On the modularity of Quasi-interpretations - CiteSeerX

Download PDF
3 downloads 0 Views 190KB Size Report
Comment
arguments are compared with the product extension of ≺rpo. Otherwise, the ... An assembly is ordered by ≺rpo if there are a precedence ≼F and a status st such.
On the modularity of Quasi-interpretations Guillaume Bonfante, Jean-Yves Marion and Romain P´echoux Loria, Calligramme project, B.P. 239, 54506 Vandœuvre-l`es-Nancy Cedex, France, ´ and Ecole Nationale Sup´erieure des Mines de Nancy, INPL, France. [email protected] [email protected] [email protected]

Abstract. Quasi-interpretations have shown their interest to deal with the complexity of programming languages with rewriting semantics. For instance, with the help of Product Path Orderings, we characterize all polynomial time functions. Secondly, finding quasi-interpretations is decidable, and so, there are automatic methods to certify the complexity of programs and extract resource upper bounds. The current proposition deals with the question of modularity of quasiinterpretations. We show that in the case of constructor-sharing and hierarchical unions, the existence of quasi-interpretations is not a modular property. However, we can still certify the complexity of programs. As a consequence, modularity helps to augment the intentionality of quasiinterpretations. Another consequence is that modularity improves the quasi-interpretation synthesis.

1

Introduction

The development of secure mobile computing platforms necessitates modular security policies because of complex and dynamic application manipulations. Resource control (i.e. memory/space or time) is one part of the overall story, but a critically important one. From a security perspective, a virtual machine (like CLR or JVM) may enforce restrictions on executing code and prevent it from behaving unexpectedly. In particular, a virtual machine ensures that a code cannot access or jump to an arbitrary address in memory, outside of the resource code boundary. However, the dynamic allocation is usually disabled and we usually need to thoughtfully estimate the resource code boundary before loading a code into it. Our objective is to provide a static analysis of the space, and also time, resource of a program, in order to be able to decide what applications that we should be able to run within say some memory space. There are several studies of various kinds on this subject. Among them, it is worth to mention the stimulating Regehr’s paper [35], and also [12]. Our approach is different and should be rather compared to the one of the implicit computational complexity (ICC) community, which proposes syntactic characterizations of complexity classes, which lean on a data ramification principle like safe recursion [6], lambda-calculus [29] or data tiering [28]. It bears stressing to discuss on the two main difficulties that

2

we have to face in order to provide a compelling resource static analysis. The first is that the method should capture a broad class of programs in order to be useful. From a theoretical perspective, this means that we are trying to characterize a large class of programs, which represent functions in some complexity classes. The traditional results focus on capturing all functions of a complexity class and we could call this approach extensional whereas our approach is intentional. This change of point of view is difficult because we have to keep in mind that the set of polynomial time programs is not recursively enumerable. The second difficulty is related to the complexity of the static analysis suggested. The resource analysis procedure should be decidable and easily checkable. But inversely, a too “easy” resource analysis procedure won’t, certainly, delineate a meaningful class of programs. There are at least four directions inspired by ICC approaches which are related with our topic and that we briefly review. The first direction deals with linear type disciplines in order to restrict computational time and began with the seminal work of Girard [18] which defined Light Linear Logic. The interesting reader should consult the recent results of Baillot-Terui [5], Lafont [27], or yet Coppola-Ronchi [14]. The second direction is due to Hofmann [20, 21, 4], who introduced a resource atomic type, the diamond type, into linear type systems for higher order functional programming. The main achievement is to be able to type a large class of programs and so to have and to target practical results with the European project Embounded. Unlike the two former approaches and the next one, the third one considers imperative programming language and is developed by Niggl [34] and Marion-Moyen [33, 31]. Lastly, the fourth approach is the one on which we focus in this paper. It concerns term rewriting systems and quasi-interpretations. A quasi-interpretation of a first order functional program provides an upper bound on the size of any value computed. The paper [9] is a comprehensive introduction to quasi-interpretations. Combined with recursive path orderings, it allows characterizing complexity classes such as the set of polynomial time functions or yet the set of polynomial space functions. The main features of quasi-interpretations (abbreviated QI) are the following. 1. QI analysis includes a broad class of algorithms, even some that have an exponentially length derivation but denote a polynomial time computable function using dynamic programming techniques. See [30, 8, 10] 2. Resource verification of bytecode programs obtained by compiling first order functional and reactive programs which admit quasi-interpretations. See for example [3, 2, 16]. 3. It is decidable in exponential time whether or not program admit a quasiinterpretation over real numbers [11]. Moreover, Amadio in [1] showed that some rich classes of QI are in NP. QI provide a methodology in order to determine and control the involved resources in a computation. From a developer perspective, a virtual machine runs and manages codes that we shall call assemblies (a loose analogy with .net terminology). We attach to each assembly a quasi-interpretation. As assemblies are loaded for execution, each assembly has its own quasi-interpretation. So the

3

virtual machine, which executes an assembly, knows an upper bound on necessary resources. So, the virtual machine may predict and be aware of, say, the size of stack frames, which could be of great importance for execution efficiency. Moreover, the virtual machine may check if the QI attached to an assembly is correct in order to avoid attacks like buffer overflows which is surveyed in [13]. We see that in this scenario, modularity plays a central role. Indeed, we can think of libraries of assemblies with QI, which are dynamically loaded, and so the space could be organised w.r.t. the QI and the virtual machine resource security policy. We are currently implementing this scenario on an ATMEL microcontroller. In this paper, an assembly is a first order functional program, which defines a class of functions over a constructor set. We study the modularity of three kinds of program subclasses w.r.t. QI. The study of modularity is nowadays a classical approach to solve problems, like confluence or termination, by dividing the problem into smaller parts. The reader should consult [25, 19, 37, 36, 32] to read an overview on this subject. In this context, we first consider the disjoint union case where both functions defined by the assemblies and their computational domains are disjoint. We establish that the property of having a QI is modular when assemblies are isolated. Then, we study the constructor-sharing case in which functions defined by assemblies share constructors. We show that QI are not modular but we can use QI in order to predict resource bounds. The consequence is that we are able to analyse the complexity of more programs. Indeed, suppose that an assembly does not admit a QI, and then a strategy is to cut it into two assemblies, which just have some constructors in common. Then, we can try to find QI to both sub-assemblies. We demonstrate that in this case we can still determine an upper bound on the amount of resource involved in a computation. Another consequence is a new characterization of the set of polynomial time functions and of polynomial space functions. The last one is the hierarchical case. We study modularity in the case where constructors of an assembly are defined function symbols of another assembly. Again the fact of admitting a QI is not modular, but again we are able, under some conditions, to analyse resource bounds. There is also an interesting consequence on the complexity of the decision procedure to find QI. Indeed, the results lead us to divide assemblies in order to find QI. And even if QI are not modular, we are able to guarantee the space or time usage, w.r.t. paper’s results. Moreover, the time complexity of the QI search algorithm decreases drastically, following the well-known pattern of a divide-and-conquer algorithm.

2 2.1

First order functional programming Syntax of assemblies

An assembly is a program library which is defined formally as a quadruple hX , C, F , Ri with X , F and C three disjoint sets which represent respectively the variables, the function symbols and the constructors symbols, and R a finite set of rules defined below:

4

(Constructor terms) T (C) ∋ v ::= (terms) T (C, F , X ) ∋ t ::= (patterns) P∋p ::= (rules) R∋r ::=

c | c(v1 , · · · , vn ) c | x | c(t1 , · · · , tn ) | f(t1 , · · · , tn ) c | x | c(p1 , · · · , pn ) f(p1 , · · · , pn ) → t

where x ∈ X , f ∈ F, and c ∈ C. ∗ The set of rules induces a rewriting relation →. The relation → is the reflexive and transitive closure of →. Throughout, we consider only orthogonal assemblies, that is, rule patterns are disjoint and linear. So each assembly is confluent [22]. The size |t| of a term t defined to be the number of symbols of arity strictly greater than 0 occurring in it. 2.2

Semantics

The domain of computation of an assembly hX , C, F , Ri is the constructor algebra T (C). A substitution σ is a mapping from variables to terms and a ground substitution is one which ranges over constructor terms of T (C). Observe that constructor terms are normal forms for the assembly. For each function symbol f ∈ F, the assembly hX , C, F , Ri computes a partial function JfK : T (C)n → T (C) defined by: For all vi ∈ T (C), JfK(v1 , · · · , vn ) = w ∗ iff f(v1 , · · · , vn )→w and w is in T (C). Otherwise JfK(v1 , · · · , vn ) is undefined. A term t which contains n variables x1 , · · · , xn defines a function φt such that for all vi ∈ T (C), φt (v1 , · · · , vn ) = JtσK where σ is a ground substitution such that xi σ = vi for any i. 2.3

Path orderings

Path orderings are well-known decidable simplification orderings which are defined from a precedence and a status given to function symbols. A precedence F (strict precedence ≺F ) is a quasi-ordering (strict partial ordering) on the set F of function symbols. Define the equivalence relation ≈F as f ≈F g iff f F g and g F f. This precedence F on function symbols extends canonically to C ∪ F with the following relations ∀f ∈ F, ∀c ∈ C, c ≺F f. We associate to each function symbol f a status st(f) in {p, l} and satisfying if f ≈F g then st(f) = st(g). The status indicates how to compare recursive calls. When st(f) = p, the status of f is said to be product. In that case, the arguments are compared with the product extension of ≺rpo . Otherwise, the status is said to be lexicographic. Definition 1. The product extension ≺p and the lexicographic extension ≺l of ≺ over sequences are defined by: – (m1 , · · · , mk ) ≺p (n1 , · · · , nk ) if and only if (i) ∀i ≤ p, mi  ni and (ii) ∃j ≤ k such that mj ≺ nj .

5

– (m1 , · · · , mk ) ≺l (n1 , · · · , nl ) if and only if ∃j such that ∀i < j, mi  ni and mj ≺ nj Definition 2. Given a precedence F and a status st, we define the recursive path ordering ≺rpo as follows: u rpo ti u ≺rpo f (. . . , ti , . . .)

f ∈F

S

C

ui ≺rpo f(t1 , · · · , tn )

g ≺F f

g(u1 , · · · , um ) ≺rpo f(t1 , · · · , tn )

st(f) (u1 , · · · , un ) ≺rpo (t1 , · · · , tn )

f ≈F g

g∈F

S

C

uj ≺rpo f(t1 , · · · , tn )

g(u1 , · · · , un ) ≺rpo f(t1 , · · · , tn ) An assembly is ordered by ≺rpo if there are a precedence F and a status st such that for each rule l → r, the inequality r ≺rpo l holds. Theorem 1. An assembly ordered by ≺rpo is terminating. Proof. The proof of the well-foundedness of ≺rpo is due to Dershowitz [17] and Kamin and Levy [24] and relies on Kruskal theorem. An effective proof of the well-foundedness of the multiset path ordering by Coupet-Grimal and Delobel can be found in [15].

3

Quasi-interpretations

3.1

The definition of Quasi-interpretations S An assignment of a symbol b ∈ F C of arity n is a function LbM : (R)n → R. An assignment satisfies the subterm property if for any i = 1, n and any X1 , · · · , Xn in R+ , we have LbM(X1 , · · · , Xn ) ≥ Xi

(1)

A direct consequence of the subterm property is that for any ground term s and any subterm t of s, LsM ≥ LtM. An assignment is weakly monotone if for any symbol b, LbM is an increasing (not necessarily strictly) function with respect to each variable. That is, for every symbol b and all X1 , · · · , Xn , Y1 , · · · , Yn of R with Xi ≤ Yi , we have LbM(X1 , · · · , Xn ) ≤ LbM(Y1 , · · · , Yn ). We extend assignment L−M to terms canonically. Given a term t with n variables, the assignment LtM is a function (R)n → R defined by the rules: Lb(t1 , · · · , tn )M = LbM(Lt1 M, · · · , Ltn M) LxM = X where X is a fresh variable ranging over reals. Roughly speaking, we may see that a quasi-interpretation is a quasi-reduction ordering which is compatible with reductions rules.

6

Definition 3 (Quasi-interpretation). A quasi-interpretation L−M of an assembly hX , C, F , Ri is a weakly monotonic assignment satisfying the subterm property such that for each rule l → r ∈ R, and for every constructor substitution σ LlσM ≥ LrσM Definition 4. An assignment L−M is said to be polynomial if for each symbol S b ∈ F C, LbM is a function bounded by a polynomial. A quasi-interpretation L−M is polynomial if the assignment L−M is polynomial. 3.2

Additive Quasi-Interpretations

Now, say that an assignment of a symbol b of arity n > 0 is additive if LbM(X1 , · · · , Xn ) =

n X

Xi + α with α ≥ 1

i=1

An assignment of an assembly p is additive if each constructor symbol of p has an additive assignment. An assembly is additive if it admits a quasi-interpretation which is an additive assignment. Example 1. Consider the assembly which computes the logarithm function and described by the following rules: log(0) → 0 log(S(0)) → 0 log(S(S(y))) → S(log(S(half(y))))

half(0) → 0 half(S(0)) → 0 half(S(S(y))) → S(half(y))

It admits the following additive quasi-interpretation: L0M = 0 LSM(X) = X + 1 LlogM(X) = LhalfM(X) = X 3.3

Key properties

Proposition 1. Assume that L−M is a quasi-interpretation of an assembly p. ∗ For any terms u and v such that u→v, we have LuM ≥ LvM Proof. A context is a particular term that we write C[⋄] where ⋄ is a new variable. The substitution of ⋄ in C[⋄] by a term t is noted C[t]. The proof goes by induction on the derivation length n. For this, suppose that u = u0 → . . . → un = v. If n = 0 then the result is immediate. Otherwise n > 0 and in this case, there is a rule f(p1 , · · · , pn ) → t and a constructor substitution σ such that u0 = C[f(p1 , · · · , pn )σ] and u1 = C[tσ]. Since L−M is a quasi-interpretation, we have LtσM ≤ Lf(p1 , · · · , pn )σM. The weak monotonicity property implies that LC[tσ]M ≤ LC[f(p1 , · · · , pn )σ]M. We conclude by induction hypothesis. ⊓ ⊔

7

Proposition 2. Assume that L M is an additive assignment. 1. For any constructor term t in T (C), we have |t| ≤ LtM. 2. For any constructor term t in T (C), we have LtM ≤ k × |t|. Proof. The proof goes by induction on the size of t.

⊓ ⊔

Proposition 3. Assume that L M is an additive quasi-interpretation of an assembly hX , C, F , Ri. For any term u and any constructor term t ∈ T (C), if ∗ u→t, we have |t| ≤ LuM. Proof. It is a consequence of Propositions 1 and 2.

⊓ ⊔

From the above results, we deduce a polynomial upper bound on the size of the values computed by function symbols of an additive assembly. Lemma 1 (Fundamental Lemma). Assume that hX , C, F , Ri is an additive assembly admitting a quasi-interpretation L−M. There is a polynomial P such that for any term t which has n variables x1 , · · · , xn and for any ground substitution σ such that xi σ = vi : |JtσK| ≤ P |t| ( max |vi |) i=1..n

where P 1 (X) = P (X) and P k+1 (X) = P (P k (X)). A proof of the lemma is written in [30]. Notice that the complexity just depends on the inputs and not on the term t which is of fixed size. We now state the main characterizations of complexity classes by quasiinterpretations [8, 9]. Theorem 2 (time). The set of functions computed by additive assemblies ordered by ≺rpo where each function symbol has a product status is exactly the set of functions computable in polynomial time. Proof. We give here the main ingredients of the proof. It is fully written in [9]. Due to the ≺rpo ordering with product status, any recursive subcall of some f(v1 , · · · , vn ), with f function symbol and vi constructor terms, will be done on subterms of the vi . A consequence of the Fundamental Lemma is that any other subcalls will be done on arguments of polynomial size. So one may use a memoization technique a la Jones [23], which leads us to define a call-by-value interpreter with cache in Figure 1. ⊓ ⊔ Theorem 3 (space). The set of functions computed by additive assemblies ordered by ≺rpo is exactly the set of functions computable in polynomial space. Proof. The proof is a consequence of the ≺rpo ordering and the Fundamental Lemma. ⊓ ⊔

8

c∈C

σ(x) = w

R, σ ⊢ hCi−1 , ti i → hCi , wi i

(V ariable) R, σ ⊢ hC, xi → hC, wi f∈F

(Cons) R, σ ⊢ hC0 , c(t1 , · · · , tn )i → hCn , c(w1 , · · · , wn )i

R, σ ⊢ hCi−1 , ti i → hCi , wi i

(f(w1 , · · · , wn ), w) ∈ Cn (Cache reading)

R, σ ⊢ hC0 , f(t1 , · · · , tn )i → hCn , wi R, σ ⊢ hCi−1 , ti i → hCi , wi i

f(p1 , · · · , pn ) → r ∈ R

R, σ ⊢ hC0 , f(t1 , · · · , tn

[ )i → hC

pi σ′ = wi

R, σ′ ⊢ hCn , ri → hC, wi (P ush)

(f(w1 , · · · , wn ), w), wi

Fig. 1. Evaluation of a rewriting system with memoization of intermediate evaluations

4

Modularity by Disjoint union

Two assemblies hX1 , C1 , F1 , R1 i and hX2 , C2 , F2 , R2 i are disjoint if F 1 ∩ F2 = C1 ∩ C2 = F 1 ∩ C2 = F 2 ∩ C1 = ∅ U The disjoint union of two assemblies hX1 , C1 , F1 , R1 i hX2 , C2 , F2 , R2 i is defined as the assembly hX1 ∪ X2 , C1 ∪ C2 , F1 ∪ F2 , R1 ∪ R2 i Kurihara and Ohuchi have shown in [26] that to be simplifying, that is the property of having a rewrite relation contained in some simplification ordering, is a modular property of Term Rewriting Systems. Proposition 4. Assume that hX1 , C1 , F1 , R1 i is an assembly ordered by ≺rpo with a status function st1 and hX2 , C2 , F2 , R2 i is an assembly ordered by ≺rpo with a status function st2 . Assume also U that hX1 , C1 , F1 , R1 i and hX2 , C2 , F2 , R2 i are disjoint. Then, hX1 , C1 , F1 , R1 i hX2 , C2 , F2 , R2 i is ordered by ≺rpo with a status function st defined as follows: st(f) = sti (f)

f ∈ Fi

i ∈ {1, 2}

Suppose that both assemblies are ordered by ≺rpo where each symbol is of product status, the above proposition says that the disjoint union is also ordered by ≺rpo where the status of each symbol is still product. Notice also that precedences play no special role here, that is why we omit them. Now we are going to study modularity of quasi-interpretations with respect to disjoint union. Proposition 5. The property of having a quasi-interpretation is modular. In other words, given two disjoint assemblies hX1 , C1 , F1 , R1 i and hX2 , C2 , F2 , R2 i, the assemblies hX1 ,U C1 , F1 , R1 i and hX2 , C2 , F2 , R2 i admit a quasi-interpretation iff hX1 , C1 , F1 , R1 i hX2 , C2 , F2 , R2 i admits a quasi-interpretation.

9

U Proof. Given two assemblies p1 and p2 , if p1 p2 has a quasi-interpretation L−M, then L−M is a quasi-interpretation of p1 and p2 . Conversely, suppose that p1 has a quasi-interpretation L−M1 and p2 has a quasi-interpretation L−M2 . Since the set of function symbols and the set of constructor symbols of both assemblies are respectively disjoint, for each symbol b ∈ Ci ∪ Fi we define LbMp1 U p2 = LbMi . It is a routine to check that L−Mp1 U p2 is U a quasi-interpretation for p1 p2 . ⊓ ⊔ Moreover, the modularity property respects the fact that a quasi-interpretation is additive. Corollary 1. The property of having an additive quasi-interpretation is modular. Proposition 6. The Fundamental Lemma holds for the disjoint union of additive assemblies. In other words, assume that hX1 , C1 , F1 , R1 i and hX2 , C2 , F2 , R2 i are two disjoint assemblies, which admit an additive quasi-interpretation. There U is a polynomial P such that for any term t of hX1 , C1 , F1 , R1 i hX2 , C2 , F2 , R2 i which has n variables x1 , · · · , xn and for any ground substitution σ such that xi σ = vi : |JtσK| ≤ P |t| ( max |vi |) i=1..n

Proof. The proof is a consequence of Corollary 1 and Fundamental Lemma 1. Theorem 4. The set of functions computed by disjoint union of additive assemblies ordered by ≺rpo where each function symbol has a product status is exactly the set of functions computable in polynomial time. Proof. Proposition 4 implies that the property of being ordered by ≺rpo with product status is modular. Corollary 1 implies that the disjoint union of additive assemblies admits an additive quasi-interpretation. It remains to use the proof of Theorem 2 in this particular case. ⊓ ⊔ Theorem 5. The set of functions computed by disjoint union of additive assemblies ordered by ≺rpo is exactly the set of functions computable in polynomial space. Proof. Proposition 4 and Corollary 1 implies that we can apply the proof of Theorem 3 which yields a characterization of polynomial space computable functions. ⊓ ⊔

5

Constructor-sharing union

Two assemblies hX1 , C1 , F1 , R1 i and hX2 , C2 , F2 , R2 i are constructor-sharing if F1 ∩ F2 = F1 ∩ C2 = F2 ∩ C1 = ∅ and C1 ∩ C2 6= ∅

10

In other words, two assemblies are constructor-sharing if their only shared symbols are constructor symbols. F The constructor-sharing union hX1 , C1 , F1 , R1 i hX2 , C2 , F2 , R2 i of two assemblies is defined as the assembly hX1 ∪ X2 , C1 ∪ C2 , F1 ∪ F2 , R1 ∪ R2 i Proposition 7. Assume that hX1 , C1 , F1 , R1 i is an assembly ordered by ≺rpo with a status function st1 and hX2 , C2 , F2 , R2 i is an assembly ordered by ≺rpo with a status function st2 . Assume also that hX1 ,F C1 , F1 , R1 i and hX2 , C2 , F2 , R2 i are constructor-sharing. Then, hX1 , C1 , F1 , R1 i hX2 , C2 , F2 , R2 i is ordered by ≺rpo with a status function st defined as follows: st(f) = sti (f)

f ∈ Fi

i ∈ {1, 2}

The previous result obviously holds if each symbol is of product status. As in the case of disjoint union, precedences play no special role here. Now we are showing a negative result for the modularity of quasi-interpretations in the case of constructor-sharing union: Proposition 8. The property of having an additive quasi-interpretation is not a modular property. Proof. We show it exhibiting a counter-example. We consider two assemblies, p0 and p1 . The constructor symbols set of p0 and p1 are equal to {0, S0 , S1 }. Thus, the three shared constructors are 0, S0 and S1 . For k ∈ {0, 1} we define the rules of pk to be: maxk (x, 0) → x maxk (0, y) → y maxk (Sk (x), Sk (y)) → Sk (maxk (x, y)) maxk (S1−k (x), S1−k (y)) → Sk (Sk (maxk (x, y))) fk (Sk (x)) → maxk (fk (x), fk (x)) We know that for k ∈ {0, 1}, the assembly pk admits the following quasiinterpretation: L0M = 0 LSk M(X) = X + 1 LS1−k M(X) = X + 2 Lmaxk M(X, Y ) = max(X, Y ) Lfk M(X) = X F Now consider the constructor-sharing union p0 p1 and suppose that it admits the additive quasi-interpretation L−M. Since L−M is additive, we know that: ∀k ∈ {0, 1} , LSk M(X) = X + ak , ak ≥ 1

11

For k ∈ {0, 1}, the rule fk (Sk (x)) → maxk (fk (x), fk (x)) forces the quasi-interpre tation of maxk to be of the form Lmaxk M(X, Y ) = max(X, Y ) + ck , for some constant ck . Writing n for S0 (. . . S0 (0) . . .), observe that: | {z } n times S0



max0 (max1 (n, n), max1 (n, n))→4n As a consequence, a0 n + c0 + c1 + L0M = Lmax0 (max1 (n, n), max1 (n, n))M ≥ L4nM = 4na0 + L0M So, ∀n : c0 + c1 ≥ 3na0 . Since c0 + c1 ≥ 3na0 should hold for any n, we see that this constraint F can not be satisfied. So, there is a contradiction and we conclude that p0 p1 has no quasi-interpretation, even if p0 and p1 have a quasi-interpretation. ⊓ ⊔ At first glance, this negative result seems to be the dead end in our will to split assemblies into sub-assemblies in order to obtain complexity bound certificates. However, even if the constructor-sharing union does not admit a quasiinterpretation, the complexity bounds remain correct: Proposition 9. The Fundamental Lemma holds for the constructor-sharing union of additive assemblies. In other words, given two constructor-sharing assemblies p1 = hX1 , C1 , F1 , R1 i F and p2 = hX2 , C2 , F2 , R2 i which admit an additive quasi-interpretation and p1 p2 their constructor-sharing union, there is a polynomial P such that for any term t which has n variables x1 , · · · , xn and for any ground substitution σ such that xi σ = vi : |JtσK| ≤ P |t| (|v1 |, . . . , |vn |) Proof. Consider any constructor terms v1 , · · · , vn ∈ T (C1 ∪C2 ). Observe that the ∗ evaluation of f(v1 , · · · , vn )→v, for some f ∈ Fj , is performed using only rules of the assembly hXj , Cj , Fj , Rj i. As a consequence, the Fundamental Lemma 1 holds for such a term and we have |v| ≤ P (maxi=1..n |vi |) for some polynomial P . We end the proof by induction on the structure of the term t. The case t = x is trivial. For t = g(t1 , · · · , tn ), use the remark above together with the fact that the composition of polynomials is polynomially bounded. ⊓ ⊔ Theorem 6. The set of functions computed by constructor-sharing union of additive assemblies ordered by ≺rpo where each function symbol has a product status is exactly the set of functions computable in polynomial time. Proof. Proposition 7 implies that the property of being ordered by ≺rpo with product status is modular. We know by proposition 9 that the Fundamental Lemma holds. Thus, using a call-by-value with cache similar to the one in figure 1, it yields a characterization of all functions computing in polynomial time. ⊓ ⊔ Theorem 7. The set of functions computed by constructor-sharing union of additive assemblies ordered by ≺rpo is exactly the set of functions computable in polynomial space. Proof. Propositions 7 and 9 yield a characterization of polynomial space computable functions. ⊓ ⊔

12

6

Hierarchical union

Two assemblies hX1 , C1 , F1 , R1 i and hX2 , C2 , F2 , R2 i are hierarchical if F1 ∩ F2 = F2 ∩ C1 = ∅ and C1 ∩ C2 6= ∅ and F1 ∩ C2 6= ∅ W The hierarchical union of two assemblies hX1 , C1 , F1 , R1 i hX2 , C2 , F2 , R2 i is defined as the assembly hX1 ∪ X2 , C1 ∪ C2 − F1 , F1 ∪ F2 , R1 ∪ R2 i Notice that the hierarchical union is no longer a commutative operation, on the contrary of disjoint and constructor-sharing unions. It underlines the fact that the assembly hX2 , C2 , F2 , R2 i is calling function symbols of the assembly hX1 , C1 , F1 , R1 i. Throughout the following section, we only consider assemblies having defined semantics. In other words, we suppose that the rewriting systems has normal forms in the constructor algebras. By this requirement, we know that the normal form of a function symbol f applied to constructor terms v1 , · · · , vn can be ∗ ∗ obtained through this way f(v1 , · · · , vn )→2 u→1 v. Proposition 10. Assume that hX1 , C1 , F1 , R1 i is an assembly ordered by ≺rpo with a status function st1 and a precedence ≺F1 and hX2 , C2 , F2 , R2 i is an assembly ordered by ≺rpo with a status function st2 and a precedence ≺F2 . Assume also that W hX1 , C1 , F1 , R1 i and hX2 , C2 , F2 , R2 i are hierarchical. Then, hX1 , C1 , F1 , R1 i hX2 , C2 , F2 , R2 i is ordered by ≺rpo with a status function st and a precedence F1 ∪F2 defined as follows: st(f) = sti (f) g F1 ∪F2 f g ≺F1 ∪F2 f

f ∈ Fi if g Fi f if f ∈ F2 and g ∈ F1 ∩ C2

i ∈ {1, 2} i ∈ {1, 2}

The previous result also holds if each symbol is of product status. Proposition 11. The property of having a quasi-interpretation is not modular. Proof. This comes from the fact that constructor-sharing unions are a particular case of hierarchical union. As a consequence the counter-example of the preceding section may be used here. ⊓ ⊔ Definition 5 (Kinds). Let b be a symbol of arity n > 0. A quasi-interpretation of b is: Pn – additive if LbM(X1 , · · · , Xn ) = Pn i=1 Xi + α with α ≥ 1 – affine if LbM(X1 , · · · , Xn ) = i=1 αi Xi + α with α ≥ 1 – multiplicative if LbM(X1 , · · · , Xn ) = Q(X1 , · · · , Xn ) + α with Q polynomial and α ≥ 1

13

Previous studies of polynomial interpretations and quasi-interpretations [7, 9] have shown the crucial role of a distinction between constructor symbols according to their Kind. By definition, constructor symbols keep their (additive) Kind for disjoint union and constructor-sharing union. It is no longer the case for hierarchical union. A symbol in F1 ∩C2 may have an affine or a multiplicative quasi-interpretation in hX1 , C1 , F1 , R1 i whereas it has (necessarily) an additive quasi-interpretation in hX2 , C2 , F2 , R2 i. For that reason, we have to distinguish hierarchical unions according to the way Kinds of symbols are mixed. Let us show on an example that even if two assemblies can be computed in polynomial time, their hierarchical union may not. Example 2. The programs p1 and p2 are given by the rules: d(S(x)) → S(S(d(x))) d(0) → 0

exp(S(x)) → d(exp(x)) exp(0) → S(0)

Constructor symbols of p1 are S and 0. The function symbol is d. For assembly p2 , constructor symbols are {S, d, 0} and the function symbol is exp. p1 and p2 admit the following quasi-interpretation: L0M1 = 0 L0M2 = 0 LSM1 (X) = X + 1 LSM2 (X) = LdM2 (X) = X + 1 LexpM2 (X) = X LdM1 (X) = 2X Proposition 12. Given hX1 , C1 , F1 , R1 i and hX2 , C2 , F2 , R2 i, two additive assemblies, suppose that any symbol b ∈ F1 ∩C2 has an additive quasi-interpretation in hX1 , C1 , F1 , R1 i. Then, the Fundamental Lemma holds: There is a polynomial P such that for any term f(x1 , · · · , xn ) with f a function symbol and x1 , · · · , xn variables, and for any ground substitution σ such that xi σ = vi : |JfK(x1 σ, . . . , xn σ)| ≤ P ( max |vi |) i=1..n

Proof. For simplicity, we suppose that (C2 − F1 ) ⊆ C1 . Given the assemblies hX1 , C1 , F1 , R1 i and hX2 , C2 , F2 , R2 i with their respective quasi-interpretations L−M1 and L−M2 , suppose that we have a term f(x1 , · · · , xn ) with f a function symbol. Consider f(x1 , · · · , xn )σ for some ground substitution σ, f(x1 , · · · , xn )σ ∗ ∗ →2 u →1 v. As rewriting is done entirely within p2 , the Fundamental Lemma can be applied wrt f(x1 , · · · , xn )σ and u. We obtain |u| ≤ Q(maxi=1..n |vi |) with Q some polynomial. Now, observe that u is a term with only additive symbols. In that case, Proposition 2 holds. So, |v| ≤ LvM1 ≤ LuM1 ≤ k|u| ≤ kQ( max |vi |) i=1..n

Take P (X) = kQ(X).

⊓ ⊔

Proposition 13. Given hX1 , C1 , F1 , R1 i and hX2 , C2 , F2 , R2 i, two additive assemblies, suppose that any symbol b ∈ F1 ∩ C2 has an affine (resp. multiplicative) quasi-interpretation in hX1 , C1 , F1 , R1 i. Then, the following holds:

14

There is a polynomial P such that for any term f(x1 , · ·W · , xn ), with f a function symbol and x1 , · · · , xn variables, in hX1 , C1 , F1 , R1 i hX2 , C2 , F2 , R2 i and for any ground substitution σ such that xi σ = vi : |JfK(x1 σ, . . . , xn σ)| ≤ Ψ (P ( max |vi |)) i=1..n

X

where Ψ (X) = 2X (resp. 22 ). Proof. We begin as in the previous proof. Consider the affine case. Observe that symbols in u are additive or affine in hX1 , C1 , F1 , R1 i. In that case, we have LuM1 ≤ 2k|u| for some constant k. See [9] for a proof. We conclude by |v| ≤ LvM1 ≤ LuM1 ≤ k|u| 2k|u| ≤ 2P (maxi=1..n |vi |) . For the multiplicative case, the inequality LuM1 ≤ 22 yields the result. ⊓ ⊔ Theorem 8. The set of functions computed by a hierarchical union of two assemblies p1 and p2 such that 1. p1 and p2 are ordered by ≺rpo and each function symbol has a product status, 2. p1 has an additive quasi-interpretation L−M1 and p2 has an additive quasiinterpretation L−M2 , 3. each symbol in C2 ∩ F1 has an additive quasi-interpretation in p1 is exactly the set of functions computable in polynomial time. Moreover, if condition (1) is replaced by: p1 and p2 are ordered by ≺rpo then we characterize exactly the class of polynomial space functions. Proof. Again, it is a consequence of the fact that we have the Fundamental Lemma 12 and the ≺rpo ordering with product status, still using a call-by-value with cache. ⊓ ⊔ Theorem 9. The set of functions computed by a hierarchical union of two assemblies p1 and p2 such that 1. p1 and p2 are ordered by ≺rpo and each function symbol has a product status, 2. p1 has an additive quasi-interpretation L−M1 and p2 has an additive quasiinterpretation L−M2 , 3. each symbol in C2 ∩F1 has an affine (resp. multiplicative) quasi-interpretation in p1 is exactly the set of functions computable in exponential time (resp. doubly exponential time). Moreover, if condition (1) is replaced by: p1 and p2 are ordered by ≺rpo then we characterize exactly the class of exponential (resp. doubly exponential) space functions.

15

References 1. R. Amadio. Max-plus quasi-interpretations. In Martin Hofmann, editor, Typed Lambda Calculi and Applications, 6th International Conference, TLCA 2003, Valencia, Spain, June 10-12, 2003, Proceedings, volume 2701 of Lecture Notes in Computer Science, pages 31–45. Springer, 2003. 2. R. Amadio and S. Dal-Zilio. Resource control for synchronous cooperative threads. In Concur, pages 68–82, 2004. 3. R.M. Amadio, S. Coupet-Grimal, S. Dal Zilio, and L. Jakubiec. A functional scenario for bytecode verification of resource bounds. In CSL, 2004. to appear. 4. D. Aspinall and A. Compagnoni. Heap Bounded Assembly Language. Journal of Automated Reasoning (Special Issue on Proof-Carrying Code), 31:261–302, 2003. 5. P. Baillot and K. Terui. A feasible algorithm for typing in elementary affine logic. In Springer, editor, TLCA, volume 3461 of Lecture Notes in Computer Science, pages 55–70, 2005. 6. S. Bellantoni and S. Cook. A new recursion-theoretic characterization of the polytime functions. Computational Complexity, 2:97–110, 1992. 7. G. Bonfante, A. Cichon, J.-Y. Marion, and H. Touzet. Algorithms with polynomial interpretation termination proof. Journal of Functional Programming, 11(1):33–53, 2001. 8. G. Bonfante, J.-Y. Marion, and J.-Y. Moyen. On lexicographic termination ordering with space bound certifications. In PSI 2001, Akademgorodok, Novosibirsk, Russia, Ershov Memorial Conference, volume 2244 of Lecture Notes in Computer Science. Springer, Jul 2001. 9. G. Bonfante, J.-Y. Marion, and J.-Y. Moyen. Quasi-interpretation a way to control resources. Submitted to Theoretical Computer Science, 2005. http://www.loria. fr/∼marionjy. 10. G. Bonfante, J.-Y. Marion, and J.-Y. Moyen. Quasi-interpretations and small space bounds. In J¨ urgen Giesl, editor, Term Rewriting and Applications, 16th International Conference, RTA 2005, Nara, Japan, April 19-21, 2005, Proceedings, volume 3467 of Lecture Notes in Computer Science, pages 150–164. Springer, 2005. 11. G. Bonfante, J.-Y. Marion, J.-Y. Moyen, and R. P´echoux. Synthesis of quasiinterpretations. Workshop on Logic and Complexity in Computer Science, LCC2005, Chicago, 2005. http://www.loria/∼ pechoux. 12. K. Chatterjee, D. Ma, R. Majumdar, T. Zhao, T.A. Henzinger, and J. Palsberg. Stack size analysis for interrupt-driven programs. In SAS 03: Static Analysis, Lecture Notes in Computer Science 2694, pages 109–126. Springer-Verlag, 2003. 13. E. Chien and P. Szor. Blended attacks: Exploits, vulnerabilities and buffer-overflow techniques in computer viruses. In Virus Bulletin Conference, pages 1–35, 2002. 14. P. Coppola and S. Ronchi Della Rocca. Principal typing for lambda calculus in elementary affine logic. Fundamenta Informaticae, 65(1-2):87–112, 2005. 15. S. Coupet-Grimal and W. Delobel. An effective proof of the well-foundedness of the multiset path ordering. Rapport de recherche, LIF, 2005. 16. S. Dal-Zilio and R. Gascon. Resource bound certification for a tail-recursive virtual machine. In APLAS 2005 – 3rd Asian Symposium on Programming Languages and Systems, volume 3780 of Lecture Notes in Computer Science, pages 247–263. Springer-Verlag, November 2005. 17. N. Dershowitz. Orderings for term-rewriting systems. Theoretical Computer Science, 17(3):279–301, 1982.

16 18. J.-Y. Girard. Light linear logic. Information and Computation, 143(2):175–204, 1998. prsent ` a LCC’94, LNCS 960. 19. B. Gramlich. Generalized sufficient conditions for modular termination of rewriting. In In Proceedings of the Third International Conference on Algebraic and Logic Programming, volume 632, pages 53–68, 1992. 20. M. Hofmann. A type system for bounded space and functional in-place update. Nordic Journal of Computing, 7(4):258–289, 2000. 21. M. Hofmann. The strength of Non-Size Increasing computation. In Proceedings of POPL’02, pages 260–269, 2002. 22. G. Huet. Confluent reductions: Abstract properties and applications to term rewriting systems. Journal of the ACM, 27(4):797–821, 1980. 23. N. D. Jones. Computability and complexity, from a programming perspective. MIT press, 1997. 24. S. Kamin and J-J L´evy. Attempts for generalising the recursive path orderings. Technical report, Univerity of Illinois, Urbana, 1980. Unpublished note. Accessible on http://perso.ens-lyon.fr/pierre.lescanne/not accessible.html. 25. J.W. Klop. Term rewriting systems. In D. Gabbay S. Abramsky and T. Maibaum, editors, Handbook of logic in Computer Science, volume 2, pages 1–116, 1992. 26. M. Kurihara and A. Ohuchi. Modularity of simple termination of term rewriting systems with shared constructors. Theoretical Computer Science, 103:273–282, 1992. 27. Y. Lafont. Soft linear logic and polynomial time. Theoretical Computer Science, 318:163–180, 2004. 28. D. Leivant. Predicative recurrence and computational complexity I: Word recurrence and poly-time. In Peter Clote and Jeffery Remmel, editors, Feasible Mathematics II, pages 320–343. Birkh¨ auser, 1994. 29. D. Leivant and J.-Y. Marion. Lambda calculus characterizations of poly-time. Fundamenta Informaticae, 19(1,2):167,184, September 1993. 30. J.-Y. Marion and J.-Y. Moyen. Efficient first order functional program interpreter with time bound certifications. In Michel Parigot and Andrei Voronkov, editors, Logic for Programming and Automated Reasoning, 7th International Conference, LPAR 2000, Reunion Island, France, volume 1955 of Lecture Notes in Computer Science, pages 25–42. Springer, Nov 2000. 31. J.-Y. Marion and J.-Y. Moyen. Heap analysis for assembly programs. Technical report, Loria, 2006. 32. A. Middeldorp. Modular properties of term rewriting Systems. PhD thesis, Vrije Universiteit te Amsterdam, 1990. 33. J.-Y. Moyen. Analyse de la complexit´e et transformation de programmes. Th`ese d’universit´e, Nancy 2, Dec 2003. 34. K.-H. Niggl and H. Wunderlich. Certifying polynomial time and linear/polynomial space for imperative programs. SIAM Journal on Computing. to appear. 35. J. Regehr. Say no to stack overflow. Embedded systems programming, 2004. 36. Y. Toyama. Counterexamples for the direct sum of term rewriting systems. Information Processing Letters, 25:141–143, 1987. 37. Y. Toyama. On the church-rosser property for the direct sum of term rewriting systems. Journal of the ACM, 34(1):128–143, 1987.