Leafy Automata for Higher-Order Concurrency
Alex Dixon, Ranko Lazi?, Andrzej S. Murawski, Igor Walukiewicz
aa r X i v : . [ c s . F L ] J a n Leafy automata for higher-order concurrency
Alex Dixon ( B ), Ranko Lazi´c , Andrzej S. Murawski , andIgor Walukiewicz University of Warwick, UK, [email protected] University of Warwick, UK, [email protected] University of Oxford, UK, [email protected] CNRS, Universit´e de Bordeaux, France
Abstract.
Finitary Idealized Concurrent Algol (
FICA ) is a prototypicalprogramming language combining functional, imperative, and concurrentcomputation. There exists a fully abstract game model of
FICA , which inprinciple can be used to prove equivalence and safety of
FICA programs.Unfortunately, the problems are undecidable for the whole language, andonly very rudimentary decidable sub-languages are known.We propose leafy automata as a dedicated automata-theoretic formalismfor representing the game semantics of
FICA . The automata use an infi-nite alphabet with a tree structure. We show that the game semantics ofany
FICA term can be represented by traces of a leafy automaton. Con-versely, the traces of any leafy automaton can be represented by a
FICA term. Because of the close match with
FICA , we view leafy automata asa promising starting point for finding decidable subclasses of the lan-guage and, more generally, to provide a new perspective on models ofhigher-order concurrent computation.Moreover, we identify a fragment of
FICA that is amenable to verificationby translation into a particular class of leafy automata. Using a localityproperty of the latter class, where communication between levels is re-stricted and every other level is bounded, we show that their emptinessproblem is decidable by reduction to Petri nets reachability.
Keywords:
Finitary Idealized Concurrent Algol, Higher-Order Concur-rency, Automata over Infinite Alphabets, Game Semantics
Game semantics is a versatile paradigm for giving semantics to a wide spectrumof programming languages [4,37]. It is well-suited for studying the observationalequivalence of programs and, more generally, the behaviour of a program in anarbitrary context. About 20 years ago, it was discovered that the game semanticsof a program can sometimes be expressed by a finite automaton or another simplecomputational model [21]. This led to algorithmic uses of game semantics forprogram analysis and verification [1,17,22,6,28,27,29,36,18,19]. Thus far, theseadvances concerned mostly languages without concurrency.
A. Dixon, R. Lazi´c, A. S. Murawski and I. Walukiewicz
In this work, we consider Finitary Idealized Concurrent Algol (
FICA ) and itsfully abstract game semantics [23]. It is a call-by-name language with higher-order features, side-effects, and concurrency implemented by a parallel composi-tion operator and semaphores. It is finitary since, as it is common in this context,base types are restricted to finite domains. Quite surprisingly, the game seman-tics of this language is arguably simpler than that for the language withoutconcurrency. The challenge comes from algorithmic considerations.Following the successful approach from the sequential case [21,39,35,38,13],the first step is to find an automaton model abstracting the phenomena ap-pearing in the semantics. The second step is to obtain program fragments fromstructural restrictions on the automaton model. In this paper we take both steps.We propose leafy automata : an automaton model working on nested data.Data are used to represent pointers in plays, while the nesting of data reflectsstructural dependencies in the use of pointers. Interestingly, the structural de-pendencies in plays boil down to imposing a tree structure on the data. We showa close correspondence between the automaton model and the game semantics of
FICA . For every program, there is a leafy automaton whose traces (data words)represent precisely the plays in the semantics of the program (Theorem 3). Con-versely, for every leafy automaton, there is a program whose semantics consistsof plays representing the traces of the automaton (Theorem 5). (The latter resultholds modulo a saturation condition we explain later.) This equivalence showsthat leafy automata are a suitable model for studying decidability questions for
FICA .Not surprisingly, due to their close connection to
FICA , leafy automata turnout to have an undecidable emptiness problem. We use the undecidability ar-gument to identify the source, namely communication across several unboundedlevels, i.e., levels in which nodes can produce an unbounded number of childrenduring the lifetime of the automaton. To eliminate the problem, we introducea restricted variant of leafy automata, called local , in which every other levelis bounded and communication is allowed to cross only one unbounded node.Emptiness for such automata can be decided via reduction to a number of in-stances of Petri net reachability problem.We also identify a fragment of
FICA , dubbed local
FICA ( LFICA ), whichmaps onto local leafy automata. It is based on restricting the distance betweensemaphore and variable declarations and their uses inside the term. This is afirst non-rudimentary fragment of
FICA for which some verification tasks aredecidable. Overall, this makes it possible to use local leafy automata to analyse
LFICA terms and decide associated verification tasks.
Related work
Concurrency, even with only first-order recursion, leads to unde-cidability [41]. Intuitively, one can encode the intersection of languages of twopushdown automata. From the automata side, much research on decidable caseshas concentrated on bounding interactions between stacks representing differentthreads of the program [40,31,5]. From the game semantics side, the only knowndecidable fragment of
FICA is Syntactic Control of Concurrency (SCC) [24],which imposes bounds on the number of threads in which arguments can be used. eafy automata for higher-order concurrency 3
This restriction makes it possible to represent the game semantics of programsby finite automata. In our work, we propose automata models that correspondto unbounded interactions with arbitrary
FICA contexts, and importantly thatremains true also when we restrict the terms to
LFICA . Leafy automata are amodel of computation over an infinite alphabet. This area has been explored ex-tensively, partly motivated by applications to database theory, notably XML [43].In this context, nested data first appeared in [8], where the authors consideredshuffle expressions as the defining formalism. Later on, data automata [10] andclass memory automata [9] have been adapted to nested data in [16,14]. They aresimilar to leafy automata in that the automaton is allowed to access states re-lated to previous uses of data values at various depths. What distinguishes leafyautomata is that the lifetime of a data value is precisely defined and follows aquestion and answer discipline in correspondence with game semantics. Leafyautomata also feature run-time “zero-tests”, activated when reading answers.For most models over nested data, the emptiness problem is undecidable. Toachieve decidability, the authors in [16,14] relax the acceptance conditions sothat the emptiness problem can eventually be recast as a coverability problemfor a well-structured transition system. In [12], this result was used to showdecidability of equivalence for a first-order (sequential) fragment of ReducedML. On the other hand, in [8] the authors relax the order of letters in words,which leads to an analysis based on semi-linear sets. Both of these restrictionsare too strong to permit the semantics of
FICA , because of the game-semantic
WAIT condition, which corresponds to waiting until all sub-processes terminate.Another orthogonal strand of work on concurrent higher-order programs isbased on higher-order recursion schemes [25,30]. Unlike
FICA , they feature re-cursion but the computation is purely functional over a single atomic type o . Structure of the paper:
In the next two sections we recall
FICA and its gamesemantics from [23]. The following sections introduce leafy automata ( LA ) andtheir local variant ( LLA ), where we also analyse the associated decision problemsand, in particular, show that the non-emptiness problem for
LLA is decidable.Subsequently, we give a translation from
FICA to LA (and back) and define afragment LFICA of FICA which can be translated into
LLA . FICA ) Idealized Concurrent Algol [23] is a paradigmatic language combining higher-order with imperative computation in the style of Reynolds [42], extended toconcurrency with parallel composition ( || ) and binary semaphores. We considerits finitary variant FICA over the finite datatype { , . . . , max } ( max ≥
0) withloops but no recursion. Its types θ are generated by the grammar θ ::= β | θ → θ β ::= com | exp | var | sem where com is the type of commands; exp that of { , . . . , max } -valued expres-sions; var that of assignable variables; and sem that of semaphores. The typing A. Dixon, R. Lazi´c, A. S. Murawski and I. Walukiewicz Γ ⊢ skip : com Γ ⊢ div θ : θ Γ ⊢ i : exp Γ ⊢ M : exp Γ ⊢ op ( M ) : exp Γ ⊢ M : com Γ ⊢ N : βΓ ⊢ M ; N : β Γ ⊢ M : com Γ ⊢ N : com Γ ⊢ M || N : com Γ ⊢ M : exp Γ ⊢ N , N : βΓ ⊢ if M then N else N : β Γ ⊢ M : exp Γ ⊢ N : com Γ ⊢ while M do N : com Γ, x : θ ⊢ x : θ Γ, x : θ ⊢ M : θ ′ Γ ⊢ λx.M : θ → θ ′ Γ ⊢ M : θ → θ ′ Γ ⊢ N : θΓ ⊢ MN : θ ′ Γ ⊢ M : var Γ ⊢ N : exp Γ ⊢ M := N : com Γ ⊢ M : var Γ ⊢ ! M : exp Γ ⊢ M : sem Γ ⊢ release ( M ) : com Γ ⊢ M : sem Γ ⊢ grab ( M ) : com Γ, x : var ⊢ M : com , exp Γ ⊢ newvar x := i in M : com , exp Γ, x : sem ⊢ M : com , exp Γ ⊢ newsem x := i in M : com , exp Fig. 1:
FICA typing rulesjudgments are displayed in Figure 1. skip and div θ are constants representingtermination and divergence respectively, i ranges over { , · · · , max } , and op represents unary arithmetic operations, such as successor or predecessor (sincewe work over a finite datatype, operations of bigger arity can be defined us-ing conditionals). Variables and semaphores can be declared locally via newvar and newsem . Variables are dereferenced using ! M , and semaphores are manip-ulated using two (blocking) primitives, grab ( s ) and release ( s ), which grab andrelease the semaphore respectively. The small-step operational semantics of FICA is reproduced in Appendix A. In what follows, we shall write div for div com .We are interested in contextual equivalence of terms. Two terms are contex-tually equivalent if there is no context that can distinguish them with respect tomay-termination. More formally, a term ⊢ M : com is said to terminate, writ-ten M ⇓ , if there exists a terminating evaluation sequence from M to skip . Then contextual (may-)equivalence ( Γ ⊢ M ∼ = M ) is defined by: for all contexts C such that ⊢ C [ M ] : com , C [ M ] ⇓ if and only if C [ M ] ⇓ . The force of this notionis quantification over all contexts.Since contextual equivalence becomes undecidable for FICA very quickly [24],we will look at the special case of testing equivalence with terms that alwaysdiverge, e.g. given Γ ⊢ M : θ , is it the case that Γ ⊢ M ∼ = div θ ? Intuitively,equivalence with an always-divergent term means that C [ M ] will never converge(must diverge) if C uses M . At the level of automata, this will turn out tocorrespond to the emptiness problem.In verification tasks, with the above equivalence test, we can check whetheruses of M can ever lead to undesirable states. For example, for a given term eafy automata for higher-order concurrency 5 x : var ⊢ M : θ , the term f : θ → com ⊢ newvar x := 0 in ( f ( M ) || if ! x = 13 then skip else div )will be equivalent to div only when x is never set to 13 during a terminatingexecution. Note that, because of quantification over all contexts, f may use M an arbitrary number of times, also concurrently or in nested fashion, which is avery expressive form of quantification. Game semantics for programming languages involves two players, called Oppo-nent (O) and Proponent (P), and the sequences of moves made by them can beviewed as interactions between a program (P) and a surrounding context (O). Inthis section, we briefly present the fully abstract game model for
FICA from [23],which we rely on in the paper. The games are defined using an auxiliary conceptof an arena.
Definition 1. An arena A is a triple h M A , λ A , ⊢ A i where: – M A is a set of moves ; – λ A : M A → { O, P } × {
Q, A } is a function determining for each m ∈ M A whether it is an Opponent or a
Proponent move , and a question or an answer ; we write λ OPA , λ
QAA for the composite of λ A with respectively the firstand second projections; – ⊢ A is a binary relation on M A , called enabling , satisfying: if m ⊢ A n for no m then λ A ( n ) = ( O, Q ) , if m ⊢ A n then λ OPA ( m ) = λ OPA ( n ) , and if m ⊢ A n then λ QAA ( m ) = Q . We shall write I A for the set of all moves of A which have no enabler; such movesare called initial . Note that an initial move must be an Opponent question.In arenas used to interpret base types all questions are initial and P-movesanswering them are detailed in the table below, where i ∈ { , · · · , max } .Arena O-question P-answers Arena O-question P-answers J com K run done J exp K q i J var K read i J sem K grb okwrite ( i ) ok rls ok More complicated types are interpreted inductively using the product ( A × B )and arrow ( A ⇒ B ) constructions, given below. M A × B = M A + M B λ A × B = [ λ A , λ B ] ⊢ A × B = ⊢ A + ⊢ B M A ⇒ B = M A + M B λ A ⇒ B = [ h λ P OA , λ
QAA i , λ B ] ⊢ A ⇒ B = ⊢ A + ⊢ B + { ( b, a ) | b ∈ I B and a ∈ I A } where λ P OA ( m ) = O iff λ OPA ( m ) = P . We write J θ K for the arena corresponding totype θ . Below we draw (the enabling relations of) A = J com → com → com K A. Dixon, R. Lazi´c, A. S. Murawski and I. Walukiewicz and A = J ( var → com ) → com K respectively, using superscripts to distinguishcopies of the same move (the use of superscripts is consistent with our futureuse of tags in Definition 9). O run ♣♣♣❣❣❣❣❣❣❣❣❣ P run run done O done done O run ♣♣♣ P run ♥♥♥❢❢❢❢❢❢❢❢❢❢❢❢ done O read write ( i ) done P i ok Given an arena A , we specify next what it means to be a legal play in A . Fora start, the moves that players exchange will have to form a justified sequence ,which is a finite sequence of moves of A equipped with pointers. Its first moveis always initial and has no pointer, but each subsequent move n must have aunique pointer to an earlier occurrence of a move m such that m ⊢ A n . We saythat n is (explicitly) justified by m or, when n is an answer, that n answers m .If a question does not have an answer in a justified sequence, we say that it is pending in that sequence. Below we give two justified sequences from A and A respectively. run run run done done done run run read write (1) ok read Not all justified sequences are valid. In order to constitute a legal play, a justi-fied sequence must satisfy a well-formedness condition that reflects the “static”style of concurrency of our programming language: any started sub-processesmust end before the parent process terminates. This is formalised as follows,where the letters q and a to refer to question- and answer-moves respectively,while m denotes arbitrary moves. Definition 2.
The set P A of plays over A consists of the justified sequences s over A that satisfy the two conditions below. FORK : In any prefix s ′ = · · · q · · · m of s , the question q must be pending when m is played. WAIT : In any prefix s ′ = · · · q · · · a of s , all questions justified by q must beanswered. It is easy to check that the justified sequences given above are plays. A subset σ of P A is O-complete if s ∈ σ and so ∈ P A imply so ∈ σ , when o is an O-move. Definition 3. A strategy on A , written σ : A , is a prefix-closed O-completesubset of P A . Suppose Γ = { x : θ , · · · , x l : θ l } and Γ ⊢ M : θ is a FICA -term. Let uswrite J Γ ⊢ θ K for the arena J θ K × · · · × J θ l K ⇒ J θ K . In [23] it is shown how toassign a strategy on J Γ ⊢ θ K to any FICA -term Γ ⊢ M : θ . We write J Γ ⊢ M K to refer to that strategy. For example, J Γ ⊢ div K = { ǫ, run } and J Γ ⊢ skip K = eafy automata for higher-order concurrency 7 { ǫ, run , run done } . Given a strategy σ , we denote by comp ( σ ) the set of non-empty complete plays of σ , i.e. those in which all questions have been answered.The game-semantic interpretation J · · · K turns out to provide a fully abstractmodel in the following sense. Theorem 1 ([23]). Γ ⊢ M ∼ = M iff comp ( J Γ ⊢ M K ) = comp ( J Γ ⊢ M K ) . In particular, since we have comp ( J Γ ⊢ div θ K ) = ∅ , Γ ⊢ M : θ is equivalent to div θ iff comp ( J Γ ⊢ M K ) = ∅ . We would like to be able to represent the game semantics of
FICA using automata.To that end, we introduce leafy automata ( LA ). They are a variant of automataover nested data, i.e. a type of automata that read finite sequences of letters ofthe form ( t, d d · · · d j ) ( j ∈ N ), where t is a tag from a finite set Σ and each d i (0 ≤ i ≤ j ) is a data value from an infinite set D .In our case, D will have the structure of a countably infinite forest andthe sequences d · · · d j will correspond to branches of a tree. Thus, instead of d · · · d j , we can simply write d j , because d j uniquely determines its ancestors: d , . . . , d j − . The following definition captures the technical assumptions on D . Definition 4. D is a countably infinite set equipped with a function pred : D →D ∪ {⊥} (the parent function) such that the following conditions hold. – Infinite branching: pred − ( { d ⊥ } ) is infinite for any d ⊥ ∈ D ∪ {⊥} . – Well-foundedness: for any d ∈ D , there exists i ∈ N , called the level of d ,such that pred i +1 ( d ) = ⊥ . Level- data values will be called roots . In order to define configurations of leafy automata, we will rely on finite subtreesof D , whose nodes will be labelled with states. We say that T ⊆ D is a subtree of D iff T is closed ( ∀ x ∈ T : pred ( x ) ∈ T ∪{⊥} ) and rooted ( ∃ ! x ∈ T : pred ( x ) = ⊥ ).Next we give the formal definition of a level- k leafy automaton. Its set ofstates Q will be divided into layers, written Q ( i ) (0 ≤ i ≤ k ), which will be usedto label level- i nodes. We will write Q ( i , ··· ,i k ) to abbreviate Q ( i ) × · · · × Q ( i k ) ,excluding any components Q ( i j ) where i j <
0. We distinguish Q (0 , − = {†} . Definition 5.
A level- k leafy automaton ( k - LA ) is a tuple A = h Σ, k, Q, δ i ,where – Σ = Σ Q + Σ A is a finite alphabet, partitioned into questions and answers; – k ≥ is the level parameter; – Q = P ki =0 Q ( i ) is a finite set of states, partitioned into sets Q ( i ) of level- i states; – δ = δ Q + δ A is a finite transition function, partitioned into question- andanswer-related transitions; – δ Q = P ki =0 δ ( i ) Q , where δ ( i ) Q ⊆ Q (0 , , ··· ,i − × Σ Q × Q (0 , , ··· ,i ) for ≤ i ≤ k ; A. Dixon, R. Lazi´c, A. S. Murawski and I. Walukiewicz – δ A = P ki =0 δ ( i ) A , where δ ( i ) A ⊆ Q (0 , , ··· ,i ) × Σ A × Q (0 , , ··· ,i − for ≤ i ≤ k . Configurations of LA are of the form ( D, E, f ), where D is a finite subset of D (consisting of data values that have been encountered so far), E is a finite subtreeof D , and f : E → Q is a level-preserving function, i.e. if d is a level- i datavalue then f ( d ) ∈ Q ( i ) . A leafy automaton starts from the empty configuration κ = ( ∅ , ∅ , ∅ ) and proceeds according to δ , making two kinds of transitions. Eachkind manipulates a single leaf: for questions one new leaf is added, for answersone leaf is removed. Let the current configuration be κ = ( D, E, f ). – On reading a letter ( t, d ) with t ∈ Σ Q and d D a fresh level- i data, theautomaton adds a new leaf d in a configuration and updates the states onthe branch to d . So it changes its configuration to κ ′ = ( D ∪ { d } , E ∪ { d } , f ′ )provided that pred ( d ) ∈ E and f ′ satisfies:( f ( pred i ( d )) , · · · , f ( pred ( d )) , t, f ′ ( pred i ( d )) , · · · , f ′ ( pred ( d )) , f ′ ( d )) ∈ δ ( i ) Q , dom ( f ′ ) = dom ( f ) ∪{ d } , and f ′ ( x ) = f ( x ) for all x
6∈ { pred ( d ) , · · · , pred i ( d ) } . – On reading a letter ( t, d ) with t ∈ Σ A and d ∈ E a level- i data which is aleaf, the automaton deletes d and updates the states on the branch to d . Soit changes its configuration to κ ′ = ( D, E \ { d } , f ′ ) where f ′ satisfies:( f ( pred i ( d )) , · · · , f ( pred ( d )) , f ( d ) , t, f ′ ( pred i ( d )) , · · · , f ′ ( pred ( d ))) ∈ δ ( i ) A , dom ( f ′ ) = dom ( f ) \{ d } and f ′ ( x ) = f ( x ) for all x
6∈ { pred ( d ) , · · · , pred i ( d ) } . – Initially D , E , and f are empty; we proceed to κ ′ = ( { d } , { d } , { d q (0) } ) if( t, d ) is read where † t −−→ q (0) ∈ δ (0) Q . The last move is treated symmetrically.In all cases, we write κ ( t,d ) −−−→ κ ′ . Note that a single transition can only changestates on the branch ending in d . Other parts of the tree remain unchanged. Example 1.
Below we illustrate the effect of LA transitions. Let D = { d , d , d ′ } and d D . Let κ = ( D , E , f ), κ = ( D ∪ { d } , E , f ), κ = ( D ∪{ d } , E , f ), where the trees E , E are displayed below and node annotationsof the form ( q ) correspond to values of f , f , e.g. f ( d ) = q (0) . d ( q (0) ) sss ▼▼▼ E , f : d ′ ( q ) d ( q (1) ) d ( r (0) ) ✈✈✈✈ ❑❑❑❑ E , f : d ′ ( q ) d ( r (1) ) d ( r (2) )For κ to evolve into κ (on ( t, d )), we need ( q (0) , q (1) , t, r (0) , r (1) , r (2) ) ∈ δ (2) Q .On the other hand, to go from κ to κ (on ( t, d )), we want ( r (0) , r (1) , r (2) , t,q (0) , q (1) ) ∈ δ (2) A . eafy automata for higher-order concurrency 9 Definition 6. A trace of a leafy automaton A is a sequence w = l · · · l h ∈ ( Σ × D ) ∗ such that κ l −−→ κ . . . κ h − l h −−→ κ h where κ = ( ∅ , ∅ , ∅ ) . A configuration κ = ( D, E, f ) is accepting if E and f are empty. A trace w is accepted by A ifthere is a non-empty sequence of transitions as above with κ h accepting. The setof traces (resp. accepted traces) of A is denoted by Tr ( A ) (resp. L ( A ) ).Remark 1. When writing states, we will often use superscripts ( i ) to indicate theintended level. So, ( q (0) , · · · , q ( i − ) t −−→ ( r (0) , · · · , r ( i ) ) refers to ( q (0) , · · · , q ( i − , t,r (0) , · · · , r ( i ) ) ∈ δ ( i ) Q ; similarly for δ ( i ) A transitions. For i = 0, this degenerates to † t −−→ r (0) and r (0) t −−→† . Example 2.
Consider the 1- LA over Σ Q = { start , inc } , Σ A = { dec , end } . Let Q (0) = { } , Q (1) = { } and define δ by: † start −−−→
0, 0 inc −−→ (0 , , dec −−→ end −−→† . The accepted traces of this 1- LA have the form ( start , d ) ( || ni =0 ( inc , d i )( dec , d i )) ( end , d ), i.e. they are valid histories of a single non-negative counter(histories such that the counter starts and ends at 0). In this case, all traces aresimply prefixes of such words. Remark 2.
Note that, whenever a leafy automaton reads ( t, d ) ( t ∈ Σ Q ) and thelevel of d is greater than 0, then it must have read a unique question ( t ′ , pred ( d ))earlier. Also, observe that an LA trace contains at most two occurrences of thesame data value, such that the first is paired with a question and the secondis paired with an answer. Because the question and the answer share the samedata value, we can think of the answer as answering the question, like in gamesemantics. Indeed, justification pointers from answers to questions will be rep-resented in this way in Theorem 3. Finally, we note that LA traces are invariantunder tree automorphisms of D . Lemma 1.
The emptiness problem for - LA is undecidable. For - LA , it is re-ducible to the reachability problem for VASS in polynomial time and there is a re-verse reduction in exponential time, so it is decidable in Ackermannian time [33]but not elementary [15].Proof. For 2- LA we reduce from the halting problem on two-counter-machines.Two counters can be simulated using configurations of the form q ♦♦♦♦♦ ❖❖❖❖❖ c ⑤⑤ ❇❇ c ⑤⑤ ❇❇ PPPPP ⋆ ⋆ ⋆ ⋆ ⋆ ⋆ ⋆ where there are two level-1 nodes, one for each counter. The number of childrenat level 2 encodes the counter value. Zero tests can be implemented by removingthe corresponding level-1 node and creating a new one. This is possible onlywhen the node is a leaf, i.e., it does not have children at level 2. The state of the2-counter machine can be maintained at level 0, the states at level 1 indicate thename of the counter, and the level-2 states are irrelevant. The translation from 1- LA to VASS is straightforward and based on repre-senting 1- LA configurations by the state at level 0 and, for each state at level 1,the count of its occurrences. The reverse translation is based on the same ideaand extends the encoding of a non-negative counter in Example 2, where theexponential blow up is simply due to the fact that vector updates in VASS aregiven in binary whereas 1- LA transitions operate on single branches. ⊓⊔ Lemma 2. - LA equivalence is undecidable.Proof. We provide a direct reduction from the halting problem for 2-countermachines, where both counters are required to be zero initially as well as finally.The main obstacle is that implementing zero tests as in the proof of the firstpart of Lemma 1 is not available because we are restricted to leafy automatawith levels 0 and 1 only. To overcome it, we exploit the power of the equivalenceproblem where one of the 1- LA will have the task not of correctly simulatingzero tests but recognising zero tests that are incorrect. The full argument canbe found in Appendix B. ⊓⊔ LLA ) Here we identify a restricted variant of LA for which the emptiness problem isdecidable. We start with a technical definition. Definition 7. A k - LA is bounded at level i ( ≤ i ≤ k ) if there is a bound b such that each node at level i can create at most b children during a run. Werefer to b as the branching bound . Note that we are defining a “global” bound on the number of children that anode at level i may create across a whole run, rather than a “local” bound onthe number of children a node may have in a given configuration.To motivate the design of LLA , we observe that the undecidability argument(for the emptiness problem) for 2- LA used two consecutive levels (0 and 1) thatare not bounded. For the node at level 0, this corresponded to the number of zerotests, while an unbounded counter is simulated at level 1. In the following we willeliminate consecutive unbounded levels by introducing an alternating patternof bounded and unbounded levels. Even-numbered layers ( i = 0 , , ... ) will bebounded, while odd-numbered layers will be unbounded. Observe in particularthat the root (layer 0) is bounded. As we will see later, this alternation reflects theterm/context distinction in game semantics: the levels corresponding to termsare bounded, and the levels coresponding to contexts are unbounded.With this restriction alone, it is possible to reconstruct the undecidabilityargument for 4- LA , as two unbounded levels may still communicate. Thus weintroduce a restriction on how many levels a transition can read and modify. – when adding or removing a leaf at an odd level 2 i + 1, the automaton willbe able to access levels 2 i , 2 i − i −
2; while eafy automata for higher-order concurrency 11 – when adding or removing a leaf at an even level 2 i , the automaton will beable to access levels 2 i − i − δ ( i ) Q , δ ( i ) Q can be presented in a more concise form, given below. δ ( i ) Q ⊆ ( Q ( i − ,i − × Σ Q × Q ( i − ,i − ,i ) if i is even Q ( i − ,i − ,i − × Σ Q × Q ( i − ,i − ,i − ,i ) if i is odd δ ( i ) A ⊆ ( Q ( i − ,i − ,i ) × Σ A × Q ( i − ,i − if i is even Q ( i − ,i − ,i − ,i ) × Σ A × Q ( i − ,i − ,i − if i is oddIn terms of the previous notation developed for LA , ( q ( i − , q ( i − , x, r ( i − , r ( i − ,r ( i ) ) ∈ δ ( i ) Q represents all tuples of the form ( ~q, q ( i − , q ( i − , x, ~q, r ( i − , r ( i − , r ( i ) ),where ~q ranges over Q (0 , ··· ,i − . Definition 8.
A level- k local leafy automaton ( k - LLA ) is a k - LA whose transi-tion function admits the above-mentioned presentation and which is bounded atall even levels. Theorem 2.
The emptiness problem for
LLA is decidable.Proof (Sketch).
Let b be a bound on the number of children created by eacheven node during a run.The critical observation is that, once a node d at even level 2 i has beencreated, all subsequent actions of descendants of d access (read and/or write)the states at levels 2 i − i − b times. The shape of the transitionfunction dictates that this can happen only when child nodes at level 2 i + 1 areadded or removed. In addition, the locality property ensures that the automatonwill never access levels < i − d or its descendants.We will make use of these facts to construct summaries for nodes on evenlevels which completely describe such a node’s lifetime, from its creation as aleaf until its removal, and in between performing at most 2 b reads-writes of theparent and grandparent states. A summary is a sequence quadruples of states:two pairs of states of levels 2 i − i −
1. The first pair are the states weexpect to find on these levels, while the second are the states to which we updatethese levels. Hence a summary at level 2 i is a complete record of a valid sequenceof read-writes and stateful changes during the lifetime of a node on level 2 i .We proceed by induction and show how to calculate the complete set ofsummaries at level 2 i given the complete set of summaries at level 2 i + 2. Weconstruct a program for deciding whether a given sequence is a summary at level2 i . This program can be evaluated via Vector Addition Systems with States(VASS). Since we can finitely enumerate all candidate summaries at level 2 i ,this gives us a way to compute summaries at level 2 i . Proceeding this way, wefinally calculate summaries at level 2. At this stage, we can reduce the emptinessproblem for the given LLA to a reachability test on a VASS.The complete argument is given in Appendix C. ⊓⊔ Let us remark also that the problem becomes undecidable if we remove eitherboundedness restriction, or allow transitions to look one level further.
Recall from Section 3 that, to interpret base types, game semantics uses movesfrom the set M = M J com K ∪ M J exp K ∪ M J var K ∪ M J sem K = { run , done , q , read , grb , rls , ok } ∪ { i, write ( i ) | ≤ i ≤ max } . The game semantic interpretation of a term-in-context Γ ⊢ M : θ is a strategyover the arena J Γ ⊢ θ K , which is obtained through product and arrow construc-tions, starting from arenas corresponding to base types. As both constructionsrely on the disjoint sum, the moves from J Γ ⊢ θ K are derived from the base typespresent in types inside Γ and θ . To indicate the exact occurrence of a base typefrom which each move originates, we will annotate elements of M with a spe-cially crafted scheme of superscripts. Suppose Γ = { x : θ , · · · , x l : θ l } . Thesuperscripts will have one of the two forms, where ~i ∈ N ∗ and ρ ∈ N : – ( ~i, ρ ) will be used to represent moves from θ ; – ( x v ~i, ρ ) will be used to represent moves from θ v (1 ≤ v ≤ l ).The annotated moves will be written as m ( ~i,ρ ) or m ( x v ~i,ρ ) , where m ∈ M . Wewill sometimes omit ρ on the understanding that this represents ρ = 0. Similarly,when ~i is omitted, the intended value is ǫ . Thus, m stands for m ( ǫ, .The next definition explains how the ~i superscripts are linked to moves from J θ K . Given X ⊆ { m ( ~i,ρ ) | ~i ∈ N ∗ , ρ ∈ N } and y ∈ N ∪ { x , · · · , x l } , we let yX = { m ( y~i,ρ ) | m ( ~i,ρ ) ∈ X } . Definition 9.
Given a type θ , the corresponding alphabet T θ is defined as follows T β = { m ( ǫ,ρ ) | m ∈ M J β K , ρ ∈ N } β = com , exp , var , sem T θ h → ... → θ → β = S hu =1 ( u T θ u ) ∪ T β For Γ = { x : θ , · · · , x l : θ l } , the alphabet T Γ ⊢ θ is defined to be T Γ ⊢ θ = S lv =1 ( x v T θ v ) ∪ T θ .Example 3. The alphabet T f : com → com ,x : com ⊢ com is { run ( f ,ρ ) , done ( f ,ρ ) , run ( f,ρ ) , done ( f,ρ ) , run ( x,ρ ) , done ( x,ρ ) , run ( ǫ,ρ ) , done ( ǫ,ρ ) | ρ ∈ N } . To represent the game semantics of terms-in-context, of the form Γ ⊢ M : θ ,we are going to use finite subsets of T Γ ⊢ θ as alphabets in leafy automata. Thesubsets will be finite, because ρ will be bounded. Note that T θ admits a naturalpartitioning into questions and answers, depending on whether the underlyingmove is a question or answer. eafy automata for higher-order concurrency 13 We will represent plays using data words in which the underpinning sequenceof tags will come from an alphabet as defined above. Superscripts and data areused to represent justification pointers. Intuitively, we represent occurrences ofquestions with data values. Pointers from answers to questions just refer to thesevalues. Pointers from questions use bounded indexing with the help of ρ .Initial question-moves do not have a pointer and to represent such questionswe simply use ρ = 0. For non-initial questions, we rely on the tree structureof D and use ρ to indicate the ancestor of the currently read data value thatwe mean to point at. Consider a trace w ( t i , d i ) ending in a non-initial question,where d i is a level- i data value and i >
0. In our case, we will have t i ∈ T Γ ⊢ θ ,i.e. t i = m ( ··· ,ρ ) . By Remark 2, trace w contains unique occurrences of questions( t , d ) , · · · , ( t i − , d i − ) such that pred ( d j ) = d j − for j = 1 , · · · , i . The pointerfrom ( t i , d i ) goes to one of these questions, and we use ρ to represent the scenarioin which the pointer goes to ( t i − (1+ ρ ) , d i − (1+ ρ ) ).Pointers from answer-moves to question-moves are represented simply byusing the same data value in both moves (in this case we use ρ = 0).We will also use ǫ -tags ǫ Q (question) and ǫ A (answer), which do not contributemoves to the represented play. Each ǫ Q will always be answered with ǫ A . Notethat the use of ρ, ǫ Q , ǫ A means that several data words may represent the sameplay (see Examples 4, 6). Example 4.
Suppose that d = pred ( d ) , d = pred ( d ) = pred ( d ′ ) , d = pred ( d ), d ′ = pred ( d ′ ). Then the data word ( run , d ) ( run f , d ) ( run f , d ) ( run f , d ′ )( run ( x, , d ) ( run ( x, , d ′ ) ( done x , d ), which is short for ( run ( ǫ, , d ) ( run ( f, , d )( run ( f , , d ) ( run ( f , , d ′ ) ( run ( x, , d ) ( run ( x, , d ′ ) ( done ( x, , d ), representsthe play run run f run f run f run x run x done x O P O O P P O.
Example 5.
Consider the LA A = h Q, , Σ, δ i , where Q (0) = { , , } , Q (1) = { } , Q (2) = { , , } , Q (3) = { } , Σ Q = { run , run f , run f , run ( x, } , Σ A = { done , done f , done f , done x } , and δ is given by † run −−→ run f −−−→ (1 ,
0) (1 , done f −−−−→ done −−−→ † (1 , run f −−−→ (1 , , , , run ( x, −−−−−→ (1 , , ,
0) (1 , , , done ( x, −−−−−−→ (1 , ,
2) (1 , , done f −−−−→ (1 , Tr ( A ) represent all plays from σ = J f : com → com , x : com ⊢ f x K , including the play from Example 4, and L ( A ) represents comp ( σ ). Example 6.
One might wish to represent plays of σ from the previous Exam-ple using data values d , d , d ′ , d ′′ , d , d ′ such that d = pred ( d ) = pred ( d ′ ) = pred ( d ′′ ), d = pred ( d ) = pred ( d ′ ), so that the play from Example 4 is rep-resented by ( run ( ǫ, , d ) ( run ( f, , d ) ( run ( f , , d ) ( run ( f , , d ′ ) ( run ( x, , d ′ )( run ( x, , d ′′ ) ( done ( x, , d ′ ). Unfortunately, it is impossible to construct a 2- LA that would accept all representations of such plays. To achieve this, the automa-ton would have to make sure that the number of run f s is the same as that of run x s. Because the former are labelled with level-2 values and the latter with in-comparable level-1 values, the only point of communication (that could be usedfor comparison) is the root. However, the root cannot accommodate unboundedinformation, while plays of σ can feature an unbounded number of run f s, whichcould well be consecutive.Before we state the main result linking FICA with leafy automata, we notesome structural properties of the automata. Questions will create a leaf, andanswers will remove a leaf. P-moves add leaves at odd levels (questions) andremove leaves at even levels (answers), while O-moves have the opposite effectat each level. Finally, when removing nodes at even levels we will not need tocheck if a node is a leaf. We call the last property even-readiness .Even-readiness is a consequence of the WAIT condition in the game seman-tics. The condition captures well-nestedness of concurrent interactions – a termcan terminate only after subterms terminate. In the leafy automata setting, thisis captured by the requirement that only leaf nodes can be removed, i.e. a nodecan be removed only if all of its children have been removed beforehand. It turnsout that, for
P-answers only, this property will come for free. Formally, wheneverthe automaton arrives at a configuration κ = ( D, E, f ), where d ∈ E and thereis a transition( f ( pred (2 i ) ( d )) , · · · , f ( pred ( d )) , f ( d ) , t, f ′ ( pred (2 i ) ( d )) , · · · , f ′ ( pred ( d ))) ∈ δ (2 i ) A , then d is a leaf. In contrast, our automata will not satisfy the same propertyfor O-answers (the environment) and for such transitions it is crucial that theautomaton actually checks that only leaves can be removed. Theorem 3.
For any
FICA -term Γ ⊢ M : θ , there exists an even-ready leafy au-tomaton A M over a finite subset of T Γ ⊢ θ + { ǫ Q , ǫ A } such that the set of plays rep-resented by data words from Tr ( A M ) is exactly J Γ ⊢ M : θ K . Moreover, L ( A M ) represents comp ( J Γ ⊢ M : θ K ) in the same sense.Proof (Sketch). Because every
FICA -term can be converted to βη -normal form,we use induction on the structure of such normal forms. The base cases are: Γ ⊢ skip : com ( Q (0) = { } ; † run −−→
0, 0 done −−−→† ), Γ ⊢ div : com ( Q (0) = { } ; † run −−→ Γ ⊢ i : exp ( Q (0) = { } ; † q −−→
0, 0 i −−→† ).The remaining cases are inductive. When referring to the inductive hypoth-esis for a subterm M i , we shall use subscripts i to refer to the automata com-ponents, e.g. Q ( j ) i , m −−→ i etc. In contrast, Q ( j ) , m −−→ will refer to the automatonthat is being constructed. Inference lines will indicate that the transitionslisted under the line should be added to the new automaton provided the tran-sitions listed above the line are present in the automaton obtained via inductionhypothesis. We discuss a selection of technical cases below. Γ ⊢ M || M In this case we need to run the automata for M and M concur-rently. To this end, their level-0 states will be combined ( Q (0) = Q (0)1 × Q (0)2 ), butnot deeper states ( Q ( j ) = Q ( j )1 + Q ( j )2 , ≤ j ≤ k ). The first group of transitions eafy automata for higher-order concurrency 15 activate and terminate the two components respectively: † run −−→ q (0)1 † run −−→ q (0)2 † run −−→ ( q (0)1 ,q (0)2 ) , q (0)1 done −−−→ † q (0)2 done −−−→ † ( q (0)1 ,q (0)2 ) done −−−→ † . The remaining transitions advance each component: ( q (0)1 , ··· ,q ( j )1 ) m −−→ ( r (0)1 , ··· ,r ( j ′ )1 ) q (0)2 ∈ Q (0)2 (( q (0)1 ,q (0)2 ) , ··· ,q ( j )1 ) m −−→ (( r (0)1 ,q (0)2 ) , ··· ,r ( j ′ )1 ) , q (0)1 ∈ Q (0)1 ( q (0)2 , ··· ,q ( j )2 ) m −−→ ( r (0)2 , ··· ,r ( j ′ )2 )(( q (0)1 ,q (0)2 ) , ··· ,q ( j )2 ) m −−→ (( q (0)1 ,r (0)2 ) , ··· ,r ( j ′ )2 ) ,where m = run , done . Γ ⊢ newvar x : = i in M By [23], the semantics of this term is obtained fromthe semantics of J Γ, x ⊢ M K by1. restricting to plays in which the moves read x , write ( n ) x are followed imme-diately by answers,2. selecting those plays in which each answer to a read x -move is consistent withthe preceding write ( n ) x -move (or equal to i , if no write ( n ) x was made),3. erasing all moves related to x , e.g. those of the form m ( x,ρ ) .To implement 1., we will lock the automaton after each read x - or write ( n ) x -move,so that only an answer to that move can be played next. Technically, this will bedone by adding an extra bit (lock) to the level-0 state. To deal with 2., we keeptrack of the current value of x , also at level 0. This makes it possible to ensurethat answers to read x are consistent with the stored value and that write ( n ) x transitions cause the right change. Erasing from condition 3 is implemented byreplacing all moves with the x subscript with ǫ Q , ǫ A -tags.Accordingly, we have Q (0) = ( Q (0)1 + ( Q (0)1 × { lock } )) × { , · · · , max } and Q ( j ) = Q ( j )1 (1 ≤ j ≤ k ). As an example of a transition, we give the transitionrelated to writing: ( q (0)1 , ··· ,q ( j )1 ) write ( z )( x,ρ ) −−−−−−−−→ ( r (0)1 , ··· ,r ( j ′ )1 ) 0 ≤ n,z ≤ max (( q (0)1 ,n ) , ··· ,q ( j )1 ) ǫ Q −−→ (( r (0)1 , lock ,z ) , ··· ,r ( j ′ )1 ) . Γ ⊢ f M h · · · M : com with ( f : θ h → · · · → θ → com ) Here we will need Q (0) = { , , } , Q (1) = { } , Q ( j +2) = P hu =1 Q ( j ) u (0 ≤ j ≤ k ). The first group oftransitions corresponding to calling and returning from f : † run −−→
0, 0 run f −−−→ (1 , , done f −−−−→
2, 2 done −−−→† . Additionally, in state (1 ,
0) we want to enable the en-vironment to spawn an unbounded number of copies of each of Γ ⊢ M u : θ u (1 ≤ u ≤ h ). This is done through rules that embed the actions of the automatafor M u while (possibly) relabelling the moves in line with our convention for rep-resenting moves from game semantics. Such transitions have the general form ( q (0) u , ··· ,q ( j ) u ) m ( t,ρ ) −−−−→ u ( q (0) u , ··· ,q ( j ′ ) u )(1 , ,q (0) u , ··· ,q ( j ) u ) m ( t ′ ,ρ ′ ) −−−−−→ (1 , ,q (0) u , ··· ,q ( j ′ ) u ) . Note that this case also covers f : com ( h = 0).More details and the remaining cases are covered in Appendix D. In Ap-pendix D.2 we give an example of a term and the corresponding LA . ⊓⊔ FICA
In this section we identify a family of
FICA terms that can be translated into
LLA rather than LA . To achieve boundedness at even levels, we remove while .To achieve restricted communication, we will constrain the distance between avariable declaration and its use. Note that in the translation, the application offunction-type variables increases LA depth. So in LFICA we will allow the linkbetween the binder newvar / newsem x and each use of x to “cross” at mostone occurrence of a free variable. For example, the following terms – newvar x := 0 in x := 1 || f ( x := 2), – newvar x := 0 in f ( newvar y in f ( y := 1) || x :=! y )will be allowed, but not newvar x := 0 in f ( f ( x := 1)).To define the fragment formally, given a term Q in βη -normal form, we usea notion of the applicative depth of a variable x : β ( β = var , sem ) inside Q ,written ad x ( Q ) and defined inductively by the table below. The applicative depthis increased whenever a functional identifier is applied to a term containing x .shape of Q ad x ( Q ) x y ( y = x ) , skip , div , i op ( M ) , ! M, release ( M ) , grab ( M ) ad x ( M ) M ; N, M || N, M := N, while M do N max( ad x ( M ) , ad x ( N )) if M then N else N max( ad x ( M ) , ad x ( N ) , ad x ( N )) λy.M , newvar /newsem y := i in M ad x ( M [ z/y ]) , where z is fresh f M · · · M k ad x ( M ) , · · · , ad x ( M k ))Note that in our examples above, in the first two cases the applicative depthof x is 2; and in the third case it is 3. Definition 10 (Local
FICA ). A FICA -term Γ ⊢ M : θ is local if its βη -normalform does not contain any occurrences of while and, for every subterm of thenormal form of the shape newvar / newsem x : = i in N , we have ad x ( N ) ≤ .We write LFICA for the set of local
FICA terms.
Theorem 4.
For any
LFICA -term Γ ⊢ M : θ , the automaton A M obtained fromthe translation in Theorem 3 can be presented as a LLA .Proof (Sketch).
We argue by induction that the constructions from Theorem 3preserve presentability as a
LLA .The case of parallel composition involves running copies of M and M inparallel without communication, with their root states stored as a pair at level 0.Note, though, that each of the automata transitions independently of the stateof the other automaton. In consequence, if the automata M and M are LLA , so The automaton for while M do N may repeatedly visit the automata for M and N ,generating an unbounded number of children at level 0 in the process.eafy automata for higher-order concurrency 17 will be the automaton for M || M . The branching bound after the constructionis the sum of the two bounds for M and M .For Γ ⊢ newvar x := i in M , because the term is in LFICA , so is
Γ, x : var ⊢ M and we have ad x ( M ) ≤
2. Then we observe that in the translation of Theo-rem 3 (
Γ, x : var ⊢ M : θ ) the questions related to x , (namely write ( i ) ( x,ρ ) and read ( x,ρ ) ) correspond to creating leaves at levels 1 or 3, while the correspondinganswers ( ok ( x,ρ ) and i ( x,ρ ) respectively) correspond to removing such leaves. Inthe construction for Γ ⊢ newvar x in M , such transitions need access to the root(to read/update the current state) and the root is indeed within the allowablerange: in an LLA transitions creating/destroying leaves at level 3 can read/writeat level 0. All other transitions (not labelled by x ) proceed as in M and neednot consult the root for additional information about the current state, as itis propagated. Consequently, if M is represented by a LLA then the interpreta-tion of newvar x := i in M is also a LLA . The construction does not affect thebranching bound, because the resultant runs can be viewed as a subset of runsof the automaton for M , i.e. those in which reads and writes are related.For f M h · · · M , we observe that the construction first creates two nodes atlevels 0 and 1, and the node at level 1 is used to run an unbounded number ofcopies of (the automaton for) M i . The copies do not need access to the statesstored at levels 0 and 1, because they are never modified when the copies arerunning. Consequently, if each M i can be translated into a LLA , the outcomeof the construction in Theorem 3 is also a
LLA . The new branching bound isthe maximum over bounds from M , · · · , M h , because at even levels children areproduced as in M i and level 0 produces only 1 child. ⊓⊔ Corollary 1.
For any
LFICA -term Γ ⊢ M : θ , the problem of determining whether comp ( J Γ ⊢ M K ) is empty is decidable. Theorems 1 and 2 imply the above. Thanks to Theorem 1, it is decidable if a
LFICA term is equivalent to a term that always diverges (cf. example on page 4).In case of inequivalence, our results could also be applied to extract the dis-tinguishing context, first by extracting the witnessing trace from the argumentunderpinning Theorem 2 and then feeding it to the Definability Theorem (The-orem 41 [23]). This is a valuable property given that in the concurrent settingbugs are difficult to replicate.
In this section, we show how to represent leafy automata in
FICA . Let A = h Σ, k, Q, δ i be a leafy automaton. We shall assume that Σ, Q ⊆ { , · · · , max } sothat we can encode the alphabet and states using type exp . We will representa trace w generated by A by a play play ( w ), which simulates each transitionwith two moves, by O and P respectively. The child-parent links in D will berepresented by justification pointers. We refer the reader to Appendix F fordetails. Below we just state the lemma that identifies the types that correspondto our encoding, where we write θ max +1 → β for θ → · · · → θ | {z } max +1 → β . Lemma 3.
Let A be a k - LA and w ∈ Tr ( A ) . Then play ( w ) is a play in J θ k K ,where θ = com max +1 → exp and θ i +1 = ( θ i → com ) max +1 → exp ( i ≥ ). Before we state the main result, we recall from [23] that strategies correspondingto
FICA terms satisfy a closure condition known as saturation : swapping twoadjacent moves in a play belonging to such a strategy yields another play fromthe same strategy, as long as the swap yields a play and it is not the case thatthe first move is by O and the second one by P. Thus, saturated strategiesexpress causal dependencies of P-moves on O-moves. Consequently, one cannotexpect to find a
FICA -term such that the corresponding strategy is the smalleststrategy containing { play ( w ) | w ∈ Tr ( A ) } . Instead, the best one can aim for isthe following result. Theorem 5.
Given a k - LA A , there exists a FICA term ⊢ M A : θ k such that J ⊢ M A : θ k K is the smallest saturated strategy containing { play ( w ) | w ∈ Tr ( A ) } .Proof (Sketch). Our assumption Q ⊆ { , · · · , max } allows us to maintain A -states in the memory of FICA -terms. To achieve k -fold nesting, we rely on thehigher-order structure of the term: λf (0) .f (0) ( λf (1) .f (1) ( λf (2) .f (2) ( · · · λf ( k ) .f ( k ) ))).In fact, instead of the single variables f ( i ) , we shall use sequences f ( i )0 · · · f ( i ) max ,so that a question t ( i ) Q read by A at level i can be simulated by using variable f ( i ) t ( i ) Q (using our assumption Σ ⊆ { , · · · , max } ). Additionally, the term containsstate-manipulating code that enables moves only if they are consistent with thetransition function of A . ⊓⊔ We have introduced leafy automata, LA , and shown that they correspond to thegame semantics of Finitary Idealized Concurrent Algol ( FICA ). The automataformulation makes combinatorial challenges posed by the equivalence problemexplicit. This is exemplified by a very transparent undecidability proof of theemptiness problem for LA . Our hope is that LA will allow to discover interestingfragments of FICA for which some variant of the equivalence problem is decid-able. We have identified one such instance, namely local leafy automata (
LLA ),and a fragment of
FICA that can be translated to them. The decidability ofthe emptiness problem for
LLA implies decidability of a simple instance of theequivalence problem. This in turn allows to decide some verification questions asin the example on page 4. Since these types of questions involve quantificationover all contexts, the use of a fully-abstract semantics appears essential to solvethem.The obvious line of future work is to find some other subclasses of LA withdecidable emptiness problem. Another interesting target is to find an automatonmodel for the call-by-value setting, where answers enable questions [2,26]. Itwould also be worth comparing our results with abstract machines [20], theGeometry of Interaction [32], and the π -calculus [7]. eafy automata for higher-order concurrency 19 References
1. Abramsky, S., Ghica, D.R., Murawski, A.S., Ong, C.H.L.: Applying game semanticsto compositional software modelling and verification. In: Proceedings of TACAS,Lecture Notes in Computer Science, vol. 2988, pp. 421–435. Springer-Verlag (2004)2. Abramsky, S., McCusker, G.: Call-by-value games. In: Proceedings of CSL. LectureNotes in Computer Science, vol. 1414, pp. 1–17. Springer-Verlag (1997)3. Abramsky, S., McCusker, G.: Linearity, sharing and state: a fully abstract gamesemantics for Idealized Algol with active expressions. In: O’Hearn, P.W., Tennent,R.D. (eds.) Algol-like languages, pp. 297–329. Birkha¨user (1997)4. Abramsky, S., McCusker, G.: Game semantics. In: Schwichtenberg, H., Berger, U.(eds.) Logic and Computation. Springer-Verlag (1998), proceedings of the NATOAdvanced Study Institute, Marktoberdorf5. Aiswarya, C., Gastin, P., Kumar, K.N.: Verifying communicating multi-pushdownsystems via split-width. In: Automated Technology for Verification and Analysis -12th International Symposium, ATVA 2014. Lecture Notes in Computer Science,vol. 8837, pp. 1–17. Springer (2014)6. Bakewell, A., Ghica, D.R.: On-the-fly techniques for games-based software modelchecking. In: Proceedings of TACAS, Lecture Notes in Computer Science, vol. 4963,pp. 78–92. Springer (2008)7. Berger, M., Honda, K., Yoshida, N.: Sequentiality and the pi-calculus. In: Proceed-ings of TLCA, Lecture Notes in Computer Science, vol. 2044, pp. 29–45. Springer-Verlag (2001)8. Bj¨orklund, H., Boja´nczyk, M.: Shuffle expressions and words with nested data. In:Proceedings of MFCS. Lecture Notes in Computer Science, vol. 4708, pp. 750–761(2007)9. Bj¨orklund, H., Schwentick, T.: On notions of regularity for data languages. Theor.Comput. Sci. (4-5), 702–715 (2010)10. Boja´nczyk, M., David, C., Muscholl, A., Schwentick, T., Segoufin, L.: Two-variablelogic on data words. ACM Trans. Comput. Log. (4), 27:1–27:26 (2011)11. Castellan, S., Clairambault, P., Rideau, S., Winskel, G.: Games and strategies asevent structures. Logical Methods in Computer Science (3) (2017)12. Cotton-Barratt, C., Hopkins, D., Murawski, A.S., Ong, C.L.: Fragments of MLdecidable by nested data class memory automata. In: Proceedings of FOSSACS.Lecture Notes in Computer Science, vol. 9034, pp. 249–263. Springer (2015)13. Cotton-Barratt, C., Murawski, A.S., Ong, C.L.: ML, visibly pushdown class mem-ory automata, and extended branching vector addition systems with states. ACMTrans. Program. Lang. Syst. (2), 11:1–11:38 (2019)14. Cotton-Barratt, C., Murawski, A.S., Ong, C.L.: Weak and nested class memoryautomata. In: Proceedings of LATA. LNCS, vol. 8977, pp. 188–199. Springer (2015)15. Czerwi´nski, W., Lasota, S., Lazic, R., Leroux, J., Mazowiecki, F.: The reachabilityproblem for Petri nets is not elementary. In: Proceedings of STOC. pp. 24–33.ACM (2019)16. Decker, N., Habermehl, P., Leucker, M., Thoma, D.: Ordered navigation on multi-attributed data words. In: Proceedings of CONCUR. LNCS, vol. 8704, pp. 497–511.Springer (2014)17. Dimovski, A., Ghica, D.R., Lazic, R.: A counterexample-guided refinement tool foropen procedural programs. In: Proceedings of SPIN. Lecture Notes in ComputerScience, vol. 3925, pp. 288–292. Springer-Verlag (2006)0 A. Dixon, R. Lazi´c, A. S. Murawski and I. Walukiewicz18. Dimovski, A.S.: Symbolic game semantics for model checking program families.In: Proceedings of SPIN. Lecture Notes in Computer Science, vol. 9641, pp. 19–37.Springer (2016)19. Dimovski, A.S.: Probabilistic analysis based on symbolic game semantics andmodel counting. In: Proceedings of GandALF. EPTCS, vol. 256, pp. 1–15 (2017)20. Fredriksson, O., Ghica, D.R.: Abstract machines for game semantics, revisited. In:Proceedings of LICS. pp. 560–569 (2013)21. Ghica, D.R., McCusker, G.: Reasoning about Idealized Algol using regular expres-sions. In: Proceedings of ICALP, Lecture Notes in Computer Science, vol. 1853,pp. 103–115. Springer-Verlag (2000)22. Ghica, D.R., Murawski, A.S.: Compositional model extraction for higher-order con-current programs. In: Proceedings of TACAS, Lecture Notes in Computer Science,vol. 3920, pp. 303–317. Springer (2006)23. Ghica, D.R., Murawski, A.S.: Angelic semantics of fine-grained concurrency. Annalsof Pure and Applied Logic , 89–114 (2008)24. Ghica, D.R., Murawski, A.S., Ong, C.H.L.: Syntactic control of concurrency. The-oretical Computer Science pp. 234–251 (2006)25. Hague, M.: Saturation of concurrent collapsible pushdown systems. In: Proceedingsof FSTTCS. LIPIcs, vol. 24, pp. 313–325. Schloss Dagstuhl - Leibniz-Zentrum f¨urInformatik (2013)26. Honda, K., Yoshida, N.: Game-theoretic analysis of call-by-value computation.Theoretical Computer Science (1–2), 393–456 (1999)27. Hopkins, D., Murawski, A.S., Ong, C.H.L.: Hector: An Equivalence Checker for aHigher-Order Fragment of ML. In: Proceedings of CAV, Lecture Notes in Com-puter Science, vol. 7358, pp. 774–780. Springer (2012)28. Hopkins, D., Ong, C.H.L.: Homer: A Higher-order Observational equivalence ModelcheckER. In: Proceedings of CAV, Lecture Notes in Computer Science, vol. 5643,pp. 654–660. Springer (2009)29. Kiefer, S., Murawski, A.S., Ouaknine, J., Wachter, B., Worrell, J.: APEX: AnAnalyzer for Open Probabilistic Programs. In: Proceedings of CAV, Lecture Notesin Computer Science, vol. 7358, pp. 693–698. Springer (2012)30. Kobayashi, N., Igarashi, A.: Model-checking higher-order programs with recursivetypes. In: Proceedings of ESOP. Lecture Notes in Computer Science, vol. 7792, pp.431–450. Springer (2013)31. La Torre, S., Madhusudan, P., Parlato, G.: Reducing context-bounded concurrentreachability to sequential reachability. In: Proceedings of CAV. Lecture Notes inComputer Science, vol. 5643, pp. 477–492. Springer (2009)32. Lago, U.D., Tanaka, R., Yoshimizu, A.: The geometry of concurrent interaction:handling multiple ports by way of multiple tokens. In: Proceedings of LICS. pp.1–12 (2017)33. Leroux, J., Schmitz, S.: Reachability in vector addition systems is primitive-recursive in fixed dimension. In: Proceedings of LICS. pp. 1–13. IEEE (2019)34. Minsky, M.L.: Computation: Finite and Infinite Machines. Prentice-Hall (1967)35. Murawski, A.S.: Games for complexity of second-order call-by-name programs.Theoretical Computer Science , 207–236 (2005)36. Murawski, A.S., Ramsay, S.J., Tzevelekos, N.: Game semantic analysis of equiv-alence in IMJ. In: Proceedings of ATVA. Lecture Notes in Computer Science,vol. 9364, pp. 411–428. Springer (2015)37. Murawski, A.S., Tzevelekos, N.: An invitation to game semantics. SIGLOG News (2), 56–67 (2016)eafy automata for higher-order concurrency 2138. Murawski, A.S., Walukiewicz, I.: Third-order Idealized Algol with iteration is de-cidable. Theoretical Computer Science (2-3), 214–229 (2008)39. Ong, C.H.L.: Observational equivalence of 3rd-order Idealized Algol is decidable.In: Proceedings of IEEE Symposium on Logic in Computer Science. pp. 245–256.Computer Society Press (2002)40. Qadeer, S., Rehof, J.: Context-bounded model checking of concurrent software. In:Proceedings of TACAS. Lecture Notes in Computer Science, vol. 3440, pp. 93–107.Springer (2005)41. Ramalingam, G.: Context-sensitive synchronization-sensitive analysis is un-decidable. ACM Trans. Program. Lang. Syst. (2), 416–430 (2000).https://doi.org/10.1145/349214.349241, https://doi.org/10.1145/349214.34924142. Reynolds, J.C.: The essence of Algol. In: de Bakker, J.W., van Vliet, J. (eds.)Algorithmic Languages, pp. 345–372. North Holland (1978)43. Schwentick, T.: Automata for XML - A survey. J. Comput. Syst. Sci. (3), 289–315 (2007) A Additional material for Section 2
A.1 Operational semantics of
FICA
The operational semantics is defined using a (small-step) transition relation
V ⊢
M, s −→ M ′ , s ′ , where V is a set of variable names denoting active memory cells and semaphore locks . s, s ′ are states, i.e. functions s, s ′ : V → { , · · · , max } , and M, M ′ are terms. We write s ⊗ ( v i ) for the state obtained by augmenting s with ( v i ), assuming v dom ( s ). The basic reduction rules are givenin Figure 2, where c stands for any language constant ( i or skip ) and c op : { , · · · , max } → { , · · · , max } is the function corresponding to op . In-contextreduction is given by the schemata: V , v ⊢ M [ v/x ] , s ⊗ ( v i ) −→ M ′ , s ′ ⊗ ( v i ′ ) M = c V ⊢ newvar x := i in M, s −→ newvar x := i ′ in M ′ [ x/v ] , s ′ V , v ⊢ M [ v/x ] , s ⊗ ( v i ) −→ M ′ , s ′ ⊗ ( v i ′ ) M = c V ⊢ newsem x := i in M, s −→ newsem x := i ′ in M ′ [ x/v ] , s ′ V ⊢
M, s −→ M ′ , s ′ V ⊢ E [ M ] , s −→ E [ M ′ ] , s ′ where reduction contexts E [ − ] are produced by the grammar: E [ − ] ::= [ − ] | E ; N | ( E || N ) | ( M || E ) | E N | op ( E ) | if E then N else N | ! E | E := m | M := E | grab ( E ) | release ( E ) . ⊢ M : com is said to terminate, written M ⇓ , if ∅ ⊢ ∅ , M −→ ∗ ∅ , skip .Idealized Concurrent Algol [23] also features variable and semaphore con-structors, called mkvar and mksem respectively, which play a technical rolein the full abstraction argument, similarly to [3]. We omit them in the mainbody of the paper, because they do not present technical challenges, but theyare covered in the Appendix for the sake of completeness. V ⊢ skip || skip , s −→ skip , s V ⊢ if i then N else N , s −→ N , s, i = 0 V ⊢ skip ; c, s −→ c, s V ⊢ if then N else N , s −→ N , s V ⊢ op ( i ) , s −→ c op ( i ) , s V ⊢ ( λx.M ) N, s −→ M [ N/x ] , s V ⊢ newvar x := i in c, s −→ c, s V ⊢ ! v, s ⊗ ( v i ) −→ i, s ⊗ ( v i ) V ⊢ newsem x := i in c, s −→ c, s V ⊢ v := i ′ , s ⊗ ( v i ) −→ skip , s ⊗ ( v i ′ ) V ⊢ grab ( v ) , s ⊗ ( v −→ skip , s ⊗ ( v V ⊢ release ( v ) , s ⊗ ( v i ) −→ skip , s ⊗ ( v , i = 0 V ⊢ while M do N, s −→ if M then ( N ; while M do N ) else skip , s Fig. 2: Reduction rules for
FICA
Typing rules Γ ⊢ M : exp → com Γ ⊢ N : exp Γ ⊢ mkvar ( M, N ) : var Γ ⊢ M : com Γ ⊢ N : com Γ ⊢ mksem ( M, N ) : sem
Reduction rules
V ⊢ ( mkvar ( M, N )) := M ′ , s −→ M M ′ , s V ⊢ !( mkvar ( M, N ) , s −→ N, s
V ⊢ grab ( mksem M N ) , s −→ M, s
V ⊢ release ( mksem M N ) , s −→ N, sη rules for var , sem M −→ mkvar (( λx exp .M := x ) , ! M ) M −→ mksem ( grab ( M ) , release ( M ))Using mkvar and mksem , one can define div θ as syntactic sugar using div = div com only. div θ = div θ = comdiv ; 0 θ = expmkvar ( λx exp . div , div exp ) θ = varmksem ( div , div ) θ = sem λx θ . div θ θ = θ → θ B Additional material for Section 4
B.1 Proof of Lemma 2
We proceed by reducing from the halting problem for deterministic two-countermachines [34, pp. 255–258].The input to the halting problem is a deterministic two-counter machine C = ( Q C , q , q F , T ), where Q C is the set of states, q , q F ∈ Q C are the initial eafy automata for higher-order concurrency 23 and final states respectively, and T : Q C \ { q F } → ( INC ∪ JZDEC ) is the stepfunction. Steps in
INC are of the form ( i, q ′ ) ∈ { , } × Q C (increment counter i and go to state q ′ ). Steps in JZDEC are of the form ( i, q ′ , q ′′ ) ∈ { , }× Q C × Q C (ifcounter i is zero then go to state q ′ ; else decrement counter i and go to state q ′′ ).The question is whether, starting from q with both counters zero, C eventuallyreaches q F with both counters zero.We first construct a 1- LA that recognises the language of all data words suchthat: – the underlying word (i.e., the projection onto the finite alphabet) encodes apath through the transition relation of C from the initial state to the finalstate, in other words a pseudo-run where the non-negativity of counters andthe correctness of zero tests are ignored; – the occurrences of the letters that encode increments and decrements of C form pairs that are labelled by the same level-1 data values, where eachincrement is earlier than the corresponding decrement, which assuming thatboth counters are zero initially ensures their non-negativity throughout thepseudo-run and their being zero finally.The second 1- LA is slightly more complex. It accepts data words that havethe same properties as those accepted by the first 1- LA , and in addition: – there exists some increment followed by a zero test of the same counter beforea decrement with the same data value has occurred, in other words there isat least one incorrect zero test in the pseudo-run.The two sets of accepted traces will be equal if and only if all pseudo-runsthat satisfy the initial, non-negativity and final conditions necessarily containsome incorrect zero test, i.e. if and only if C does not halt as required. We givethe formal construction below.The two LAs we compute are A ( C ) = h Σ, , Q, δ i and A ( C ) = h Σ, , Q, δ i .The alphabet, Σ = Σ Q ∪ Σ A , is defined as follows: Σ Q = { start , inc , inc , zero , zero } Σ A = { end , dec , dec , zero ′ , zero ′ } Traces of A ( C ) and A ( C ) represent pseudo-runs of C , i.e. sequences of stepsof the machine. Aside from start and end , each letter in the trace correspondsto the machine performing either an INC step ( inc ), the “then” of a
JZDEC step( zero ), or the “else” of a
JZDEC step ( dec ). The zero ′ transition is a necessitywhich allows us to erase leaves added by zero . Each of inc , dec , zero , zero ′ hastwo variants which encode i , the counter number in the corresponding step. Wewill say that two letters match if they have the same data value.By construction A ( C ) will accept exactly the traces with the following prop-erties, which correspond to the high-level description of our first 1- LA : – The first letter in the trace is start and the last is a matching end . – For each occurrence of inc i , there is a matching dec i later in the trace. – For each occurrence of zero i , there is a matching zero ′ i later in the trace. – The letters in the trace (excluding start and end ) form a sequence ( a , . . . , a n − );there exists some sequence of states ( s , . . . , s n ) ∈ Q n +1 C such that for all i ∈ (0 , . . . , n − s i +1 appears as the second or third component of T ( s i ),and a i is a step which may be performed at state s i (irrespective of countervalues).The state space of the root, Q (0) = Q C ×{◦ , ⋆, , } , comprises pairs where thefirst component corresponds to a state of C and the second tracks an observationof some invalid sequence. The second component is only used in A ( C ). Wedenote the pair at the root by square brackets. The states of the leaves at level1 are Q (1) = S (cid:8) { i, i , i⋆ } (cid:12)(cid:12) i ∈ { , } (cid:9) , where 0 i denotes a temporary leafgenerated by zero i , i denotes a counter, and i⋆ denotes a counter being observedin A ( C ).The transition function δ of A ( C ) is defined as follows. † start −−−→ [ q , ◦ ] [ q F , ◦ ] end −−→ † q INC −−→ ( i, q ′ ) ∈ T [ q, ◦ ] inc i −−→ ([ q ′ , ◦ ] , i ) q JZDEC −−−−→ ( i, q ′ , q ′′ ) ∈ T ([ q, ◦ ] , i ) dec i −−→ [ q ′′ , ◦ ] [ q, ◦ ] zero i −−−→ ([ q ′ , ◦ ] , i ) q ∈ Q C ([ q, ◦ ] , i ) zero ′ i −−−→ [ q, ◦ ]By construction A ( C ) accepts exactly those traces of A ( C ) where at leastone zero i letter occurs in between an inc i letter and the matching letter dec i .In other words, the “then” of a JZDEC step has been taken while the counterwas nonzero. This is not a legal step, and so such a trace does not representa computation of C . This implements the high-level description of our second1- LA .In order to accept a word, A ( C ) must change the second component of theroot’s state from ⋆ to ◦ . It does this by nondeterministically choosing to observesome inc transition. From here, it proceeds as in A ( C ) until either it meets thematching dec , in which case the automaton rejects, or it meets an ifz transitionon the same counter, at which point it marks the second component with ◦ andproceeds as in A ( C ).The transition function δ of A ( C ) is defined as follows: † start −−−→ [ q , ⋆ ] [ q F , ◦ ] end −−→ † q INC −−→ ( i, q ′ ) ∈ T x ∈ {◦ , ⋆, , } [ q, x ] inc i −−→ ([ q ′ , x ] , i ) [ q, ⋆ ] inc i −−→ ([ q, i ] , i⋆ ) q JZDEC −−−−→ ( i, q ′ , q ′′ ) ∈ T x ∈ {◦ , ⋆, , } [ q, x ] zero i −−−→ ([ q ′ , x ] , i ) [ q, i ] zero i −−−→ ([ q ′ , ◦ ] , i ) q ∈ Q C x ∈ {◦ , ⋆, , } ([ q, x ] , i ) zero ′ i −−−→ [ q, x ] eafy automata for higher-order concurrency 25 q JZDEC −−−−→ ( i, q ′ , q ′′ ) ∈ T x ∈ {◦ , ⋆, , } ([ q, x ] , i ) dec i −−→ [ q ′′ , x ] ([ q, ◦ ] , i⋆ ) dec i −−→ [ q ′′ , ◦ ] A ( C ) captures every correctness condition for halting computations of C except the legality of zero steps. Hence, A ( C ) accepts exactly those acceptedtraces of A ( C ) which are not halting computations of C , and so C performs ahalting computation if and only if A ( C ) = A ( C ). C Additional material for Section 5
C.1 Proof of Theorem 2
We present a proof of decidability of the emptiness problem for
LLA , Theorem 2.There are two main steps in the proof. The first step uses a notion of summaryfor some even layer 2 i . This allows to restrict an automaton to first 2 i layers. Thesecond step is a method for computing a summary for layer 2 i from a summaryfor layer 2 i + 2. Summaries
The structure of transitions of
LLA provides a notation of a domain for datavalues. The domain of a data value d ∈ D is the set of data values whoseassociated state may be modified by a transition that adds or removes d , i.e.,when reading a letter annotated by d . dom ( d ) = ( { pred ( d ) , pred ( d ) , d } if d is at an even level { pred ( d ) , pred ( d ) , pred ( d ) , d } if d is at an odd levelDomains give us a notion of independence: Two letters ( t , d ), ( t , d ) are independent if the domains of d and d are disjoint. We remark that if w is a trace of some LLA then every sequence obtained by permuting adjacentindependent letters of w is also a trace of the same LLA ending in the sameconfiguration.Let us fix an k - LLA automaton A = h Σ A , k A , Q A , δ A i , and let b be its even-layer bound.Suppose, on an accepting trace on A , we encounter some data value d ateven layer 2 i . On an accepting trace value d occurs twice: the first occurrencecorresponds to adding d , the second to deleting d . Let w be the part of the tracein between, and including, these two occurrences of d .We can classify letters ( t ′ , d ′ ) in w into one of three categories:1. d -internal , when dom ( d ′ ) is included in the subtree rooted at d ;2. d -external , when dom ( d ′ ) is disjoint from the subtree rooted at d ; d -frontier , when dom ( d ′ ) contains d and its parent.Note that these three categories partition the set of all letters in w . Thefrontier letters are the ones with data value d , as well as those with children of d . The later are from layer 2 i + 1. Letters with data values from bigger layersare either d -internal or d -external.At this point we use branching bound b of the automaton. The number ofchildren of d is bounded by b , and every child of d appears twice in w . Hence,the number of d -frontier letters in w is at most b + 2, counting the letters with d .The d -frontier letters divide w into subwords, giving us a sequence of transi-tions: κ m −−→ κ ′ w −−→ κ m −−→ κ ′ w −−→ . . . κ l m l −−→ κ ′ l w l −−→ κ l +1 m l +1 −−−→ κ ′ l +1 (1)where m , . . . , m l are d -frontier letters; m adds node d while m l +1 deletes d .Configuration κ ′ is the first in which d appears in the tree, so d is a leaf nodein κ ′ . Likewise, κ l is the last configuration in which d appears, as it is removedby m l +1 , so d is a leaf node in κ l +1 .We now use independence properties. Every word w j contains only d -internaland d -external letters. Due to independence, w j is equivalent to some u j v j , with u j containing only d -internal letters of w j and v j containing only the d -externalletters of w j . (Actually u and u l are empty but we do not need to make a casedistinction in the rest of the argument)From here, we can see that the d -internal parts u , · · · , u l of w only interactwith the d -external parts at a bounded number of positions, and those positionsexactly correspond to the frontier transitions m , · · · , m l . Hence, if we couldcharacterize the interactions that can occur at level 2 i , then we could replacethe sequences of transitions on every u j by a single short-cut transition. Thiswould eliminate the need for levels ≥ i in the automaton.We introduce a notion of a summary to implement the idea of short-cuttransitions. A summary for level 2 i is a function f : { , . . . , l + 1) } → Q i − × Q i − ; for some l ≤ b +1. Intuitively, from some trace w expanded as in Equation1, we can extract f such that f (2 j −
1) is a pair of states labelling pred ( d ) and pred ( d ) in κ j , while f (2 j ) is a pair of states labelling these nodes in κ ′ j . This isonly the intuition because we do not have runs of A at hand to compute f .To formalise the idea of summaries for a given automaton, we will intro-duce the notion of a cut automaton . Intuitively, the behaviour of a cut automa-ton A ↓ (2 i, f ) will represent the behaviours of A contained within some subtreerooted in a data value at layer 2 i .The states and transitions of A ↓ (2 i, f ) are those of A but lifted up so thatlevel 2 i becomes the root level: Q ↓ ( l − i ) = Q ( l ) δ ↓ ( l − i ) Q = δ ( l ) Q δ ↓ ( l − i ) A = δ ( l ) A for l ≥ i + 2The two to layers, 0 and 1, are special as just lifting transitions would makethem stick above the root. Here is also the place where we use the summary f . Q ↓ (0) = Q (2 i ) × dom ( f ) Q ↓ (1) = Q (2 i +1) eafy automata for higher-order concurrency 27 The extra component at layer 0 will be used for layer 1 transitions.Before defining transitions we introduce some notation. For a summary f we write max( dom ( f )) for the maximal element in the domain of f . We use anabbreviated notation for transitions. If f ( j ) = ( q (2 i − , q (2 i − ), and f ( j + 1) =( q ′ (2 i − , q ′ (2 i − ) then we write f ( j ) a −−→ ( f ( j + 1) , q ′ (2 i ) ) instead of ( q (2 i − , q (2 i − ) a −−→ ( q ′ (2 i − , q ′ (2 i − , q ′ (2 i ) ) . Transitions at levels 0 and 1 are adaptations of those of levels 2 i and 2 i + 1in the original automaton. A node that was at level 2 i is now the root so ithas no predecessors anymore. The initial and final moves of A ↓ (2 i, f ) create anddestroy the root. They use f to predict what are states of predecessors in acorresponding move of A . δ ↓ (0) Q contains † a −−→ ( q ′ (2 i ) , f (1) a −−→ ( f (2) , q ′ (2 i ) ) in δ (2 i ) Q δ ↓ (0) A contains ( q, r ) a −−→† if r = max( dom ( f )) − f ( r ) , q ) a −−→ f ( r + 1) in δ (2 i ) A Finally, we have transitions that add and delete nodes on level 1:in δ ↓ (1) Q we have ( q (2 i ) , r ) a −−→ (( q ′ (2 i ) , r + 2) , q ′ (2 i +1) )if ( f ( r ) , q (2 i ) ) a −−→ ( f ( r + 1) , q ′ (2 i ) , q ′ (2 i +1) ) ∈ δ (2 i +1) Q in δ ↓ (1) A we have (( q (2 i ) , r ) , q (2 i +1) ) a −−→ (( q ′ (2 i ) , r + 2))if ( f ( r ) , q (2 i ) , q (2 i +1) ) a −−→ ( f ( r + 1) , q ′ (2 i ) ) ∈ δ (2 i +1) A We can now formally define the set of summaries for an even layer 2 i : Summary ( A , i ) = { f : A ↓ (2 i, f ) accepts some trace } The next step is to define an automaton that uses such a set of summaries.The idea is that when a node of layer 2 i is created it is assigned a summaryfrom the set of summaries. Then all moves below this node are simulated byconsulting this summary. So we will never need layers below 2 i .Let S be a set of summaries at level 2 i . We will now define A ↑ (2 i, S ). It willbe (2 i + 1)- LLA automaton. The states and transitions of A ↑ (2 i, S ) are exactlythe states and transitions of A for levels 0 to 2 i −
1. The set of states at level 2 i is Q (2 i ) = { ( f, r ) : f ∈ S , r ∈ dom ( f ) } . So a state at layer 2 i is a summary function and a use counter indicating thepart of the summary that has been used.For technical reasons we will also need one state at layer 2 i + 1. We set Q (2 i +1) = {•} . The transitions δ ↑ (2 i ) Q and δ ↑ (2 i ) A are defined as follows.in δ ↑ (2 i ) Q we have f (1) a −−→ ( f (2) , ( f, f ∈ S in δ ↑ (2 i ) A we have ( f ( r ) , ( f, r )) a −−→ f ( r + 1) if r = max( dom ( f )) − i , the automatonguesses a summary and sets the summary’s use counter to 3. It is 3 and not 1because the first two values of f are used for the creation of the node. The nodecan be deleted once this bounded counter value is maximal.Finally, we define the transitions in δ ↑ (2 i +1) Q and δ ↑ (2 i +1) A :In δ ↑ (2 i +1) Q we have ( f ( r ) , ( f, r )) a −−→ ( f ( r + 1) , ( f, r + 2) , • )if r < max( dom ( f )) − δ ↑ (2 i +1) A we have ( f ( r ) , ( f, r ) , • ) a −−→ ( f ( r ) , ( f, r ))if r = max( dom ( f )) − δ ↑ (2 i +1) A provides transitions for deleting children at layer2 i + 1. No other transitions are applicable at this point. Once there are nochildren, the root can be removed by a δ ↑ (2 i ) A transition.The next lemma states formally the relation between the two automata wehave introduced and the original one. Recall that A ↓ is used to define a set ofsummaries. The lemma is proved by stitching runs of A ↑ and A ↓ . Lemma 4.
For every k -level automaton A and level i < k , A accepts a traceiff A ↑ (2 i, Summary ( A , i )) accepts a trace. The next lemma shows how to use summaries of level 2 i + 1 to computesummaries at level 2 i . Lemma 5.
Take a summary f of some level i , and consider B = A ↓ (2 i, f ) .Then B accepts some trace iff B ↑ (2 , Summary ( A , i + 2)) accepts some trace.Proof. Follows from
Summary ( A , i + 2) = Summary ( B ,
2) and the previouslemma.The lemma reduces the task of computing summaries to checking emptinessof automata with 3 layers. In the next subsection we show how to reduce the laterproblem to the reachability problem in VASS. With this lemma we can compute
Summary ( A , i ) inductively. Once we compute Summary ( A , A ↑ (2 , Summary ( A , eafy automata for higher-order concurrency 29 Computing summaries
We compute
Summary ( A , i ) assuming that we know Summary ( A , i + 2). Forthis we use Lemma 5. We reduce testing emptiness of B ↑ (2 , Summary ( A , i +2)) from that lemma to VASS reachability. Since presenting a VASS directlywould be quite unreadable, we present a nondeterministic program that willuse variables ranging over bounded domains and some fixed set of non-negativecounters. By construction, every counter will be tested for 0 only at the end of thecomputation. This structure allows us to emulate our nondeterministic programin a VASS, such that acceptance by the program is equivalent to reachability ofa particular configuration in the VASS.We fix a summary b f of level 2 i . Observe that the number of summaries atlevel 2 i is bounded, and so it is sufficient to check whether a given candidatesummary b f is a valid summary.The variables of the program are as follows: b r ∈ dom ( b f ) state ∈ Q i ∪ {⊥} state [ j ] ∈ Q i +1 ∪ {⊥ , ⊤} j ∈ { , . . . , b } children [ j, f, r ] ∈ N f summary at level (2 i + 2), r ∈ dom ( f )Intuitively, state and b r represent a state from Q (0) of B ↑ (2 , Summary ( A , i + 2)).The initial configuration is empty so state = ⊥ . Variable state [ j ], represents thestate of j -th child of the root. By boundedness, the root can have at most b chil-dren. Value state [ j ] = ⊥ means that the child has not yet been yet created, and state [ j ] = ⊤ that the child has been deleted. Counter children [ j, f, r ] indicatesthe number of children of the j -th child of the root with a particular summary f of level 2 i + 2 and usage counter r .Following these intuitions the initial values of the variables are b r = 1, state = ⊥ , state [ j ] = ⊥ for every j , and children [ j, f, r ] = 0 for every j , f and r .The program TEST ( b f ) we are going to write is a set of rules that are executednondeterministically. Either the program will eventually accept , or it will blockwith no further rules that can be applied. We later show that the program hasan accepting run for b f iff b f ∈ Summary ( A , i ). The rules of the program refer totransitions of A and simulate the definition of B ↑ (2 , Summary ( A , i + 2)) fromLemma 5. They are defined as follows. Initializing the root
We have a rule if state = ⊥ then state = q ′ (2 i ) b r = 3for every transition f (1) a −−→ ( f (2) , q ′ (2 i ) ) in δ (2 i ) Q . Removing the root and accepting.
The program is able to accept when it hascompleted all of its interaction with the outside world. Observe that this is theonly time that the counters are tested for zero. Since this occurs at the end ofthe program, it can be easily checked by VASS reachability. if state = q (2 i ) b r = max( dom ( b f )) − ∀ j : state [ j ] = ⊤∀ ( j, f, r ) : children [ j, f, r ] = 0 then accept for every ( f ( b r ) , q (2 i ) ) a −−→ f ( b r + 1) in δ (2 i ) A . Adding a node at level i + 1 . We ensure that we are in the correct state andensure that the summary we are testing aligns with some transition from theautomaton. if state = q (2 i ) b f ( b r ) = ( q (2 i − , q (2 i − ) b f ( b r + 1) = ( q ′ (2 i − , q ′ (2 i − ) b r + 2 < max( dom ( b f )) ∃ j : state [ j ] = ⊥ then state := q ′ (2 i ) state [ j ] := q ′ (2 i +1) b r = b r + 2for every transition( q (2 i − , q (2 i − , q (2 i ) ) t −→ ( q ′ (2 i − , q ′ (2 i − , q ′ (2 i ) , q ′ (2 i +1) ) ∈ δ (2 i +1) Q Removing a node at level i + 1 . We delete a child according to some transitionfrom δ (2 i +1) Q . While the zero test (ensuring j is a leaf) is not performed heredirectly, no further operations will be made on children counters of this childand hence the zero test performed at the end of the simulation does the job. if state = q (2 i ) b f ( b r ) = ( q (2 i − , q (2 i − ) b f ( b r + 1) = ( q ′ (2 i − , q ′ (2 i − ) b r + 2 < max( dom ( b f )) ∃ j : state [ j ] = q (2 i +1) then state := q ′ (2 i ) state [ j ] := ⊤ b r = b r + 2 eafy automata for higher-order concurrency 31 for every transition( q (2 i − , q (2 i − , q (2 i ) , q (2 i +1) ) t −→ ( q ′ (2 i − , q ′ (2 i − , q ′ (2 i ) ) ∈ δ (2 i +1) A Adding a node at level i + 2 . Firstly we ensure that there is some child j wheresuch a node can be appended. We simulate creation of a child by nondeterministi-cally choosing a summary and increasing the corresponding unbounded counter.Index 3 in children [ j, f,
3] means that this child is after the first interaction withits ancestors at levels 2 i and 2 i + 1, that happened at its creation. if state = q (2 i ) ∃ j : state [ j ] = q (2 i +1) then state = q ′ (2 i ) state [ j ] = q ′ (2 i +1) children [ j, f,
3] += 1for some f ∈ Summary (2 i + 2) s.t. f (1) = ( q (2 i ) , q (2 i +1) ) and f (2) = ( q ′ (2 i ) , q ′ (2 i +1) ) Progressing a child at level i + 2 . We identify an appropriate child j which itselfhas a child in state ( f, r ). We use the test r + 2 < max( dom ( f )) to ensure thatthe last interaction of the node is reserved for deletion of our root node. if state = q (2 i ) ∃ ( j, f, r ) : state [ j ] = q (2 i +1) and f ( r ) = ( q (2 i ) , q (2 i +1) )and f ( r + 1) = ( q ′ (2 i ) , q ′ (2 i +1) )and ( r + 2) < max( dom ( f ))and children [ j, f, r ] ≥ then state := q ′ (2 i ) state [ j ] := q ′ (2 i +1) children [ j, f, r + 2] += 1 children [ j, f, r ] -= 1Observe that the test children [ j, f, r ] ≥ children [ j, f, r ] -= 1 in the statement that follows. Removing a node at level i +2 . We find a child which has completed its summaryto the point that it can now be removed. We use the last values in f to determine how to remove the node. if state = q (2 i ) ∃ ( j, f, r ) : state [ j ] = q (2 i +1) and f ( r ) = ( q (2 i ) , q (2 i +1) )and f ( r + 1) = ( q ′ (2 i ) , q ′ (2 i +1) )and ( r + 1) = max( dom ( f ))and children [ j, f, r ] ≥ then state := q ′ (2 i ) state [ b ] := q ′ (2 i +1) children [ j, f, r ] -= 1 Lemma 6.
Program
TEST ( b f ) accepts iff b f ∈ Summary ( A , i ) .Proof. By definition, b f ∈ Summary ( A , i ) if automaton B = A ↓ (2 i, b f ) acceptsa trace. By Lemma 5 this is equivalent to B ↑ (2 , Summary ( A , i + 2)) acceptingsome trace. It can be checked that the instructions of TEST ( b f ) correspond one-to-one to transitions of B ↑ (2 , Summary ( A , i + 2)). So an accepting run of TEST ( b f )can be obtained from a trace accepted by B ↑ (2 , Summary ( A , i + 2)), and viceversa. D Additional material for Section 6
D.1 Proof of Theorem 3
Because every
FICA -term can be converted to βη -normal form, we use inductionon the structure of such normal forms. The base cases are: – Γ ⊢ skip : com : Q (0) = { } , † run −−→
0, 0 done −−−→† ; – Γ ⊢ div com : com : Q (0) = { } , † run −−→ – Γ ⊢ div θ : θ : Q (0) = { } , † m −−→
0, assuming θ = θ l → · · · → θ → β and m ranges over question-moves from M J β K ; – Γ ⊢ i : exp : Q (0) = { } , † q −−→
0, 0 i −−→† .Observe that they are clearly even-ready, because only one node is ever created.The remaining cases are inductive. Note that we will use m to range over T Γ ⊢ θ + { ǫ Q , ǫ A } , i.e. not only M J Γ ⊢ θ K , and recall our convention that m ∈ M J Γ ⊢ θ K stands for m ( ǫ, .When referring to the inductive hypothesis, i.e. the automaton constructedfor some subterm M i , we will use the subscript i to refer to its components,e.g. Q ( j ) i , m −−→ i etc. In contrast, we shall use Q ( j ) , m −−→ to refer to the automatonthat is being constructed. The construction will often use inference linesto indicate that the transitions listed under the line should be added to the eafy automata for higher-order concurrency 33 new automaton as long as the transitions listed above the line are present inan automaton given by the inductive hypothesis. Sometimes we will invoke theinductive hypothesis for several terms, which can provide several automata ofdifferent depths. Without loss of generality, we will then assume that they allhave the same depth k , because an automaton of lower depth can be viewed asone of higher depth. – Γ ⊢ op ( M ) : exp : Q ( j ) = Q ( j )1 (0 ≤ j ≤ k ). In order to interpret unaryoperators it suffices to modify transitions carrying the final answer in theautomaton for M . Formally, this is done as follows.( q (0)1 , · · · , q ( j )1 ) m −−→ ( r (0)1 , · · · , r ( j ′ )1 ) m = i ( q (0)1 , · · · , q ( j )1 ) m −−→ ( r (0)1 , · · · , r ( j ′ )1 ) q (0)1 i −−→ † q (0)1 c op ( i ) −−−→† Above, j ranges over {− , , · · · , k } , so that ( q (0)1 , · · · , q ( j )1 ) can also stand for † . Even-readiness is preserved by the construction, because the configurationgraph of the original automaton is preserved. – Γ ⊢ M || M : com : Q (0) = Q (0)1 × Q (0)2 , Q ( j ) = Q ( j )1 + Q ( j )2 (1 ≤ j ≤ k ).The first group of transitions activate and terminate the two componentsrespectively: † run −−→ q (0)1 † run −−→ q (0)2 † run −−→ ( q (0)1 , q (0)2 ) q (0)1 done −−−→ † q (0)2 done −−−→ † ( q (0)1 , q (0)2 ) done −−−→† . The remaining transitions allow each component to progress.( q (0)1 , · · · , q ( j )1 ) m −−→ ( r (0)1 , · · · , r ( j ′ )1 ) q (0)2 ∈ Q (0)2 m = run , done (( q (0)1 , q (0)2 ) , · · · , q ( j )1 ) m −−→ (( r (0)1 , q (0)2 ) , · · · , r ( j ′ )1 ) q (0)1 ∈ Q (0)1 ( q (0)2 , · · · , q ( j )2 ) m −−→ ( r (0)2 , · · · , r ( j ′ )2 ) m = run , done (( q (0)1 , q (0)2 ) , · · · , q ( j )2 ) m −−→ (( q (0)1 , r (0)2 ) , · · · , r ( j ′ )2 )Even-readiness at even levels different from 0 follows from even-readiness ofthe automata obtained in IH, because the construction simply runs themconcurrently without interaction at these levels. For level 0, we observe that,whenever the root reaches state ( q (0)1 , q (0)2 ), even-readiness of the two au-tomata implies that each of them has removed all nodes below the root, i.e.the root will be a leaf. – Γ ⊢ M ; M : com : Q ( i ) = Q ( i )1 + Q ( i )2 (0 ≤ i ≤ k ). We let the automatonfor M run first (except for the final step done ): † run −−→ q (0)1 † run −−→ q (0)1 ( q (0)1 , · · · , q ( j )1 ) m −−→ ( r (0)1 , · · · , r ( j ′ )1 ) m = done ( q (0)1 , · · · , q ( j )1 ) m −−→ ( r (0)1 , · · · , r ( j ′ )1 ) . Whenever the automaton M can terminate, we pass control to the automa-ton for M via q (0)1 done −−−→ † † run −−→ q (0)2 q (0)2 m −−→ ( r (0)2 , · · · , r ( j ′ )2 ) m = run q (0)1 m −−→ ( r (0)2 , · · · , r ( j ′ )2 )and allow it to continue( q (0)2 , · · · , q ( j )2 ) m −−→ ( r (0)2 , · · · , r ( j ′ )2 ) m = run ( q (0)2 , · · · , q ( j )2 ) m −−→ ( r (0)2 , · · · , r ( j ′ )2 ) . Note that the construction relies crucially on even-readiness of the automa-ton for M , because we move to the automaton for M as soon as theautomaton M arrives at a configuration with level-0 state q (0)1 such that q (0)1 done −−−→ † . Thanks to even-readiness, we can conclude that the root will bethe only node in the configuration then and the transition can indeed fire,i.e. M is really finished.Even-readiness of the new automaton follows from the fact that the originalautomata were even-ready, because we are re-using their transitions (andwhen the automaton for M is active, that for M has not left any nodes). – Γ ⊢ M ; M : β The general case is nearly the same as the com case presented above exceptthat we need to keep track of what initial move has been played in orderto perform the transition to M correctly. This is especially important for β = var , sem , where there are multiple initial moves. This extra informationwill be stored at level 0, while the automaton corresponding to M is active.Below we present a general construction parameterized by the set I of initialmoves. The set I is defined as follows. • β = com : I = { run }• β = exp : I = { q }• β = var : I = { read , write (0) , · · · , write ( max ) }• β = sem : I = { grb , rls } States Q (0) = ( Q (0)1 × I ) + Q (0)2 Q ( i ) = Q ( i )1 + Q ( i )2 (0 < i ≤ k )Transitions † run −−→ q (0)1 x ∈ I † x −−→ ( q (0)1 , x )( q (0)1 , · · · , q ( j )1 ) m −−→ ( r (0)1 , · · · , r ( j ′ )1 ) m = done x ∈ I (( q (0)1 , x ) , · · · , q ( j )1 ) m −−→ (( r (0)1 , x ) , · · · , r ( j ′ )1 ) .q (0)1 done −−−→ † † x −−→ q (0)2 q (0)2 m −−→ ( r (0)2 , · · · , r ( j ′ )2 ) x ∈ I m I ( q (0)1 , x ) m −−→ ( r (0)2 , · · · , r ( j ′ )2 ) eafy automata for higher-order concurrency 35 ( q (0)2 , · · · , q ( j )2 ) m −−→ ( r (0)2 , · · · , r ( j ′ )2 ) m I ( q (0)2 , · · · , q ( j )2 ) m −−→ ( r (0)2 , · · · , r ( j ′ )2 )None of the M ; M cases requires an adjustment of pointers, because theinherited indices are accurate. – Γ ⊢ newvar x := i in M : β . By [23], J Γ ⊢ newvar x := i in M K can beobtained by • first restricting J Γ, x ⊢ M K to plays in which the moves read x , write ( n ) x are followed immediately by answers, • selecting only those plays in which each answer to a read x -move is con-sistent with the preceding write ( n ) x -move (or equal to i , if no preceding write ( n ) x was made), • erasing all moves related to x , e.g. those of the form m ( x,ρ ) .To implement the above recipe, we will lock the automaton after each read x -or write ( n ) x -move, so that only an answer to that move can be played next.Technically, this will be done by annotating the level-0 state with a lock -tag.Moreover, at level 0, we will also keep track of the current value of x . Thiswill help us ensure that answers to read x are consistent with the stored valueand that write ( n ) x transitions cause the right change. Eventually, all moveswith the x subscript will be replaced with ǫ Q , ǫ A to model hiding.Accordingly, we take Q (0) = ( Q (0)1 + ( Q (0)1 × { lock } )) × { , · · · , max } and Q ( j ) = Q ( j )1 (1 ≤ j ≤ k ). First, we make sure that the state component isinitialised to i and that it can be arbitrary at the very end: † m −−→ q (0)1 † m −−→ ( q (0)1 , i ) q (0)1 m −−→ † ≤ n ≤ max ( q (0)1 , n ) m −−→† . Transitions involving moves different from write ( z ) x , ok x , read x , z x (and themoves handled above) progress unaffected while preserving n (the currentvalue of x recorded at level 0):( q (0)1 , · · · , q ( j )1 ) m −−→ ( r (0)1 , · · · , r ( j ′ )1 ) m = read x , z x , write ( z ) x , ok x ≤ j, j ′ ≤ n ≤ max (( q (0)1 , n ) , · · · , q ( j )1 ) m −−→ (( r (0)1 , n ) , · · · , r ( j ′ )1 ) . Transitions using read x , write ( z ) x add a lock at level 0. The lock can belifted only if a corresponding answer is played (because of the lock, a unique write ( z ) x or read x will be pending). Its value must be consistent with thevalue of x recorded at level 0.( q (0)1 , · · · , q ( j )1 ) write ( z ) ( x,ρ ) −−−−−−−−→ ( r (0)1 , · · · , r ( j ′ )1 ) 0 ≤ n, z ≤ max (( q (0)1 , n ) , · · · , q ( j )1 ) ǫ Q −−→ (( r (0)1 , lock , z ) , · · · , r ( j ′ )1 )( q (0)1 , · · · , q ( j )1 ) read ( x,ρ ) −−−−−→ ( r (0)1 , · · · , r ( j ′ )1 ) 0 ≤ n ≤ max (( q (0)1 , n ) , · · · , q ( j )1 ) ǫ Q −−→ (( r (0)1 , lock , n ) , · · · , r ( j ′ )1 )) ( r (0)1 , · · · , r ( j ′ )1 ) ok x −−→ ( t (0)1 , · · · , t ( j )1 ) 0 ≤ n ≤ max (( r (0)1 , lock , n ) , · · · , r ( j ′ )1 ) ǫ A −−→ (( t (0)1 , n ) , · · · , t ( j )1 )( r (0)1 , · · · , r ( j ′ )1 ) n x −−→ ( t (0)1 , · · · , t ( j )1 ) 0 ≤ n ≤ max (( r (0)1 , lock , n ) , · · · , r ( j ′ )1 ) ǫ A −−→ (( t (0)1 , n ) , · · · , t ( j )1 )As the construction involves running the original automaton and transi-tions corresponding to P-answers are not modified, even-readiness followsdirectly from IH. For the same reason, the indices corresponding to justifi-cation pointers need no adjustment. – The case of newsem x := i in M is similar to newvar x := i in M . We rep-resent the state of the semaphore using an additional bit at level 0, where 0means free and 1 means taken. We let Q (0) = ( Q (0)1 + ( Q (0)1 × { lock } )) × { , } and Q ( j ) = Q ( j )1 (1 ≤ j ≤ k ). First, we make sure the bit is initialised to i and can be arbitrary at the very end. † m −−→ q (0)1 i = 0 † m −−→ ( q (0)1 , † m −−→ q (0)1 i > † m −−→ ( q (0)1 , q (0)1 m −−→ † z ∈ { , } ( q (0)1 , z ) m −−→† Transitions involving moves other than rls ( x,ρ ) , grb ( x,ρ ) and ok x proceed asbefore, while preserving the state of the semaphore.( q (0)1 , · · · , q ( j )1 ) m −−→ ( r (0)1 , · · · , r ( j ′ )1 ) z ∈ { , } m = rls ( x,ρ ) , grb ( x,ρ ) , ok x (( q (0)1 , z ) , · · · , q ( j )1 ) m −−→ (( r (0)1 , z ) , · · · , r ( j ′ )1 )Transitions using rls ( x,ρ ) , grb ( x,ρ ) proceed only if they are compatible withthe current state of the semaphore, as represented by the extra bit. At thesame time, each time grb ( x,ρ ) or rls ( x,ρ ) is played, we lock the automatonso that the corresponding answer can be played next. The moves are thenhidden and replaced with ǫ Q and ǫ A .( q (0)1 , · · · , q ( j )1 ) grb ( x,ρ ) −−−−−→ ( r (0)1 , · · · , r ( j ′ )1 )(( q (0)1 , , · · · , q ( j )1 ) ǫ Q −−→ (( r (0)1 , lock , , · · · , r ( j ′ )1 )( q (0)1 , · · · , q ( j )1 ) rls ( x,ρ ) −−−−→ ( r (0)1 , · · · , r ( j ′ )1 )(( q (0)1 , , · · · , q ( j )1 ) ǫ Q −−→ (( r (0)1 , lock , , · · · , r ( j ′ )1 )( r (0)1 , · · · , r ( j ′ )1 ) ok x −−→ ( t (0)1 , · · · , t ( j )1 ) z ∈ { , } (( r (0)1 , lock , z ) , · · · , r ( j ′ )1 ) ǫ A −−→ (( t (0)1 , z ) , · · · , t ( j )1 ) – Γ ⊢ f M h · · · M : com with ( f : θ h → · · · → θ → com ) ∈ Γ . Note that thisalso covers the case f : com . Q (0) = { , , } , Q (1) = { } , Q ( j +2) = Q ( j ) (0 ≤ j ≤ k ). First we add transitions corresponding to calling and returningfrom f : † run −−→
0, 0 run f −−−→ (1 , , done f −−−−→
2, 2 done −−−→† . eafy automata for higher-order concurrency 37 In state (1 ,
0) we want to enable the environment to spawn an unboundednumber of copies of each of Γ ⊢ M u : θ u (1 ≤ u ≤ h ). This is done throughthe following rules, which embed the actions of the automata for M u whilerelabelling the moves. • Moves from M u corresponding to θ u obtain an additional annotation f u ,as they are now the u th argument of f : θ h → · · · → θ → com .( q (0) u , · · · , q ( j ) u ) m ( ~i,ρ ) −−−−→ u ( q (0) u , · · · , q ( j ′ ) u )(1 , , q (0) u , · · · , q ( j ) u ) m ( fu~i,ρ ) −−−−−→ (1 , , q (0) u , · · · , q ( j ′ ) u )Note that above we mean j, j ′ to range over {− , , · · · , k } , so that( q (0) u , · · · , q ( j ) u ) and ( q (0) u , · · · , q ( j ′ ) u ) can also stand for † . The pointerstructure is simply inherited in this case, but an additional pointer needsto be created to run f from the old initial move for M u , i.e. m ( ǫ, , whichdid not have a pointer earlier. Fortunately, because we also use ρ = 0in initial moves to represent the lack of a pointer, by copying 0 now weindicate that the move m fu,ρ points one level up, i.e. at the new run f move, as required. • The moves from M u that originate from Γ , i.e. moves of the form m ( x v ~i,ρ ) (1 ≤ v ≤ l ), where ( x v ∈ θ v ) ∈ Γ , need no relabelling except for questionmoves that should point at the initial move. These moves correspondto question-tags of the form m ( x v ,ρ ) . Leaving ρ unchanged in this casewould mean pointing at m fu, , whereas we need to point at run instead.To readjust such pointers, we simply add 2 to ρ , and preserve ρ in othermoves.( q (0) u , · · · , q ( j ) u ) m ( xv,ρ ) −−−−−→ u ( q (0) u , · · · , q ( j ′ ) u ) m is a question(1 , , q (0) u , · · · , q ( j ) u ) m ( xv,ρ +2) −−−−−−−→ (1 , , q (0) u , · · · , q ( j ′ ) u )( q (0) u , · · · , q ( j ) u ) m ( xv~i,ρ ) −−−−−→ u ( q (0) u , · · · , q ( j ′ ) u ) ~i = ǫ or ( ~i = ǫ and m is an answer)(1 , , q (0) u , · · · , q ( j ) u ) m ( xv~i,ρ ) −−−−−→ (1 , , q (0) u , · · · , q ( j ′ ) u )The construction clearly preserves even-readiness at level 0. For other evenlevels, this follows directly from IH as we are simply running copies of theautomata from IH. – Γ ⊢ f M h · · · M : exp . Here we follow the same recipe as for com exceptthat the initial and final transitions need to be changed from † run −−→ run f −−−→ (1 ,
0) (1 , done f −−−−→ done −−−→† to † q −−→ q f −−→ (1 ,
0) (1 , i f −−→ i i i −−→ † . – Γ ⊢ f M h · · · M : var . Here a slightly more complicated adjustment is neededto account for the two kinds of initial moves. Consequently, we need to dis-tinguish two copies of 1, i.e. 1 r and 1 w . † read −−→ read f −−−→ (1 r ,
0) (1 r , i f −−→ i i i −−→ † . † write ( i ) −−−−→ i i write ( i ) f −−−−−→ (1 w ,
0) (1 w , ok −−→ ok −−→ † . All the other rules allowing for transitions between states of the form (1 , , · · · )need to be replicated for (1 r , , · · · ) and (1 w , , · · · ). – Γ ⊢ f M h · · · M : sem . This is similar to the previous case. To account forthe two kinds of initial moves, we use states 1 g and 1 r . † grb −−→ g g grb f −−−→ (1 g ,
0) (1 g , ok f −−→ g g ok −−→†† rls −−→ r r rls f −−→ (1 r ,
0) (1 r , ok f −−→ r r ok −−→† All the other rules allowing for transitions between states of the form (1 , , · · · )need to be replicated for (1 r , , · · · ) and (1 g , , · · · ). – Γ ⊢ λx.M : θ h → · · · → θ → β : This is simply dealt with by renaminglabels in the automaton for Γ, x : θ h ⊢ M : θ h − → · · · → θ → β : tags ofthe form m ( x~i,ρ ) must be renamed as m ( h~i,ρ ) . – Γ ⊢ if M then M else M : β This case is similar to M ; M except that M of type exp , so the associatedmove is q rather than run . Morever, once M terminates, the automaton foreither M or M must be activated, as appropriate.States Q (0) = ( Q (0)1 × I ) + Q (0)2 + Q (0)3 Q ( i ) = Q ( i )1 + Q ( i )2 + Q ( i )3 (0 < i ≤ k )Transitions † q −−→ q (0)1 x ∈ I † x −−→ ( q (0)1 , x )( q (0)1 , · · · , q ( j )1 ) m −−→ ( r (0)1 , · · · , r ( j ′ )1 ) m
6∈ { , · · · , max } x ∈ I (( q (0)1 , x ) , · · · , q ( j )1 ) m −−→ (( r (0)1 , x ) , · · · , r ( j ′ )1 ) .q (0)1 i −−→ † i > † x −−→ q (0)2 q (0)2 m −−→ ( r (0)2 , · · · , r ( j ′ )2 ) x ∈ I m I ( q (0)1 , x ) m −−→ ( r (0)2 , · · · , r ( j ′ )2 ) q (0)1 0 −−→ † † x −−→ q (0)3 q (0)3 m −−→ ( r (0)3 , · · · , r ( j ′ )3 ) x ∈ I m I ( q (0)1 , x ) m −−→ ( r (0)3 , · · · , r ( j ′ )3 )( q (0)2 , · · · , q ( j )2 ) m −−→ ( r (0)2 , · · · , r ( j ′ )2 ) m I ( q (0)2 , · · · , q ( j )2 ) m −−→ ( r (0)2 , · · · , r ( j ′ )2 ) eafy automata for higher-order concurrency 39 ( q (0)3 , · · · , q ( j )3 ) m −−→ ( r (0)3 , · · · , r ( j ′ )3 ) m I ( q (0)3 , · · · , q ( j )3 ) m −−→ ( r (0)3 , · · · , r ( j ′ )3 )None of the cases requires an adjustment of pointers, because the inheritedindices are accurate. Even-readiness follows directly from IH. – Γ ⊢ while M do M : com :States Q ( j ) = Q ( j )1 + Q ( j )2 ≤ j ≤ k Transitions † q −−→ q (0)1 † run −−→ q (0)1 q (0)1 0 −−→ † q (0)1 done −−−→† ( q (0)1 , · · · , q ( j )1 ) m −−→ ( r (0)1 , · · · , r ( j ′ )1 ) m
6∈ { q , , · · · , max } ( q (0)1 , · · · , q ( j )1 ) m −−→ ( r (0)1 , · · · , r ( j ′ )1 ) q (0)1 i −−→ † i > † run −−→ q (0)2 m −−→ ( r (0)2 , r (1)2 ) m = done q (0)1 m −−→ ( r (0)2 , r (1)2 ) q (0)1 i −−→ † i > † run −−→ q (0)2 done −−−→ † † q −−→ r (0)1 m −−→ ( u (0)1 , u (1)1 ) m
6∈ { , · · · , max } q (0)1 m −−→ ( u (0)1 , u (1)1 ) q (0)1 i −−→ † i > † run −−→ q (0)2 done −−−→ † † q −−→ r (0)1 0 −−→ † q (0)1 done −−−→† — ( q (0)2 , · · · , q ( j )2 ) m −−→ ( r (0)2 , · · · , r ( j ′ )2 ) m
6∈ { run , done } ( q (0)2 , · · · , q ( j )2 ) m −−→ ( r (0)2 , · · · , r ( j ′ )2 ) q (0)2 done −−−→ † † q −−→ q (0)1 m −−→ ( r (0)1 , r (1)1 ) m
6∈ { , · · · , max } q (0)2 m −−→ ( r (0)1 , r (1)1 ) q (0)2 done −−−→ † † q −−→ q (0)1 0 −−→ † q (0)2 done −−−→† q (0)2 done −−−→ † † q −−→ q (0)1 i −−→ † i > † run −−→ r (0)2 m −−→ ( u (0)2 , u (1)2 ) m = done q (0)2 m −−→ ( u (0)2 , u (1)2 )As before, no pointers need adjustment, even-readiness is inherited. – Γ ⊢ ! M : exp To model dereferencing, it suffices to explore the plays that start with read in the automaton for M , the read gets relabelled to q .States Q ( j ) = Q ( j )1 (0 ≤ j ≤ k )Transitions † read −−→ q (0)1 † q −−→ q (0)1 ( q (0)1 , · · · , q ( j )1 ) m −−→ ( r (0)1 , · · · , r ( j ′ )1 ) m = read , write ( i ) , ok ( q (0)1 , · · · , q ( j )1 ) m −−→ ( r (0)1 , · · · , r ( j ′ )1 )Note that the second rule will also handle transitions with the tag i . Nopointer readjustment is needed, as the inherited pointers are accurate. Even-readiness follows from IH. – Γ ⊢ M := M : com For assignment, we first direct the computation into the automaton for M and, depending on the final move i , continue in the automaton for M as if write ( i ) was played. This is similar to M ; M .States Q ( i ) = Q ( i )1 + Q ( i )2 (0 ≤ i ≤ k )Transitions † q −−→ q (0)2 † run −−→ q (0)2 ( q (0)2 , · · · , q ( j )2 ) m −−→ ( r (0)2 , · · · , r ( j ′ )2 ) m
6∈ { , · · · , max } ( q (0)2 , · · · , q ( j )2 ) m −−→ ( r (0)2 , · · · , r ( j ′ )2 ) q (0)2 i −−→ † i ∈ { , · · · , max } † write ( i ) −−−−→ q (0)1 q (0)1 m −−→ ( r (0)1 , · · · , r ( j ′ )1 ) m = ok q (0)2 m −−→ ( r (0)1 , · · · , r ( j ′ )1 )( q (0)1 , · · · , q ( j )1 ) m −−→ ( r (0)1 , · · · , r ( j ′ )1 ) m
6∈ { read , write (0) , · · · , write ( max ) , , · · · , max , ok } ( q (0)1 , · · · , q ( j )1 ) m −−→ ( r (0)1 , · · · , r ( j ′ )1 ) q (0)1 ok −−→ † q (0)1 done −−−→† None of the cases requires an adjustment of pointers, because the inheritedindices are accurate. – Γ ⊢ grab ( M ) : com : Q ( j ) = Q ( j )1 (0 ≤ j ≤ k ). Here we simply need todirect the automaton to perform the same transitions as M would, startingfrom grb . At the same time, grb and the corresponding answer ok have to berelabelled as run and done respectively. † grb −−→ q (0)1 † run −−→ q (0)1 ( q (0)1 , · · · , q ( j )1 ) m −−→ ( r (0)1 , · · · , r ( j ′ )1 ) m = grb , rls , ok ( q (0)1 , · · · , q ( j )1 ) m −−→ ( r (0)1 , · · · , r ( j ′ )1 ) q (0)1 ok −−→ † q (0)1 done −−−→† eafy automata for higher-order concurrency 41 – Γ ⊢ release ( M ) : com : Q ( j ) = Q ( j )1 (0 ≤ j ≤ k ). Here we simply need todirect the automaton to perform the same transitions as M would, startingfrom rls . At the same time, rls and the corresponding answer ok have to berelabelled as run and done respectively. † rls −−→ q (0)1 † run −−→ q (0)1 ( q (0)1 , · · · , q ( j )1 ) m −−→ ( r (0)1 , · · · , r ( j ′ )1 ) m = grb , rls , ok ( q (0)1 , · · · , q ( j )1 ) m −−→ ( r (0)1 , · · · , r ( j ′ )1 ) q (0)1 ok −−→ † q (0)1 done −−−→† – Γ ⊢ mkvar ( M , M ) : var . Recall that Γ ⊢ M : exp → com . Because weare using terms in normal form M = λx exp .M ′ . For 0 ≤ i ≤ max , consider N i = M ′ [ i/x ], which is of smaller size than M . Let us apply IH to N i andwrite Q ( j )1 i and −−→ i for components of the resultant automaton.Let Q ( j ) = P max i =0 Q ( j )1 i + Q ( j )2 (0 < j ≤ k ). In this case, after write ( i ) we redi-rect transitions to the automaton for N i , and after read - to M , relabellingthe initial and final moves as appropriate. † run −−→ i q (0)1 i ≤ i ≤ max † write ( i ) −−−−→ q (0)1 i q (0)1 i done −−−→ i † ≤ i ≤ max q (0)1 i ok −−→† ( q (0)1 , · · · , q ( j )1 ) m −−→ i ( r (0)1 , · · · , r ( j ′ )1 ) m = run , done ( q (0)1 , · · · , q ( j )1 ) m −−→ ( r (0)1 , · · · , r ( j ′ )1 ) † q −−→ q (0)2 † read −−→ q (0)2 ( q (0)2 , · · · , q ( j )2 ) m −−→ ( r (0)2 , · · · , r ( j ′ )2 ) m = q , i ( q (0)2 , · · · , q ( j )2 ) m −−→ ( r (0)2 , · · · , r ( j ′ )2 ) q (0)2 i −−→ † q (0)2 i −−→† – Γ ⊢ mksem ( M , M ) : sem . Q ( j ) = Q ( j )1 + Q ( j )2 (0 ≤ j ≤ k ). In this case,after grb we redirect transitions to the automaton for M , and after rls - to M . † run −−→ q (0)1 † grb −−→ q (0)1 ( q (0)1 , · · · , q ( j )1 ) m −−→ ( r (0)1 , · · · , r ( j ′ )1 ) m = run , done ( q (0)1 , · · · , q ( j )1 ) m −−→ ( r (0)1 , · · · , r ( j ′ )1 ) q (0)1 done −−−→ † q (0)1 ok −−→†† run −−→ q (0)2 † rls −−→ q (0)2 ( q (0)2 , · · · , q ( j )2 ) m −−→ ( r (0)2 , · · · , r ( j ′ )2 ) m = run , done ( q (0)2 , · · · , q ( j )2 ) m −−→ ( r (0)2 , · · · , r ( j ′ )2 ) q (0)2 done −−−→ † q (0)2 ok −−→† D.2 Example
Here is a worked example of Theorem 3 for the term t = f : com → com ⊢ newvar x := 0 in ( f ( x := 1 || x := 13) || if ! x = 13 then skip else div ) We will show some simple subterms of this term, and then how to combinethem using || and introduce newvar . We will first construct the sub-automatonrepresenting the following subterm: f ( x := 1 || x := 13)For convenience we will call this subterm w as in “write”. The states for A ( w ) are as follows: Q (0) w = { w , w , w } Q (1) w = { w } Q (2) w = { , , } × { , , } Q (3) w = { , } Note: in the standard construction, the subterms will not be annotated withthe subscripts given. We show them here to emphasise that the union operationperformed by combining branches is the disjoint union of the states from eachside.The transitions for A ( w ) are as follows. When we write transitions here,places where values are symbolic (e.g. u or v ) represent one transition for everypossible value that may appear in those places. † run −−→ w w done −−−→† w run ( f, −−−−−→ (1 w , w ) (1 w , w ) done ( f, −−−−−→ w (1 w , w ) run ( f , −−−−−→ (1 w , w , (0 , )) (1 w , w , (2 , )) done ( f , −−−−−−→ (1 w , w )(1 w , w , (0 , v )) write (1) ( x, −−−−−−−→ (1 w , w , (1 , v ) , ) (1 w , w , (1 , v ) , ) ok ( x, −−−−→ (1 w , w , (2 , v ))(1 w , w , ( u, )) write (1) ( x, −−−−−−−→ (1 w , w , ( u, ) , ) (1 w , w , ( u, ) , ) ok ( x, −−−−→ (1 w , w , ( u, ))where u ∈ { , , } and v ∈ { , , } .We now do the same for the following term, r (for “read”): if ! x = 13 then skip else div The states for A ( r ) are simpler, as this term is shallow. Q (0) r = { r , r , r , · · · , max r } Q (1) r = { r } The transitions for A ( r ) are as follows. † run −−→ r r done −−−→† r read ( x, −−−−−→ (1 r , r ) (1 r , r ) z ( x, −−−−→ zr where z ∈ { , · · · , max } . Observe that only reaching state 2 r (hence, reading avalue 13 from x ) will allow this automaton to terminate. eafy automata for higher-order concurrency 43 Combining these two automata is relatively simple. We will first apply theprocedure for parallel composition ( || ), and then apply the newvar context. SeeTheorem 3 for the precise workings of these steps. The final automaton A ( t ) forour term t is as follows.States: Q (0) = ( Q ′ (0) + Q ′ (0) × { lock } ) × X where Q ′ (0) = Q (0) w × Q (0) r and X = { , · · · , max } Q (1) = Q (1) r + Q (1) w Q (2) = Q (2) w Q (3) = Q (3) w Transitions: † run −−→ ((0 r , w ) ,
0) ((2 w , r ) , n ) done −−−→† ((0 w , b ) , n ) run ( f, −−−−−→ (((1 w , b ) , n ) , w ) (((1 w , b ) , n ) , w ) done ( f, −−−−−→ ((2 w , b ) , n )(((1 w , b ) , n ) , w ) run ( f , −−−−−→ (((1 w , b ) , n ) , w , (0 , ))(((1 w , b ) , n ) , w , (2 , )) done ( f , −−−−−−→ (((1 w , b ) , n ) , w )(((1 w , b ) , n ) , w , (0 , v )) ǫ Q −−→ (((1 w , b ) , lock, , w , (1 , v ) , )(((1 w , b ) , lock, n ) , w , (1 , v ) , ) ǫ A −−→ (((1 w , b ) , n ) , w , (2 , v ))(((1 w , b ) , n ) , w , ( u, )) ǫ Q −−→ (((1 w , b ) , lock, , w , ( u, ) , )(((1 w , b ) , lock, n ) , w , ( u, ) , ) ǫ A −−→ (((1 w , b ) , n ) , w , ( u, ))(( a, r ) , n ) ǫ Q −−→ ((( a, r ) , lock, n ) , r )((( a, r ) , lock, n ) , r ) ǫ A −−→ (( a, nr ) , n )where u ∈ { , , } , v ∈ { , , } , a ∈ { w , w , w } and b ∈ { r , r , r } . E Additional material for Section 7
E.1 Proof of Theorem 4
We start with a technical lemma that identifies the level of moves correspond-ing to free variables of type var and sem . Given x : var , moves of the form write ( i ) ( x,ρ ) and read ( x,ρ ) (by P) will be referred to as the associated questions,while ok ( x,ρ ) and i ( x,ρ ) (by O) will be called the associated answers. We use anal-ogous terminology for x : sem : the associated questions are grb ( x,ρ ) and rls ( x,ρ ) ,while the associated answer is ok ( x,ρ ) . Lemma 7.
Given a
FICA -term Γ ⊢ M : θ in βη -normal form, let A M be the au-tomaton produced by Theorem 3. For any x : var or x : sem such that ad x ( M ) = i , the transitions corresponding to the moves associated with x add/remove leavesat odd levels , , · · · , i − .Proof. We reason by induction on M , inspecting each construction in turn.For M ≡ skip , div , i , the result holds vacuously, because there are no movesassociated with x ( i = 0).In the following cases, ad x ( M ) is calculated by taking the maximum of ad x ( M ′ ) for subterms and the automata constructions never modify the level oftransitions in automata obtained by IH. Consequently, the lemma can be estab-lished by appeal to IH: M || M , M ; M , if M then M else M , while M do M ,! M , M := M , grab ( M ), release ( M ), newvar y in M , newsem y in M .The remaining case is M ≡ f M h · · · M . – Note that this case also covers f ≡ x , in which case ad x ( M ) = 1 andtransitions associated with x involved leaves at level 2 · − – If f x then ad x ( M ) = 1 + max( ad x ( M ) , · · · , ad x ( M h )). In this case, theautomata construction lowers transitions associated with x by exactly twolevels, so by IH, they will appear at levels 1 + 2 , · · · , (2 i −
1) + 2. Note that(2 i −
1) + 2 = 2( i + 1) −
1, i.e. the lemma holds.Observe that subterms of
LFICA terms are in
LFICA , i.e. we can reason bystructural induction.
Lemma 8.
Suppose Γ ⊢ M : θ is from LFICA . The automaton A M obtainedfrom the translation in Theorem 3 is presentable as a LLA .Proof.
In many cases, the construction merely relabels the given automaton.Then a simple appeal to the inductive hypothesis will suffice. The relevantcases are: ! M , op ( M ) , release ( M ) , grab ( M ) , λx.M . M ≡ M || M The case of parallel composition involves running copies of M and M in parallel without communication, with their root states storedas a pair at level 0. Note, though, that each of the automata transitionsindependently of the state of the other automaton, which means that, if theautomata M and M are LLA , so will be the automaton for M || M . Thebranching bound after the construction is the sum of the two bounds for M and M . M ≡ M ; M The construction schedules the automaton for M first and there isa transition to (a disjoint copy of) the second one only after the configurationof the first automaton consists of the root only. Otherwise the automatanever communicate. As the transition from the first to the second automatonhappens at the root, it can be captured as a LLA transition. Consequently,if the automata for M , M are LLA , so is the automaton for M . Here thebranching bound is simply the maximum of the bounds for M and M .The same argument applies to if M then M else M , M := M . eafy automata for higher-order concurrency 45 M ≡ newvar x : = i in M Transitions not associated with x are embedded intothe automaton for M except that at level 0, the new automaton keeps trackof the current value stored in x . Because these transitions proceed uniformlywithout ever depending on the value stored at the root, this is consistentwith LLA behaviour.For transitions associated with x , we note that, because M is from LFICA ,we have ad x ( M ) ≤
2. By Lemma 7, this means that the transitions relatedto x correspond to creating/removing leaves at either level 1 or 3. Thesetransitions need to read/write the root but, because they concern nodesat level 0 or 3, they will be consistent with the definition of a LLA . Allother transitions (not labelled by x ) proceed as in M and need not consultthe additional information about the current state stored in the root (theextra information is simply propagated). Consequently, if M is representedby a LLA then the interpretation of newvar x := i in M is also a LLA . Theconstruction does not affect the branching bound, because the resultant runscan be viewed as a subset of runs of the automaton for M , i.e. those in whichreads and writes are related.The case of M ≡ newsem x := i in M is analogous. M ≡ f M h · · · M For f M h · · · M , we observe that the construction first createstwo nodes at levels 0 and 1, and the node at level 1 is used to run an un-bounded number of copies of (the automaton for) M i . The copies do not needaccess to the states stored at levels 0 and 1, because they are never modifiedwhen the copies are running. Consequently, if each M i can be translated intoa LLA , the outcome of the construction in Theorem 3 is also a
LLA . The newbranching bound is the maximum over bounds from M , · · · , M h , becauseat even levels children are produced as in M i and level 0 produces only 1child. F Additional material for Section 8
Word representation
Let A = h Σ, k, Q, δ i be a leafy automaton. We shall assumethat Σ, Q ⊆ { , · · · , max } so that we can encode the alphabet and states usingtype exp . First we discuss how to assign a play play ( w ) to a trace w of A . Thebasic idea is to simulate each transition with two moves, by O and P respectively.The child-parent links in D will be represented by justification pointers. – Suppose w = w ′ ( t, d ) with t ∈ Σ Q . We will represent ( t, d ) by a segment ofthe form q ~i run t~i . If w ′ = ǫ , we let play ( w ) = q run t , i.e. ~i = ǫ . If w ′ = ǫ then,because w is a trace, w ′ must contain a unique occurrence of ( t ′ , pred ( d )) forsome t ′ ∈ Σ Q . Then, if ( t ′ , pred ( d )) was represented by q ~i ′ run t ′ ~i ′ in play ( w ′ ),we let play ( w ) = play ( w ′ ) q t ′ ~i ′ run t t ′ ~i ′ , where q t ′ ~i ′ points at run t ′ ~i ′ . – Suppose w = w ′ ( t, d ) with t ∈ Σ A . Because w is a trace, w ′ must containa unique occurrence ( t ′ , d ) for some t ′ ∈ Σ Q . If ( t ′ , d ) is represented by thesegment q ~i run t ′ ~i in play ( w ′ ), we set play ( w ) = play ( w ′ ) done t ′ ~i t ~i , where thetwo answer-moves are justified by run t ′ ~i and q ~i respectively. Because w is a trace, we can be sure that after processing w ′ , A enters a configuration inwhich d is a leaf. Thus, the two answers will satisfy the game-semantic WAIT condition, and play ( w ) will be well-defined.The FORK condition is satisfied for play ( w ), because reading an answer removesthe corresponding data value from the configuration and, hence, it cannot be usedas a justifier afterwards. In what follows, we write θ n → β for θ → · · · → θ | {z } n → β for n ∈ N . The lemma below identifies the types that correspond to our encodingof traces. Lemma 9.
Let N = max + 1 . Suppose A is a k - LA and w ∈ Tr ( A ) . Then play ( w ) is a play in J θ k K , where θ = com N → exp and θ i +1 = ( θ i → com ) N → exp ( i ≥ ). F.1 Saturation
The game model [23] of
FICA consists of saturated strategies only: the saturationcondition stipulates that all possible (sequential) observations of (parallel) inter-actions must be present in a strategy: actions of the environment (O) can alwaysbe observed earlier if possible, actions of the program (P) can be observed later.To formalize this, for any arena A , we define a preorder (cid:22) on P A , as the leasttransitive relation (cid:22) satisfying s o m s ′ (cid:22) s m o s ′ and s m p s ′ (cid:22) s p m s ′ for all s, s ′ , where o and p are an O- and a P-move respectively (in the above pairs ofplays moves on the left-hand-side of (cid:22) are assumed to have the same justifiersas on the right-hand-side). Definition 11.
A strategy σ : A is saturated iff, for all s, s ′ ∈ P A , if s ∈ σ and s ′ (cid:22) s then s ′ ∈ σ .Remark 3. Definition 11 states that saturated strategies are stable under cer-tain rearrangements of moves. Note that s p o s s o p s , while other move-permutations are allowed. Thus, saturated strategies express causal dependen-cies of P-moves on O-moves. This partial-order aspect is captured explicitly inconcurrent games based on event structures [11]. F.2 Proof of Theorem 5
Proof.
Our assumption Q ⊆ { , · · · , max } allows us to maintain A -states in thememory of FICA -terms. A question t ( i ) Q read by A at level i is represented bythe variable f ( i ) t ( i ) Q , the corresponding answers t ( i ) A are represented by constants t ( i ) A (using our assumption Σ ⊆ { , · · · , max } ). The level i of the data tree is encodedby the order of the variable f ( i ) t ( i ) Q . For 0 ≤ i < k , the variables f ( i ) t are meant tohave type θ k − i − → com and f ( k ) t : com . This ensures that questions and an-swers respect the tree structure on data. To achieve nesting, we rely on a higher-order structure of the term: λf (0) .f (0) ( λf (1) .f (1) ( λf (2) .f (2) ( · · · λf ( k ) .f ( k ) ))). Re-call that the semantics of f M consists of an arbitrary number of interleavings eafy automata for higher-order concurrency 47 of M . This feature is used to mimic the fact that a leafy automaton can spawnunboundedly many offspring. Finally, instead of single variables f ( i ) , we will ac-tually use sequences f ( i )0 · · · f ( i ) max , which will be used to induce the right move run t~i when representing t ∈ Σ Q ⊆ { , · · · , max } . Additionally, the term containsstate-manipulating code that enables P -moves only if they are consistent withthe transition function of A . To achieve this, every level is equipped with a localvariable X ( i ) of type exp , so that states on a single branch are represented by −−→ X ( i ) = ( X (0) , · · · , X ( i ) ).Given α ∈ { Q , A } and − ≤ j ≤ k , we write −→ r ( j ) α for a tuple of values( r (0) α , · · · , r ( j ) α ) on the understanding that −−−→ r ( − α = † . A similar convention willapply to −−→ u ( j ) α . Then we use −−−−−−−−−−→ X ( i ) [ u ( j ′ ) α /r ( j ) α ], where − ≤ j, j ′ ≤ i , as shorthandfor FICA code that checks componentwise whether the values of −−→ X ( j ) equal −→ r ( j ) α and, if so, updates −−−→ X ( j ′ ) to −−→ u ( j ′ ) α (if the check fails, the code should diverge). For j = − j ′ = − −−−−−−−−−−→ X ( i ) [ u ( j ′ ) α /r ( j ) α ] will be protected by a semaphore to ensure mutual exclusion.Consequently, they will induce exactly the causal dependencies (cf. Remark 3)consistent with sequences of A -transitions, i.e. with the shape of play ( w ) for some w ∈ Tr ( A ). To select transitions at each stage, we rely on non-deterministicchoice L , which can be encoded in FICA .Below we define inductively a family of terms ⊢ M i : θ k − i (0 ≤ i ≤ k ). Term M A is then obtained by making a simple change to M . For any 0 ≤ i ≤ k , let M i be the term λf ( i )0 · · · f ( i ) max . newvar X ( i ) := 0 in L ( −−−−→ r ( i − Q , t ( i ) Q , −−→ u ( i ) Q ) ∈ δ ( i ) Q (cid:16) grab ( s ); −−−−−−−−−−−→ X ( i ) [ u ( i ) Q /r ( i − Q ]; release ( s ); f ( i ) t ( i ) Q M i +1 ; L ( −−→ r ( i ) A , t ( i ) A , −−−−→ u ( i − A ) ∈ δ ( i ) A (cid:0) grab ( s ); −−−−−−−−−−−→ X ( i ) [ u ( i − A /r ( i ) A ]; release ( s ); t ( i ) A (cid:1)(cid:17) . We write M k +1 for empty space (this is for a good reason, because f ( k ) t : com ).The above term M i declares a new variable to store the state, and then makesa non-deterministic choice for question transitions that create data values atlevel i . The update of the state is protected by a semaphore. Then the ap-propriate f ( i ) t is applied to term M i +1 that simulates moves of the automa-ton on data in the subtree of the freshly created node. This is followed bythe code making a non-deterministic choice over all answer transitions. To de-fine M A , it now suffices to declare the semaphore in M , i.e. given M = λf (0)0 · · · f (0) max . newvar X (0) := 0 in M we let M A be λf (0)0 · · · f (0) max . newsem s := 0 in newvar X (0) := 0 in M. M ⊕ M = newvar X := 0 in (( X := 0 || X := 1); if ! X then M else M ).8 A. Dixon, R. Lazi´c, A. S. Murawski and I. Walukiewicz Example 7.
We illustrate the outcome of the construction from Theorem 5 for k = 1. λf (0)0 · · · f (0) max . newsem s := 0 in newvar X (0) := 0 in L ( † ,t (0) Q ,u (0) Q ) ∈ δ (0) Q grab ( s ); −−−−−−−−→ X (0) [ u (0) Q / † ]; release ( s ); f (0) t (0) Q (cid:18) λf (1)0 · · · f (1) max . newvar X (1) := 0 in L ( r (0) Q ,t (1) Q , −−→ u (1) Q ) ∈ δ (1) Q (cid:16) grab ( s ); −−−−−−−−−−→ X (1) [ u (1) Q /r (0) Q ]; release ( s ); f (1) t (1) Q ; L ( −−→ r (1) A ,t (1) A ,u (0) A ) ∈ δ (1) A (cid:0) grab ( s ); −−−−−−−−−−→ X (1) [ u (0) A /r (1) A ]; release ( s ); t (1) A (cid:1)(cid:17)(cid:19) ; L ( r (0) A ,t (0) A , † ) ∈ δ (0) A (cid:0) grab ( s ); −−−−−−−−→ X (0) [ † /r (0) A ]; release ( s ); t (0) A ) ! where −−−−−−−−→ X (0) [ u (0) Q / † ] = X (0) := u (0) Q −−−−−−−−−−→ X (1) [ u (1) Q /r (0) Q ] = if ( X (0) = r (0) Q ) then ( X (0) := u (0) Q ; X (1) := u (1) Q ) else Ω −−−−−−−−−−→ X (1) [ u (0) A /r (1) A ] = if (( X (0) = r (0) A ) ∧ ( X (1) = r (1) A )) then ( X (0) := u (0) A ) else Ω −−−−−−−−→ X (0) [ † /r (0) A ] = if ( X (0) = r (0) A ) then skip else ΩΩ = while1