familiar with first-order logic, we only define the semantics of the atomic formulas (whose syntax is not completely standard):

    (G, q), σ ⊨ ⟨a⟩t   iff   q(t^σ) = a          (“t has label a”),
    (G, q), σ ⊨ s < t  iff   s^σ < t^σ           (“s is smaller than t”),
    (G, q), σ ⊨ s ∼ t  iff   {s^σ, t^σ} ∈ E      (“s and t are adjacent”).

We now turn to functional fixpoint logic. Syntactically, it is defined as the extension of first-order logic that allows us to write formulas of the form

    pfp [ f_1 : ϕ_1(f_1, …, f_ℓ, in, out)
             ⋮
          f_ℓ : ϕ_ℓ(f_1, …, f_ℓ, in, out) ]  ψ,        (∗)

where f_1, …, f_ℓ ∈ F, in, out ∈ N, and ϕ_1, …, ϕ_ℓ, ψ are formulas. We use the notation “ϕ_i(f_1, …, f_ℓ, in, out)” to emphasize that f_1, …, f_ℓ, in, out may occur freely in ϕ_i (possibly among other variables). The free variables of formula (∗) are given by ⋃_{i∈(ℓ]} [free(ϕ_i) \ {f_1, …, f_ℓ, in, out}] ∪ [free(ψ) \ {f_1, …, f_ℓ}].

The idea is that the partial fixpoint operator pfp binds the function variables f_1, …, f_ℓ. The ℓ lines in square brackets constitute a system of function definitions that provide an interpretation of f_1, …, f_ℓ, using the special node variables in and out as helpers to represent input and output values. This is why pfp also binds any free occurrences of in and out in ϕ_1, …, ϕ_ℓ, but not in ψ.

To specify the semantics of (∗), we first need to make some preliminary observations. As before, we consider a fixed I-labeled graph (G, q) with G = (V, E) and assume that we are given a variable assignment σ for the free variables of (∗). With respect to (G, q) and σ, each formula ϕ_i induces an operator F_{ϕ_i} : (V^V)^ℓ → V^V that takes some interpretation of the function variables f_1, …, f_ℓ and outputs a new interpretation of f_i, corresponding to the function graph defined by ϕ_i via the node variables in and out. For inputs on which ϕ_i does not define a functional relationship, the new interpretation of f_i behaves like the identity function. More formally, given a variable assignment σ̂ that extends σ with interpretations of f_1, …, f_ℓ, the operator F_{ϕ_i} maps f_1^σ̂, …, f_ℓ^σ̂ to the function f_i^new such that for all u ∈ V,

    f_i^new(u) = v,  if v is the unique node in V such that (G, q), σ̂[in, out ↦ u, v] ⊨ ϕ_i;
    f_i^new(u) = u,  otherwise.

Here, σ̂[in, out ↦ u, v] is the extension of σ̂ interpreting in as u and out as v.

In this way, the operators F_{ϕ_1}, …, F_{ϕ_ℓ} give rise to an infinite sequence (f_1^k, …, f_ℓ^k)_{k≥0} of tuples of functions, called stages, where the initial stage contains solely the identity function id_V and each subsequent stage is obtained from its predecessor by componentwise application of the operators.
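The stage computation can be sketched in Python. This is a toy model of our own making: functions on a finite node set V are dictionaries, and the operators F_{ϕ_i} are assumed to be handed to us as ordinary Python functions rather than derived from formulas.

```python
# Iterate the stages (f_1^k, ..., f_l^k), starting from identities.
# Each operator maps the current tuple of stage functions to the new
# interpretation of "its" function variable.

def partial_fixpoint(V, operators):
    """Return the partial fixpoint: the reached simultaneous fixpoint
    if one exists, and the tuple of identity functions otherwise."""
    l = len(operators)
    stage = tuple({u: u for u in V} for _ in range(l))
    # If no fixpoint is reached within |V|**(|V| * l) steps (the number
    # of l-tuples of functions on V), the stages must cycle forever.
    for _ in range(len(V) ** (len(V) * l)):
        nxt = tuple(op(stage) for op in operators)
        if nxt == stage:
            return stage
        stage = nxt
    return tuple({u: u for u in V} for _ in range(l))

# Example with l = 1: the operator that always returns the constant
# minimum function reaches a fixpoint after one step.
V = [0, 1, 2]
const_min = lambda fs: {u: min(V) for u in V}
print(partial_fixpoint(V, [const_min]))  # ({0: 0, 1: 0, 2: 0},)
```

An operator that strictly changes every stage (e.g., one that "rotates" all values) never stabilizes, so the sketch falls back to the identity tuple, matching the partial fixpoint semantics.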
More formally, f_i^0 = id_V = {u ↦ u | u ∈ V} and f_i^{k+1} = F_{ϕ_i}(f_1^k, …, f_ℓ^k), for i ∈ (ℓ] and k ≥ 0. Now, since we have not imposed any restrictions on the formulas ϕ_i, this sequence might never stabilize, i.e., it is possible that (f_1^k, …, f_ℓ^k) ≠ (f_1^{k+1}, …, f_ℓ^{k+1}) for all k ≥ 0. Otherwise, the sequence reaches a (simultaneous) fixpoint at some position k no greater than |V|^(|V|·ℓ) (the number of ℓ-tuples of functions on V).

We define the partial fixpoint (f_1^∞, …, f_ℓ^∞) of the operators F_{ϕ_1}, …, F_{ϕ_ℓ} to be the reached fixpoint if it exists, and the tuple of identity functions otherwise. That is, for i ∈ (ℓ],

    f_i^∞ = f_i^k,  if there exists k ≥ 0 such that f_j^k = f_j^{k+1} for all j ∈ (ℓ];
    f_i^∞ = id_V,   otherwise.

Having introduced the necessary background, we can finally provide the semantics of the formula pfp[f_i : ϕ_i]_{i∈(ℓ]} ψ presented in (∗):

    (G, q), σ ⊨ pfp[f_i : ϕ_i]_{i∈(ℓ]} ψ   iff   (G, q), σ[f_i ↦ f_i^∞]_{i∈(ℓ]} ⊨ ψ,

where σ[f_i ↦ f_i^∞]_{i∈(ℓ]} is the extension of σ that interprets f_i as f_i^∞, for i ∈ (ℓ]. In other words, the formula pfp[f_i : ϕ_i]_{i∈(ℓ]} ψ can intuitively be read as “if f_1, …, f_ℓ are interpreted as the partial fixpoint of ϕ_1, …, ϕ_ℓ, then ψ holds”.

Syntactic sugar
Before we consider a concrete formula (in Example 8), we first introduce some “syntactic sugar” to make using functional fixpoint logic more pleasant.
Set variables.
According to our definition of functional fixpoint logic, the operator pfp can bind only function variables. However, functions can be used to encode sets of nodes in a straightforward manner: any set U may be represented by a function that maps nodes outside of U to themselves and nodes inside U to nodes distinct from themselves. Therefore, we may fix an infinite supply S of set variables, and extend the syntax of first-order logic to allow atomic formulas of the form t ∈ X, where t is a term and X is a set variable in S. Naturally, the semantics is that “t is an element of X”. To bind set variables, we can then write partial fixpoint formulas of the form pfp[(f_i : ϕ_i)_{i∈(ℓ]}, (X_i : ϑ_i)_{i∈(m]}] ψ, where f_1, …, f_ℓ ∈ F, X_1, …, X_m ∈ S, and ϕ_1, …, ϕ_ℓ, ϑ_1, …, ϑ_m, ψ are formulas. The stages of the partial fixpoint induction are computed as before, but each set variable X_i is initialized to ∅, and falls back to ∅ in case the sequence of stages does not converge to a fixpoint. (More details can be found in Appendix B.1.)

Quantifiers over functions and sets.
Partial fixpoint inductions allow us to iterate over various interpretations of function and set variables and thus provide a way of expressing (second-order) quantification over functions and sets. Since we restrict ourselves to graphs whose nodes are totally ordered, we can easily define a suitable order of iteration and a corresponding partial fixpoint induction that traverses all possible interpretations of a given function or set variable. To make this more convenient, we enrich the language of functional fixpoint logic with second-order quantifiers, allowing us to write formulas of the form ∃f ϕ and ∃X ϕ, where f ∈ F, X ∈ S, and ϕ is a formula. The semantics is the standard one. (More details can be found in Appendix B.2.)

As a consequence, it is possible to express any graph property definable in monadic second-order logic, the extension of first-order logic with set quantifiers.

Corollary 7.
When restricted to finite graphs equipped with a total order, functional fixpoint logic is strictly more expressive than monadic second-order logic.
The strictness of the inclusion in the above corollary follows from the fact that even on totally ordered graphs, Hamiltonicity cannot be defined in monadic second-order logic (see, e.g., the proof in [4, Prp. 5.13]). As the following example shows, this property is easy to express in functional fixpoint logic.
Example 8 (Hamiltonian cycle).
The following formula of functional fixpoint logic defines the graph property of Hamiltonicity. That is, an unlabeled graph G satisfies this formula if and only if there exists a cycle in G that goes through each node exactly once.

    ∃f (  ∀x (f(x) ∼ x)  ∧  ∀x ∃y [f(y) = x ∧ ∀z (f(z) = x ⇒ z = y)]
        ∧ ∀X ( [∃x (x ∈ X) ∧ ∀y (y ∈ X ⇒ f(y) ∈ X)] ⇒ ∀y (y ∈ X) )  )

Here, x, y, z ∈ N, X ∈ S, and f ∈ F. Intuitively, we represent a given Hamiltonian cycle by a function f that tells us for each node x which of x’s neighbors we should visit next in order to traverse the entire cycle. Thus, f actually represents a directed version of the cycle.

To ensure the existence of a Hamiltonian cycle, our formula states that there is a function f satisfying the following two conditions. By the first line, each node x must have exactly one f-predecessor and one f-successor, both of which must be neighbors of x. By the second line, if we start at any node x and collect into a set X all the nodes reachable from x (by following the path specified by f), then X must contain all nodes. ⊓⊔

5 Translating between automata and logic

Having introduced both automata and logic, we can proceed to explain the first part of Theorem 1 (stated in Section 1), i.e., how distributed register automata can be translated into functional fixpoint logic (see Appendix C for a full proof).
Proposition 9.
For every distributed register automaton that decides a graph property, we can construct an equivalent formula of functional fixpoint logic.

Proof (sketch).
Given a distributed register automaton A = (Q, R, ι, ∆, H, o) deciding a graph property P over label set I, we can construct a formula ϕ_A of functional fixpoint logic that defines P. For each state q ∈ Q, our formula uses a set variable X_q to represent the set of nodes of the input graph that are in state q. Also, for each register r ∈ R, it uses a function variable f_r to represent the function that maps each node u to the node v whose identifier is stored in u’s register r. By means of a partial fixpoint operator, we enforce that on any I-labeled graph (G, q), the final interpretations of (X_q)_{q∈Q} and (f_r)_{r∈R} represent the halting configuration reached by A on (G, q). The main formula is simply

    ϕ_A := pfp [ (X_q : ϕ_q)_{q∈Q}
                 (f_r : ϕ_r)_{r∈R} ]  ∀x ( ⋁_{p∈H : o(p)=yes}  x ∈ X_p ),

which states that all nodes end up in a halting state that outputs yes.

Basically, the subformulas (ϕ_q)_{q∈Q} and (ϕ_r)_{r∈R} can be constructed in such a way that for all i ∈ ℕ, the (i + 1)-th stage of the partial fixpoint induction represents the configuration reached by A in the i-th round. To achieve this, each of the subformulas contains a nested partial fixpoint formula describing the result computed by the transition maker ∆ between two consecutive synchronous rounds, using additional set and function variables to encode the inner configurations of ∆ at each node. Thus, each stage of the nested partial fixpoint induction corresponds to a single step in the transition maker’s sequential scanning process. ⊓⊔

Let us now consider the opposite direction and sketch how to go from functional fixpoint logic to distributed register automata (see Appendix D for a full proof).
Proposition 10.
For every formula of functional fixpoint logic that defines a graph property, we can construct an equivalent distributed register automaton.

Proof (sketch).
We proceed by structural induction: each subformula ϕ will be evaluated by a dedicated automaton A_ϕ, and several such automata can then be combined to build an automaton for a composite formula. For this purpose, it is convenient to design centralized automata, which operate on a given spanning tree (as computed in Example 5) and are coordinated by the root in a fairly sequential manner. In A_ϕ, each free node variable x of ϕ is represented by a corresponding input register x whose value at the root is the current interpretation x^σ of x. Similarly, to represent a function variable f, every node v has a register f storing f^σ(v). The nodes also possess some auxiliary registers whose purpose will be explained below. In the end, for any formula ϕ (potentially with free variables), we will have an automaton A_ϕ computing a transduction T_{A_ϕ} : C(I, {parent, root} ∪ free(ϕ)) → C({yes, no}, ∅), where parent and root are supposed to constitute a spanning tree. The computation is triggered by the root, which means that the other nodes are waiting for a signal to wake up. Essentially, the nodes involved in the evaluation of ϕ collect some information, send it towards the root, and go back to sleep. The root then returns yes or no, depending on whether or not ϕ holds in the input graph under the variable assignment provided by the input registers. Centralizing A_ϕ in that way makes it very convenient (albeit not efficient) to evaluate composite formulas. For example, in A_{ϕ∨ψ}, the root will first run A_ϕ, and then A_ψ in case A_ϕ returns no.

The evaluation of atomic formulas is straightforward. So let us focus on the most interesting case, namely when ϕ = pfp[f_i : ϕ_i]_{i∈(ℓ]} ψ. The root’s program is outlined in Algorithm 2. Line 1 initializes a counter that ranges from 0 to n^(ℓ·n) − 1, where n is the number of nodes in the input graph.
Algorithm 2  A_ϕ for ϕ = pfp[f_i : ϕ_i]_{i∈[1:ℓ]} ψ, as controlled by the root

    1  init(A_inc)
    2  repeat
    3      @every node do: for i ∈ [1:ℓ] do f_i ← f_i^new
    4      for i ∈ [1:ℓ] do update(f_i^new)
    5      if @every node (∀i ∈ [1:ℓ] : f_i^new = f_i) then goto 8
    6  until execute(A_inc) returns no        /* until global counter at maximum */
    7  @every node do: for i ∈ [1:ℓ] do f_i ← self
    8  execute(A_ψ)

This counter is distributed in the sense that every node has some dedicated registers that together store the current counter value. Every execution of A_inc will increment the counter by 1, or return no if its maximum value has been exceeded. Now, in each iteration of the loop starting at Line 2, all registers f_i and f_i^new are updated in such a way that they represent the current and next stage, respectively, of the partial fixpoint induction. For the former, it suffices that every node copies, for all i, the contents of f_i^new to f_i (Line 3). To update f_i^new, Line 4 calls a subroutine update(f_i^new) whose effect is that f_i^new = F_{ϕ_i}((f_i)_{i∈(ℓ]}) for all i, where F_{ϕ_i} : (V^V)^ℓ → V^V is the operator defined in Section 4. Line 5 checks whether we have reached a fixpoint: the root asks every node to compare, for all i, its registers f_i^new and f_i. The corresponding truth value is propagated back to the root, where false is given preference over true. If the result is true, we exit the loop and proceed with calling A_ψ to evaluate ψ (Line 8). Otherwise, we try to increment the global counter by executing A_inc (Line 6). If the latter returns no, the fixpoint computation is aborted because we know that it has reached a cycle. In accordance with the partial fixpoint semantics, all nodes then write their own identifier to every register f_i (Line 7) before ψ is evaluated (Line 8).
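The control flow of Algorithm 2 can be rendered sequentially as follows. This is a sketch under simplifying assumptions of our own: the distributed registers are collapsed into plain dictionaries, the operators F_{ϕ_i} and the evaluation of ψ are assumed to be given as ordinary functions, and the distributed counter A_inc becomes a base-n odometer with ℓ·n digits.

```python
# Sequential sketch of Algorithm 2. All names are illustrative.

def increment(counter, base):
    """Base-n odometer; returns False on overflow, playing the role
    of A_inc returning `no` once the maximum value is exceeded."""
    for i in range(len(counter)):
        counter[i] += 1
        if counter[i] < base:
            return True
        counter[i] = 0
    return False

def run_pfp(V, operators, eval_psi):
    n, l = len(V), len(operators)
    counter = [0] * (l * n)                    # Line 1: init(A_inc)
    f = [{u: u for u in V} for _ in range(l)]
    while True:                                # Line 2: repeat
        f_new = [op(f) for op in operators]    # Lines 3-4: update stages
        if f_new == f:                         # Line 5: fixpoint reached
            break
        f = f_new
        if not increment(counter, n):          # Line 6: counter maxed out;
            f = [{u: u for u in V} for _ in range(l)]  # Line 7: f_i <- self
            break
    return eval_psi(f)                         # Line 8: execute(A_psi)
```

Since the counter can take exactly n^(ℓ·n) values, it overflows precisely when the stage sequence is guaranteed to have entered a cycle, at which point the sketch defaults to the identity functions, as Line 7 does.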
⊓⊔

6 Conclusion

This paper makes some progress in the development of a descriptive distributed complexity theory by establishing a logical characterization of a wide class of network algorithms, modeled as distributed register automata.

In our translation from logic to automata, we did not pay much attention to algorithmic efficiency. In particular, we made extensive use of centralized subroutines that are triggered and controlled by a leader process. A natural question for future research is to identify cases where we can understand a distributed architecture as an opportunity that allows us to evaluate formulas faster. In other words, is there an expressive fragment of functional fixpoint logic that gives rise to efficient distributed algorithms in terms of running time? What about the required number of messages? We are then entering the field of automatic synthesis of practical distributed algorithms from logical specifications. This is a worthwhile task, as it is often much easier to declare what should be done than how it should be done (cf. Examples 6 and 8).

As far as the authors are aware, this area is still relatively unexplored. However, one noteworthy advance was made by Grumbach and Wu in [9], where they investigated distributed evaluation of first-order formulas on bounded-degree graphs and planar graphs. We hope to follow up on this in future work.
Acknowledgments.
We thank Matthias Függer for helpful discussions. Work supported by ERC EQualIS (FP7-308087) and ANR FREDDA (17-CE40-0013).
References
1. Serge Abiteboul and Victor Vianu. Fixpoint extensions of first-order logic and datalog-like languages. In Proceedings of the Fourth Annual Symposium on Logic in Computer Science (LICS ’89), Pacific Grove, California, USA, June 5-8, 1989, pages 71–79. IEEE Computer Society, 1989. doi:10.1109/LICS.1989.39160.
2. C. Aiswarya, Benedikt Bollig, and Paul Gastin. An automata-theoretic approach to the verification of distributed algorithms. In Luca Aceto and David de Frutos-Escrig, editors, 26th International Conference on Concurrency Theory (CONCUR 2015), volume 42 of LIPIcs, pages 340–353. Schloss Dagstuhl – Leibniz-Zentrum für Informatik, 2015. doi:10.4230/LIPIcs.CONCUR.2015.340.
3. C. Aiswarya, Benedikt Bollig, and Paul Gastin. An automata-theoretic approach to the verification of distributed algorithms. Inf. Comput., 259:305–327, 2018. doi:10.1016/j.ic.2017.05.006.
4. Bruno Courcelle and Joost Engelfriet. Graph Structure and Monadic Second-Order Logic – A Language-Theoretic Approach, volume 138 of Encyclopedia of Mathematics and its Applications. Cambridge University Press, 2012. URL: https://hal.archives-ouvertes.fr/hal-00646514, doi:10.1017/CBO9780511977619.
5. Reinhard Diestel. Graph Theory, 5th Edition, volume 173 of Graduate Texts in Mathematics. Springer, 2017. URL: http://diestel-graph-theory.com, doi:10.1007/978-3-662-53622-3.
6. Ronald Fagin. Generalized first-order spectra and polynomial-time recognizable sets. In Richard M. Karp, editor, Complexity of Computation, volume 7 of SIAM-AMS Proceedings, pages 43–73, 1974.
7. Laurent Feuilloley and Pierre Fraigniaud. Survey of distributed decision. Bulletin of the EATCS, 119, 2016. URL: http://eatcs.org/beatcs/index.php/beatcs/article/view/411.
8. Erich Grädel, Phokion G. Kolaitis, Leonid Libkin, Maarten Marx, Joel Spencer, Moshe Y. Vardi, Yde Venema, and Scott Weinstein. Finite Model Theory and Its Applications. Texts in Theoretical Computer Science. An EATCS Series. Springer, 2007. doi:10.1007/3-540-68804-8.
9. Stéphane Grumbach and Zhilin Wu. Logical locality entails frugal distributed computation over graphs (extended abstract). In Graph-Theoretic Concepts in Computer Science, 35th International Workshop, WG 2009, Montpellier, France, June 24-26, 2009. Revised Papers, volume 5911 of Lecture Notes in Computer Science, pages 154–165, 2009. doi:10.1007/978-3-642-11409-0_14.
10. Lauri Hella, Matti Järvisalo, Antti Kuusisto, Juhana Laurinharju, Tuomo Lempiäinen, Kerkko Luosto, Jukka Suomela, and Jonni Virtema. Weak models of distributed computing, with connections to modal logic. In Darek Kowalski and Alessandro Panconesi, editors, ACM Symposium on Principles of Distributed Computing, PODC ’12, Funchal, Madeira, Portugal, July 16-18, 2012, pages 185–194. ACM, 2012. doi:10.1145/2332432.2332466.
11. Lauri Hella, Matti Järvisalo, Antti Kuusisto, Juhana Laurinharju, Tuomo Lempiäinen, Kerkko Luosto, Jukka Suomela, and Jonni Virtema. Weak models of distributed computing, with connections to modal logic. Distributed Computing, 28(1):31–53, 2015. URL: https://arxiv.org/abs/1205.2051, doi:10.1007/s00446-013-0202-3.
12. Neil Immerman. Descriptive Complexity. Graduate Texts in Computer Science. Springer, 1999. doi:10.1007/978-1-4612-0539-5.
13. Michael Kaminski and Nissim Francez. Finite-memory automata. Theor. Comput. Sci., 134(2):329–363, 1994. doi:10.1016/0304-3975(94)90242-9.
14. Antti Kuusisto. Modal logic and distributed message passing automata. In Simona Ronchi Della Rocca, editor, Computer Science Logic 2013 (CSL 2013), September 2-5, 2013, Torino, Italy, volume 23 of LIPIcs, pages 452–468. Schloss Dagstuhl – Leibniz-Zentrum für Informatik, 2013. doi:10.4230/LIPIcs.CSL.2013.452.
15. Leonid Libkin. Elements of Finite Model Theory. Texts in Theoretical Computer Science. An EATCS Series. Springer, 2004. doi:10.1007/978-3-662-07003-1.
16. Fabian Reiter. Distributed graph automata. In 30th Annual ACM/IEEE Symposium on Logic in Computer Science (LICS 2015), pages 192–201. IEEE Computer Society, 2015. URL: https://arxiv.org/abs/1408.3030, doi:10.1109/LICS.2015.27.
17. Fabian Reiter. Asynchronous distributed automata: A characterization of the modal mu-fragment. In Ioannis Chatzigiannakis, Piotr Indyk, Fabian Kuhn, and Anca Muscholl, editors, 44th International Colloquium on Automata, Languages, and Programming (ICALP 2017), volume 80 of LIPIcs, pages 100:1–100:14. Schloss Dagstuhl – Leibniz-Zentrum für Informatik, 2017. URL: http://arxiv.org/abs/1611.08554, doi:10.4230/LIPIcs.ICALP.2017.100.
18. Moshe Y. Vardi. The complexity of relational query languages (extended abstract). In Harry R. Lewis, Barbara B. Simons, Walter A. Burkhard, and Lawrence H. Landweber, editors, Proceedings of the 14th Annual ACM Symposium on Theory of Computing, May 5-7, 1982, San Francisco, California, USA, pages 137–146. ACM, 1982. doi:10.1145/800070.802186.
Algorithm 1  Transition maker of the automaton from Example 5

    if ∃ neighbor nb (nb.root < my.root):
        my.state ← 1;  my.parent ← nb.self;  my.root ← nb.root                } Rule 1
    else if my.state = 1 ∧ ∀ neighbor nb [nb.root = my.root ∧ (nb.parent ≠ my.self ∨ nb.state = 2)]:
        my.state ← 2                                                           } Rule 2
    else if (my.state = 2 ∧ my.root = my.self) ∨ (my.parent.state = 3):
        my.state ← 3                                                           } Rule 3
    else:
        do nothing
A Spanning-tree automaton
A.1 Run of the spanning-tree automaton
We consider again the spanning-tree automaton of Example 5 on page 7. For convenience, we recall its transition maker in Algorithm 1 above. An example run is illustrated in Figure 2. The natural number within a node is the current content of its register root (which, at the beginning of the run, equals the identifier of the respective node). The parent-relation is represented by thick arrows, where we omit self-loops. Moreover, white nodes are in state 1, gray ones in state 2, and black ones in state 3. Note that nodes 2 and 7 toggle between states 1 and 2 before terminating in state 3. In the broadcast phase (last row), node 0 is the first one to enter state 3. The state is then propagated to all other nodes to announce successful termination.
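To complement the pictured run, the three rules can be simulated synchronously in a few lines of Python. This is our own toy reconstruction, not the paper's code; in particular, when several neighbors offer a smaller root, we let Rule 1 pick the one with the smallest root.

```python
# Synchronous simulation of Rules 1-3 from Algorithm 1. The registers
# state, root, and parent are modelled as one dictionary each; every
# round reads the previous configuration and writes the next one.

def simulate(nodes, edges):
    nbrs = {u: sorted(v for e in edges for v in e if u in e and v != u)
            for u in nodes}
    st = {u: 1 for u in nodes}
    root = {u: u for u in nodes}
    parent = {u: u for u in nodes}
    while not all(st[u] == 3 for u in nodes):
        st2, root2, parent2 = dict(st), dict(root), dict(parent)
        for u in nodes:
            better = [v for v in nbrs[u] if root[v] < root[u]]
            if better:                                       # Rule 1
                nb = min(better, key=lambda v: root[v])
                st2[u], parent2[u], root2[u] = 1, nb, root[nb]
            elif st[u] == 1 and all(root[v] == root[u] and
                                    (parent[v] != u or st[v] == 2)
                                    for v in nbrs[u]):       # Rule 2
                st2[u] = 2
            elif (st[u] == 2 and root[u] == u) or st[parent[u]] == 3:
                st2[u] = 3                                   # Rule 3
        st, root, parent = st2, root2, parent2
    return parent

# A 4-cycle 0-1-3-2-0: all roots converge to 0, and the parent
# pointers form a spanning tree rooted at node 0.
print(simulate([0, 1, 2, 3], [(0, 1), (1, 3), (3, 2), (2, 0)]))
# {0: 0, 1: 0, 2: 0, 3: 1}
```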
A.2 Correctness of the spanning-tree automaton
First, we observe that in every graph G = (V, E), there must be a node that eventually enters state 3. Indeed, it is straightforward to show by induction that, for every node v at distance i from node 0, if v has not reached state 3, then at every time t ≥ i we have v.root = 0 and v.parent points to some fixed node v′ at distance i − 1 (unless v = 0). Note that v will never modify its registers again once v.root = 0, because the only rule that could potentially modify the registers, i.e., Rule 1, is not applicable. Hence, if no node has reached state 3 after at most diameter(G) rounds of communication, then the parent pointers represent a valid spanning tree rooted at node 0. (Remember that G is by definition connected.) Since this tree remains forever unchanged, it is easy to verify that node 0 will eventually enter state 3, which causes all other nodes to eventually do the same, and thus the automaton to halt. What remains to be shown is that no other node reaches state 3 before node 0 does.

To this end, let us assume that u is the first node to enter state 3, and that it does so in the (t + 1)-th round. Therefore, according to Rule 3,

    at time t:  (u.state = 2 ∧ u.root = u).        (a)

Fig. 2.
A run of the spanning-tree automaton from Example 5
Our goal is to show that u is necessarily node 0. For i ∈ ℕ, let U_i be the set of nodes at distance exactly i from u. Moreover, for notational convenience, we set U_{−1} = U_0 (which is {u}). By a similar inductive argument as above, we can easily see that for all i ∈ ℕ and v ∈ U_{i+1},

    at every time t′ ∈ ℕ:  (v.root = u  ⟹  v.parent ∈ U_i).        (b)

Based on (a) and (b), we now prove the following property:

Lemma 11.
For all i ∈ [t], we have

    at time t − i:  ∀v ∈ U_i:  (v.state = 2 ∧ v.root = u).        (P_i)
We proceed by induction. P_0 is obvious, since it coincides with our assumption (a). So suppose that P_i holds. We will show P_{i+1}.

Take any node v ∈ U_i. By the induction hypothesis, at time t − i, we have v.state = 2 and v.root = u. Suppose that v reaches such a local configuration for the first time at time t′ ≤ t − i. Note that v cannot change its local configuration between times t′ and t − i (the only way to do so would be to choose another root, but then it could not return to root u anymore). Let v′ ∈ U_{i+1} be adjacent to v. According to Rule 2, at time t′ − 1, we must have v′.root = u. Moreover, v′ continues to have v′.root = u until time t − (i + 1) (otherwise, v would have a different root than u at time t − i).

Now, take any v′ ∈ U_{i+1}. We just showed that, at time t − (i + 1), we have v′.root = u. It remains to show that we also have v′.state = 2 at time t − (i + 1). Let v be v′.parent at time t − (i + 1). By (b), we know that v ∈ U_i. Let t′ ≤ t − i be as above, i.e., the first point in time where v.state = 2 and v.root = u. According to Rule 2, at time t′ − 1, we must have v′.root = u. As v′.root = u at time t − (i + 1), too, v′.parent is the same for all t̂ ∈ [t′ − 1, t − (i + 1)]. In particular, v′.parent = v at time t′ − 1. By Rule 2, this implies v′.state = 2 at time t′ − 1, and therefore also v′.state = 2 at time t − (i + 1). This proves P_{i+1}. ⊓⊔

To conclude, we argue that Lemma 11 implies u = 0. It suffices to observe that for every node v, if v.root = u at any point in time, then u ≤ v. Since Lemma 11 tells us that every node v has u in its register root at some point in time, we can deduce that u ≤ v for every node v ∈ V, which implies u = 0.

B Syntactic sugar for functional fixpoint logic
B.1 Encoding sets as functions
To simplify the exposition and some of the proofs, we have defined functional fixpoint logic in such a way that the operator pfp can bind only function variables. However, since it is straightforward to encode sets of nodes as functions, we often take the liberty of writing formulas in which pfp binds both function and set variables. We now justify this formally by showing how set variables can always be eliminated.

To this end, let us fix an infinite supply S of set variables. We extend the syntax of first-order logic to allow atomic formulas of the form t ∈ X, where t is a term and X is a set variable in S. Naturally, the semantics is that “t is an element of X”, and we will use t ∉ X as an abbreviation for ¬(t ∈ X). The definitions of free variables, variable assignment, interpretation, and satisfaction are generalized to set variables in the obvious way.

Since we consider only graphs that have at least two nodes and are equipped with a total order, any set of nodes U can be represented by a function that maps nodes in U to their direct successors and nodes outside of U to themselves. The reason for choosing the direct successor is simply that it is both easy to specify and well-defined for all nodes in all graphs, assuming we consider the minimum node to be the direct successor of the maximum node. The following first-order formula schema states that the node represented by term t is the direct successor of the node represented by term s:

    succ[s, t] := (s < t ∧ ¬∃z (s < z ∧ z < t)) ∨ ∀z (t ≤ z ∧ z ≤ s)

(We write, for instance, “succ[x, y]” to instantiate this schema with node variables x and y.)

Now, let us consider a formula of the form pfp[(f_i : ϕ_i)_{i∈(ℓ]}, (X : ϑ)] ψ, where X ∈ S, f_1, …, f_ℓ ∈ F, and ϕ_1, …, ϕ_ℓ, ϑ, ψ are formulas. We assume that the variable out does not occur freely in ϑ.
On an intuitive level, since X is a set variable, the set membership defined by ϑ is with respect to a single special variable, namely in. A node v lies in the corresponding set precisely if ϑ is satisfied by interpreting in as v. The stages of the partial fixpoint induction are computed as before, the only novelty being that X is initialized to the empty set (while the function variables f_1, …, f_ℓ are still initialized to the identity function). If the sequence of stages does not converge to a fixpoint, the partial fixpoint is the same as the initial stage (i.e., ∅ for set variables and id_V for function variables).

We can easily eliminate X by replacing it with a fresh function variable f_X. More precisely, we rewrite the preceding formula as pfp[(f_i : ϕ′_i)_{i∈(ℓ]}, (f_X : ϑ′)] ψ′. To transform (ϕ_i)_{i∈(ℓ]} and ψ into their new forms (ϕ′_i)_{i∈(ℓ]} and ψ′, it suffices to replace every occurrence of an atomic formula of the form t ∈ X with its encoded representation f_X(t) ≠ t. That is, for instance, ψ′ := ψ[t ∈ X ↦ f_X(t) ≠ t]. For the subformula ϑ′, we additionally have to ensure that f_X is interpreted as a function that maps a node to its direct successor if and only if it is contained in the new interpretation of X. Thus, we define

    ϑ′ := ϑ[t ∈ X ↦ f_X(t) ≠ t] ∧ succ[in, out].

Notice that our encoding scheme preserves the partial fixpoint of the original formula. In particular, if the sequence of stages does not converge, then f_X is interpreted as id_V, which represents the empty set.

B.2 Quantification over functions
Since partial fixpoint inductions allow us to iterate over various interpretations of a function variable, they provide a way of expressing (second-order) quantification over functions. To make this more convenient, we add function quantifiers as “syntactic sugar” to the language of functional fixpoint logic and show how they can be converted into pfp operators.

Consider a formula of the form ∃f ϕ, where f is a function variable and ϕ is a formula. Obviously, the semantics is that “there exists a function f such that ϕ holds”. In the following, we simulate this existential quantification by a partial fixpoint induction that iterates over all possible interpretations of f. If there exists no interpretation satisfying ϕ, then the sequence of stages of our induction cycles forever through all functions, never reaching a fixpoint. Otherwise, it ends up looping on the first function that satisfies ϕ. This function therefore becomes the interpretation assigned to f by the partial fixpoint operator.

To perform the iteration described above, we need to define a cyclic order on the set of all functions. This is easy because we restrict ourselves to graphs whose nodes are totally ordered. Thus, each function on a given input graph G = (V, E) can be thought of as a |V|-digit number written in base |V|, where the i-th least significant digit represents the value taken by the function at the i-th smallest node. Based on this, the direct successor of a function is simply the function that corresponds to its number incremented by 1. Additionally, to make the order cyclic, we stipulate that the smallest function is the direct successor of the largest function; in other words, there is an “integer overflow”.

It only remains to implement these ideas in functional fixpoint logic. Without loss of generality, we may assume that ϕ does not contain any free occurrences of in and out.
Hence, we can rewrite ∃f ϕ as the partial fixpoint formula pfp[f : ψ] ϕ, where

    ψ :=   (  [ϕ ∨ ∃x ∃y (x < in ∧ f(x) < y)]  ⇒  out = f(in)      )
         ∧ ( ¬[ϕ ∨ ∃x ∃y (x < in ∧ f(x) < y)]  ⇒  succ[f(in), out] ).

The subformula ψ distinguishes between three cases in order to determine how to update the interpretation of f. First, as stated in the first line of the big conjunction, if the current interpretation already satisfies ϕ, then it is maintained. Intuitively, this can be read as: “the new value out of f at in is equal to its current value f(in)”. Second, even if f (or rather the number representing it) has to be incremented, the function may retain its current value at some nodes. In fact, “the value of digit in remains unchanged as long as there is some less significant digit x that can still be incremented”. Third, as stated in the second line of the big conjunction, if none of the two previous cases apply, then “the value of digit in must be incremented if possible and otherwise reset”. We express this using the formula schema succ[s, t] from Section B.1 to ensure that “the new value out is the direct successor of the current value f(in)”.

Now, when we evaluate the formula pfp[f : ψ] ϕ on a structure (G, q), σ, there are two possibilities. Either there exists no interpretation of f that satisfies ϕ, in which case the partial fixpoint induction does not reach a fixpoint. This means that f defaults to id_V and pfp[f : ψ] ϕ evaluates to false. Or ϕ can be satisfied, in which case the induction reaches a satisfying fixpoint. This fixpoint is chosen as the interpretation of f, and pfp[f : ψ] ϕ evaluates to true. In both cases, the result is the same as when evaluating ∃f ϕ on (G, q), σ.

C From automata to logic
We now prove the first part of Theorem 1 (stated in Section 1) by showing that functional fixpoint logic is at least as expressive as distributed register automata:
Proposition (9).
For every distributed register automaton that decides a graph property, we can effectively construct an equivalent formula of functional fixpoint logic.
The rest of this section is devoted to the proof of Proposition 9. We consider a distributed register automaton A = (Q, R, ι, Δ, H, o) with transition maker Δ = (Q̃, R̃, ι̃, δ̃, õ) and assume that A decides a graph property P over label set I. In the remainder of this section, we construct a formula ϕ_A of functional fixpoint logic that defines P. As our exposition goes into full detail, it is a bit lengthy. To make it clear how all the pieces fit together, we present the construction in a top-down manner.

(Footnote: Otherwise, we replace ∃f ϕ with the equivalent formula ∃x, y (x = in ∧ y = out ∧ ∃f ϕ[in, out ↦ x, y]), where ϕ’s free occurrences of in and out are substituted with fresh node variables x and y.)

For each state q ∈ Q, our formula uses a set variable X_q to represent the set of nodes of the input graph that are in state q. Furthermore, for each register r ∈ R, it uses a function variable f_r to represent the function that maps each node u to the node v whose identifier is stored in u’s register r. By means of a partial fixpoint operator, we will ensure that on any I-labeled graph (G, q), the interpretations of (X_q)_{q∈Q} and (f_r)_{r∈R} represent the halting configuration reached by A on (G, q). Hence, the final formula is simply

ϕ_A := pfp[(X_q : ϕ_q)_{q∈Q}, (f_r : ϕ_r)_{r∈R}]  ∀x ( ⋁_{p∈H : o(p)=yes} x ∈ X_p ),

which states that all nodes end up in a halting state that outputs yes.

C.1  Simulating the automaton
The real work is now to construct the formulas (ϕ_q)_{q∈Q} and (ϕ_r)_{r∈R} in such a way that for all i ∈ ℕ, the (i+1)-th stage of the partial fixpoint induction represents the configuration reached by A in the i-th round. Note that in doing so, we make sure that the infinite sequence of stages reaches a fixpoint (given our assumption that the automaton is a decider and thus eventually halts).

For each state q ∈ Q, we update the set variable X_q with the formula

ϕ_q := ( ⋁_{a∈I : ι(a)=q} ⟨a⟩ in  ∧  ⋀_{p∈Q} in ∉ X_p )  ∨  ϕ^Δ_q  ∨  (in ∈ X_q),

where the third disjunct is present only if q ∈ H. Note that this formula makes use of the syntactic sugar introduced in Subsection B.1, which allows us to update set variables without any explicit reference to the variable out. The first disjunct of ϕ_q ensures that stage 1 of the partial fixpoint induction corresponds to the initial configuration of the automaton. It does so by stating that a node (represented by the variable in) will belong to X_q in the next stage if its input label a maps to q and it does not belong to any set X_p in the current stage. The latter part holds only in stage 0, where all set variables are initialized to ∅. In the second disjunct, we use the subformula ϕ^Δ_q defined below to ensure that if node in is currently active, i.e., in a non-halting state, then in switches to state q when executing the transition maker Δ. Finally, in case q is a halting state, the third disjunct of ϕ_q states that in remains in q if it is already there. This formalizes the fact that halting states are never left.

To implement the above-mentioned subformula ϕ^Δ_q, we use another partial fixpoint induction, which simulates the behavior of the transition maker Δ between two consecutive synchronous rounds. This second induction is thus nested within the main induction of ϕ_A.
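Viewed operationally, the outer induction simply replays the synchronous execution round by round. The following toy Python sketch (our own names; a plain state-transition function stands in for the transition maker, and registers are omitted) illustrates how stage i+1 arises from stage i and why halting states are frozen:

```python
def run_rounds(init, delta, halting, neighbors, max_rounds=100):
    """init: dict node -> initial state; delta: (own state, sorted list of
    neighbor states) -> new state; halting: set of halting states.
    Returns the stable configuration, mirroring the fixpoint of the
    outer induction."""
    state = dict(init)
    for _ in range(max_rounds):
        new = {}
        for v, nbrs in neighbors.items():
            if state[v] in halting:
                new[v] = state[v]       # halting states are never left
            else:
                new[v] = delta(state[v], sorted(state[u] for u in nbrs))
        if new == state:                # configuration stable: fixpoint
            return state
        state = new
    return state
```

As a usage example, flooding an accepting verdict through a path graph (each active node switches to `'yes'` as soon as it sees a `'yes'` neighbor) stabilizes with every node in the halting state `'yes'`.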
Similarly to before, we introduce a set variable Y_q̃ for each inner state q̃ and a function variable g_r̃ for each inner register r̃. These variables serve to encode the inner configurations of the transition maker at each node, in the same way as the variables (X_q)_{q∈Q} and (f_r)_{r∈R} encode the local configurations of the automaton. Furthermore, we introduce a function variable g_▷ to represent the transition maker’s reading head at each node and a set variable Y_end to represent the set of nodes that have finished scanning their neighborhood. We will make sure that once the nested partial fixpoint has been reached, the variables (Y_q̃)_{q̃∈Q̃} and (g_r̃)_{r̃∈R̃} represent the final inner configurations reached by the nodes. Relying on that, we define

ϕ^Δ_q := ( ⋁_{p∈Q∖H} in ∈ X_p )  ∧  pfp[(Y_q̃ : ψ_q̃)_{q̃∈Q̃}, (g_r̃ : ψ_r̃)_{r̃∈R̃}, g_▷ : ψ_▷, Y_end : ψ_end]  ⋁_{q̃∈Q̃ : ∃β̃, õ(q̃)=(q,β̃)} in ∈ Y_q̃.

The first conjunct simply checks that in is currently in a non-halting state, which means that it is allowed to run the transition maker Δ. The second conjunct expresses that after running the transition maker, in is in some inner state q̃ from which Δ outputs state q.

Continuing with our top-down approach, we first complete the discussion of the outer partial fixpoint induction of ϕ_A before turning to the nested one. For each register r ∈ R, the formula with which we update f_r is

ϕ_r := ϕ^Δ_r  ∨  ( ⋁_{p∈H} in ∈ X_p  ∧  out = f_r(in) ).

Here, the subformula ϕ^Δ_r states that in is still in a non-halting state and writes the identifier of out to its register r after running the transition maker. The second disjunct of ϕ_r covers the case where in has already reached a halting state, forcing it to maintain its current valuation of r.
Note that neither of the two disjuncts is satisfied if all set variables are interpreted as the empty set, as is the case in stage 0 of the (outer) partial fixpoint induction. Therefore, ϕ_r does not define a functional relationship in stage 0, which means that the interpretation of f_r in stage 1 defaults to the identity function. Rather conveniently, this is precisely what we want, i.e., stage 1 represents the initial configuration of the automaton. Here we rely on the assumption that A has no input registers (because it decides a graph property) and therefore initializes the registers of each node to the node’s own identifier.

The implementation of ϕ^Δ_r is very similar to that of ϕ^Δ_q. In particular, it uses the same nested induction to simulate Δ:

ϕ^Δ_r := ( ⋁_{p∈Q∖H} in ∈ X_p )  ∧  pfp[(Y_q̃ : ψ_q̃)_{q̃∈Q̃}, (g_r̃ : ψ_r̃)_{r̃∈R̃}, g_▷ : ψ_▷, Y_end : ψ_end]  ⋁_{q̃∈Q̃, r̃∈R̃ : ∃q,β̃, õ(q̃)=(q,β̃) ∧ β̃(r)=r̃} ( in ∈ Y_q̃ ∧ out = g_r̃(in) ).

The only difference to ϕ^Δ_q is the big disjunction within the scope of the pfp operator. It stipulates that in ends up in some inner state q̃ that causes the transition maker to update in’s register r to the identifier of out. For this to be true, the identifier of out must be stored in the inner register r̃ that is used to update r.

C.2  Simulating the transition maker
We now come to the nested partial fixpoint induction. As briefly mentioned above, it uses two helper variables g_▷ and Y_end to keep track of the transition maker’s scanning process. In each stage of the induction, g_▷ is interpreted as a function that maps each node u to the node v that is currently scanned by (the transition maker at) u. In other words, this function gives us the current position of each node’s reading head. Since every node starts by reading its own local configuration, it comes in handy that g_▷ is initialized to the identity function at stage 0 of the nested induction. The function is then updated with the following formula (writing s ⌢ t for the adjacency predicate):

ψ_▷ := in ⌢ out  ∧  [ ( g_▷(in) = in  ∧  ∀x (in ⌢ x ⇒ out ≤ x) )
   ∨ ( g_▷(in) ≠ in  ∧  g_▷(in) < out  ∧  ∀x (in ⌢ x ∧ g_▷(in) < x ⇒ out ≤ x) )
   ∨ ( g_▷(in) ≠ in  ∧  g_▷(in) = out  ∧  ∀x (in ⌢ x ⇒ x ≤ out) ) ].

Here, the first conjunct ensures that the reading head of in can be moved only to a neighbor of in, while the big disjunction below is responsible for selecting the smallest neighbor that has not yet been visited. The first line of the disjunction covers the initial step, where the reading head is still at in and must be moved to the smallest of all neighbors. The second line corresponds to the case where the head is moved from one neighbor to the next-smallest one. Finally, the third line states that once the head has reached the greatest neighbor, it remains there. This is important to ensure that the sequence of stages converges to a fixpoint. Also note that ψ_▷ always defines a total function because every node has at least one neighbor. (This follows from our restriction to connected graphs with at least two nodes.)

Since the reading head of the transition maker remains at the last-visited node, we must prevent that node from being processed more than once.
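In operational terms, the head-advancement rule and the end-of-scan test can be sketched in a few lines of Python (our own names; `neighbors` is the sorted list of a node’s neighbor identifiers):

```python
def advance_head(v, head, neighbors):
    """One step of the head-movement rule: from v itself go to the smallest
    neighbor; from a neighbor go to the next-smallest one; stay put once
    the greatest neighbor has been reached."""
    if head == v:                       # initial step
        return neighbors[0]
    larger = [u for u in neighbors if u > head]
    if larger:                          # next-smallest unvisited neighbor
        return min(larger)
    return head                         # greatest neighbor: remain there

def finished(v, head, neighbors):
    """End-of-scan test: v is done once its head sits on its greatest neighbor."""
    return head != v and all(u <= head for u in neighbors)
```

For a node 3 with neighbors [2, 5, 7], the head visits 2, then 5, then 7, and then stays at 7, at which point `finished` becomes true.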
This is the purpose of the set variable Y_end, which will be interpreted as the set of all nodes that have finished scanning their neighborhood. If in’s reading head reaches the last neighbor in stage i, then in is added to Y_end in stage i+1:

ψ_end := g_▷(in) ≠ in  ∧  ∀x (in ⌢ x ⇒ x ≤ g_▷(in)).

Having formalized how the transition maker Δ scans its input, we now make use of the variables g_▷ and Y_end to define how it updates its inner configuration. For each inner state q̃ ∈ Q̃, the set variable Y_q̃ is updated with the formula

ψ_q̃ := ( in ∈ Y_end ∧ in ∈ Y_q̃ )  ∨  ( in ∉ Y_end  ∧  ⋁_{p̃∈Q̃, p∈Q, ≺ ⊆ (R̃∪R)² : ∃α̃, δ̃(p̃,p,≺)=(q̃,α̃)} ϑ^curr_{(p̃,p,≺)} ).

The first disjunct states that Δ remains in q̃ if it has reached the end of its input and is currently in q̃, whereas the second disjunct describes an inner transition to q̃ in case Δ has not yet terminated. For such an inner transition to take place, q̃ must be the inner state that is obtained when applying δ̃ to the current inner state p̃ of in, the current state p of g_▷(in), and the relation ≺ that compares the inner register values of in with the register values of g_▷(in).
Our formula expresses this as a disjunction over all possible choices of p̃, p, and ≺ that lead to q̃, using the subformula ϑ^curr_{(p̃,p,≺)} to check whether p̃, p, and ≺ do indeed correspond to the current inner configuration of in and local configuration of g_▷(in).

Implementing ϑ^curr_{(p̃,p,≺)} for any p̃ ∈ Q̃, p ∈ Q, and ≺ ⊆ (R̃ ∪ R)² is straightforward:

ϑ^curr_{(p̃,p,≺)} := ϑ^curr_p̃  ∧  g_▷(in) ∈ X_p
   ∧  ⋀_{s̃∈R̃, s∈R : s̃≺s} g_s̃(in) < f_s(g_▷(in))   ∧  ⋀_{s̃∈R̃, s∈R : s≺s̃} f_s(g_▷(in)) < g_s̃(in)
   ∧  ⋀_{s̃,s̃′∈R̃ : s̃≺s̃′} g_s̃(in) < g_s̃′(in)   ∧  ⋀_{s,s′∈R : s≺s′} f_s(g_▷(in)) < f_s′(g_▷(in)).

In the first line, we state that p̃ is the inner state of in and p is the state of g_▷(in). For the former, we use the little helper formula ϑ^curr_p̃ defined below. In the remaining two lines, we check that all inequalities specified by ≺ are satisfied.

The reason for using the helper formula ϑ^curr_p̃ is that the inner state of in is not represented explicitly in stage 0 of the nested induction. Therefore, if in does not belong to any set Y_q̃, we assume that it is in the inner initial state ι̃:

ϑ^curr_p̃ := in ∈ Y_p̃ ∨ ⋀_{q̃∈Q̃} in ∉ Y_q̃   if p̃ = ι̃,   and   ϑ^curr_p̃ := in ∈ Y_p̃   otherwise.

Note that since we represent each inner register r̃ by a function variable g_r̃, our encoding does not take into account that inner registers can hold the undefined value ⊥. In particular, in stage 0 of the nested induction, g_r̃ is interpreted as the identity function, whereas the transition maker initializes r̃ to ⊥.
However, we may assume without loss of generality that when the transition maker starts in its initial inner configuration (ι̃, {r̃ ↦ ⊥}_{r̃∈R̃}) and reads the first local configuration (p, ρ) of its input sequence, it updates each of its inner registers to some value provided by ρ (and thus distinct from ⊥) that depends only on p and the order relation between the register values of ρ. More formally, we assume that for every state p ∈ Q and all binary relations ≺, ≺′ ⊆ (R̃ ∪ R)² such that r ≺ s if and only if r ≺′ s for all r, s ∈ R, we are guaranteed that δ̃(ι̃, p, ≺) = δ̃(ι̃, p, ≺′) = (q̃, α̃) such that α̃(r̃) ∈ R for all r̃ ∈ R̃. On that basis, we may substitute the initial inner configuration at node v with the indistinguishable inner configuration (ι̃, {r̃ ↦ v}_{r̃∈R̃}), which is precisely what we do in stage 0.

To complete our construction, it only remains to specify how the inner registers are updated. For each r̃ ∈ R̃, we define the formula

ψ_r̃ := ( in ∈ Y_end ∧ out = g_r̃(in) )
   ∨ [ in ∉ Y_end ∧ ( ⋁_{p̃∈Q̃, p∈Q, ≺ ⊆ (R̃∪R)², s̃∈R̃ : ∃q̃,α̃, δ̃(p̃,p,≺)=(q̃,α̃) ∧ α̃(r̃)=s̃} ( ϑ^curr_{(p̃,p,≺)} ∧ out = g_s̃(in) )
   ∨ ⋁_{p̃∈Q̃, p∈Q, ≺ ⊆ (R̃∪R)², s∈R : ∃q̃,α̃, δ̃(p̃,p,≺)=(q̃,α̃) ∧ α̃(r̃)=s} ( ϑ^curr_{(p̃,p,≺)} ∧ out = f_s(g_▷(in)) ) ) ],

whose basic structure is very similar to that of ψ_q̃. The first line just states that the transition maker Δ retains the current value of r̃ if it has reached the end of its input. The second line covers the case where Δ has to update in’s inner register r̃ to a new value out, based on what it sees from the current inner configuration of in and the current local configuration of g_▷(in).
When Δ evaluates its inner transition function δ̃ on the currently seen inner state p̃, state p, and relation ≺, there are two possibilities: either the new value of r̃ is obtained from some inner register s̃ of in, or it is obtained from some register s of g_▷(in). These two possibilities are expressed by the two big disjunctions in the second line of ψ_r̃.

D  From logic to automata
We will now take the opposite direction and go from formulas to automata. Hence, this section is devoted to the proof of the following result:
Proposition (10).
For every formula of functional fixpoint logic that defines a graph property, we can effectively construct an equivalent distributed register automaton.
We proceed by induction, i.e., we construct automata for subformulas, which will then be put together to produce automata for composed formulas. The invocation of automata as subroutines will be more convenient if they are centralized. Intuitively, this means that a dedicated root initiates an execution and, at the end, collects an acknowledgment from all the other processes before terminating. Consider the set of registers R_tree = {parent, root} and suppose C ∈ C(Q, R) is a configuration such that R_tree ⊆ R. We call C a spanning-tree configuration if the valuations of parent and root form a spanning tree in C as computed by the algorithm from Example 5.

Definition 12 (Centralized automaton). A centralized automaton is a distributed register automaton A with input registers R_in and output registers R_out such that R_tree ⊆ (R_in ∖ R_out) and all runs of A starting in a spanning-tree input configuration satisfy the following properties:

1. A non-root node can only leave its initial local configuration after its parent has changed its local state for the first time.
2. The run eventually halts, and the root is the last node to terminate (i.e., no node enters a halting state after the root does).
3. The registers in (R_in ∖ R_out) are not modified during the run.

Essentially, the notion of centralized automaton provides a way to combine and reason about distributed register automata in a fully sequential way. Given a centralized automaton A₁ = (Q₁, R₁, ι₁, Δ₁, H₁, o₁) with input registers R_in and output registers R_out, we can construct another centralized automaton A₂ = (Q₂, R₂, ι₂, Δ₂, H₂, o₂) that uses A₁ as a subroutine. To this end, we make sure that Q₂ is a Cartesian product of the form S × {main, call} × Q₁ and that R₂ includes R₁. In any execution of A₂, every node is initially in the main mode (by which we mean that the relevant component of its state is main). While in this mode, a node behaves according to the algorithm implemented by A₂. The algorithm must be such that at some point in time, all nodes except the root of the spanning tree are idle, and the current configuration of A₂ yields a desired initial configuration of A₁ if we project all states to their Q₁-component and consider only those registers that belong to R₁. Then, the root can launch a nested execution of A₁ by entering the call mode. While in this mode, a node must simulate automaton A₁, using only the Q₁-component of its state and its R₁-registers. Whenever a node in the main mode sees that one of its neighbors has entered the call mode, it does the same. Since A₁ is centralized, by Definition 12 (1), this approach yields a faithful simulation of A₁, despite the fact that the nodes do not enter the call mode simultaneously. Moreover, by Definition 12 (2), once the root has reached a halting state of A₁, it knows that the automaton has halted everywhere. The root can thus switch back to the main mode and resume executing A₂. The other nodes do the same as soon as one of their neighbors has done so. As a result, automaton A₂ can use the output configuration produced by A₁.
Since by Definition 12 (3), A₁ does not modify the registers in R_in ∖ R_out, we can rely on them being the same as before calling A₁. In particular, the spanning tree represented by the registers in R_tree remains unchanged.

Note that while the preceding approach may lead to very inefficient algorithms from the perspective of distributed computing, it is sufficient for the purposes of this paper, since we only want to characterize the fundamental expressive power of distributed register automata.

As our proof of Proposition 10 will proceed by induction on the structure of formulas, we will have to cope with the interpretations of free node and function variables. To this end, we are going to encode interpretations into configurations. Consider a spanning-tree configuration C = ((V, E), q, r) ∈ C(Q, R), with root v, such that the set R contains variables from N ∪ F. Then, C defines a variable assignment σ as follows: For a node variable x ∈ R, we let x^σ = r(v)(x). That is, the interpretation of variable x is the value of register x at the root. Moreover, each register f ∈ R ∩ F encodes an interpretation f^σ of the function variable f by letting f^σ(v) = r(v)(f) for all v ∈ V.

The next preparatory proposition states that there is a centralized automaton that evaluates a term with respect to the variable assignment encoded in the input configuration.
Proposition 13 (Automata for terms).
Let t be a term. There is a centralized automaton A_t computing a transduction T_{A_t} : C( , R_tree ∪ free(t)) → C( , {t}) such that, given a spanning-tree input configuration C = (G, q, r) with G = (V, E) and root v ∈ V encoding a variable assignment σ, the automaton eventually outputs a configuration C′ = (G, q, r′) satisfying r′(v)(t) = t^σ.

Proof. Let t = f_ℓ(… f₂(f₁(x)) …). Note that free(t) = {f₁, …, f_ℓ, x}. The case ℓ = 0 is trivial, so suppose ℓ ≥ 1. For i ∈ [1 : ℓ], let t_i = f_i(… f₁(x) …). Given a spanning-tree input configuration C = ((V, E), q, r), the automaton A_t will use auxiliary registers t_i to compute and store the intermediary values t^σ_i = f^σ_i(… f^σ₁(x^σ) …). The register t = t_ℓ is the only output register. We compute the values for t₁, …, t_ℓ successively. As an invariant, we maintain that, after computing t^σ_i, the root stores t^σ_i in its register t_i.

We reserve an auxiliary register self for storing the own identifier of a node. To compute t^σ_{i+1}, we proceed as follows. Starting from the root, the value of t^σ_i is propagated to all nodes along the spanning tree down to the leaves. The leaves, in turn, initiate a back-propagation phase, where an internal node waits for signals from all its children, notifies its parent, and then terminates. However, during this back-propagation, the node whose identifier coincides with t^σ_i includes the contents of its register f_{i+1} in its message to its parent node, which propagates it further, until the value reaches the root. The latter stores it in its register t_{i+1}. ⊓⊔

As further preparation for the inductive translation of formulas, we describe a subroutine that allows the root to increment a register by one.
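Before moving on, note that the proof’s successive computation of t₁, …, t_ℓ condenses, sequentially, to plain function composition. The following Python sketch (our own representation: each f_i is a dict from node identifiers to node identifiers) captures what the ℓ propagation phases compute:

```python
def eval_term(x, fs):
    """fs = [f1, ..., fl]; returns t^sigma = fl(...f1(x)...).
    Each loop iteration corresponds to one propagation/back-propagation
    phase of A_t: node 'value' contributes its register f_{i+1}."""
    value = x            # t_0 = x, initially stored at the root
    for f in fs:
        value = f[value]
    return value         # t_l, the root's output register t
```

With `f1 = {0: 1, 1: 2, 2: 0}` and `f2 = {0: 0, 1: 0, 2: 1}`, the term f₂(f₁(x)) evaluates at x = 1 to f₂(2) = 1; the empty list covers the trivial case ℓ = 0.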
Proposition 14 (Register incrementation).
Let r be a register. There is a centralized automaton A_r++ computing a transduction T_{A_r++} : C( , R_tree ∪ {r}) → C( , {r}) such that, given a spanning-tree input configuration C = (G, q, r) with G = (V, E) and root v ∈ V, the automaton eventually outputs a configuration C′ = (G, q, r′) satisfying r′(v)(r) = min{r(v)(r) + 1, |V| − 1}.

Proof. First, the current value w of v’s register r is broadcast through the entire graph. Then, every node u sends to its parent in the spanning tree the smallest value greater than w among the node identifiers in the subtree rooted at u (provided that this subtree contains such an identifier). This procedure starts at the leaves and works its way up to the root. There, the smallest value obtained must be w + 1. ⊓⊔

We are now ready to transform any formula into an equivalent automaton.
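Abstracting away the tree traversal, the value A_r++ computes is just the smallest identifier greater than w, capped at the maximum identifier. A minimal Python sketch (our own names; `ids` stands for the identifiers present in the graph, here 0, …, n−1):

```python
def increment(w, ids):
    """Smallest identifier greater than w, or w itself if none exists;
    on ids {0, ..., n-1} this equals min(w + 1, n - 1)."""
    greater = [u for u in ids if u > w]
    return min(greater) if greater else w   # w already maximal: unchanged
```

For example, on a six-node graph, incrementing 3 yields 4, while incrementing the maximal identifier 5 leaves it at 5.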
Proposition 15.
Let ϕ be a formula of functional fixpoint logic over some finite set of labels I. There is a centralized automaton A_ϕ computing a transduction T_{A_ϕ} : C(I, R_tree ∪ free(ϕ)) → C({yes, no}, ∅) such that, given a spanning-tree input configuration C = (G, q, r) with G = (V, E) and root v encoding a variable assignment σ, the automaton eventually outputs a configuration C′ = (G, q′, r′) satisfying q′(v) = yes if and only if (G, q), σ ⊨ ϕ.

Proof. We proceed by induction on the structure of formulas.
Case ϕ = ⟨a⟩ t. Given a spanning-tree input configuration C = ((V, E), q, r) encoding a variable assignment σ, the automaton A_ϕ first applies, as a subroutine, A_t from Proposition 13. The latter eventually outputs a configuration in C( , {t}) such that the value of register t at the root is t^σ. Similarly to the construction of Proposition 13, the root then broadcasts t^σ to all other nodes along the spanning tree, down to the leaves. During a subsequent back-propagation phase, node t^σ checks whether its label is equal to a. Accordingly, it sends either yes or no to its parent, which propagates it further until it reaches the root.

Case ϕ = s < t. As a subroutine, the root first launches A_s and then A_t so that it eventually stores, in (auxiliary) registers s and t, the interpretations s^σ and t^σ, respectively. The root then compares both values and outputs the corresponding truth value.

Case ϕ = s ⌢ t. Like in the previous case, the root first launches A_s and then A_t so that it eventually stores s^σ and t^σ in registers s and t, respectively. Both are then propagated along the spanning tree. During a subsequent back-propagation, node s^σ checks whether t^σ is in its neighborhood. The corresponding truth value is forwarded back to the root.

Case ϕ = ¬ψ. As a subroutine, A_{¬ψ} first applies A_ψ to the given spanning-tree input configuration. Upon termination, the root will just flip the node label from yes to no or vice versa.

Case ϕ = ϕ₁ ∨ ϕ₂. The automaton A_ϕ first applies A_{ϕ₁} as a subroutine. If the root outputs yes, then it stops. Otherwise, A_{ϕ₂} is launched.

Case ϕ = ∃x ψ. Automaton A_ϕ has an auxiliary register x. It makes use of the subroutine A_x++ from Proposition 14, which increments the value of x by one every time it is called. The root, initially storing its own identifier 0 in x, starts by launching A_ψ. If the latter outputs yes (at the root), then the root outputs yes and stops.
Otherwise, using A_x++, the root will increment its register x by one, launch A_ψ again, and so on. If no increment is possible anymore, A_ϕ outputs no.

Algorithm 2  A_ϕ for ϕ = pfp[f_i : ϕ_i]_{i∈[1:ℓ]} ψ, as controlled by the root
1  init(A_inc)
2  repeat
3    @every node do: for i ∈ [1 : ℓ] do f_i ← f_i^new
4    for i ∈ [1 : ℓ] do update(f_i^new)
5    if @every node (∀i ∈ [1 : ℓ] : f_i^new = f_i) then goto 8
6  until execute(A_inc) returns no   /* until global counter at maximum */
7  @every node do: for i ∈ [1 : ℓ] do f_i ← self
8  execute(A_ψ)

Algorithm 3  update(f_i^new), as controlled by the root
1′  for in ∈ V do
2′    out✓ ← in; found ← false
3′    for out ∈ V do
4′      if execute(A_{ϕ_i}) returns yes   /* ϕ_i[in, out] satisfied */
5′      then if found = false
6′        then out✓ ← out; found ← true
7′        else out✓ ← in; goto 8′
8′    @in do f_i^new ← root.out✓

Case ϕ = pfp[f_i : ϕ_i]_{i∈[1:ℓ]} ψ. First of all, recall that free(ϕ) is the union of all sets free(ϕ_i) ∖ {f₁, …, f_ℓ, in, out} and free(ψ) ∖ {f₁, …, f_ℓ}. We are interested in a transduction T_{A_ϕ} : C(I, R_tree ∪ free(ϕ)) → C({yes, no}, ∅). To implement the partial fixpoint computation, we introduce auxiliary registers f₁, …, f_ℓ (for the current interpretation) and f₁^new, …, f_ℓ^new (for the next interpretation). We also use auxiliary registers in and out, as well as a register self for storing the own identifier of each node. Furthermore, to test whether the partial fixpoint computation has reached a cycle with a period greater than one, we include an additional set of auxiliary registers that will allow us to implement a global counter.
Since there are precisely n^{ℓn} different ℓ-tuples of functions on an input graph with n nodes, it is sufficient to count from 0 to n^{ℓn} − 1. The counter is taken for granted for now, but it will be explained below, and we shall define a helper automaton A_inc that allows us to increment it by one.

In the following, in the interest of clarity, we abstract away from many implementation details and only describe our construction informally. Recall that A_ϕ is a centralized automaton, which means that it is controlled by the root. The root’s program is given by Algorithm 2, presented as pseudo code. First, the counter is initialized to zero in Line 1 (see below for an explanation). Then, in every iteration of the loop starting at Line 2, all registers f_i and f_i^new are updated in such a way that they represent the current and next stage, respectively, of the partial fixpoint induction. For the former, it suffices that every node copies, for all i, the contents of f_i^new to f_i (Line 3). To update f_i^new, Line 4 calls the subroutine provided by Algorithm 3 (which will be explained in the next paragraph). As a result of this algorithm, we have f_i^new = F_{ϕ_i}((f_i)_{i∈[1:ℓ]}) for all i, where F_{ϕ_i} : (V^V)^ℓ → V^V is the operator defined in Section 4. Line 5 checks whether we have reached a fixpoint: The root asks every node to compare, for all i, its registers f_i^new and f_i. The corresponding truth value is propagated back to the root, where false is given preference over true. If the result is true, we exit the loop and proceed with calling A_ψ to evaluate ψ (Line 8). Otherwise, we try to increment the global counter by executing A_inc (Line 6). If the latter returns yes, i.e., incrementation was possible, then another iteration takes place. However, if A_inc returns no, then the counter has reached its maximum. This implies that we have not reached (and will not reach) a fixpoint, so that, according to the partial fixpoint semantics, each node writes its own identifier to every register f_i (Line 7) before the automaton evaluates ψ (Line 8).

Let us now describe the subprocedure update(f_i^new) given by Algorithm 3. Using A_in++ and A_out++ provided by Proposition 14, the root will gradually increment its register in and, in a nested fashion, out, so as to let in and out range over V (Lines 1′ and 3′). After each increment, it will launch A_{ϕ_i} to evaluate ϕ_i with the current interpretations of in and out (Line 4′). If the result is yes, then the root transfers the contents of out to out✓ (Line 6′). Moreover, it sets the flag found to true, which allows it to check whether the node henceforth stored in out✓ is the only one to make ϕ_i true for the given in. If it is not (i.e., the test in Line 5′ eventually fails), we set out✓ = in. Finally, the node whose identifier corresponds to in sets its register f_i^new to the computed value (Line 8′). To implement Line 8′, the root will send out✓, along the spanning tree, to node in, which stores it in its register f_i^new.

A distributed counter.
We now sketch how to implement A_inc. On an underlying graph G = (V, E) of size |V| = n, this automaton can be used to count in a distributed manner from 0 to n^{ℓn} − 1. The basic idea is somewhat similar to the construction presented in Section B.2, as we will identify a register valuation function with a number written in base n. More precisely, each of the n nodes will have ℓ registers r₀, …, r_{ℓ−1}, each storing a number between 0 and n − 1. This way, a register valuation function r : V → V^{{r₀,…,r_{ℓ−1}}} can be seen as an ℓn-digit number written in base n, where the i-th least significant digit is stored in register r_{(i mod ℓ)} of the ⌊i/ℓ⌋-th node, with respect to some total order ⊑ on V. In the following, given a spanning tree of G, we will choose ⊑ to be the order in which the nodes are visited in the post-order traversal of the tree (where the children of each node are visited in ascending identifier order). This way, the ℓ most significant digits are stored in the root.

Formally, A_inc computes a transduction

T_{A_inc} : C( , R_tree ∪ {max, r₀, …, r_{ℓ−1}}) → C({yes, no}, {r₀, …, r_{ℓ−1}}).

It expects as input a spanning-tree configuration C = (G, q, r) that encodes some number m ∈ [0 : n^{ℓn} − 1] in the registers r₀, …, r_{ℓ−1} (as described above). In addition, the largest identifier of G (i.e., n − 1) must be stored in each node’s register max. If m < n^{ℓn} − 1, then the output configuration C′ produced by A_inc is such that the new values of r₀, …, r_{ℓ−1} represent the number m + 1 and the root outputs yes, indicating that the incrementation was successful. Otherwise, all registers are set to zero and the root outputs no.

In order to generate the first valid input configuration for A_inc, the command init(A_inc) in Algorithm 2 (Line 1) sets all registers r_i to 0 (thereby initializing the counter to zero) and all registers max to n − 1. While 0 is already known by each node (since this is the root’s identifier), n − 1 must first be determined: every node v sends to its parent in the spanning tree the greatest value among the node identifiers in the subtree rooted at v, which ensures that the largest value received by the root is n − 1.

A_inc performs incrementation by one as follows. First, the root sends the command “increment” in the direction of the leaf u that stores the least significant digits. More precisely, it sends the command to its smallest child (i.e., the one with the smallest identifier), and every node that receives the command forwards it to its own smallest child.

Upon receiving the command “increment”, leaf u checks whether at least one of its registers r₀, …, r_{ℓ−1} contains a value smaller than max. If not, it sets all of them to zero by copying the value 0 from register root. Then, u sends the command “increment” back to its parent, which will forward the “carry digit” to the next node in the order ⊑. On the other hand, if there exists a smallest index i such that r_i contains a value smaller than max, then u sets to zero only the registers r₀, …, r_{i−1} and increments r_i by executing a subroutine that we will describe below. As soon as that subroutine has terminated, u sends an acknowledgment to the root, which then instructs all other nodes to terminate before switching itself to the halting state yes.

More generally, whenever a node v receives the command “increment”, v tries to forward it to the smallest child that has not yet received it. (In particular, a command received from one child will be forwarded to the next-smallest child.) If this is not possible, either because v is a leaf or because all of its children have already sent back the command, then v performs an incrementation itself. To do so, it proceeds in exactly the same way as described above for node u.

Since the root stores the most significant digit in its register r_{ℓ−1}, it is able to detect the integer overflow that occurs if the input value m is equal to n^{ℓn} − 1. In that case, all registers are set to zero and the root outputs no.

It only remains to explain the subroutine that allows a node v to increment its register r_i by one. To do so, v will send a request to the root including the value of register r_i. The root stores the latter in some auxiliary register s, launches A_s++ from Proposition 14, and then sends the result back to v, which writes it into r_i.

This completes the induction and thereby the proof of Proposition 15. ⊓⊔

We now have the main building block to prove the result of this section:
Proof (of Proposition 10).
Let ϕ be a formula of functional fixpoint logic without free variables. The automaton deciding the graph property defined by ϕ proceeds as follows: It first constructs a spanning tree on the given input graph by executing a variant of the automaton from Example 5 (where the root must be the last node to enter a halting state). Then, it launches A_ϕ from Proposition 15, with set of input registers R_tree. Finally, the root informs the other nodes, along the spanning tree, about the outcome, i.e., yes or no. ⊓⊔
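The three phases of this top-level procedure (build a spanning tree, evaluate centrally at the root, broadcast the verdict) can be sketched sequentially in Python. This is our own illustration, not the paper's construction: `eval_phi` is a placeholder for the centralized evaluator A_ϕ, the tree is computed by plain BFS, and the root choice is an assumption.

```python
from collections import deque

def decide(neighbors, eval_phi):
    """neighbors: dict node -> list of neighbors; eval_phi: callback
    standing in for A_phi, receiving the graph, the root, and the
    parent pointers (the R_tree registers). Returns each node's verdict."""
    root = max(neighbors)                 # assumed convention, e.g. largest id
    parent = {root: root}
    queue = deque([root])
    while queue:                          # BFS builds the spanning tree
        v = queue.popleft()
        for u in neighbors[v]:
            if u not in parent:
                parent[u] = v
                queue.append(u)
    verdict = eval_phi(neighbors, root, parent)
    return {v: verdict for v in neighbors}   # root informs all other nodes
```

For instance, on the path 0–1–2 with an evaluator that always answers `'yes'`, every node ends up outputting `'yes'`.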