A Logic of Information Flows:Basic Concepts and Definable Operations

Eugenia TernovskaSimon Fraser University

ter@sfu.ca

September 2017

Abstract

Motivated by the fact that studying information flows is very important in Com-puter Science, we introduce a Logic of Information Flows. We take a classicallogic over modules (decision procedures, classes of structures) and add informa-tion propagation, that is, we specify inputs and outputs of atomic modules. Theintuition is that most practical systems, declarative and imperative procedures, useinputs and outputs, or directionality in linking pieces of data. This directionalityis formalized by the Model Expansion task: expand the input structure to satisfy aspecification. We demonstrate that many constructs of algebras of binary relations,including the main imperative programming constructs, are definable in the Logicof Information Flows.

1 IntroductionOur goal is to introduce a logic of information flows. We do it in two stages. The firstidea is that we can use first-order logic as a versatile language for applying and combin-ing modules – which are classes of structures – web services, declarative specificationswith associated solvers, Integer Liner Programs, Constraint Satisfaction Problems etc.1

While the syntax of our formalism is first-order, the semantics is second-order becausevariables range over relations. We use a version of Codd relational algebra instead offirst-order logic, but the idea is the same. We also add least fixed points. Essentially, weredefine FO(LFP) over a vocabulary of modules that replaces a relational vocabulary.This gives us the first logic.

The second stage is adding information flows, to develop a logic where modulesare input-output relations. Toward this goal, we describe the Model Expansion task[22, 19], a fundamental computational task solved in many declarative approaches toconstraint solving. The task is directly connected with information propagation. The in-tuition behind the task is as follows. Recall that a decision procedure (a boolean query)corresponds to a class of structures and can be represented as a formula φ in some logic

1In database terminology, a module is a boolean query.

1

L. The well-studied Model Checking task is: given τ -structure A and formula φ in thesame vocabulary, check A |= φ. In practice, especially in constraint solving, we oftenspecify input vocabulary and ask the decision procedure to generate interpretation ofthe output vocabulary. For example, if φ axiomatizes all proper 3-Colourings of allgraphs, we may specify that we will have graphs on the input and ask the procedure togenerate all proper 3-Colourings (or the other way around, colours on the input, graphson the output). Formally, the Model Expansion (MX) task consists of expanding an in-put structure to satisfy a specification written in some language. Given formula φ issome logic L and structureA for a part of vocab(φ), expandA to a vocab(φ)-structureB so that B |= φ. We can consider decision (is there an expansion?) as well as search(find an expansion) versions of this task. Complexity-wise, for the same formula, MXis in-between the related tasks of Model Checking (MC) and Satisfiability (SAT). InModel Checking, the structure for the entire vocabulary of a specification is given, inSatisfiability, no part of a structure is given, we are asked to find it, and in Model Ex-pansion, we are given a part of the structure, at least a domain. A complexity-theoreticcomparison of the three task for various logics including Guarded Fragments and var-ious versions of fixed points logics for data and combined complexity was performedin [19]. We summarize the results of that work in this paper.

Model Expansion initiates information flows. To take information propagation intoaccount, we partition the relational variables of atomic modules into inputs and outputs,thus viewing the modules as solving model expansion tasks. As a result, FO(LFP)expressions that were multi-dimensional, in terms of the variable, are forced into binaryby adding information flows. This partitioning gives us a generalized algebra of binaryrelations.

Algebras of binary relations have been studied before. A calculus of binary relationswas first introduced by De Morgan. It has been extensively developed by Peirce andthen Schroder. It was abstracted to relation algebra RA by Jonson and Tarski [17].More recently, relation algebras were studied by Fletcher, Van den Bussche, Surinx andtheir collaborators in a series of paper, see, e.g. [6]. The algebras of relations considervarious subsets of operations on binary relations as primitive, and other as derivable.

In this paper, we show that the operations studied in the algebras of binary relationsare, in fact, definable in our logic, where we take classical logic and add informationflows. For example, we can define Domain, Image, Unary Negation (or Antidomain),Sequential Composition. The classic operations of imperative programming such asWhile Loops and If-Then-Else are definable. We can also express reachability, regularexpressions over directional data links, etc. Thus, information flows are a basic and afundamental concept, and other frequently used constructs are definable.

To formalize information flows correctly, we must take into account the Law ofInertia: whatever is not modified as a result of an action, remains the same. This law hasbeen studied extensively in the Reasoning about Actions sub-area of AI some years agounder the name of the Frame Problem. A natural solution to the problem was given byRaymond Reiter in the formalism of the Situation Calculus [26]. However we believethat the significance of the Law of Inertia goes beyond the area of Reasoning aboutActions. In particular, it is essential for formalizing reasoning about computations. Forexample, whatever is not modified as a result of an assignment operation, remains the

2

same.2

The paper is organized as follows. In Section 2, we define the Model Expansiontask, a task that initiates information flows when an input is given. Then we introducean algebraic syntax for our logic, and provide two semantics, one is a static one, andthe other one is dynamic, where each atomic module is viewed as solving the ModelExpansion task. Definable constructs are presented in Section 4. Most of the definitionsdo not use the Converse operator, an operator that switches inputs and outputs, but wealso consider a version of the logic with this operator, in Subsection 4.5. Subsection4.6 is devoted to a Deterministic Fragment of the logic. In Section 5, we give an al-ternative (and equivalent) syntax for our logic, in a form of a modal logic. The logicbears a strong resemblance with the Dynamic Logic, where processes appear inside apossibility or a necessity modality. In the same section, we define imperative program-ming constructs and deterministic regular programs. We show that the modalities aredefinable in the Deterministic Fragment.

2 Model Expansion, Related TasksModel Expansion [23] is the task of expanding a structure to satisfy a specification(a formula in some logic). It is the central task in several declarative programmingparadigms: Answer Set Programming, Constraint Satisfaction Problem, Integer Lin-ear Programming, Constraint Programming, etc. We discuss model expansion in thecontext of several related problems.

2.1 Three Related Tasks: DefinitionsFor a formula φ in any logic L with model-theoretic semantics, we can associate thefollowing three tasks (all three for the same formula), satisfiability (SAT), model check-ing (MC) and model expansion (MX). We now define them for the case where φ has nofree object variables.

Definition 1 (Satisfiability (SATφ)). Given: Formula φ. Find: structure B such thatB |= φ. (The decision version is: Decide: ∃B s.t. B |= φ?)

Definition 2 (Model Checking (MC)). Given: Formula φ, structure A for vocab(φ).Decide: A |= φ?

There is no search counterpart for this task.The following task (introduced in [23]) is at the core of this paper. The decision

version of it can be seen as being of the form “guess and check”, where the “check”part is the model checking task we just defined.

Definition 3 (Model Expansion (MXσφ)). Given: Formula φ with designated inputvocabulary σ ⊆ vocab(φ) and σ-structure A. Find: structure B such that B |= φ andexpands σ-structure A to vocab(φ). (The decision version is: Decide: ∃B such thatB |= φ and expands σ-structure A to vocab(φ)?)

2We believe that even without Law of Inertia, our derived operations and the modal logic are applicablein other contexts, e.g., for reasoning about graph databases, networks of devices, etc.

3

Logic Model checking Model expansion SatisfiabilityCombined Data Combined Data (finite)

FO PSPACE-c[27]

≡BITAC0 [2] NEXP -c[31, 22]

≡ NP [4] undec [30]

FO(LFP ) EXP -c [31] ≡s P [15, 31,21]

NEXP -c ≡ NP undec

FO(ID) EXP -c∗ ≡s P ∗ NEXP -c∗ ≡ NP [22] undecFOk P -c ∈ AC0 NP -c NP -c, 6≡ NP k ≥ 3: undec

[32, 11] [32] k = 2: NEXP -c[10]

k = 1: EXP -cGFk P -c ∈ AC0 NEXP -c∗ k ≥ 2: ≡ NP ∗ k ≥ 2: undec

[11, 8] k = 1: NP -c k = 1: 2EXP -cRGFk:NP -c∗ RGFk:NP -c, 6≡ NP ∗ [9]

µGF UP ∩ co-UP ∈ P NEXP -c NP -c 2EXP -c [12][18]

GFk(ID) ∈ EXP ∈ P NEXP -c k ≥ 2: ≡ NP k ≥ 2: undec

Table 1: Complexity of model checking, model expansion and satisfiability problemsfor some logics, from [19].

Vocabulary σ can be empty, in which case the input structureA consists of a domainonly. When σ = vocab(φ), model expansion collapses to model checking, MXσφ =MCφ. Note that, in general, the domain of the input structure in MC and MX can beinfinite.

Let φ be a sentence, i.e., has no free object variables. Data complexity [31] is mea-sured in terms of the size of the finite active domain. For the decision versions of theproblems, data complexity of MX lies in-between model checking (full structure isgiven) and satisfiability (no structure is given):

MCφ ≤ MXσφ ≤ SATφ.

For example, for FO logic, MC is non-uniform AC0, MX captures NP (Fagin’s the-orem), and SAT is undecidable. In SAT, the domain is not given. In MC and MX, atleast, the (active) domain is always given, which significantly reduces the complexityof these tasks compared to SAT. The relative complexity of the three tasks for severallogics (including ID-logic of [3] and guarded logics) has been studied in [19]. We re-produce a table from that work here, see Table 2.1. Results from [19] are marked with*; results without references or the * marks are easy corollaries of the other results. Weuse ≡C K to denote that model checking or model expansion for a logic captures acomplexity class K on a class C of finite structures.

4

2.2 Similar Task: Query EvaluationIn database literature, a task similar to MX is query evaluation. We define it for non-boolean queries, i.e., those with free object variables y.

Definition 4 (Query Evaluation (QE)).Given: Formula φ(x) with free object variables x, tuple of domain elements a andσ-structure A, where σ = vocab(φ). Decide: A |= φ[a/x]?

For the same logic, these two tasks, MX and QE, (as we defined them) have verydifferent data complexity, e.g., for first-order logic, query evaluation is in AC0, modelexpansion is NP-complete.

3 AlgebrasFor essentially the same syntax, we produce two algebras, static and dynamic, by givingdifferent interpretations to the algebraic operations and to the elements of the algebras.In the second algebra, atomic modules have a direction of information propagation.The algebras correspond to classical and modal logics, respectively.3

3.1 SyntaxAssume we have a countable sequence Vars = (X1, X2, . . . ) of relational variableseach with an associated finite arity. For convenience, we useX , Y ,Z, etc. Let ModAt ={M1,M2, . . . } be a fixed vocabulary of atomic module symbols. Each Mi ∈ ModAthas an associated variable vocabulary vvoc(Mi) whose length can depend on Mi. Wemay writeMi(Xi1 , . . . , Xik), (orMi(X)), to indicate that vvoc(M) = (Xi1 , . . . , Xik).Similarly, ModVars = {Z1, Z2, . . . } is a countable sequence of module variables,where each Zj ∈ ModVars has its own vvoc(Zj). Algebraic expressions are built bythe grammar:

α ::= id |Mi | Zj | α ∪ α | α− | πδ(α) | σΘ(α) | µZj .α. (1)

Here, Mi is any symbol in ModAt, δ is any finite set of relational variables in Vars,Θ is any expression of the form X ≡ Y , for relational variables of equal arity thatoccur in α, Zj is a module variable in ModVars which must occur positively in theexpression α, i.e., under an even number of the complementation (−) operator.

3.2 Static (Unary) SemanticsFix a finite relational vocabulary τ . A variable assignment s is a function that assigns,to each relational variable, a symbol in τ of the same arity. Now fix a domain Dom.4

Let U be the set of all τ -structures over the domain Dom. Given a sub-vocabulary γof τ , a subset V ⊆ U is determined by γ if it satisfies

3Thanks to Brett McLean, Bart Bogaerts and anonymous referees of the previous versions who’s com-ments helped to improve the presentation.

4Usually, in applications, domain Dom is the (active) domain of an input structure for a task of interest.

5

for all A,B ∈ U such that A|γ = B|γ we have A ∈ V iff B ∈ V.

Given a well-formed algebraic expression α defined by (1), we say that structureA satisfies α (or that is a model of α) under variable assignment s, notation A |=s α,if A ∈ [α], where unary interpretation [ · ] is defined as follows. Given a variable as-signment s, function [ · ] assigns a subset [Mi] ⊆ U and a subset [Zj ] ⊆ U to eachMi ∈ ModAt and each Zj ∈ ModVars, with the property that [Mi] is determinedby s(vvoc(Mi)) (respectively, [Zj ] is determined by s(vvoc(Zj))). The unary inter-pretation of atomic modules [ · ] (parameterized with s) can be viewed as a functionthat provides “oracles” or decision procedures. We extend the definition of [ · ] to allalgebraic expressions.

[id] := U.[α1 ∪ α2] := [α1] ∪ [α2].[α−] := U \ [α].[πδ(α)] := {A ∈ U | ∃B (B ∈ [α] and A|τ = B|τ )}.[σX≡Y (α)] := {A | A ∈ [α] and A|s(X) = B|s(Y )}.[µZj .α] :=

⋂{R ⊆ U | [α][Z:=α] ⊆ R

}.

Here, [α][Z:=α] means an interpretation that is exactly like [ · ], except Z is inter-preted as α. Intuitively, to check whether a τ -structure A satisfies module Mi, weneed to first select predicate symbols Si1 , . . . , Sik from τ , whose arities match those ofX1, . . . , Xk, which is done by function s, and then “apply” the module to SAi1 , . . . , S

Aik

,as we would apply a decision procedure.

Example 1. Let MHC(V,X, Y ) and M2Col(V,X,Z, T ) be atomic modules “comput-ing” a Hamiltonian Circuit and a 2-Colouring. For example, MHC can be representedas an Answer Set Programming program, and M2Col be an imperative program or ahuman child with two pencils. The first module decides if Y forms a Hamiltonian Cir-cuit (represented as a set of edges) in the graph given by vertex set V and edge setX . The second module decides if unary relations Z, T specify a proper 2-colouring ofthe graph. The following expression determines whether or not there is a 2-colourableHamiltonian Circuit.

M2Col−HC(V,X,Z, T ) := πV,X,Z,T ((MHC(V,X, Y ) ∩M2Col(V, Y, Z, T )).

Note that communications between modules happen through second-order vari-ables, that represent communication channels.

The need for recursion is illustrated by a much longer specification of a dynamicprogramming algorithm on tree decompositions [29].

3.3 Dynamic (Binary) SemanticsLet ModAtI/O denote the set of all atomic module symbols M with all possible par-titions of vvoc(M) into inputs and outputs, i.e., I(M) ∪ O(M) = vvoc(M) and

6

I(M) ∩ O(M) = ∅.5 This set is larger than the set ModAt (unless both are empty)because the sameM can have several different input-output assignments. Similarly, wedefine ModVarsI/O. The well-formed algebraic expression α is defined, again, by (1),except, in the atomicx case, we have modules (resp. variables) from ModAtI/O (resp.from ModVarsI/O). Inputs I(α) and outputs O(α) of well-formed algebraic expres-sion α are defined as follows. Inputs and outputs of the atomic modules in αmust agreewith I(α) and O(α) on the free variables, and can be arbitrary on the other variables.6

Given a well-formed α, we say that pair of structures (A,B), satisfies α under vari-able assignment s, notation (A,B) |=s α, if (A,B) ∈ JαK, where binary interpretationJ · K is defined as follows. For atomic modules in ModAtI/O, we have:

JMK := {(A,B) ∈ U×U | A|τ\s(O(M)) = B|τ\s(O(M)) and B ∈ [M ]}. (2)

Similarly, for Z ∈ ModVarsI/O. Intuitively, atomic modules produce a replica of thecurrent database except the interpretation of the output vocabulary changes as specifiedby the action.7 An illustration of the binary semantics for atomic modules is given inan example below. We extend the binary interpretation J·K to all expressions α:

JidK := {(A,B) ∈ U×U | A = B}.Jα1 ∪ α2K := Jα1K ∪ Jα2K.Jα−K := U×U \ JαK.JµZj .αK :=

⋂{R ⊆ U×U : JαK[Z:=R] ⊆ R

}.

Jπδ(α)K := {(A,B) ∈ U×U | ∃ (A′,B′) ∈ JαK : A′|s(δ) = A|s(δ) and B′|s(δ) = B|s(δ)}.

JσX≡Y (α)K :=

(A,B) ∈ JαK

∣∣∣∣∣∣(s(X))A = (s(Y ))A if {X,Y } ⊆ I(α),(s(X))B = (s(Y ))B if {X,Y } ⊆ O(α),(s(X))A = (s(Y ))B) if X ∈ I(α) and Y ∈ O(α).

Operation id is sometimes called the “nil” action, or it can be seen as an empty

word denoted ε in the formal language theory.While this case is redundant, later on it will be convenient to extend the selection

operation to Θ ∈ {X ≡ Y,X 6≡ Y,X ≡ ∅, X 6≡ ∅} for any relational variables X andY appearing in α. The semantics extends in an obvious way.

Example 2. We now illustrate the binary semantics for atomic modules (2). Consider a3-Colouring module M3Col(X,Y , Z, T,W ). The inputs are underlined. Consider thecase where s(I(M3Col)) = (V,E) and s(O(M3Col)) = (R,G,B). Let an interpreta-tion of edges (E) and vertices (V ) be given on the input of this module, and colours(R, G, B) are obtained on the output. The action is, given a graph, produce all ofits 3-Colourings. Each output structure B, according to the semantics of atomic mod-ules (2), in this case, consists of: (1) B|{R,G,B}, that is an output of 3-Colouring, (2)A|{V,E}, which is the input graph, transferred to B1 by inertia, (3) the interpretationof all other symbols of τ , also transferred from A by inertia.

5Either one of these sets, I(α), O(α), can be empty.6Free variables are defined as in first-order logic, where ∃-quantified variables are those that are not

projected onto.7This is similar to the inertia law for actions in the Situation Calculus.

7

Example 3. In HC-2Col, in each atomic module, again, we underline designated in-put symbols: πV,X,Z,T (MHC(V ,X, Y ) ∩M2Col(V , Y , Z, T )). First, MHC(V ,X, Y )makes a transition by producing possibly several Hamiltonian Circuits. The interpreta-tion of the output Y changes, everything else is transferred by inertia. Each resultingstructure is taken as an input to M2Col(V , Y , Z, T ), where edges in the cycle, Y , are“fed” to M2Col, although this is hidden from the outside observer. The second moduleproduces non-deterministic transitions, one for each generated colouring, if they exist.

4 Definable ConstructsIn this section, we introduce several useful constructs that are definable in the algebraof binary relations, including common programming constructs, and we study some oftheir properties. Note that the only thing lacking in classical logic to define all theseconstructs is information propagation.8

4.1 Basic Operations: Set-Theoretic, Two Unary Negations, Imageand Domain

In the following, we assume that all structures range over universe U, and all pairs ofstructures over U×U.

4.1.1 Set-theoretic operations

di := id−, (diversity)> := id− ∪ id, (all)⊥ := >−, (empty)α ∩ β := (α− ∪ β−)−, (intersection)α− β := (α− ∪ β)−, (difference)α ∼ β := (α− ∪ β) ∩ (β− ∪ α). (similar)

By these definitions,

JdiK = {(A,B) | A 6= B},J>K = U×U,J⊥K = ∅,Jα ∩ βK = {(A,B) | (A,B) ∈ JαK and (A,B) ∈ JβK },Jα− βK = {(A,B) | (A,B) ∈ (U×U) \ JαK or (A,B) ∈ JβK },Jα ∼ βK = {(A,B) | (A,B) ∈ JαK and (A,B) ∈ JβK or

(A,B) ∈ (U×U) \ JαK and (A,B) ∈ (U×U) \ JβK }.

In particular, expression α ∼ β specifies the set of pairs of structures such that eachpair is either in both α and β, or it is in neither α or β. That is, it is the set of pairs ofstructures where α and β behave in exactly the same way – both defined and producethe same outputs on the same inputs, or are both undefined.

8Note that the definitions presented in this section are not dependent on the interpretations of the atomicmodules. In particular, while the Law of Inertia used in the interpretation of the atomic modules, the defini-tions in this section do not rely on it.

8

4.1.2 Projection onto the inputs (Domain)

Dom(α) := πI(α)(α).

This operation is also called “projection onto the first element of the binary rela-tion”. It identifies the states in V where there is an outgoing α-transition. Thus,

JDom(α)K = {(B,B) | ∃B′ (B,B′) ∈ JαK}.

4.1.3 Projection onto the outputs (Image)

Img(α) := πO(α)(α).

This operation can also be called “projection onto the second element of the binaryrelation”. It follows from the definition that

JImg(α)K = {(B,B) | ∃B′ (B′,B) ∈ JαK}.

4.1.4 Forward unary negation (Anti-Domain)

Regular complementation includes all possible transitions except α. We introduce astronger negation which is essentially unary (binary with equal elements in the pair)and excludes states where α originates.

yα := (πI(α)(α))− ∩ id.

It says “there is no outgoing α-transition”. By this definition,

JyαK = {(B,B) | ∀B′ (B,B′) 6∈ JαK}.

4.1.5 Backwards unary negation (Anti-Image)

We define a similar operation for the opposite direction.

xα := (πO(α)(α))− ∩ id.

It says “there is no incoming α-transition”. By this definition,

JxαK = {(B,B) | ∀B′ (B′,B) 6∈ JαK}.

4.2 Logical equivalence (equality of algebraic terms)We now define logical equivalence. It allows us to define certain operations implicitly,as we will see below. We say that α and β are logically equivalent, notation α = β if

(A,B) |=s α iff (A,B) |=s β,

for all τ -structures A, B, for any variable assignment s.9

9The reason we use the equality symbol (‘=’) for the meta-logic notion of logical equivalence (insteadof, say, ‘≡’) is that ‘=’ is used to specify equivalence of algebraic terms, in equational and quasiequationalaxiomatizations of classes of algebras, e.g. by Jackson and Stokes [16].

9

Proposition 1.

If α is a (partial) identity on U, thenDom(α) = Img(α),yα = xα.

Proof. The statement is an immediate consequence of the definitions of the operations.

Proposition 2.

yα = Dom(α)− ∩ id = Dom(α−)−Dom(α) = yDom(α) = xDom(α),xα = Img(α)− ∩ id = Img(α−)− Img(α) = y Img(α) = x Img(α),Dom(α) = yyα,Img(α) = xxα,id = y⊥ = x⊥,⊥ = y id = x id = y> = x>,> = yy id = xy id = yx id = xx id = y⊥ = x⊥,yyyα = yα,xxxα = xα.

Proof. The logical equivalences follow directly from the definitions of the operations.

4.3 Operations Involving Sequences, Intersections, Unions and It-erations

4.3.1 Sequential composition

The operation of sequential composition (α;β) is sometimes also called relative, dy-namic, or multiplicative conjunction as its properties are similar to the properties of thelogical (additive, static) conjunction (α ∩ β). The semantics of sequential compositionis given as follows.

Jα;βK := {(A,B) | ∃C((A, C) ∈ JαK and (C,B) ∈ JβK)}.

The operation is not definable using the other operations, but is a particular case ofintersection (∩), and it can be obtained by imposing a simple sufficient syntactic re-striction on the expressions combined, as the following proposition shows.

Proposition 3.

α ∩ β = α;βiff

the input/output assignments to the free variables of α and β are such thatO(α) ∩ I(β) 6= ∅, O(β) ∩ I(α) = ∅ and O(α) 6= O(β).

Thus, if there are neither output interference nor cyclic dependencies, then intersec-tion becomes sequential composition. The proposition can be viewed as a comparisonof logical (static) and relative (dynamic) versions of conjunction.

10

Proof: The proof consists of an analysis of all the cases of how the four sets I(α),O(α), I(β),O(β) can intersect with each other (or not), and concluding that the condi-tions in the statement of the theo1rem are indeed the necessary and sufficient conditionsfor intersection to behaive like sequantial composition, according to the semantics ofthe two operations.

The following two propositions summarize several well-known properties of se-quential composition, intersection and union. They hold in our case as well. Recall thatid is the Diagonal relation (true when the two arguments are equal), > is the relationAll that corresponds to all possible pairs, and ⊥ is the Empty binary relation.

Proposition 4. Identities and zeros:

Composition :α; id = id;α = α,α;⊥ = ⊥;α = ⊥.

Intersection :> ∩ α = α ∩ > = α,⊥ ∩ α = α ∩ ⊥ = ⊥,

Union :> ∪ α = α ∪ > = >,⊥ ∪ α = α ∪ ⊥ = α.

Proposition 5. Distributivity of intersection (∩) and composition (;) over union (∪):

Intersection :α ∩ (β ∪ γ) = (α ∩ β) ∪ (α ∩ γ),(α ∪ β) ∩ γ = (α ∩ γ) ∪ (β ∩ γ),

Composition :α; (β ∪ γ) = (α;β) ∪ (α; γ),(α ∪ β); γ = (α; γ) ∪ (β; γ).

4.3.2 Relative Disjunction

Just as logical disjunction (∪) is a De Morgan dual of logical conjunction (∩), relative(or dynamic) disjunction (+) is a De Morgan dual of relative conjunction (;):

α + β := (α−;β−)−.

4.3.3 Iteration (Kleene star)

This operator is the iteration operator, also called the Kleene star. The expression α∗

means “execute α some nondeterministically chosen finite number of times. We defineit as follows.

α∗ := µZ.(id ∪ Z;α).

4.3.4 Maximum Iterate

This operation is a determinization of the Kleene star. It outputs only the longest tran-sition out of all possible transitions produced by the Kleene star.

α↑ := µZ.(yα ∪ α;Z).

11

By this definition,α↑ =

⋃0≤n<ω

(αn; yα),

where α0 := id and αn+1 := α;αn.Another way of describing this construct is:

α↑ =⋃

1≤n<ω

αn,

whereα1 := yα,αn+1 := α;αn.

The computation proceeds as follows:

α1 :=y α,α2 := α ; y α,α3 := α ; α ; y α,. . .αn+1 := α ; α ; . . . ; α︸ ︷︷ ︸

n

; y α

(3)

We can view each tuple of relational variables X as one variable ranging overstructures (states in the transition system).

Proposition 6. Three generalised (structure) variables X , Y and Z are sufficient todescribe the process of computing Maximum Iterate.

Proof:

α1(X, Y ) :=yα(X, Y ),αn+1(X, Y ) := π{X,Y }(α(X, Z) ; π{Z,Y }(σX≡Z(αn(X, Y )) ).

Notice that, if α is a function, then α↑ is a function as well, unlike α∗ which pro-duces a relation.

4.3.5 Preferential union

This operation is defined as follows.

α t β := α ∪ (yα;β).

By this definition,

Jα t βK =

(A,B)

∣∣∣∣∣∣(A,B) ∈ JαK if (A,A) ∈ JDom(α)K,(A,B) ∈ JβK if (A,A) 6∈ JDom(α)K

and (A,A) ∈ JDom(β)K.

12

4.3.6 Safe Projection

sπδ(α) is a “safe” version of projection, where the set of symbols δ must include all ofthe inputs I(α) of α. Since, in this case, none of the inputs are existentially quantified,this operation does not introduce non-determinism.

4.4 More Operations: Inclusion, Fixset, Tie4.4.1 Inclusion

We define the following operation implicitly, using logical equivalence between alge-braic terms.

α ≤ β iff (α ∩ β) = α.

The definition gives us:

Jα ≤ βK = {(A,B) | If (A,B) ∈ JαK then (A,B) ∈ JβK }.

Expression α ≤ β specifies a set of pairs of structures such that if executing αproduces such a pair, then executing β produces such a pair as well. Thus, whenever αis a label of a transition in TSα, then β is a label of the same transition.

4.4.2 Fixset

This operation takes the diagonal of the fixed points of α. It is defined as follows:

Fix(α) := α ∩ id.

By this definition, the semantics of this operation is

JFix(α)K = {(A,A) | (A,A) ∈ JαK}.

4.4.3 Tie

This operation returns all the points where α and β do not disagree, that is, if startedfrom there, the images of both processes are the same, or they are both undefined. Wedefine it as follows.

α on β := Dom(α ∼ β).

This definition gives us

Jα on βK = {(A,A) | ∀B∀B′(If (A,B) ∈ JαK and (A,B′) ∈ JβK then B = B′)or neither of α, β is defined in A:

∀B( If B 6= A then (A,B) ∈ (U×U) \ JαK and (A,B) ∈ (U×U) \ JβK )}.

13

4.5 A Version if the Algebra with ConverseIn the version of the calculus of binary relations considered above above, we had twobasic functions functions I(α) andO(α) identifying inputs and outputs of atomic mod-ules. Using just these two functions, in addition to classical logic, we defined multipleoperations. However it is also interesting to consider another basic operation – Con-verse. This operation is used in, e.g., some Description Logics as well as in graphdatabases. It changes the direction of information propagation: it switches inputs andoutputs: inputs become outputs, and outputs become inputs. However we should usethis operation with caution. According to Pratt, already in the 4th century BC, Aristotlehad denied that every binary relation has a converse [25]. It is true now: e.g. not everyimperative program can be run “backwards”, from outputs to inputs.

4.5.1 Converse

The semantics of Converse is as follows.

Jα`K := {(A,B) | (B,A) ∈ α}.

It is not explicitly definable in the syntax presented above, but it is implicitly definable:

β = α` iffDom(α) = Img(β),Dom(β) = Img(α).

4.5.2 Residuation

With converse as a basic operation, several more operations become definable. In par-ticular, residuation, which is now understood as a form of division, is definable usingConverse.

Right Residuation: α\β := (α`;β−)−,

Left Residuation: α/β := (α−;β`)−.

Left residuation is a “converse DeMorgan dual” of the right residuation:

α/β = (α`\β`)`.

Residuation is an important operation in Lambek calculus [20].For earlier uses and a historic perspective please see Pratt’s informative historic

overview paper [25]. From the same paper, we learn that Converse, together with com-plementation, define linear negation, as in Linear Logic [7]:

α⊥ := α`−.

There are many theorems connecting the relations we defined here and in the pre-vious sections. See, e.g., the original Tarski’s paper [28].

14

4.6 An Algebra of Partial Functions: a Deterministic FragmentSeveral operations, when applied only to expressions that are (partial) functions on U,are also (partial) functions on U. This is an important class of operations since they donot introduce non-determinism. While many interesting constructs are definable, wefocus on those we will use later to define programming constructs.

α ::= id |Ma | α;α | yα | α t α | α↑ | sπδ(α) | σΘ(α), (4)

where Ma are deterministic modules (partial functions on U), and Θ ∈ {X ≡ Y,X 6≡Y,X ≡ ∅, X 6≡ ∅} for any relational variables X and Y appearing in α.

The constructs are restrictions of binary operations we introduced initially. Theybear a strong resemblance with the constructs of classical logic, however informationflows are needed to define them. To summarize, the constructs are:

• Sequential Composition, ;, is a restriction of intersection ∩ of two binary rela-tions,

• Preferential Union, t, is a restriction of the binary union ∪,

• Unary Negation, y, is a restriction of the binary complementation −,

• Selection σ, as before,

• Safe Projection, sπ, a restriction of the binary projection π,

• Maximum Iterate, ↑, a restriction of the binary fixed point construct.

Since none of these constructs introduce nondeterminism, the executions of pro-grams written using these constructs are strictly sequential.10

Theorem 1. The set of all partial functions on U is closed under the operations of theDeterministic fragment (4).

The theorem also holds for many other operations, including Dom, Img, x,>,⊥,Fix, on. We focus specifically on the fragment (4) because it is used in a later develop-ment. In particular, we will have a corollary of this theorem for the main programmingconstructs we are going to introduce.

Proof: Operations id and y are (partial) identities on U, which clearly producefunctions when applied to other functions. Thus, the statement of the theorem holds forthese operations. Composition α;β of partial functions α and β is a partial functionbecause when α is defined, and β is defined on the output of α, then α;β is a function.If either α or β are undefined, their composition is undefined as well. For the otheroperations, assume α and β are functions. Preferential union, α t β, behaves as α ifα is defined, otherwise it behaves as β. Thus, it is clearly a function. Safe projectionsπδ(α) is a function because it is exactly like α, but has fewer outputs. Selection σΘαis a function because it simply limits the domain and/or range of α by requiring thatsome values are equal to each other (or not) or to the empty relation we denote ∅.

10It is interesting that these programs satisfy the postulates used to formalize the notion of a sequentialalgorithm – sequential time, abstract state and bounded exploration [13].

15

Corollary 1. The set of all partial computable functions on U is closed under opera-tions of the Deterministic fragment (4).

Note that many operations we introduce here are taken as primitive and are axioma-tized by equational theories in Jackson and Stokes [?].11 In our logic, which is obtainedby adding information flow to classical logic, these operations are definable.

5 Modal LogicWe call this logic Lµµ, since it is similar to the mu-calculus Lµ, but has two fixedpoints, unary and binary.

5.1 Two-sorted Syntax, LµµThe algebra with information flows can be equivalently represented in a “two-sorted”syntax. This syntax gives us a modal logic, similar to Dynamic Logic. The syntax isgiven by the grammar:

α ::= id |Ma | Zj | α ∪ α |α− | πδ(α) | σΘ(α) | φ? | µZj .αφ ::= T |Mp | Xi | φ ∨ φ | ¬φ | |α〉 φ | 〈α| φ | µXi.φ.

(5)

The first line is essentially our original syntax (1). In the second line, we have twopossibility modalities, |α〉 is a forward “exists execution of α” modality, and 〈α| is abackwards “exists execution of α” modality. We can also introduce their duals, the twonecessity modalities, as follows: |α] φ := ¬( |α〉 ¬φ) and [α| φ := ¬(〈α| ¬φ). Sym-bols Ma stand for modules that are actions (model expansion modules), and Mp formodules-propositions (model checking modules). Modules-propositions are also calledatomic tests. Operation T represents a proposition that is true in every state. It replacesid under unary semantics.12 Operation φ? turns every unary operation in the secondline into a binary one by repeating the arguments, e.g. P (X) becomes P (X,X).

The formulae in the first line are called process formulae, and the formulae in thesecond line are called state formulae. We will see below that the state formulae areexpressible using the operations in the first line, that is using our algebra (1) under thebinary semantics.

The two-sorted syntax allows us to conveniently express quantification over execu-tions (sequences of transitions) by means of modalities. Despite state formulae beingredundant, they are useful for reasoning about properties of processes relativized tostates, as in modal temporal logics.

11Thanks to Brett McLean for introducing me to that work.12The new notation for the unary id is introduced to avoid notation clash, since in the modal logic, both

unary and binary id can be used. It is the same operation as id under the unary semantics presented earlier.Hence, [T] = [id] = U. Note that T cannot in general be expressed using Mp ∨ ¬Mp because the set ofatomic propositions can be empty. Also note that T here is unary, as every other state formula in the secondline, which makes it different from the binary > defined earlier.

16

5.2 Semantics of LµµThe modal logic is interpreted over transition system

T0 := (U; (MTa )i, (MTp )j),

where U is the set of τ structures over the same domain, and (MTa )i and (MTp )j areinterpretations of atomic modules-actions and modules-propositions, respectively, forall Mp,Ma ∈ ModAtI/O.State Formulae (line 2 of (5)): Atomic modules Mp and module variables Xi areinterpreted exactly like in the unary semantics. The rest of the formulae are interpretedexactly like in the µ-calculus, except we have a backwards modality in addition:

[T] := U,[φ1 ∨ φ2] := [φ1] ∪ [φ2],[¬φ] := U \ [φ],[|α〉φ] := {A | ∃B ( (A,B) ∈ JαK and B ∈ [φ] ) },[〈α|φ] := {B | ∃A ( (A,B) ∈ JαK and A ∈ [φ] ) },[µZj .φ] :=

⋂{R ⊆ U : [φ][Z:=R] ⊆ R

}.

Process Formulae (line 1 of (5)): These formulae are interpreted exactly like in theone-sorted semantics, and, in addition, tests are interpreted as in Dynamic Logic:

Jφ?K := {(A,A) | A ∈ [φ] }.

In particular, JT?K = JidK, where id is the relative multiplicative identity in the syntaxof Lµµ (5).

5.2.1 Satisfaction Relation for Lµµ

Given a well-formed state formula φ and process formula α as defined by (5), wesay that transition system T0 and state A, where A ∈ U, satisfy φ under variableassignment s, notation

T0,A |=s φ,

if A ∈ [φ]. For process formulae α, the definition of the satisfaction relation is exactlyas in the binary semantics.

5.3 Two-Sorted = Minimal SyntaxThe two representations of the algebra (one-sorted and two-sorted) are equivalent, aswe show below. The statement is analogous to the one in [1].

We show that all operations in the second line of (5) are reducible to the operationsin the first line.

Theorem 2. For every state formula φ in two-sorted syntax (5), there is a formula φin the minimal syntax (1) such that T0,B |=s φ iff T0, (B,B) |=s Dom/Img(φ). Forevery process formula α there is an equivalent formula α in the minimal syntax.

17

The notation Dom/Img means that either of the two operations can be used.Proof: We need to translate all the state formulae into process formulae. We do itby induction on the structure of the formula. Atomic constant modules and modulevariables remain unchanged by the transformation, except, monadic variables are nowconsidered as binary. Similarly, T is translated into binary as T := id.

• If φ = φ1 ∨ φ2, we set φ := φ1 ∪ φ2.

• If φ = ¬φ1, we set φ :=y (φ1). Equivalently, we can set φ :=x (φ1), sincestate formulae are unary and we are dealing with self-loops.

• If φ = |α1〉 φ1, we set φ := Dom(α1; φ1).

• If φ = 〈α1| φ1, we set φ := Img(φ1; α1).

• If φ = µX.(φ1), we set φ := µX.Dom(φ1). Equivalently, we can set φ :=

µX.Img(φ1), since, again, we are dealing with unary formulae here.

Operations y, x, Dom and Img are expressible using the basic operations of thealgebra, under the binary semantics. This gives us a transformation for the state formu-lae.

All process formulae α except test φ1? remain unchanged under this transforma-tion. For test, we have:

• If α = φ1?, we set α := Dom(φ1). Equivalently, we can set α := Img(φ1).

It is easy to see that, under this transformation, the semantic correspondence holds.

5.4 Examples of the Use of Modalities5.4.1 Equality Test

State formula |α∩β〉T specifies the set of states from where some executions of α andβ lead to the same state (the same data value). By the semantics, the meaning of thisformula is:

J|α ∩ β〉TK = {(B,B) |∃B′∃B′′ ( (B,B′) ∈ JαK and (B,B′′) ∈ JβK

and B′ = B′′)}.

This operation corresponds to an operation used in graph databases, XPath. By re-calling the translation from two-sorted to one-sorted syntax, we can also express thisoperation as follows:

|α ∩ β〉T =yy(α ∩ β) = Dom(α ∩ β).

This operation is stronger than Tie, which is expressible as α on β = Dom(α ∼ β).Non-equality test, which checks if some executions of the two processes lead to

different values, has (α ∩ β)− inside the modality.

18

5.4.2 Inclusion Test

State formula |α ≤ β]T specifies the set of states from where, for all information flows,if α reaches a state, then β reaches that state as well.

5.5 Imperative Programming ConstructsWe introduce some operations that will lead us to defining several programming con-structs. These constructs are standard in the research on the semantics of programminglanguages, and they can also be found in the literature on Dynamic Logic, e.g. in thebook by Harel, Kozen and Tiuryn [14]. We show that all these constructs are definableonce classical logic is augmented with information flow.

5.5.1 Regular Programs

For a given sets of atomic modules-actions and atomic tests, we define the set of regu-lar programs, denoted Reg, as follows. Any atomic module-action or atomic module-proposition is a program. If α and β are programs, then so are α;β and α∩ β. If α is aprogram, then α∗ is a program. These programs specify regular languages.

Propositional Dynamic logic [24, 5]

α ::= id |Ma | α;α | α ∪ α | α∗ | φ?φ ::= T | Xi | φ ∨ φ | ¬φ | |α〉 φ

is a fragment of Lµµ[Reg], and thus of Lµµ. Notice that in Propositional Dynamiclogic, only forward-facing modality is used, unlike Lµµ[Reg].

5.5.2 Deterministic Regular (While) Programs

We are interested in a restricted subclass of the regular programs. Deterministic regularprograms (also called deterministic While programs), denoted DetWhile, are defined by(1) requiring all atomic modules to be deterministic, and (2) restricting the constructs∪, ∗ and ? to appear only in the following expressions.

skip := T?,fail := (¬T)?,if φ then α else β := (φ?;α) ∪ ((¬φ)?;β),while φ do α := (φ?;α)∗; (¬φ)?.

Also, an unrestricted use of sequential composition is allowed. A common derivedoperation is repeat α intil φ := while ¬φ do α.

The class of nondeterministic while programs is the same, except the use of ∪ isunrestricted.

Notice that, in general, tests can be applied to formulae that have processes andother tests inside modalities, resulting in nested recursion. We define Atomic tests asatomic modules-propositions. Constant tests are T? and (¬T)?, which are expressible,

19

in the binary algebra, as id and y id, which is the same as ⊥. Following the terminol-ogy from Dynamic Logic, we define poor tests as boolean combinations of atomic andconstant tests.

We now demonstrate that deterministic regular (DetWhile) programs are express-ible using partial functions from the Deterministic fragment on U. Recall that tests arepartial identities on U.

Proposition 7. Assume φ is any partial identity on U. Then

skip := id,fail := y id,if φ then α else β = (φ;α) t β,while φ do α = (φ;α)↑; (yφ),repeat α intil φ = ((yφ);α)↑;φ.

Theorem 3. The set of all partial functions on U is closed under deterministic regularprograms.

Proof: The theorem follows from Proposition (7), where we express deterministicwhile programs by compositions of partial functions from the Deterministic fragment(4), and Theorem 1, the closure property of the set of partial functions on U under theapplications of these operations.

5.6 Modalities and the Deterministic FragmentIt will be useful to observe that the possibility and the necessity modalities are alsoexpressible using the operations in the Deterministic fragment (4).

Proposition 8.|α〉 φ = yy(α;φ),|α〉 T = yyα,|α〉 ¬T = ⊥,|α] φ = y(α; yφ),|α] T = id,|α]¬T = yα.

Proof: Recall, from the translation from the two-sorted to the one-sorted syntaxthat |α〉 φ = Dom(α;φ) = yy(α;φ). Also, |α〉 T = yy(α;T?) = yy(α; id) = yyα, and |α〉 ¬T = yy (α; (¬T)?) = yy (α;⊥) = yy⊥ =⊥. For the necessity modality, we have: |α] φ = ¬|α〉 ¬φ = ¬Dom(α;¬φ) = yyy(α; yφ) = y(α; yφ). For the more specific cases, |α]T = y(α; (¬T)?) =y(α; y id) = y(α;⊥) = y⊥ = id, and |α] ¬T = yDom(α; y(¬T)?) =yDom(α; id) = yDom(α) = yα.

Thus, if atomic modules are deterministic, then neither modalities, nor determinis-tic regular (While) programs add nondeterminism.

Observe also that the possibility modality turns any search problem α into a deci-sion problem |α〉 T.

20

6 AcknowledgementsComments by Bart Bogaerts, Brett McLean helped to improve the presentation and tofix numerous bugs. The paper has benefited from discussions with many colleagues atmy university and at conferences.

References[1] Faried Abu Zaid, Erich Gradel, and Stephan Jaax. Bisimulation safe fixed point

logic. In Rajeev Gore, Barteld P. Kooi, and Agi Kurucz, editors, Advances inModal Logic 10, invited and contributed papers from the tenth conference on”Advances in Modal Logic,” held in Groningen, The Netherlands, August 5-8,2014, pages 1–15. College Publications, 2014.

[2] D. M. Barrington, N. Immerman, and H. Straubing. On uniformity within NC1.Journal of Computer and System Sciences, 41(3):274 – 306, 1990.

[3] Marc Denecker and Eugenia Ternovska. A logic of non-monotone inductive def-initions. ACM transactions on computational logic (TOCL), 9(2):1–52, 2008.

[4] R. Fagin. Generalized first-order spectra and polynomial-time recognizable sets.Complexity of computation, SIAM-AMC proceedings, 7:43–73, 1974.

[5] Michael J. Fischer and Richard E. Ladner. Propositional dynamic logic of regularprograms. J. Comput. Syst. Sci., 18(2):194–211, 1979.

[6] D. Leinders D. Surinx J. Van den Bussche D. Van Gucht S. VansummerenG. Fletcher, M. Gyssens and Y. Wu. Relative expressive power of navigationalquerying on graphs. Information Sciences, 298:390–406, 2015.

[7] Jean-Yves Girard. Linear logic. Theor. Comput. Sci., 50:1–102, 1987.

[8] G. Gottlob, N. Leone, and F. Scarcello. Robbers, marshals, and guards: game the-oretic and logical characterizations of hypertree width. In PODS ’01: Proceed-ings of the twentieth ACM SIGMOD-SIGACT-SIGART symposium on Principlesof database systems, pages 195–206, 2001.

[9] E. Gradel. On the restraining power of guards. Journal of Symbolic Logic,64:1719–1742, 1999.

[10] E. Gradel, Ph. G. Kolaitis, and M. Y. Vardi. On the decision problem for two-variable first-order logic. Bulletin of Symbolic Logic, 3:53–69, 1997.

[11] E. Gradel and M. Otto. On logics with two variables. Theoretical ComputerScience, 224:73–113, 1999.

[12] E. Gradel and I. Walukiewicz. Guarded fixed point logic. In LICS’99, pages45–55, 1999.

[13] Yuri Gurevich. Sequential abstract-state machines capture sequential algorithms.ACM Trans. Comput. Logic, 1(1):77–111, July 2000.

21

[14] David Harel, Dexter Kozen, and Jerzy Tiuryn. Dynamic Logic (Foundations ofComputing). 2000.

[15] N. Immerman. Relational queries computable in polytime. In Fourteenth AnnualACM Symposium on Theory of Computing (STOC’82), pages 147 –152, 1982.

[16] Marcel Jackson and Timothy Stokes. Modal restriction semigroups: towards analgebra of functions. IJAC, 21(7):1053–1095, 2011.

[17] B. Jonsson and A. Tarski. Representation problems for relation algebras. Bull.Amer. Math. Soc., 74:127–162, 1952.

[18] M. Jurdzinski. Deciding the winner in parity games is in UP∩co-UP. InformationProcessing Letters, 69:119–124, 1998.

[19] Antonina Kolokolova, Yongmei Liu, David Mitchell, and Eugenia Ternovska.On the complexity of model expansion. In Proc., 17th Int’l Conf. on Logic forProgramming, Artificial Intelligence and Reasoning (LPAR-17), pages 447–458.Springer, 2010. LNCS 6397.

[20] Joachim Lambek. The mathematics of sentence stucture. Amer. Math. Monthly,65(3):154–170, 1958.

[21] A. B. Livchak. Languages for polynomial-time queries. In Computer-based mod-eling and optimization of heat-power and electrochemical objects, page 41, 1982.

[22] D. G. Mitchell and E. Ternovska. A framework for representing and solving NPsearch problems. In Proc. AAAI, pages 430–435, 2005.

[23] D. G. Mitchell and E. Ternovska. A framework for representing and solving NPsearch problems. In Proc. AAAI’05, pages 430–435, 2005.

[24] Vaughan R. Pratt. Semantical considerations on floyd-hoare logic. In 17th AnnualSymposium on Foundations of Computer Science, Houston, Texas, USA, 25-27October 1976, pages 109–121. IEEE Computer Society, 1976.

[25] Vaughan R. Pratt. Origins of the calculus of binary relations. In Proceedingsof the Seventh Annual Symposium on Logic in Computer Science (LICS ’92),Santa Cruz, California, USA, June 22-25, 1992, pages 248–254. IEEE ComputerSociety, 1992.

[26] Raymond Reiter. Knowledge in Action: Logical Foundations for Specifying andImplementing Dynamical Systems. MIT Press, 2001.

[27] L. Stockmeyer. The Complexity of Decision Problems in Automata Theory. PhDthesis, MIT, 1974.

[28] Alfred Tarski. On the calculus of relations. J. Symb. Log., 6(3):73–89, 1941.

[29] E. Ternovska. Static and dynamic views on the algebra of modular systems. InProc. of the 16th Int. Workshop on Non-Monotonic Reasoning (NMR 2016), pages153–162, 2016.

22

[30] B. Trahtenbrot. The impossibility of an algorithm for the decision problem forfinite domains. Doklady Academii Nauk SSSR, 70:569–572, 1950.

[31] M. Y. Vardi. The complexity of relational query language. In 14th ACM Symp.onTheory of Computing, Springer Verlag (Heidelberg, FRG and NewYork NY, USA)-Verlag, 1982.

[32] M. Y. Vardi. On the complexity of bounded-variable queries. In Proceedingsof the Fourteenth ACM SIGACT-SIGMOD-SIGART Symposium on Principles ofDatabase Systems, May 22-25, 1995, San Jose, California, pages 266–276. ACMPress, 1995.

23