PDF

HANDBOOK OF LOGIC
IN COMPUTER SCIENCE
Editors
S. Abramsky, Dov M. Gabbay, T. S. E. Maibaum
HANDBOOKS OF LOGIC IN COMPUTER SCIENCE
and
ARTIFICIAL INTELLIGENCE AND LOGIC PROGRAMMING
Executive Editor
Dov M. Gabbay
Administrator
Jane Spurr
Handbook of Logic in Computer Science

Volume 1
Volume 2
Volume 3
Volume 4
Volume 5
Volume 6
Background: Mathematical structures

Background: Computational structures
Semantic structures
Semantic modelling
Logic and algebraic methods
Logical methods in computer science
Handbook of Logic in Artificial Intelligence and

Logic Programming
Volume 1
Volume 2
Volume 3
Volume 4
Volume 5
Logical foundations
Deduction methodologies
Nonmonotonic reasoning and uncertain reasoning
Epistemic and temporal reasoning
Logic programming
Handbook of Logic
in Computer Science
Volume 5
Logic and Algebraic Methods
Edited by
S.ABRAMSKY
Christopher Stanley Professor of Computing
University of Oxford
DOV M. GABBAY
Augustus De Morgan Professor of Logic
King's College, London
and
T. S. E. MAIBAUM
Professor of the Foundation of Software Engineering
King's College, London
Volume Co-ordinator
DOV M. GABBAY
CLARENDON PRESS OXFORD

2000
OXFORD
UNIVERSITY PRESS
Great Clarendon Street, Oxford 0x2 6DP

Oxford University Press is a department of the University of Oxford.
It furthers the University's objective of excellence in research, scholarship,
and education by publishing worldwide in
Oxford New York
Athens Auckland Bangkok Bogota Buenos Aires Calcutta
Cape Town Chennai Dares Salaam Delhi Florence Hong Kong Istanbul
Karachi Kuala Lumpur Madrid Melbourne Mexico City Mumbai
Nairobi Paris Sao Paulo Shanghai Singapore Taipei Tokyo Toronto Warsaw
with associated companies in Berlin Ibadan
Oxford is a registered trade mark of Oxford University Press
in the UK and in certain other countries
Published in the United States
by Oxford University Press Inc., New York
The contributors listed on pp. xvii-xviii 2000
The moral rights of the authors have been asserted
Database right Oxford University Press (maker)
First published 2000
All rights reserved. No part of this publication may be reproduced,
stored in a retrieval system, or transmitted, in any form or by any means,
without the prior permission in writing of Oxford University Press,
or as expressly permitted by law, or under terms agreed with the appropriate
reprographics rights organization. Enquiries concerning reproduction
outside the scope of the above should be sent to the Rights Department,
Oxford University Press, at the address above
You must not circulate this book in any other binding or cover
and you must impose this same condition on any acquirer
A catalogue record for this book is available from the British Library
Library of Congress Cataloging in Publication Data
ISBN 0-19-853781-6
Typeset by the authors and Jane Spurr using LaTeX
Printed in Great Britain
on acid-free paper by
Biddies Ltd., Guildford & King's Lynn
Preface
We are happy to present Volume 5 of the Handbook of Logic in Computer Science, on Logic and Algebraic Methods, The first two volumes
of the Handbook presented the background on fundamental mathematical
structuresconsequence relations, model theory, recursion theory, category
theory, universal algebra, topology; and on computational structures
term-rewriting systems, A-calculi, modal and temporal logics and algorithmic proof systems. The computational structures considered thus far have
been predominantly syntactic in character; while the discussion of mathematical structures has been quite general and free-standing.
In Volumes 3 and 4 these threads were drawn together. We looked at
how mathematical structures are used to model computational processes.
In Volume 3, the focus is on general approaches: Domain theory, denotational and algebraic semantics, and the semantics of types. In Volume
4, some more specific topics are considered, and the emphasis shifts from
structures to the actual modelling of some key computational features.
The present Volume 5 continues with logical and algebraic methodologies basic to computer science. Chapter 1 covers Martin-L0f's type theory,
originally developed to clarify the foundations of constructive mathematics it now plays a major role in theoretical computer science. The second
chapter covers categorial logic, the interaction area between category theory and mathematical logic. It builds on the basic concepts introduced
in the chapter 'Basic Category Theory' in Volume 1 of this Handbook series. The third chapter presents methods for obtaining lower bounds on
the computational complexity of logical theories. Many such theories show
up in the landscape of logic and computation. The fourth chapter covers
algebraic specification and types. It treats the subject using set theoretical
notions only and is thus accessible to a wide range of readers. The last
(fifth) chapter deals with computability on abstract data types. It develops a theory of computable functions on abstract many-sorted algebras, a
general enough notion for the needs of computer science.
The Handbooks
We see the creation of this Handbook and its companion, the Handbook of
Logic in Artificial Intelligence and Logic Programming as a combination of
authoritative exposition, comprehensive survey, and fundamental research
exploring the underlying unifying themes hi the various areas. The intended
vi
Preface
audience is graduate students and researchers in the areas of computing

and logic, as well as other people interested in the subject. We assume as
background some mathematical sophistication. Much of the material will
also be of interest to logicians and mathematicians.
The tables of contents of the volumes were finalized after extensive discussions between Handbook authors and second readers. The first two
volumes present the BackgroundMathematical Structures and Computational Structures.
The chapters, which in many cases are of monographic length and scope,
are written with emphasis on possible unifying themes. The chapters have
an overview, introduction, and main body. A final part is dedicated to
more specialized topics.
Chapters are written by internationally renowned researchers in their
respective areas. The chapters are co-ordinated and their contents were discussed in joint meetings. Each chapter has been written using the following
procedures:
1. A very detailed table of contents was discussed and co-ordinated at
several meetings between authors and editors of related chapters.
The discussion was in the form of a series of lectures by the authors.
Once an agreement was reached on the detailed table of contents, the
authors wrote a draft and sent it to the editors and to other related
authors. For each chapter there is a second reader (the first reader is
the author) whose job it has been to scrutinize the chapter together
with the editors. The second reader's role is very important and has
required effort and serious involvement with the authors.
2. Once this process was completed (i.e. drafts seen and read by a large
enough group of authors), there were other meetings on several chapters in which authors lectured on their chapters and faced the criticism of the editors and audience. The final drafts were prepared after
these meetings.
3. We attached great importance to group effort and co-ordination in the
writing of chapters. The first two parts of each chapter, namely the
introduction-overview and main body, are not completely under the
discretion of the author, as he/she had to face the general criticism
of all the other authors. Only the third part of the chapter is entirely
for the authors' own personal contribution.
The Handbook meetings were generously financed by OUP, by SERC
contract SO/809/86, by the Department of Computing at Imperial College,
and by several anonymous private donations. Recently I have moved, together with the Editorial Office to King's College, London. I thank King's
College for their open ended support of our publications efforts.
We would like to thank our colleagues, authors, second readers, and
students for their effort and professionalism in producing the manuscripts
Preface
vii
for the Handbook. We would particularly like to thank the staff of OUP for
their continued and enthusiastic support, and Mrs Jane Spurr, our OUP
Administrator, for her dedication and efficiency.
A View
Finally, fifteen years after the start of the Handbook project, I would like
to take this opportunity to put forward my current views about logic in
computer science. In the early 1980s the perception of the role of logic in
computer science was that of a specification and reasoning tool and that of
a basis for possibly neat computer languages. The computer scientist was
manipulating data structures and the use of logic was one of his options.
My own view at the time was that there was an opportunity for logic
to play a key role in computer science and to exchange benefits with this
rich and important application area and thus enhance its own evolution.
The relationship between logic and computer science was perceived as very
much like the relationship of applied mathematics to physics and engineering. Applied mathematics evolves through its use as an essential tool, and
so we hoped for logic. Today my view has changed. As computer science
and artificial intelligence deal more and more with distributed and interactive systems, processes, concurrency, agents, causes, transitions, communication and control (to name a few), the researcher in this area is having
more and more in common with the traditional philosopher who has been
analysing such questions for centuries (unrestricted by the capabilities of
any hardware).
The principles governing the interaction of several processes, for example, are abstract and similar to principles governing the cooperation of two
large organisations. A detailed rule based effective but rigid bureaucracy
is very much similar to a complex computer program handling and manipulating data. My guess is that the principles underlying one are very much
the same as those underlying the other.
I believe the day is not far away in the future when the computer
scientist will wake up one morning with the realisation that he is actually
a kind of formal philosopher!
London
April 1999
D. M. Gabbay
This page intentionally left blank
Contents
List of contributors
Martin-L6f s type theory
B. Nordstrtim, K. Petersson and J. M. Smith

1
2
3
4
5
Introduction
1.1 Different formulations of type theory
1.2 Implementations
Propositions as sets
Semantics and formal rules
3.1 Types
3.2 Hypothetical judgements
3.3 Function types
3.4 The type Set
3.5 Definitions
Prepositional logic
Set theory
5.1 The set of Boolean values
5.2 The empty set
5.3 The set of natural numbers
5.4 The set of functions
(Cartesian product of a family of sets)
5.5 Prepositional equality
5.6 The set of lists
5.7 Disjoint union of two sets29
5.8 Disjoint union of a family of sets
5.9 The set of small sets
The ALF series of interactive editors for type theory
1
3
4
4
7
7
9
12
14
15
16
19
20
21
21
23
26
28
29
30
32
Contents
Categorial logic
39
Andrew M. Pitts
1 Introduction
2 Equational logic
2.1 Syntactic considerations
2.2 Categorical semantics
2.3 Internal languages
3 Categorical datatypes
3.1 Disjoint union types
52
3.2 Product types
57
3.3 Function types
3.4 Inductive types

3.5 Computation types
4 Theories as categories
4.1 Change of category
4.2 Classifying category of a theory
4.3 Theory-category correspondence
4.4 Theories with datatypes
5
60
62
65
67
68
68
73
75
Predicate logic
77
5.1 Formulas and sequents
77
5.2 Hyperdoctrines
78
5.3 Satisfaction
5.4 Prepositional connectives
5.5 Quantification
82
84
89
5.6 Equality
5.7 Completeness
6 Dependent types
40
43
44
45
48
50
93
97
100
101
107
6.3 Type-categories
6.5 Dependent products
109
114
119
Further reading
123
Contents
A uniform method for proving lower bounds

on the computational complexity of
logical theories
xi
129
K. Compton and C. Ward Henson

1
2
3
4
5
6
7
8
9
10
Introduction
Preliminaries
Reductions between formulas
Inseparability results for first-order theories
Inseparability results for monadic second-order theories
Tools for NTIME lower bounds
Tools for linear ATIME lower bounds
Applications
Upper bounds
Open problems
Algebraic specification of abstract data types
129
135
140
151
158
164
173
180
196
204
217
J. Loeckx, H.-D. EhrichandM. Wolf
1
2
Introduction
Algebras
2.1 The basic notions
2.2 Homomorphisms and isomorphisms
2.3 Abstract data types
2.4 Subalgebras
2.5 Quotient algebras
Terms
3.1 Syntax
3.2 Semantics
3.3 Substitutions
3.4 Properties
Generated algebras, term algebras
4.1 Generated algebras
4.2 Freely generated algebras
4.3 Term algebras
4.4 Quotient term algebras
Algebras for different signatures
5.1 Signature morphisms
5.2 Reducts
5.3 Extensions
219
220
220
223
224
225
225
227
227
228
229
229
230
230
233
234
235
235
235
237
238
xii
6
9
10
11
12
13
Contents
Logic
6.1 Definition
6.2 Equational logic
6.3 Conditional equational logic
6.4 Predicate logic
Models and logical consequences
7.1 Models
7.2 Logical consequence
7.3 Theories
7.4 Closures
7.5 Reducts
7.6 Extensions
Calculi
8.1 Definitions
8.2 An example
8.3 Comments
Specification
Loose specifications
10.1 Genuinely loose specifications
10.2 Loose specifications with constructors
10.3 Loose specifications with free constructors
Initial specifications
11.1 Initial specifications in equational logic
11.2 Examples
11.3 Properties
11.4 Expressive power of initial specifications
11.5 Proofs
11.6 Term rewriting systems and proofs
11.7 Rapid prototyping
11.8 Initial specifications in conditional equational
logic
11.9 Comments
Constructive specifications
Specification languages
13.1A simple specification language
13.2 Two further language constructs
13.3 Adding an environment
13.4 Flattening
13.5 Properties and proofs
13.7 Further language constructs
13.8 Alternative semantics description
239
239
240
241
241
243
243
244
245
246
248
248
249
249
250
251
252
253
253
255
256
257
257
258
260
260
261
263
265
266
266
267
270
271
274
278
281
282
282
282
283
Contents
14
15
16
Modularization and parameterization

14.1 Modularized abstract data types
14.2 Atomic module specifications
14.3 A modularized specification language
14.4 A parameterized specification language
14.5 Comments
14.6 Alternative parameter mechanisms
Further topics
15.1 Behavioural abstraction
15.2 Implementation
15.3 Ordered sorts
15.4 Exceptions
15.5 Dynamic data types
15.6 Objects
15.7 Bibliographic notes
The categorical approach
16.1 Categories
16.2 Institutions
xiii
284
284
285
287
290
294
295
297
297
299
301
302
304
306
308
309
309
309
Computable functions and semicomputable sets

on many-sorted algebras
397
/. V Tucker and J. I. Zucker
1
Introduction
1.1 Computing in algebras
1.2 Examples of computable and non-computable functions
1.3 Relations with effective algebra
1.4 Historical notes on computable functions on algebras
1.5 Objectives and structure of the chapter
1.6 Prerequisites
Signatures and algebras
2.1 Signatures
2.2 Terms and subalgebras
2.3 Homomorphisms, isomorphisms and abstract data types
2.4 Adding Booleans: Standard signatures and algebras
2.5 Adding counters: V-standard signatures and algebras
2.6 Adding the unspecified value u; algebras Au of signature Su
2.7 Adding arrays: Algebras A* of signature _*
2.8 Adding streams: Algebras A of signature
319
322
325
329
335
340
343
344
344
349
350
351
353
355
356
359
xiv
3
Contents
While computability on standard algebras

3.1 Syntax of While()361
3.2 States
3.3 Semantics of terms
3.4 Algebraic operational semantics
3.5 Semantics of statements for While(E,)
3.6 Semantics of procedures
3.7 Homomorphism invariance theorems
3.8 Locality of computation
3.9 The language While Proc(S)
3.10 RelativeWhile computability
3.11 For(E) computability
3.12 WhileN and ForN computability
3.13 While* and For* computability
3.14 Remainder set of a statement; snapshots
3.15 E*/E conservativity for terms
4 Representations of semantic functions; universality
4.1 Godel numbering of syntax
4.2 Representation of states
4.3 Representation of term evaluation
4.4 Representation of the computation step function
4.5 Representation of statement evaluation
4.6 Representatipn of procedure evaluation
4.7 Computability of semantic representing functions; term
evaluation property
4.8 Universal WhileN procedure for While
4.9 Universal WhileN procedure for While*
4.10 Snapshot representing function and sequence
4.11 Order of a tuple of elements
4.12 Locally finite algebras
4.13 Representing functions for specific terms or programs
5 Notions of semicomputability
5.1 While semicomputability
5.2 Merging two procedures: Closure theorems
5.3 Projective While semicomputability: semicomputability
with search
5.4 WhileN semicomputability
5.5 Projective WhileN semicomputability
5.6 Solvability of the halting problem
5.7 While* semicomputability
5.8 Projective While* semicomputability
5.9 Homomorphism invariance for semicomputable sets
5.10 The computation tree of a While statement
5.11 Engeler's lemma
360
363
363
364
366
368
371
372
374
375
376
377
378
380
383
387
388
389
389
390
392
393
394
397
401
402
404
405
406
407
408
409
413
414
416
416
420
421
422
423
425
Contents
5.12 Engeler's lemma for While* semicomputabitity
5.13 1*definability: Input/output and halting formulae
5.14 The projective equivalence theorem
5.15 Halting sets of While procedures with random assignments
6 Examples of semicomputable sets of real and complex numbers
6.1 Computability on R and C
6.2 The algebra of reals; a set which is projectively While
semicomputable but not While* semicomputable
6.3 The ordered algebra of reals; sets of reals which are While
semicomputable but not While* computable
6.4 A set which is projectively While* semicomputable but not
projectively WhileN semicomputable
6.5 Dynamical systems and chaotic systems on R; sets which
are WhileN semicomputable but not While* computable
6.6 Dynamical systems and Julia sets on C; sets which are
WhileN semicomputable but not While* computable
7 Computation on topological partial algebras
7.1 The problem
7.2 Partial algebras and While computation
7.3 Topological partial algebras
7.4 Discussion: Two models of computation on the reals
7.5 Continuity of computable functions
7.6 Topological characterisation of computable sets in compact
algebras
7.7 Metric partial algebra
7.8 Connected domains: computability and explicit definability
7.9 Approximable computability
7.10 Abstract versus concrete models for computing on the real
numbers
8 A survey of models of computability
8.1 Computability by function schemes
8.2 Machine models
8.3 High-level programming constructs; program schemes
8.4 Axiomatic methods
8.5 Equational definability
8.6 Inductive definitions and fixed-point methods
8.7 Set recursion
8.8 A generalised Church-Turing thesis for computability
8.9 A Church-Turing thesis for specification
8.10 Some other applications
Index
xv
429
431
434
435
438
439
441
443
445
447
449
451
452
453
455
458
460
464
465
465
470
475
479
479
484
488
490
490
492
493
493
496
500
525
Contributors
B. Nordstrom, Kent Petersson and Jan Smith
Department of Computer Science
Chalmers Tekniska Hogskola
Institutionen for Datavetenskap
S-412 96 Goteborg
Sweden
A. Pitts
University of Cambridge Computer Laboratory
New Museums Site
Pembroke Street
Cambridge
CB2 3QG
J. Loeckx
University des Saarlandes
D-66041 Saarbrucken
Germany
H.-D. Ehrich
Technische Universitat Braunschweig
D-38023 Braunschweig
Germany
M.Wolf
Universitatdes Saarlandes
D-66041 Saarbrucken
Germany
K. Compton
University of Aarhus
Ny Munkegade, Bldg 540
DK-8000 Aarhus C
Denmark
C. Ward Benson
Department of Mathematics
University of Illinois
1409 Green St.
Urbana, IL 61801
USA
Contributors
J.V.Tucker
University of Swansea
Singleton Park
Swansea
Wales
J. I. Zucker
Department of Computing and Software
Faculty of Engineering
McMaster Univeristy
1280 Main Street West, JHE-327
Hamilton, Ontario, L8S 4L7
Canada
Martin-L0f 's type theory

B. Nordstrom, K. Petersson and J. M. Smith
Contents
1
2
3
4
5
Introduction
1.1 Different formulations of type theory
1.2 Implementations
3.1 Types
3.2 Hypothetical judgements
3.3 Function types
3.4 The type Set
3.5 Definitions
Propositional logic
Set theory
5.1 The set of Boolean values
5.2 The empty set
5.3 The set of natural numbers
5.4 The set of functions (cartesian product of a family of sets)
5.5 Propositional equality
5.6 The set of lists
5.7 Disjoint union of two sets
5.8 Disjoint union of a family of sets
5.9 The set of small sets
1
3
4
4
7
7
9
12
14
15
16
19
20
21
21
23
26
28
29
29
30
32
1 Introduction
The type theory described in this chapter has been developed by Martin-L6f
with the original aim of being a clarification of constructive mathematics.
Unlike most other formalizations of mathematics, type theory is not based
on predicate logic. Instead, the logical constants are interpreted within type
theory through the Curry-Howard correspondence between propositions
and sets [Curry and Feys, 1958; Howard, 1980]: a proposition is interpreted
as a set whose elements represent the proofs of the proposition.
It is also possible to view a set as a problem description in a way similar to Kolmogorov's explanation of the intuitionistic propositional calculus
[Kolmogorov, 1932]. In particular, a set can be seen as a specification of a
programming problem; the elements of the set are then the programs that
satisfy the specification.
An advantage of using type theory for program construction is that it
is possible to express both specifications and programs within the same
formalism. Furthermore, the proof rules can be used to derive a correct
program from a specification as well as to verify that a given program has
a certain property. As a programming language, type theory is similar to
typed functional languages such as ML [Gordon et al., 1979; Milner et al.,
1990] and Haskell [Hudak et al, 1992], but a major difference is that the
evaluation of a well-typed program always terminates.
The notion of constructive proof is closely related to the notion of computer program. To prove a proposition (Vx A)(By E B)P(x,y) constructively means to give a function / which when applied to an element a
in A gives an element b in B such that P(a, b) holds. So if the proposition (VxE A)(ByB)P(x,y) expresses a specification, then the function /
obtained from the proof is a program satisfying the specification. A constructive proof could therefore itself be seen as a computer program and
the process of computing the value of a program corresponds to the process
of normalizing a proof. It is by this computational content of a constructive
proof that type theory can be used as a programming language; and since
the program is obtained from a proof of its specification, type theory can be
used as a programming logic. The relevance of constructive mathematics
to computer science was pointed out by Bishop [1970].
Several implementations of type theory have been made which can serve
as logical frameworks, that is, different theories can be directly expressed
in the implementations. The formulation of type theory we will describe
in this chapter form the basis for such a framework, which we will briefly
present in the last section.
The chapter is structured as follows. First we will give a short overview
of different formulations and implementations of type theory. Section 2 will
explain the fundamental idea of propositions as sets by means of Heyting's
explanation of the intuitionistic meaning of the logical constants. The
following section will give a rather detailed description of the basic rules
and their semantics; on a first reading some of this material may just be
glanced at, in particular the subsection on hypothetical judgements. In
section 4 we illustrate type theory as a logical framework by expressing
propositional logic in it. Section 5 introduces a number of different sets
and the final section give a short description of ALF, an implementation
of the type theory of this chapter.
Although self-contained, this chapter can be seen as complement to our
book, Programming in Martin-Lof's Type Theory. An Introduction [Nord-
Martin-Lof's type theory
strom et a/., 1990], in that we here give a presentation of Martin-Lof's

monomorphic type theory in which there are two basic levels, that of types
and that of sets. The book is mainly concerned with a polymorphic formulation where instead of a level of types there is a theory of expressions. One
major difference between these two formulations is that in the monomorphic formulation there is more type information in the terms, which makes
it possible to implement a type checker [Magnusson and Nordstrom, 1994];
this is important when type theory is used as a logical framework where
type checking is the same as proof checking.
1.1
Different formulations of type theory
One of the basic ideas behind Martin-Lof's type theory is the CurryHoward interpretation of propositions as types, that is, in our terminology,
propositions as sets. This view of propositions is closely related to Heyting's
explanation of intuitionistic logic [Heyting, 1956] and will be explained in
detail below.
Another source for type theory is proof theory. Using the identification
of propositions and sets, normalizing a derivation corresponds to computing
the value of the proof term expressing the derivation. One of Martin-Lof's
original aims with type theory was that it could serve as a framework
in which other theories could be interpreted. And a normalization proof
for type theory would then immediately give normalization for a theory
expressed in type theory.
In Martin-Lof's first formulation of type theory in 1971 [Martin-L6f,
1971a], theories like first-order arithmetic, Godel's T [Godel, 1958], secondorder logic and simple type theory [Church, 1940] could easily be interpreted. However, this formulation contained a reflection principle expressed
by a universe V and including the axiom V E V, which was shown by Girard
to be inconsistent. Coquand and Huet's 'Calculus of Constructions' [Coquand and Huet, 1986] is closely related to the type theory in [Martin-L6f,
1971a]: instead of having a universe V, they have the two types Prop and
Type and the axiom Prop Type, thereby avoiding Girard's paradox.
Martin-Lof's later formulations of type theory have all been predicat
ive; in particular, second-order logic and simple type theory cannot be
interpreted in them. The strength of the theory considered in this chapter
instead comes from the possibility of defining sets by induction.
The formulation of type theory from 1979 in 'Constructive Mathematics
and Computer Programming' [Martin-L6f, 1982] is polymorphic and extensional. One important difference with the earlier treatments of type theory
is that normalization is not obtained by metamathematical reasoning; instead, a direct semantics is given, based on Tait's computability method.
A consequence of the semantics is that a term, which is an element in a
set, can be computed to normal form. For the semantics of this theory,
lazy evaluation is essential. Because of a strong elimination rule for the set
expressing the propositional equality, judgemental equality is not decidable. This theory is also the one in Intuitionistic Type Theory [Martin-Lof,
1984]. It is also the theory used in the NuPRL system [Constable et al.,
1986] and by the group in Groningen [Backhouse et al., 1989].
The type theory presented in this chapter was put forward by Martin-Lof
in 1986 with the specific intention that it should serve as a logical framework.
1.2
Implementations
One major application of type theory is its use as a programming logic in

which you derive programs from specifications. Such derivations easily become long and tedious and, hence, error-prone, so it is essential to formalize
the proofs and to have computerized tools to check them.
There are several examples of computer implementations of proof checkers for formal logics. An early example is the AUTOMATH system [de
Bruijn, 1970; de Bruijn, 1980] which was designed by de Bruijn to check
proofs of mathematical theorems. Quite large proofs were checked by the
system, for example the proofs in Landau's book Grundlagen der Analysis
[Jutting, 1979]. Another system, which is more intended as a proof assistant, is the Edinburgh (Cambridge) LCF system [Gordon et a/., 1979;
Paulson, 1987]. The proofs are constructed in a goal directed fashion, starting from the proposition the user wants to prove and then using tactics to
divide it into simpler propositions. The LCF system also introduced the
notion of metalanguage (ML) in which the user could implement her own
proof strategies. Based on the LCF system, a system for Martin-Lof's type
theory was implemented in Goteborg 1982 [Petersson, 1982, 1984]. Another, more advanced, system for type theory was developed by Constable
et al. at Cornell University [Constable et al., 1986].
In recent years, several logical frameworks based on type theory have
been implemented: the Edinburgh LF [Harper et al., 1993], Coq from INRIA [Dowek et al., 1991], LEGO from Edinburgh [Luo and Pollack, 1992],
and ALF from Goteborg [Augustsson et al., 1990; Magnusson and Nordstrom, 1994]. Coq and LEGO are both based on Coquand and Huet's
calculus of constructions, while ALF is an implementation of the theory we
describe in this chapter. A brief overview of the ALF system is given in
section 6.
The basic idea of type theory to identify propositions with sets goes back
to Curry [Curry and Feys, 1958], who noticed that the axioms for positive
implicational calculus, formulated in the Hilbert style,

(A D B D C) D (A D B) D A D C
correspond to the types of the basic combinators K and 5,
Modus ponens then corresponds to functional application. Tait [Tait,

1965] noticed the further analogy that removing a cut in a derivation corresponds to a reduction step of the combinator representing the proof.
Howard [Howard, 1980] extended these ideas to first-order intuitionistic
arithmetic. Another way to see that propositions can be seen as sets is
through Heyting's [Heyting, 1956] explanations of the logical constants.
The constructive explanation of logic is in terms of proofs: a proposition
is true if we know how to prove it. For implication we have:
A proof of A D B is a function (method, program) which to
each proof of A gives a proof of B.
The notion of function or method is primitive in constructive mathematics
and a function from a set A to a set B can be viewed as a program which
when applied to an element in A gives an element in B as output. The
idea of propositions as sets is now to identify a proposition with the set of
its proofs. In case of implication we get:
A D B is identified with A -> B, the set of functions from A
to B.
The elements in the set A -> B are of the form
where 6 6 B and b
may depend on x A.
Heyting's explanation of conjunction is that a proof of A A B is a pair
whose first component is a proof of A and whose second component is a
proof of B. Hence, we get the following interpretation of a conjunction as
a set.
A/\B is identified with A x B, the cartesian product of A and B.
The elements in the set A x B are of the form (a, b), where a A and
A disjunction is constructively true if and only if we can prove one of
the disjuncts. So a proof of A V B is either a proof of A or a proof of B.
Hence,
A V B is identified with A + B, the disjoint union of A and B.
The elements in the set A + B are of the form inl(a) and inr(b), where a 6 A
and b 6 B.
The negation of a proposition A can be defined by:
where stands for absurdity, that is a proposition which has no proof. If

we let {} denote the empty set, we have
-<A is identified with the set A - {}
using the interpretation of implication.
In order to interpret propositions defined using quantifiers, we need
operations defined on families of sets, i.e. sets B depending on elements x in
some set A. We let B [x-(-a] denote the expression obtained by substituting
a for all free occurrences of x in B. Heyting's explanation of the existential
quantifier is the following:
A proof of (3x A)B consists of a construction of an element a
in the set A together with a proof of B [x < a].
So, a proof of (3x A)B is a pair whose first component a is an element
in the set A and whose second component is a proof of B [x < a]. The
set corresponding to this is the disjoint union of a family of sets, denoted
by (Ea; G A)B. The elements in this set are pairs (a, b) where a e A
and b 6 B [x < a]. We get the following interpretation of the existential
quantifier:
(3xeA)B is identified with the set (xeA)B.
Finally, we have the universal quantifier.
A proof of (Vx 6 A)B is a function (method, program) which to
each element a in the set A gives a proof of B [x x a].
The set corresponding to the universal quantifier is the cartesian product
of a family of sets, denoted by (IIx A)B. The elements in this set are
functions which, when applied to an element a in the set A, give an element
in the set B[x<-a]. Hence,
(VxA)B is identified with the set ( I I A ) B .
The elements in the set (IIx A)B are of the form lx.b, where b B and
both b and B may depend on x e A. Note that if B does not depend on x
then (IIxE A)B is the same as A > B, so > is not needed as a primitive
when we have cartesian products over families of sets. In the same way,
CxA)B is nothing but A x B when B does not depend on x.
Except for the empty set, we have not yet introduced any sets that
correspond to atomic propositions. One such set is the equality set a =A b,
which says that a and b are equal elements in the set A. Recalling that a
proposition is identified with the set of its proofs, we see that this set is
non-empty if and only if a and b are equal. If a and b are equal elements
in the set A, we postulate that the constant id (a) is an element in the set
a =A b.
When explaining the sets interpreting propositions we have used an
informal notation to express elements of the sets. This notation differs from
the one we will use in type theory in that that notation will be monomorphic
in the sense that the constructors of a set will depend on the set. For
instance, an element of A - B will be of the form \(A,B,b) and an
element of A x B will be of the form (A, B, a, b).
We will in this section first introduce the notion of type and the judgement
forms this explanation gives rise to. We then explain what a family of
types is and introduce the notions of variable, assumption and substitution
together with the rules that follow from the semantic explanations. Next,
the function types are introduced with their semantic explanation and the
formal rules which the explanation justifies. The rules are formulated in
the style of natural deduction [Prawitz, 1965].
3.1
Types
The basic notion in Martin-Lof's type theory is the notion of type. A type
is explained by saying what an object of the type is and what it means for
two objects of the type to be identical. This means that we can make the
judgement
A is a type,
which we in the formal system write as
A type,
when we know the conditions for asserting that something is an object of
type A and when we know the conditions for asserting that two objects
of type A are identical. We require that the conditions for identifying two
objects must define an equivalence relation.
When we have a type, we know from the semantic explanation of what
it means to be a type what the conditions are to be an object of that type.
So, if A is a type and we have an object a that satisfies these conditions
then
a is an object of type A,
which we formally write
a A.
Furthermore, from the semantics of what it means to be a type and the
knowledge that A is a type we also know the conditions for two objects
of type A to be identical. Hence, if A is a type and a and b are objects
of type A and these objects satisfy the equality conditions in the semantic
explanation of A then
a and b are identical objects of type A,
which we write
a = b A.
Two types are equal when an arbitrary object of one type is also an
object of the other and when two identical objects of one type are identical
objects of the other. If A and B are types we know the conditions for being
an object and the conditions for being identical objects of these types. Then
we can investigate if all objects of type A are also objects of type B and if
all identical objects of type A are also objects of type B and vice versa. If
these conditions are satisfied then
A and B are identical types,
which we formally write
A = B.
The requirement that the equality between objects of a type must be
an equivalence relation is formalized by the rules:
Reflexivity of objects
ae A
a a A
Symmetry of objects
a = b <E A
b=ae A
Transitivity of objects
a = b A
b = ce A
a =ce A
The corresponding rules for types are easily justified from the meaning
of what it means to be a type:
Reflexivity of types
A type
A=A
Symmetry of types
A=B
B=A

Transitivity of types
A =B
B =C
The meaning of the judgement forms a A, a = 6 A and A = B

immediately justifies the following:
Type equality rules
A
A =B
a = bA
A =B
a B
a= eB
3.2
Hypothetical judgements
The judgements we have introduced so far do not depend on any assumptions. In general, a hypothetical judgement is made in a context of the
form
X1 AI,
X2 A2, . . . , Xn An
where we already know that A\ is a type, A2 is a type in the context

X1 A1, . . . , and An is a type in the context x1 AI, x2 A2, ..,,
xn-1e An. The explanations of hypothetical judgements are made by
induction on the length of a context. We have already given the meaning
of the judgement forms in the empty context; hence we could now directly
explain the judgement forms in a context of length n. However, in order
not to hide the explanations under heavy notation, we will give them for
hypothetical judgements only depending on one assumption and then illustrate the general case with the judgement that A is a type in a context of
length n.
Let C be a type which does not depend on any assumptions. That A
is a type when x e C, which we write
A type [ x C ] ,
means that, for an arbitrary object c of type C, A[x c] is a type, that is,
A is a type when c is substituted for x. Furthermore, we must also know
that if c and d are identical objects of type C then A [x 4 c] and A [x d\
are the same types. When A is a type depending on x e C we say that A
is a family of types over type C.
That A and B are identical families of types over type C,
A = B [x e C],
means that A [x 4 c] and A [x < c] are equal types for an arbitrary object
c of type C.
10

That a is an object of type A when x C,
a 6 A [x C],
means that we know that a [x c] is an object of type A [x < c] for an
arbitrary object c of type C. We must also know that a [x -f- c] and a [x f- d]
are identical objects of type A [x 4 c] whenever c and d are identical objects
of type C.
That a and 6 are identical objects of type A depending on x e C,
a = b 6 A [x e C],
means that a a[x < c] and b [x c] are the same objects of type A [x - c] for
an arbitrary object c of type (7.
We will illustrate the general case by giving the meaning of the judgement that A is a type in a context of length n; the other hypothetical
judgements are explained in a similar way. We assume that we already
know the explanations of the judgement forms in a context of length n 1.
Let
x1 AI, x2 e A2, . . . , xn An
be a context of length n. We then know that
A1 type
A2 type [x1 E AI]
An type [x1 e A1, x2 6 A2, ..., xn-1 A n - 1 ]
To know the hypothetical judgement
A type [x1 e A1, x-2 E A2, ..., xn E An]
means that we know that the judgement
type
. . . , xn e .4ra [xi <-a] ]
holds for an arbitrary object a of type A1 in the empty context. We must

also require that if a and b are arbitrary identical objects of type AI then
the judgement
A [x1 <- a] = A [x1 <- b]

[x2 .A2[x1<- a], . . . , xn E An [x1 <- a] ]
holds. This explanation justifies two rules for substitution of objects in
types. We can formulate these rules in different ways, simultaneously sub-
11
stituting objects for one or several of the variables in the context. Formulating the rules so they follow the semantical explanation as closely as
possible gives us:
Substitution in types
The explanations of the other hypothetical judgement forms give the

following substitution rules. Let A and B be types in the context x\ AI,
x2 E A2, . . . , xn e An.
Substitution in equal types
Let A be a type in the context x1 A1, x2 A2, ... , xn E An.

Substitution in objects
Let A be a type and c and d be objects of type A in the context x1 E AI,

x2eA2,...,xn An.
Substitution in equal objects
The explanations of the hypothetical judgement forms justify the following rule for introducing assumptions.
Assumption
12
In this rule all premises are explicit. In order to make the rules shorter and
more comprehensible we will often leave out that part of the context which
is the same in the conclusion and each premise.
The rules given in the previous section without assumptions can also
be justified for hypothetical judgements.
3.3
Function types
One of the basic ways to form a new type from old ones is to form a function
type. So, if we have a type A and a family B of types over A, we want
to form the dependent function type (x A)B of functions from A to B.
In order to do this, we must explain what it means to be an object of
type (x A)B and what it means for two objects of type (x A)B to be
identical. The function type is explained in terms of application.
To know that an object c is of type (x A)B means that we know that
when we apply it to an arbitrary object a of type A we get an object c(a)
in B [x < a] and that we get identical objects in B [x a] when we apply
it to identical objects a and b of A.
That two objects c and d of (x 6 A)B are identical means that when
we apply them to an arbitrary object a of type A we get identical objects
of type B [x < a].
Since we have now explained what it means to be an object of a function
type and for the conditions for two objects of a function type to be equal,
we can justify the rule for forming the function type:
Function type
We also obtain the rule for forming equal function types:

Equal function types
We will use the abbreviation (A)B for (x A)B when B does not depend
on x. We will also write (x A;y 6 B)C instead of (x e A)(y B)C and
(x,y A)B instead of (x A;y A)C.
We can also justify the following two rules for application:
Application
And we have the following rules for showing that two functions are equal:
13
Application
Extensionality
x must occur free neither in c nor in d

Instead of writing repeated applications as c(a1)(a 2 ) (a n ) we will use the
simpler form c(a1 , a2 , . . . , an) .
One fundamental way to introduce a function is to abstract a variable
from an expression:
Abstraction
We will write repeated abstractions as [x1,x2, . . . ,xn]b and also exclude

the outermost parentheses when there is no risk of confusion.
How do we know that this rule is correct, i.e. how do we know that [x]b
is a function of the type (x A}B? By the semantics of function types,
we must know that when we apply [x]b of type (x A)B to an object a
of type A, then we get an object of type B[x < a]; the explanation is by
B-conversion:
B-conversion
We must also know that when we apply an abstraction [x]b, where b

B[x.A],to two identical objects a1 and a2 of type A, then we get identical
results of type B [x-< a] as results. We can see this in the following way.
By B-conversion we know that ([x]6)(a1) = b [ x - a 1 ] B [ x 4 - a 1 ] and
([x]6)(a 2 ) = b [ x < - a 2 ] B[x<-a 2 ]- By the meaning of the judgements
B type [x A] and 6 6 B [x A] we know that B[x <- a1] = B[x -- a2]
and that b[x<- a1] = b[x-< a2] B[x< a1]. Hence, by symmetry and
transitivity, we get ([x]6)(a1) = ([x]b(a2) 6 B[x*-a1] from a1 = a2 A.
To summarize: to be an object / in a functional type (x A)B means
that it is possible to make an application f(a) if a e A. Then by looking
at b-conversion as the definition of what it means to apply an abstracted
expression to an object it is possible to give a meaning to an abstracted
expression. Hence, application is more primitive then abstraction on this
14
type level. Later we will see that for the set of functions, the situation is
different.
By the rules we have introduced, we can derive the following:
n-conversion
x must not occur free in c
3.4
The type Set
The objects in the type Set consist of inductively defined sets. In order
to explain a type we have to explain what it means to be an object in it
and what it means for two such objects to be the same. So, to know that
Set is a type we must explain what a set is and what it means for two
sets to be the same: to know that A is an object in Set (or equivalently
that A is a set) is to know how to form canonical elements in A and when
two canonical elements are equal. A canonical element is an element on
constructor form; examples are zero and the successor function for natural
numbers.
Two sets are the same if an element of one of the sets is also an element
of the other and if two equal elements of one of the sets are also equal
elements of the other.
This explanation justifies the following rule:
Set-formation
Set type
If we have a set A we may form a type El(A) whose objects are the
elements of the set A:
Notice that it is required that the sets are built up inductively: we

know exactly in what ways we can build up the elements in the set and
different ways corresponding to different constructors. As an example, for
the ordinary definition of natural numbers, there are precisely two ways of
building up elements, one using zero and the other one using the successor
function. This is in contrast with types which in general are not built
up inductively. For instance, the type Set can obviously not be defined
inductively. It is always possible to introduce new sets (i.e. objects in
15
Set). The concept of type is open; it is possible to add more types to the
language, for instance adding a new object A to Set gives the new type
El(A)).
In what follows, we will often write A instead of El(A) since it will
always be clear from the context if A stands for the set A or the type of
elements of A.
3.5 Definitions
Most of the generality and usefulness of the language comes from the possibilities of introducing new constants. It is in this way that we can introduce
the usual mathematical objects like natural numbers, integers, functions,
tuples etc. It is also possible to introduce more complicated inductive sets
like sets for proof objects: it is in this way that rules and axioms of a theory
are represented in the framework.
A distinction is made between primitive and defined constants. The
value of a primitive constant is the constant itself. So, the constant has only
a type and not a definition; instead it gets its meaning by the semantics
of the theory. Such a constant is also called a constructor. Examples
of primitive constants are N, succ and 0; they can be introduced by the
following declarations:
A defined constant is defined in terms of other objects. When we apply

a defined constant to all its arguments in an empty context, for instance,
c(e1,..., en), then we get an expression which is a definiendum, that is, an
expression which computes in one step to its definiens (which is a well-typed
object).
A defined constant can be either explicitly or implicitly defined. We
declare an explicitly defined constant c by giving it as an abbreviation of
an object a in a type A:
For instance, we can make the following explicit definitions:
The last example is the monomorphic identity function which, when applied
to an arbitrary set A, yields the identity function on A. It is easy to see
16
if an explicit definition is correct: you just check that the definiens is an

object in the correct type.
We declare an implicitly defined constant by showing what definiens it
has when we apply it to its arguments. This is done by pattern-matching
and the definition may be recursive. Since it is not decidable if an expression defined by pattern-matching on a set really defines a value for each
element of the set, the correctness of an implicit definition is in general
a semantical issue. We must be sure that any well-typed expression of
the form c(e1,..., en) is a definiendum with a unique well-typed definiens.
Here are two examples, addition and the operator for primitive recursion
in arithmetic:
Prepositional logic
Type theory can be used as a logical framework, that is, it can be used to
represent different theories. In general, a theory is presented by a list of
typings
where c1,..., cn are new primitive constants, and a list of definitions
where d1,..., dm are new defined constants.

The basic types of Martin-L6f's type theory are Set and the types of
elements of the particular sets we introduce. In the next section we will give
a number of examples of sets, but first we use the idea of propositions as sets
to express that prepositional logic with conjunction and implication; the
other connectives can be introduced in the same way. When viewed as the
type of propositions, the semantics of Set can be seen as the constructive
explanation of propositions: a proposition is defined by laying down what
counts as a direct (or canonical) proof of it. To put it a different way: a
proposition is defined by its introduction rules. Given a proposition A, that
is, an object of the type Set, then El(A) is the type of proofs of A. From
the semantics of sets we get that two proofs are the same if they have the
same form and identical parts; we also get that two propositions are the
same if a proof of one of the propositions is also a proof of the other and
17
if identical proofs of one of the propositions are also identical proofs of the
other.
The primitive constant & for conjunction is introduced by the following
declaration:
& (Set; Set) Set
Prom this declaration we obtain, by repeated function application, the
clause for conjunction in the usual inductive definition of formulas in the
propositional calculus:
& -formation
where we have used infix notation, that is, we have written A&B instead
We must now define what counts as a proof of a conjunction, and that
is done by the following declaration of the primitive constant &I:
This declaration is the inductive definition of the set &(A, B), that is, any
element in the set is equal to an element of the form &/(A, B, a, b), where
A and B are sets and a A and b B. A proof of the syntactical form
&I&1,(A, B,a, b) is called a canonical proof of A&B.
By function application, we obtain the introduction rule for conjunction
from the declaration of &/:
&-introduction
A e Set
To obtain the two elimination rules for conjunction, we introduce the

two defined constants
(A,
and
by the defining equations
and
respectively. Notice that it is the definition of the constants which justifies
their typings. To see that the typing of & E1 is correct, assume that A and
18
B are sets, and that p A&B. We must then show that &i(A, B,p)
is an element in A. But since p A&B, we know that p is equal to an
element of the form &I(A, B,a, b), where a 6 A and b 6 B. But then we
have that &EI (A, B, p) &E1i(A,B,&i(A,B,a,b)) which is equal to a by
the defining equation of &EI .
Prom the typings of &E1 and &E2 we obtain, by function application,
the elimination rules for conjunction:
&-elimination 1
and
&-elimination 2
The defining equations for &EI and &E2 correspond to Prawitz's reduction
rules in natural deduction:
A&B
and
A&B
B
respectively. Notice the role which these rules play here. They are used
to justify the correctness, that is, the well-typing of the elimination rules.
The elimination rules are looked upon as methods which can be executed,
and it is the reduction rules which define the execution of the elimination
rules.
The primitive constant D for implication is introduced by the declaration
D e (Set; Set)Set
As for conjunction, we obtain from this declaration the clause for implication in the inductive definition of formulas in the prepositional calculus:
19
Ds-formation
A canonical proof of an implication is formed by the primitive constant

DI, declared by
By function application, the introduction rule for implication is obtained
from the declaration of D/:
D-introduction
So, to get a canonical proof of A D B we must have a function 6 which

when applied to a proof of A gives a proof of B, and the proof then obtained
isD/(A,B,6).
To obtain modus ponens, the elimination rule for D, we introduce the
denned constant
which is defined by the equation
In the same way as for conjunction, we can use this definition to show that
D is well-typed.
The defining equation corresponds to the reduction rule
By function application, we obtain from the typing of DE

D-elimination
Set theory
We will in this section introduce a theory of sets with natural numbers,

lists, functions, etc. which could be used when specifying and implementing
20
computer programs. We will also show how this theory is represented in

the type theory framework.
When defining a set, we first introduce a primitive constant for the set
and then give the primitive constants for the constructors, which express
the different ways elements of the set can be constructed. The typing rule
for constants denoting the set is called the formation rule of the set and the
typing rules for the constructors are called the introduction rules. Finally,
we introduce a selector as an implicitly defined constant to express the
induction principle of the set; the selector is defined by pattern-matching
and may be recursive. The type rule for the selector is called the elimination
rule and the defining equations are called equality rules.
Given the introduction rules, it is possible to mechanically derive the
elimination rule and the equality rules for a set; how this can be done has
been investigated by Martin-L6f [l971b], Backhouse [1987], Coquand and
Paulin [1989], and Dybjer[l994].
5.1
The set of Boolean values
The set of Boolean values is an example of an enumeration set. The values

of an enumeration set are exactly the same as the constructors of the set
and all constructors yield different elements. For the Booleans this means
that there are two ways of forming an element and therefore also two constructors: true and false. Since we have given the elements of the set and
their equality, we can introduce a constant for the set and make the type
declaration
Bool E Set
We can also declare the types of the constructor constants

true E Bool
false 6 Bool
The principal selector constant of an enumeration set is a function that

performs case analysis on Boolean values. For the Booleans we introduce
the if constant with the type
and the defining equations
In these two definitional equalities we have omitted the types since they
can be obtained immediately from the typing of if. Henceforth, we will
often write just a = b instead of o = b A when the type A is clear from
the context.
21
5.2 The empty set

To introduce the empty set, {}, we just define a set with no constructors
at all. First we make a type declaration for the set
Since there are no constructors we immediately define the selector case and
its type by the declaration
The empty set corresponds to the absurd proposition and the selector corresponds to the natural deduction rule for absurdity:
5.3
The set of natural numbers
In order to introduce the set of natural numbers, N, we must give the rules
for forming all the natural numbers as well as all the rules for forming
two equal natural numbers. These are the introduction rules for natural
numbers.
There are two ways of forming natural numbers 0 is a natural number
and if n is a natural number then succ(n) is a natural number. There are
also two corresponding ways of forming equal natural numbers the natural
number 0 is equal to 0, and if the natural number n is equal to m, then
succ(n) is equal to succ(m). So we have explained the meaning of the
natural numbers as a set, and can therefore make the type declaration
and form the introduction rules for the natural numbers, by declaring the
types of the constructor constants 0 and succ:
The general rules in the framework make it possible to give the introduction
rules in this simple form.
We will introduce a very general form of selector for natural numbers,
natrec, as a defined constant. It can be used both for expressing elements
by primitive recursion and proving properties by induction. The functional
constant natrec takes four arguments: the first is a family of sets that
determines the set which the result belongs to; the second and third are
the results for the zero and successor case, respectively; and the fourth is the
22
natural number which is the principal argument of the selector. Formally,

the type of natrec is
The defining equations for the natrec constant are
The selector for natural numbers could, as already mentioned, be used for
introducing ordinary primitive recursive functions. Addition and multiplication could, for example, be introduced as two defined constants
Using the rules for application together with the type and the definitional
equalities for the constant natrec it is easy to derive the type of the righthand side of the equalities above as well as the following equalities for
addition and multiplication:
In general, if we have a primitive recursive function / from N to A
where d E A and e is a function in (N; A)A, we can introduce it as a defined

constant
using the defining equation
23
where d' and e' are functions in type theory which correspond to d and e
in the definition of /.
The type of the constant natrec represents the usual elimination rule
for natural numbers
which can be obtained by assuming the arguments and then applying the
constant natrec to them. Note that, in the conclusion of the rule, the
expression natrec(C, d, e, x) contains the family C. This is a consequence
of the explicit declaration of natrec in the framework.
5.4
The set of functions (cartesian product of a family

of sets)
We have already introduced the type (x A) B of functions from the type

A to the type B. We need the corresponding set of functions from a set to
another set. If we have a set A and a family of sets B over A, we can form
the cartesian product of a family of sets, which is denoted U(A, B). The
elements of this set are functions which when applied to an element a in
A yield an element in B(a). The elements of the set I I ( A , B ) are formed
by applying the constructor A to the sets A and B and an object of the
corresponding function type.
The constant IT is introduced by the type declaration
and the constant A by
These constant declarations correspond to the rules
Notice that the elements of a cartesian product of a family of sets, II(4, B),
are more general than ordinary functions from A to B in that the result of
applying an element of II(A, B) to an argument can be in a set which may
depend on the value of the argument.
24
The most important defined constant in the H-set is the constant for
application. In type theory this selector takes as arguments not only an
element of II(A, B) and an object of type A but also the sets A and B
themselves. The constant is introduced by the type declaration
and the definitional equality
The cartesian product of a family of sets is, when viewed as a proposition, the same as universal quantification. The type of the constructor
corresponds to the introduction rule
and the type of the selector corresponds to the elimination rule
The cartesian product of a family of sets is a generalization of the ordinary function set. If the family of sets B over A is the same for all elements
of A, then the cartesian product is just the set of ordinary functions. The
constant -> is introduced by the following explicit definition:
The set of functions is, when viewed as a proposition, the same as

implication since the type of the constructor is the same as the introduction
rule for implication
and the type of the selector is the same as the elimination rule
Given the empty set and the set of functions, we can define a constant
for negation in the following way:
25
Example 5.1. Let us see how to prove the p r o p o s i t i o n . In

order to prove the proposition we must find an element in the set
We start by making the assumptions X A and y A > {} and then

obtain an element in {}
and therefore
Example 5.2. Using the rules for natural numbers, Booleans and functions we will show how to define a function, eqN e (N, N)Bool, that decides
if two natural numbers are equal. We want the following equalities to hold:
It is impossible to define eqN directly just using natural numbers and recursion on the arguments. We have to do recursion on the arguments
separately and first use recursion on the first argument to compute a function which, when applied to the second argument, gives us the result we
want. So we first define a function / (N) (N - Bool) which satisfies the
equalities
where
If we use the recursion operator explicitly, we can define / as
26
The function / is such that f ( n ) is equal to a function which gives true

if applied to n and false otherwise, that is, we can use it to define eqN as
follows:
It is a simple exercise to show that
and that it satisfies the equalities we want it to satisfy.
5.5
Prepositional equality
The equality on the judgement level a = b 6 A is a definitional equality

and two objects are equal if they have the same normal form. In order
to express the fact that, for example, addition of natural numbers is a
commutative operation it is necessary to introduce a set for propositional
equality.
If a and b are elements in the set A, then \d(A, a, b) is a set. We express
this by introducing the constant Id and its type
The only constructor of elements in equality sets is id and it is introduced
by the type declaration
To say that id is the only constructor for ld (A, a, b) is the same as to say
that ld(A, a,b) is the least reflexive relation. Transitivity, symmetry and
congruence can be proven from this definition. We use the name idpeel for
the selector, and it is introduced by the type declaration
and the equality
The intuition behind this constant is that it expresses a substitution rule

for elements which are propositionally equal.
Example 5.3. The type of the constructor in the set ld(A, a,b) corresponds to the reflexivity rule of equality. The symmetry and transitivity
rules can easily be derived.
27
Let A be a set and a and 6 two elements of A. Assume that
In order to prove symmetry, we must construct an element in ld(A, b, a).

By applying idpeel to A, [ x , y , e ] l d ( A , y,x), a, b, d and [x]id(A,x) we get,
by simple type-checking, an element in the set \d(A,b,a):
The derived rule for symmetry can therefore be expressed by the constant
symm defined by
Transitivity is proved in a similar way. Let A be a set and a, b and c

elements of A. Assume that
By applying idpeel to A, [ x , y , z ] l d ( A , z , c ) - l d ( A , z , c ) , a, b, d and the identity function [x]A(ld(A, x, c ) , l d ( A , x , c ) , [ w ] w ) we get an element in the set
\d(A,b, c ) - l d ( A , a,c). This element is applied to e in order to get the
desired element in \d(A,a,c):
Example 5.4. Let us see how we can derive a rule for substitution in set
expressions. We want to have a rule
To derive such a rule, first assume that we have a set A and elements a
and b of A. Furthermore, assume that c 6 \d(A,a,b), P(x) 6 Set [x A]
and p P(a). Type checking gives us that
28
We can now apply the function above to p to obtain an element in P(b). So

we can define a constant subst that expresses the substitution rule above.
The type of subst is
and the defining equation
5.6
The set of lists
The set of lists List(A) is introduced in a similar way to the natural numbers, except that there is a parameter A that determines which set the
elements of a list belongs to. There are two constructors to build a list, nil
for the empty list and cons to add an element to a list. The constants we
have introduced so far have the following types:
The selector listrec for types is a constant that expresses primitive recursion
for lists. The selector is introduced by the type declaration
29
The defining equations for the listrec constant are
5.7
Disjoint union of two sets
If we have two sets A and B we can form the disjoint union A+B. The elements of this set are either of the form inl(A, B, a) or of the form inr(A, B, b)
where a A and b E B. In order to express this in the framework we introduce the constants
The selector when is introduced by the type declaration
and defined by the equations
Seen as a proposition, the disjoint union of two sets expresses disjunction.

The constructors correspond to the introduction rules
and the selector when corresponds to the elimination rule.
5.8
Disjoint union of a family of sets
In order to be able to deal with the existential quantifier and to have a set
of ordinary pairs, we will introduce the disjoint union of a family of sets.
The set is introduced by the type declaration
30
There is one constructor in this set, pair, which is introduced by the type
declaration
The selector of a set E(A, B) splits a pair into its parts. It is defined by
the type declaration
and the defining equation
Given the selector split, it is easy to define the two projection functions
that give the first and second component of a pair:
When viewed as a proposition the disjoint union of a family of sets

E(A,B) corresponds to the existential quantifier (3 x E A)B(x). The types
of constructor pair and when correspond to the natural deduction rules for
the existential quantifier
5.9
The set of small sets
A set of small sets U, or a universe, is a set that reflects some part of the set
structure on the object level. It is of course necessary to introduce this set
if one wants to do some computation using sets, for example to specify and
prove a type checking algorithm correct, but it is also necessary in order to
31
prove inequalities such as 0 succ(O). Furthermore, the universe can be

used for defining families of sets using recursion, for example non-empty
lists and sets such as Nn.
We will introduce the universe simultanously with a function S that
maps an element of U to the set the element encodes. The universe we will
introduce has one constructor for each set we have defined. The constants
for sets are introduced by the type declaration
Then we introduce the constructors in U and the defining equations for S
Example 5.5. Let us see how we can derive an element in the set
or, in other words, how we can find an expression in the set
We start by assuming that
32
Then we construct a function, Iszero, that maps a natural number to an

element in the universe:
It is easy to see that
and therefore
Finally, we have the element we are looking for:
It is shown in Smith [Smith, 1988] that without a universe no negated

equalities can be proved.
At the Department of Computing Science in Goteborg, we have developed

a series of interactive editors for objects and types in type theory. The
editors are based on direct manipulation, that is, the things which are
being built are shown on the screen, and editing is done by pointing and
clicking on the screen.
The proof object is used as a true representative of a proof. The process of proving the proposition A is represented by the process of building
a proof object of A. The language of type theory is extended with placeholders (written as indexed question marks). The notation ? A stands
for the problem of finding an object in A. An object is edited by replacing
the placeholders by expressions which may contain placeholders. It is also
possible to delete a subpart of an object by replacing it with a placeholder.
There is a close connection between the individual steps in proving A
and the steps to build a proof object of A. When we are making a topdown proof of a proposition A, then we try to reduce the problem A to some
subproblems B1 ,..., Bn by using a rule c which takes proofs of B1,..., Bn
to a proof of A. Then we continue by proving B1, ..., Bn. For instance,
we can reduce the problem A to the two problems C D A and C by using
modus ponens. In this way we can continue until we have only axioms and
33
assumptions left. This process corresponds exactly to the way we can build
a mathematical object from the outside in. If we have a problem
then it is possible to refine the placeholder in the following ways:

The placeholder can be replaced by an application c(?1,,..., ?n) where
c is a constant, or x(?1,..., ?), where x is a variable. In the case
that we have a constant, we must have that c(?1,..., ?n) E A, which
holds if the type of the constant c is equal to (x1 E A1 ;...; xn G An)B
and ?1 E A1,?2 A2 [x1-?1],... ,xn E An[Xl <-?1,... ,x n -1 -?n_i]
and
So, we have reduced the problem A to the subproblems A1 , A2 [x1 ?1],
. . . , A n [x1 -?1,... , xn-1 -?n_1], and further refinements must satisfy the constraint B [ X 1 -?!,..., xn-1 -?n-1] = A. The number n of
new placeholders can be computed from the arity of the constant c
and the expected arity of the placeholder. As an example, if we start
with ? A and A is not a function type and if we apply the constant
c of type (xB)C, then the new term will be
where the new placeholder ?1 must have the type B (since all arguments to c must have that type) and, furthermore, the type of c(?1)
must be equal to A, that is, the following equality must hold:
These kinds of constraint will in general be simplified by the system.

So, the editing step from ? E A to c(?1) A is correct if ?1 E B and
C[x-?1] = A. This operation corresponds to applying a rule when
we are constructing a proof. The rule c reduces the problem A to the
problem B.
The placeholder is replaced by an abstraction [x]?1. We must have
that
which holds if A is equal to a function type (y B)C. The type of
the variable x must be B and we must keep track of the fact that
?1 may be substituted by an expression which may depend on the
variable x. This corresponds to making a new assumption, when we
are constructing a proof. We reduce the general problem (y E B)C to
the problem C [y x] under the assumption that xEB. The assumed
34

object x can be used to construct a solution to C, that is, we may
use the knowledge that we have a solution to the problem B when
we are constructing a solution to the problem C.
The placeholder is replaced by a constant c. This is correct if the
type of c is equal to A.
The placeholder is replaced by a variable x. The type of x must be
equal to A. But we cannot replace a placeholder with any variable of
the correct type, the variable must have been abstracted earlier.
To delete a part of a proof object corresponds to regretting some earlier

steps in the proof. Notice that the deleted steps do not have to be the last
steps in the derivation, by moving the pointer around in the proof object it
is possible to undo any of the preceeding steps without altering the effect
of following steps. However, the deletion of a subobject is a non-trivial
operation; it may cause the deletion of other parts which are depending on
this.
The proof engine, which is the abstract machine representing an ongoing
proof process (or an ongoing construction of a mathematical object) has two
parts: the theory (which is a list of constant declarations) and the scratch
area. Objects are built up in the scratch area and moved to the theory part
when they are completed. There are two basic operations which are used to
manipulate the scratch area. The insertion command replaces a placeholder
by a new (possibly incomplete) object and the deletion command replaces
a sub-object by a placeholder.
When implementing type theory we have to decide what kind of inductive definitions and definitional equalities to allow. The situation is similar
for both'; we could give syntactic restrictions which guarantee that only
meaningful definitions and equalities are allowed. We could, for instance,
impose the restriction that an inductive definition has to be strictly positive
and a definional equality has to be primitive recursive. We know, however,
that any such restriction would disallow meaningful definitions. We have
therefore - for the moment - no restrictions at all. This means that the
correctness of a definition is the user's responsibility.
Among the examples developed in ALF, we can mention a proof that
Ackermann's function is not primitive recursive [Szasz, 1991], functional
completeness of combinatorial logic [Gaspes, 1992], Tait's normalization
proof for Godel's T [Gaspes and Smith, 1992], the fundamental theorem
of arithmetic [von Sydow, 1992], a constructive version of Ramsey's theorem [Fridlender, 1993] and a semantical analysis of simply typed lambda
calculus with explicit substitution [Coquand, 1994].
We are currently working on Agda and Alfa, the successors of ALF. We
are moving towards a language for proving and programming. A more detailed description of ongoing research can be found at the group's homepage
www.cs.Chalmers.se/Cs/Research/Logic/.
35
References
[Augustsson et al., 1990] L. Augustsson, T. Coquand, and B. Nordstrom.
A short description of Another Logical Framework. In Proceedings of the
First Workshop on Logical Frameworks, Antibes, pages 39-42, 1990.
[Backhouse, 1987] Roland Backhouse. On the meaning and construction
of the rules in Martin-Lof's theory of types. In Proceedings of the Workshop on General Logic, Edinburgh. Laboratory for the Foundations of
Computer Science, University of Edinburgh, February 1987.
[Backhouse et al, 1989] Roland Backhouse, Paul Chisholm, Grant Malcolm, and Erik Saaman. Do-it-yourself type theory. Formal Aspects of
Computing, 1:19-84, 1989.
[Bishop, 1970] Errett Bishop. Mathematics as a numerical language. In
J. Myhill, A. Kino, and R. E. Vesley, editors, Intuitionism and Proof
Theory, pages 53-71, North Holland, 1970.
[Church, 1940] A. Church. A formulation of the simple theory of types.
Journal of Symbolic Logic, 5:56-68, 1940.
[Constable et al., 1986] R. L. Constable , S. F. Allen, H. M. Bromely, W. R.
Cleaveland, J. F. Cremer, R. W. Harper, D. T. Howe, T. B. Knoblox, N.
P. Mendler, P. Panangaden, J. T. Sasaki and S. F. Smith. Implementing
Mathematics with the NuPRL Proof Development System. Prentice Hall,
1986.
[Coquand, 1994] Catarina Coquand. From semantics to rules: a machine
assisted analysis. In E. Borger, Y. Gurevich, and K. Meinke, editors,
Computer Science Logic, 7th Workshop, Lecture Notes in Computer Science 832, pages 91-105. Springer-Verlag, 1994.
[Coquand and Huet, 1986] Thierry Coquand and Gerard Huet. The calculus of constructions. Technical Report 530, INRIA, Centre de Rocquencourt, 1986.
[Coquand and Paulin, 1989] Thierry Coquand and Christine Paulin. Inductively defined types. In Proceedings of the Workshop on Programming
Logic, Bastad, 1989.
[Curry and Feys, 1958] H. B. Curry and R. Feys. Combinatory Logic, volume I. North-Holland, 1958.
[de Bruijn, 1970] N. G. de Bruijn. The Mathematical Language AUTOMATH, its usage and some of its extensions. In M. Laudet, D. Lacombe, L. Nolin, and M. Schutzenberger, editors, Symposium on Automatic Demonstration, Lecture Notes in Mathematics 125, pages 29-61,
Springer-Verlag, 1970.
[de Bruijn, 1980] N. G. de Bruijn. A survey of the project AUTOMATH.
In J. P. Seldin and J. R. Hindley, editors, To H. B. Curry: Essays on
Combinatory Logic, Lambda Calculus, and Formalism, pages 589-606,
Academic Press, 1980.
36
[Dowek et al., 1991] G. Dowek, A. Felty, H. Herbelin, H. Huet, G. P.

Murthy, C. Parent, C. Paulin-Mohring, and B. Werner. The Coq proof
assistant user's guide version 5.6. Technical report 134, INRIA, December 1991.
[Dybjer, 1994] Peter Dybjer. Inductive families. Formal Aspects of Computing, 6, 440-465, 1994.
[Fridlender, 1993] Daniel Fridlender. Ramsey's theorem in type theory.
Licentiate thesis, Chalmers University of Technology and University of
Goteborg, Sweden, October 1993.
[Gaspes, 1992] Veronica Gaspes. Formal proofs of combinatorial completeness. In Proceeding from the logical framework workshop at Bastad, June
1992.
[Gaspes and Smith, 1992] Veronica Gaspes and Jan M. Smith. Machine
checked normalization proofs for typed combinator calculi. In Proceeding
from the logical framework workshop at Bastad, June 1992.
[Godel, 1958] Kurt Godel. Uber eine bisher noch nicht benutzte Erweiterung des finiten Standpunktes. Dialectica, 12, 1958.
[Gordon et al., 1979] M. Gordon, R. Milner, and C. Wadsworth. Edinburgh
LCF, Lecture Notes in Computer Science, 78. Springer-Verlag, 1979.
[Harper et al., 1993] Robert Harper, Furio Honsell, and Gordon Plotkin. A
framework for defining logics. Journal of the Association for Computing
Machinery, 40(1):143-184, 1993.
[Heyting, 1956] Arend Heyting. Intuitionism: An Introduction. NorthHolland, 1956.
[Howard, 1980] W. A. Howard. The formulae-as-types notion of construction. In J. P. Seldin and J. R. Hindley, editors, To H.B. Curry: Essays
on Combinatory Logic, Lambda Calculus and Formalism, pages 479-490.
Academic Press, London, 1980.
[Hudak et al., 1992] Paul Hudak et al. Report on the Programming Language Haskell: A Non-Strict, Purely Functional Language, March 1992.
Version 1.2. Also in Sigplan Notices, May 1992.
[Jutting, 1979] L. S. van Benthem Jutting. Checking Landau's 'Grundlagen' in the AUTOMATH system, Mathematical Centre Tracts 83. Mathematisch Centrum, Amsterdam, 1979.
[Kolmogorov, 1932] A. N. Kolmogorov. Zur Deutung der intuitionistischen
Logik. Matematische Zeitschrift, 35:58-65, 1932.
[Luo and Pollack, 1992] Z. Luo and R. Pollack. LEGO proof cevelopment
system: user's manual. Technical report, LFCS Technical Report ECSLFCS-92-211, 1992.
[Magnusson and Nordstrom, 1994] Lena Magnusson and Bengt Nordstrom. The ALF proof editor and its proof engine. In H. barendregt
37
and t. Nipkow, editors, Types for Proofs and Programs, Lecture Notes
in Computer Science 806, Springer-Verlag, 1994.
[Martin-Lof, 1971a] Per Martin-Lof. A theory of types. Technical Report
71-3, University of Stockholm, 1971.
[Martin-Lof, 1971b] Per Martin-Lof. Hauptsatz for the intuitionistic theory
of iterated inductive definitions. In J. E. Fenstad, editor, Proceedings
of the Second Scandinavian Logic Symposium, pages 179-216. NorthHolland, 1971.
[Martin-Lof, 1982] Per Martin-Lof. Constructive mathematics and computer programming. In Logic, Methodology and Philosophy of Science,
VI, 1979, pages 153-175. North-Holland, 1982.
[Martin-Lof, 1984] Per Martin-Lof. Intuitionistic Type Theory. Bibliopolis,
Napoli, 1984.
[Milner et al., 1990] R. Milner, M. Tofte, and R. Harper. The Definition
of Standard ML. MIT Press, 1990.
[Nordstrom et al., 1990] Bengt Nordstrom, Kent Petersson, and Jan M.
Smith. Programming in Martin-Lof's Type Theory. An Introduction.
Oxford University Press, 1990.
[Paulson, 1987] Lawrence C. Paulson. Logic and Computation. Cambridge
University Press, 1987.
[Petersson, 1982, 1984] Kent Petersson. A programming system for type
theory. PMG report 9, Chalmers University of Technology, S-412 96
Goteborg, 1982, 1984.
[Peyton Jones, 1999] S. Peyton Jones (ed.). Haskell 98:A non-strict, purely
functional langauge, February 1999. URL: www.haskell.org/onlinereport
[Prawitz, 1965] D. Prawitz. Natural Deduction. Almquist & Wiksell, 1965.
[Smith, 1988] Jan M. Smith. The independence of Peano's fourth axiom
from Martin-Lof's type theory without universes. Journal of Symbolic
Logic, 53(3), 1988.
[Szasz, 1991] Nora Szasz. A machine checked proof that Ackermann's function is not primitive recursive. Licentiate thesis, Chalmers University of
Technology and University of Goteborg, Sweden, June 1991. Also in G.
Huet and G. Plotkin, editors, Logical Frameworks, Cambridge University
Press.
[Tait, 1965] W. Tait. Infinitely long terms of transfinite type. In Formal
Systems and Recursive Functions, pages 176-185, North-Holland, 1965.
[von Sydow, 1992] Bjorn von Sydow. A machine-assisted proof of the fundamental theorem of arithmetic. PMG Report 68, Chalmers University
of Technology, June 1992.
Categorical logic
Andrew M. Pitts
Contents
1
2
Introduction
Equational logic
2.3 Internal languages
Categorical datatypes
3.1 Disjoint union types
3.2 Product types
3.3 Function types
3.4 Inductive types
3.5 Computation types
Theories as categories
4.1 Change of category
4.3 Theorycategory correspondence
4.4 Theories with datatypes
Predicate logic
5.1 Formulas and sequents
5.2 Hyperdoctrines
5.3 Satisfaction
5.5 Quantification
5.6 Equality
5.7 Completeness
Dependent types
6.3 Type-categories
6.5 Dependent products
Further reading
40
43
44
45
48
50
52
57
60
62
65
67
68
68
73
75
77
77
78
82
84
89
93
97
100
101
107
109
114
119
123
40
Andrew M. Pitts
1 Introduction
This chapter provides an introduction to the interaction between category
theory and mathematical logic. Category theory describes properties of
mathematical structures via their transformations, or 'morphisms'. On the
other hand, mathematical logic provides languages for formalizing properties of structures directly in terms of their constituent partselements of
sets, functions between sets, relations on sets, and so on. It might seem that
the kind of properties that can be described purely in terms of morphisms
and their composition would be quite limited. However, beginning with the
attempt of Lawvere [1964; 1966; 1969; 1970] to reformulate the foundations
of mathematics using the language of category theory, the development of
categorical logic over the last three decades has shown that this is far from
true. Indeed it turns out that many logical constructs can be characterized in terms of relatively few categorical ones, principal among which is
the concept of adjoint functor. In this chapter we will see such categorical
characterizations for, amongst other things, the notions of variable, substitution, prepositional connectives and quantifiers, equality, and various
type-theoretic constructs. We assume that the reader is familiar with some
of the basic notions of category theory, such as functor, natural transformation, (co)limit, and adjunction: see Poigne's [1992] chapter on Basic
Category Theory in Vol. I of this handbook, or any of the several available
introductions to category theory slanted towards computer science, such as
[Barr and Wells, 1990] and [Pierce, 1991].
Overview
There are three recurrent themes in the material we present.
Categorical semantics. Many systems of logic can only be modelled in a
sufficiently complete way by going beyond the usual set-based structures of
classical model theory. Categorical logic introduces the idea of a structure
valued in a category C, with the classical model-theoretic notion of structure
[Chang and Keisler, 1973] appearing as the special case when C is the
category of sets and functions. For a particular logical concept, one seeks
to identify what properties (or extra structure) are needed in an arbitrary
category to interpret the concept in a way that respects given logical axioms
and rules. A well-known example is the interpretation of simply typed
lambda calculus in cartesian closed categories (see Section 3.3).
Such categorical semantics can provide a completely general and often
quite simple formulation of what is required to model (a theory in) the
logic. This has proved useful in cases where more traditional, set-theoretic
methods of defining a notion of model either lack generality, or are inconveniently complicated to describe, or both. Seely's [1987] modelling of
various impredicative type theories, such as the GirardReynolds polymorphic lambda calculus [Girard, 1986], [Reynolds, 1983] is an example of this:
Categorical logic
41
see [Reynolds and Plotkin, 1993] and [Pitts, 1987; 1989] for instances of
the use of categorical models in this case.
Internal languages. Category theory has evolved a characteristic form of
proof by 'diagram-chasing' to establish properties expressible in category
theoretic terms. In complex cases, such arguments can be difficult to construct and hard to follow, because of the rather limited forms of expression
of purely category-theoretic language. Categorical logic enables the use
of richer (and more familiar) forms of expression for establishing properties of particular kinds of category. One first defines a suitable 'internal
language' naming the relevant constituents of the category and then applies a categorical semantics to turn assertions in a suitable logic over the
internal language into corresponding categorical statements. Such a procedure has become most highly developed in the theory of toposes, where the
internal language of a topos, coupled with the semantics of intuitionistic
higher-order logic in toposes, enables one to reason about the objects and
morphisms of a topos 'as though they were sets and functions' (provided
one reasons constructively): see [Mac Lane and Moerdijk, 1992, VI.5], [Bell,
1988] or [McLarty, 1992, Chp. 14]. This technique has been particularly
helpful for working with toposes that contain 'sets' that have properties
incompatible with classical logic: cases in point are the modelling of the
untyped lambda calculus in terms of objects that retract onto their own
function space by D. Scott [1980], and the Moggi-Hyland modelling of the
Girard-Reynolds polymorphic lambda calculus by an internal full subcategory of the effective topos of Hyland [1988].
Term-model constructions. In many cases, the categorical semantics of a
particular kind of logic provides the basis for a correspondence between
formal theories in the logic and instances of the appropriate kind of category. In one direction, the correspondence associates to such a category the
theory induced by its internal language. In the other direction, one has to
give a 'term-model' construction manufacturing an instance of the required
categorical structure out of the syntax of the theory. An example of such a
correspondence is that between theories in bn-equational logic over simply
typed lambda calculus and cartesian closed categories. Another example
is the correspondence between theories in extensional higher-order intuitionistic logic and toposes. These are both examples in which a variety
of category theory was discovered to correspond to a pre-existing type of
logic, with interesting consequences for both sides of the equation. On the
other hand, some varieties of category, embodying important mathematical
constructs, have required the invention of new types of logic to establish
such a theory-category correspondence. A prime example of this is the
notion of category with finite limits (variously termed a cartesian or a lex
category), for which a number of different logics have been devised: the essentially algebraic theories of Freyd [1972], the lim-theories of Coste [1979,
42
Andrew M. Pitts
section 2], and the generalized algebraic theories of Cartmell (see section 6)
can all be used for this purpose, although each has its drawbacks.
Categories arising from theories via term-model constructions can usually be characterized up to equivalence by a suitable universal property
(cf. Theorem 4.6, for example). This has enabled metatheoretic properties
of logics to be proved via categorical algebra. For example, Freyd's proof
of the existence and disjunction properties in intuitionistic logic is a case
in point (see [Freyd and Scedrov, 1990, Appendix B.32]). It makes use of
a categorical construction variously called sconing or glueing. The same
construction was used by Lafont to prove a strong conservativity result for
the simply typed lambda calculus generated by an algebraic theory: see
[Crole, 1993, Section 4.10]. A categorical construction closely related to
glueing was used in [Crole and Pitts, 1992] to prove an existence property
for a logic for fixed-point recursion. One of the strengths of the categorical
approach to logic is that the same categorical construction can sometimes
be applied to obtain results for a number of different logics.
Contents of this chapter

We will not attempt a complete survey of all aspects of categorical logic
that have been used, or might be used, in computer science applications.
The author doubts that this can be done within the confines of a single
chapter whilst avoiding superficiality. Instead we present a basic core of
material in some detail.
Section 1 explains the categorical semantics of many-sorted equational
logic in a category with finite products. Although the material involved
is quite straightforward, we treat it carefully and in some detail since it
provides the foundation for what we do in the rest of the chapter. Even
at this simple level some important general features emergesuch as the
role of finite products for modelling terms with several variables (independently of the presence of product types in the logic). Section 2 considers
the categorical semantics of some simple type constructors. We attempt to
demonstrate that the necessary categorical structure for a particular type
constructor can be derived from its introduction, elimination and equality
rules in a systematic way, given the basic framework of Section 2a 'doit-yourself categorical logic', to echo the title of [Backhouse et a/., 1989].
Then in section 4 we consider a term-model construction for equational
logic (with or without simple types) and the resulting theory-category correspondence.
The rest of the chapter builds on this material in two orthogonal directions. In section 5 we consider the categorical semantics of first-order
predicate logic, using a version of Lawvere's 'hyperdoctrines'. In section 6
we present the author's distillation of several related approaches to equational logic with dependent types. Finally, section 7 gives pointers to the
literature on aspects of categorical logic not treated here.
Categorical logic
43
Equational logic
It has proved useful in many situations to generalize the usual notion of

algebraic structure by endowing the carrier set (or sets, in the many-sorted
case) with some extra mathematical structure and insisting that the operations of the algebra preserve that structure. An example from the realm of
programming semantics is the use of algebras whose carriers are domains
and whose operations are continuoussee [Goguen et al., 1977]. Organizing the relevant mathematical structures and structure-preserving functions
into a category C, algebras with such extra structure can be viewed as a
natural generalization of the usual notion of algebra: instead of using algebras valued in the category Set of sets and functions, one is using algebras
valued in the particular category C. To make sense of this notion for a
general category, it is sufficient that it possess finite products. To motivate
the interpretation of algebraic structure at this level of generality, let us
see how to recast the usual set-based semantics in a way that emphasizes
functions between sets rather than elements of sets.
Suppose, then, that we are given a many-sorted signature Sg, consisting
of some sort symbols, a, and some typed function symbols
Fixing disjoint, countably infinite sets of variables for each sort symbol, the
(open) terms over Sg and their sorts are defined in the usual way: if x is a
variable of sort , then x is a term of sort a; and if F : 1\,..., n > T is a
function symbol and M1,..., Mn are terms of sorts 1 , . . . , n respectively,
then F ( M 1 , . . . , Mn) is a term of sort . (In the case n = 0, F is just a
constant and we abbreviate F() to F.) We will write M : to indicate
that M is a term of sort a.
Recall that a set-valued structure for Sg is specified by giving a set []
for each sort symbol a and a function [F] : [1] x x [n] > [T] for
each function symbol F : 1 , . . . , n > T. The set [1] x x [n] is the
cartesian product of the sets |i] and so consists of n-tuples ( a 1 , . . . , an)
with ai i. In the case n = 0, this cartesian product contains just
one element, the 0-tuple (), and so specifying the function |F] amounts to
picking a particular element of [.
Given such a structure for Sg, the usual environment-style semantics
for terms is defined by structural induction:
where the 'environment' p is a finite partial function assigning elements

of the structure to variables (respecting their sorts). Then an equation
44
Andrew M. Pitts
between two terms, M = N, is satisfied by the structure if, for all environments defined on the variables occurring in M and N, [M]p and [N]p are
equal elements of the structure
This explanation of the meaning of terms and equations is couched in
terms of elements of sets. However, we can reformulate it in terms of functions between sets and using only category-theoretic properties of Set. This
reformulation will allow us to replace the category Set of sets and functions
by other suitable categories. First note that for any fixed list of distinct
variables [x : 1 , . . . ,xn
], the set of environments defined just on this
set of variables is in bijection with the cartesian product [1] x x [n].
Then the mapping p
[M]p determines a function [1] x x [n] > [T]
(assuming M has sort r) which captures the meaning of the term M in the
structure. In particular, the satisfaction of an equation amounts to the
equality of the corresponding functions. So we can get a semantics expressed via functions rather than elements if we give meaning not to a
naked term, but rather to a 'term-in-context', that is, to a term together
with a list of distinct variables containing at least those which actually occur in the term. This also allows us to drop the syntactic convention that
occurrences of variables in terms be explicitly typed, by recording the sort
of a variable just once, in the context. The next section summarizes this
approach to the syntax.
2.1
Syntactic considerations
Suppose, given a many-sorted signature Sg as above and a fixed, countably

infinite set of variables, Var.
Definition 2.1. A context, F, is a finite list [x1 : 1 , . . . , x n 'n] of
(variable, sort) pairs, subject to the condition that x1,... ,xn are distinct;
we will write war(l) for the finite set {x1,...,xn} of variables in l. We
will write F, x : a to indicate the result of extending by assigning the sort
to a variable x v a r ( ) ; similarly, the result of appending two contexts
whose sets of variables are disjoint will be indicated by
'.
A term-in-context takes the form
M : a []
(2.1)
where M is a term, is a sort, and is a context over the given signature

Sg. The well-formed terms-in-context are inductively generated by the two
rules
(2.2)
Categorical logic
45
where in (2.3), F : 1, ... n

T is any function symbol in the given
signature.
A rule for substitution is derivable from rules (2.2) and (2.3):
where N[M/x] denotes the result of substituting M for x in N. A rule for

weakening contexts is a special case of (2.4):
M : a []
M :a [
(2.5)
An equation-in-context takes the form M = M' : [] where is a

context, is a sort and M, M' are terms satisfying M : a [] and M' :
a []. We will consider a (many-sorted) algebraic theory, Th, to consist
of a signature Sg together with a collection of equations-in-context over
Sg, called the axioms of Th. The theorems of Th are the equations-incontext over Sg that are provable from the axioms of Th using the rules of
equational logic. These rules are shown in Fig. 1.
2.2
Categorical semantics
Throughout this section C will be a fixed category with finite products.

The product of a finite list [ X 1 , . . . , Xn] of objects in C will be denoted by
X1 x x Xn, with product projection morphisms
Given morphisms fi : Y > Xi,
Fig. 1. Equational logic
46
Andrew M. Pitts
will denote the unique morphism whose compositions with each i, is fi.
For definiteness we will assume that the product Xi x - - - x Xn is denned
by induction on the length of the list [ X 1 , . . . , Xn] using a terminal object,
1, and binary products, x . Thus the product of the empty list is 1;
and, inductively, the product of a list [ X 1 , . . . , Xn, .Xn+1] of length n + 1 is
given by the binary product (X1 x - - - x Xn) x Xn+i.
A structure in C for a given signature Sg is specified by giving an object
[] in C for each sort a, and a morphism [F] : [ 1] x x [n] > [T] in
C for each function symbol F : <1, ..., an > T. (In the case n = 0, this
means that a structure assigns a global element [c| : > [T] to a constant
c : T.) Given such a structure, for each context l = x1 : 1, ... ,xn : n,
term M and sort T for which M : T [L] holds, we will define a morphism in
C:
where |L] denotes the product [1] x x [ n ] - Note that the rules for
deriving well-formed terms-in-context are such that for each L, M and r,
there is at most one way to derive M : T[L]. The definition of [M : T[L]]
can therefore be given by induction on the structure of this derivation.
Since it is also the case that T is uniquely determined by L and M, we
will abbreviate [M : T[L] to |M[F]J. The definition has two clauses,
corresponding to rules (2.2) and (2.3):
Lemma 2.2 (Semantics of substitution) . In the categorical semantics

of terms-in-context, substitution of a term for a variable in a term is interpreted via composition in the category. Specifically, if Mi : i [L] for
then
where N[M /x\ denotes the result of simultaneously substituting Mi for Xi

(i = l,...,n) in N. (Note that (N[M /x\) : T [L'] holds by repeated use of
(2.4)-)
The lemma is proved by induction on the structure of N. By taking
the terms Mi to be suitable variables one obtains the following result as a
special case.
Corollary 2.3 (Semantics of weakening) . Suppose that N : T [L] and
that L' is another context that contains L = [x1 : 1 , . . . , xn : nn] as a
sublist. Then
where
with
m(i)
the position in L'' of the variable Xi .
Categorical logic
47
Suppose M = M' : a [L] is an equation-in-context over a given signature, Sg. Since M : a [L] and M : a [L] are required to hold, a
structure in C for Sg gives rise, via the above definition, to morphisms
[M[L]], [M'[L]] : [L] > []. The structure is said to satisfy the equationin-context if these morphisms are equal. If Th is an algebraic theory over
Sg, then the structure is a Th-algebra in C if it satisfies all the axioms of Th.
There are very many different categories with finite products, and algebras
for an algebraic theory in one may have very different detailed structure
from algebras for the same theory in another category. Nevertheless, the
following proposition shows that whatever the underlying category, we can
still use the familiar kind of equational reasoning embodied by the rules in
Fig. 1 whilst preserving satisfaction of equations.
Theorem 2.4 (Soundness). Let C be a category with finite products
and Th an algebraic theory. Then a Th-algebra in C satisfies any equationin-context which is a theorem of Th.
Proof. The properties of equality of morphisms in C imply that the collection of equations-in-context satisfied by the TTi-algebra is closed under
rules (2.6), (2.7) and (2.8) in Fig. 1. Closure under rule (2.9) is a consequence of Lemma 2.2.
The converse of this theorem, namely the completeness of the categorical semantics for equational logic, will be a consequence of the material in
Section 4.2.
Summary. We conclude this section by summarizing the important features of the categorical semantics of terms and equations in a category with
finite products.
Sorts are interpreted as objects.
A term is only interpreted in a context (an assignment of sorts to
finitely many variables) containing at least the variables mentioned
in the term, and such a term-in-context is interpreted as a morphism
with:
* the codomain of the morphism determined by the sort of the
term;
* the domain of the morphism determined by the context;
* variables interpreted as product projection morphisms (identity
morphisms being a special case of these);
* substitution of terms for variables interpreted via composition
and pairing;
* weakening of contexts interpreted via composition with a product projection morphism.
An equation is only considered in a context (containing at least the
variables mentioned), and such an equation-in-context is satisfied if
48
Andrew M. Pitts
the two morphisms interpreting the equated terms-in-context are actually equal in the category.
2.3
Internal languages
The interpretation of equational logic described in the the previous section

provides a means of describing certain properties of a category C with finite
products as though its objects were sets of elements and its morphisms
functions between those sets. To do this we use the terms over a manysorted signature Sgc naming the objects and morphisms of C. The sorts
of Sgc are the objects of C; and for each non-empty list X 1 , . . . ,Xn,Y of
objects, the function symbols of type X 1 , . . . , Xn > Y are the morphisms
/ : X1 x - x Xn > Y in C. Of course the size of this signature depends on
the size of C: it will have a set of symbols, rather than a proper class, only
if C is small (i.e. has only a set of morphisms). For the sake of clarity, we
are not making a notational distinction between a symbol in Sgc and the
element of C that it names; as a result a morphism / : X1 x x Xn > Y
occurs in Sgc both as an n-ary function symbol of type X 1 , . . . , Xn > Y
and as a unary one of type X1 x x Xn > Y.
The terms-in-context over this signature constitute a language for describing morphisms of Ca so-called internal language for C . The connection between these terms-in-context and the morphisms they describe is
given by means of the evident structure for Sgc in C which maps symbols in Sgc to the corresponding objects and morphisms in C. Given
M : Y [x1 : X1,...,x n : Xn], the definitions of section 2.2 applied to
this structure yield a morphism
inC.
We will not refer to this structure for Sgc in C by name, but simply say
that 'C satisfies M = N : X [L]'if the structure satisfies this equation-incontext. The following results are easy exercises in the use of the categorical
semantics.
Proposition 2.5.
(i) Two parallel morphisms in C, f,, g : X > X, are equal if and only if
C satisfies f(x) = g(x) : X [x : X],
(ii) A morphism f : X
X in C is the identity on X if and only if C
satisfies f(x) = x : X [x : X].
(in) A morphism f : X >Z is the composition of g : X
Y and
h:Y > Z if and only if C satisfies f ( x ) = h(g(x)) : Z (x : X}.
(iv) An object T is a terminal object in C if and only if there is some
morphism t : 1 > T satisfying x = t :T [x : T].
(v) X < Z ->- Y is a binary product diagram in C if and only if there
Categorical logic
49
is some morphism r : X x Y > Z satisfying
The internal language of C makes it look like a category of sets and

functions: given an object X, its 'elements' in the language are the terms
M of sort X; and a morphism / : X > Y yields a function sending
'elements' M of sort X to 'elements' f(M) of sort y. However, in the
internal language the 'elements' of X depend upon the context; and these
elements are interpreted as morphisms to X in C whose domain is the
interpretation of the context. Thus we can think of morphisms x : I > X
in C as generalized elements of X at stage I and will write x I X to
indicate this.
A particular case is when I is the terminal object 1: the generalized
elements of an object at stage 1 are more normally called its global elements.
In general, it is not sufficient to restrict attention to global elements in order
to describe properties of C. For example, each morphism / : X
Y yields
via composition a function taking generalized elements of X at each stage
, x I X, to generalized elements of Y at the same stage, (f o x) I Y.
Two such morphisms f,g:X > Y are equal just if they determine equal
functions on generalized elements at all stages, but are not necessarily
equal if they determine the same functions just on global elements. Call
a category with terminal object well-pointed if for all f, g : X > Y in C,
f = g whenever / o x = g o x for all global elements x : 1 > X. Typically,
categories of sets equipped with extra structure and structure-preserving
functions are well-pointed, and algebraic structures in such categories are
closely related to corresponding set-valued structures via the use of global
elements. If we only consider algebras in such well-pointed categories, we
lose the ability to model certain phenomena. Here is a little example stolen
from [Goguen and Meseguer, 1985], to do with 'empty sorts'.
Example 2.6. Consider the usual algebraic theory of Boolean algebras
(with sort bool and operations T, F, , V, ) augmented with a second sort
hegel and a function symbol C : hegel> bool satisfying the axiom (C(x)) C(x) : bool [x : hegel\. Then T = F : bool [x : hegel] is a theorem of this
theory, but T = F : bool [] is not. Any set-valued model of the theory that
assigns a non-empty set to hegel must identify T and F. However, there
are models in non-well-pointed categories for which hegel is non-empty (in
the sense of not being an initial object), but do not identifyf T and F.
For example, consider the category [w )4 Se] of set-valued functors and
natural transformations from the ordinal (which is a poset, hence a category). A more concrete description of [w, Set] is as the category of 'sets
50
Andrew M. Pitts
evolving through (discrete) time'. The objects are sets X equipped with
a function E : X > w recording that x X exists at time E(x) w,,
together with a function () + : X > X describing how elements evolve
from one instant to the next, and hence which is required to satisfy E(x+) =
E(x) + l. A morphism between two such objects, / : X Y, is a function
between the sets which preserves existence (E(f(x)) = E(x)) and evolution (f(x+) = f ( x ) + ) . The global sections of X are in bijection with the
elements which exist at the beginning of time, {x X \ E(x) 0}. So this
category is easily seen to not be well-pointed. One can model the algebraic
theory of the previous paragraph in this category by interpreting bool as the
set having two distinct elements at time 0 that evolve to a unique element
at time 1, and interpreting hegel as the set with no elements at time 0 and
a single element thereafter. (This interpretation for hegel is different from
the initial object of [w,Set], which has no elements at any time.)
The internal language of a category with just finite products is of rather
limited usefulness, because of the very restricted forms of expression and
judgement in equational logic. However, internal languages over richer logics can be used as powerful tools for proving complicated 'arrow-theoretic'
results by more familiar-looking 'element-theoretic' arguments. See [Bell,
1988], for extended examples of this technique in the context of topos theory
and higher-order predicate logic. The use of categorical semantics in nonwell-pointed categories gives us an increase in ability to construct useful
models compared with the more traditional 'sets-and-elements' approach.
The work of Reynolds and Oles (see [Oles, 1985]) on the semantics of block
structure using functor categories is an example. (As the example above
shows, functor categories are not well-pointed in general.) See [Mitchell
and Scott, 1989] for a comparison of the categorical and set-theoretic approaches in the case of the simply typed lambda calculus.
Categorical datatypes
This section explores the categorical treatment of various type constructors.

We postpone considering types that depend upon variables until section 6,
and concentrate here upon 'simple' types with no such dependencies. We
will consider properties of these types expressible within the realm of equational logic; so from the work in the previous section we know that at the
categorical level we must start with a category with finite products and ask
what more it should satisfy in order to model a particular type constructor.
We hope to demonstrate that the necessary categorical structure for a particular type constructor can be derived from its introduction, elimination
and equality rules in a systematic way, given the basic framework of the
previous section.
In fact what emerges is an interplay between type theory and categorical structure. To model the term-forming operations associated with
Categorical logic
51
a type constructor one needs certain structures in a category; but then

the characterization (up to isomorphism) of these structures via categorical properties (typically adjointness properties) sometimes suggests extra,
semantically meaningful rules to add to the logic.
Metalinguistic conventions
The term-forming operations we will consider in this and subsequent sections will contain various forms of variable-binding, with associated notions
of free and bound variables and substitution. To deal with all this in a uniform manner, we adopt a higher-order metalanguage of 'arities and expressions' as advocated by Martin-L6f. See [Nordstrom et al., 1990, Chapter
3] for an extended discussion of this approach. For our purposes it is sufficient to take this metatheory to be a simply typed lambda calculus with
a-, b-, and n-conversion, whose terms will be called metaexpressions. The
result of applying metaexpression e to metaexpression e' will be denoted
e(e'), with a repeated application such as e(e')(e") abbreviated to e(e',e");
in certain situations the application e(e') will be written ee<. Lambda abstraction in the metalanguage will be denoted (x)e, with a repeated lambda
abstraction such as (x)(y)e abbreviated to (x, y)e. Equality of metaexpressions up to a-, b-, and n-conversion will be denoted e e'. Thus one has
The types of the meta-language will be called arities. For the moment
we will assume that the arities are built up from two ground arities, TYPES
and TERMS, standing respectively for the syntactic categories of object
language types and object language terms. Higher function arities will be
indicated by ARITY
ARITY'. So, for example, TYPES
TERMS is the
arity of functions assigning a term expression to each type expression. For
a many-sorted signature, Sg, as in section 2, we now regard the function
symbols F of Sg are metaconstants of arity TERMS
TERMS for various
r, and regard the sorts as metaconstants of arity TYPES. The countably
infinite set Var of variables used in that section will be identified with the
metavariables of arity TERMS.
Throughout this section we will assume that such a signature Sg has
been given. On the category-theoretic side, C will denote a category with
at least finite products, and we assume that a structure for Sg in C has
been given. The simple types and their associated terms will be built up
over the sorts of Sg. In this context, it is more usual to refer to the sorts of
Sg as ground types. As before, terms and equations will only be considered
in the presence of finite contexts assigning types to variables.
Remark 3.1 (Uniqueness of typing derivations and uniqueness
of types). The various rules we will give for forming terms-in-context
and equations-in-context are meant to augment the basic ones of equational logic given in section 2 (i.e. (2.2), (2.4) and (2.6)-(2.9)). The new
52
Andrew M. Pitts
rules retain the property that there is at most one derivation of a typing
judgement M : [L]. Thus the definition of its meaning as a morphism
[M[L] : [L] > [ ] in C can be given unambiguously by induction on the
structure of this derivation. The same is true for the rules considered in
section 5. It is only when we come to consider dependent type theories
in section 6 that this property breaks down and a more careful approach
to the categorical semantics must be adopted. We will also take care to
retain the property of derivable typing judgements, M : a [L], that a is
uniquely determined by the term M and the context L. This is the reason
for the appearance of type subscripts in the syntax given below for the
introduction terms of disjoint union, function and list types.
Remark 3.2 (Implicit contexts). In order to make the statement of
rules less cluttered, from now on we will adopt the convention that a lefthand part of a context will not be shown if it is common to all the judgements in a rule. Thus for example rule (3.2) below is really an abbreviation
for
case
Remark 3.3 (Congruence rules). The introduction and elimination
rules for the various datatype constructors to be given below have associated with them congruence rules expressing the fact that the term-forming
constructions respect equality. For example, the congruence rules corresponding to (3.1) and (3.2) are:
case
We will not bother to give such congruence rules explicitly in what follows.
3.1
Disjoint union types
We will use infix notation and write a + a' rather than +( ,) for the
disjoint union of two types a and ' . (Thus this type constructor has arity
TYPES
TYPES
TYPES.) The rules for introducing terms of type
+
are
and the corresponding elimination rule is
Categorical logic
53
What structure in a category C with finite products is needed to define

[M[L]| in the presence of these new term- forming operations? We already
have at our disposal the general framework for interpreting equational logic
in categories with finite products, given in the previous section. Since this
is our first example of the technique, we will proceed with some care in
applying this framework.
Formation. Since types a get interpreted as objects X = [ ] of C, we
need a binary operation, X, X'
X + X' , on objects in order to interpret
the formation of disjoint union types as:
Introduction. Since terms-in-context M : a [L] get interpreted as morphisms from I = [L] to X [ ], to interpret the introduction rules (3.1)
we need functions on horn-sets of the form
that can be applied to [M[L]] and |M'][L] respectively to give the interpretation of inl (M) and inr(M'). Now in the syntax, substitution commutes
with term formation, and since substitution is interpreted by composition
in C, it is necessary that the above functions be natural in /. Therefore
by the Yoneda lemma (see [Mac Lane, 1971, III.2]), there are morphisms
X > X + X' and X' > X + X' which induce the above functions on
horn-sets via composition. So associated with the object X + X' we need
morphisms
inlx,x' :X*X + X'
and inrx,x> -X > X + X'
and can then define
Elimination. Turning now to the interpretation of the elimination rule

(3.2), we need a ternary function on hom-sets of the form
and, as before, it must be natural in I because of the way that substitution

is modelled by composition in C. Naturality here means that for each
caseI
54
Andrew M. Pitts
Applying this with 2, n o (I x id), and n' o (I x id) for c, n, and n'
respectively, gives
case I (c, n, n') = caseI(x+x')(x-2,n o (I
x id),n'o(7n x id))o{id,c)
since 2 o (id,c) = c and (I x id) o ( ( i d , c ) x id) = id. So in fact

cas1/(c, n, n') can be expressed more fundamentally as a composition {n|n'}/o
(id, c) where
is a family of functions, natural in /. Thus the semantics of case-terms

becomes:
[case
Equality. Next we consider equality rules for a + ' . Consider first the
familiar rules:
(3.5)
case(inr (M'),N,N') = N'(M') : r
Writing m : I > X for [M[L], m' : I > X' for [M'[L]J, n : I x X >Y
for [N(x)[L,x : ]], and n' : I x X1 . Y for [N'(x')[L ,x' : a'], then from
above we have that [case(inl ' ( M ) , N , N ' ) [ L ] ] is {n\n'}I ( i d , inlx,x' m)
and [case(inr(M),N,N')[L]l is {n|n'}/ o (id, inr x,x' m). From Lemma
2.2, we also have that [N(M)[L] is no ( i d , m) and that [N(M')[L]] is n' o
(id, m). Consequently the structure on C for interpreting terms associated
with disjoint union types described above, is sound for the rules (3.4) and
(3.5) provided the equations
hold for all m, n and n' (with appropriate domains and codomains). Clearly
for this it is sufficient to require for all n and n' that
and the naturality of { |}/ ensures that (3.6) and (3.7) are also necessary
for the previous two equations to hold for all m, n and n'.
Categorical logic
55
So we require that { | } _ provides a natural left inverse to the natural

transformation
which sends / to (f o (id x inlx,x'), f (id x inrx, x' ))- If, furthermore,
we require that it provide a two-sided inverse, so that
then the categorical semantics becomes sound for a further rule for a + ' ,
namely:
caSe(C,(x)F(inlf,(x)),(x')F(inr(x')))
= F(C) : T
(3.10)
(Recall that an expression like (x)-F(inl'(x)) denotes a lambda abstraction

in the metalanguage.)
If we think of (3.4) and (3.5) as the 'b-rules' for disjoint union, then
(3.10) is an 'n-rule'. As we will see, the rule is necessary if we wish a + a'
to be characterized up to isomorphism by and 1.
Now taking the component of (3.8) at the terminal object 1 and using
the canonical isomorphisms 2 : 1 x (-)
( ), gives that
is a bijection for each Y. By definition, this means that
is a binary coproduct diagram in C. We will denote the inverse bijection

to (inl Xt x inr x,X') at apairofofmorphisms / : X Y, f : X' > Y by
So we are led to require that C have binary coproducts. But this is not
all: we can now compose the natural bijection (3.8) with
to deduce that for each /, X, X', composition with the canonical morphism
56
Andrew M. Pitts
induces a bijection on hom-sets, and hence, by the Yoneda lemma, that d

must be an isomorphism. In this case we say that binary products distribute
over binary coproducts in C, or simply that C has stable binary coproducts.
Thus the construct { | }- takes n : I x X > Y and n' : I x X' > to
to
Defining satisfaction of equations-in-context over this richer collection

of terms just as in section 2.2, Theorem 2.4 extends to include the equality
rules for disjoint unions, i.e. if C is a category with finite products and
stable binary coproducts, then the equations-in-context that are satisfied by
a structure in C are closed under the rules of equational logic augmented
by rules (3.4), (3.5), and (3.10). As with all categorical structure defined
by universal properties, coproducts in a category are unique up to isomorphism. So we have that the structure needed in a category to interpret
disjoint unions with all three equality rules is essentially unique. If we
do not wish to model the third equality rule (3.10), then we have seen
that a weaker structure than stable coproducts is sufficient just inlx,x' ,
inlx,x' and an operation { | }_ satisfying the two equations (3.6) and
(3.7), together with the naturality condition:
(This naturality is automatic in the presence of the uniqueness rule (3.10).)

However, in this case there may be several non-isomorphic 'disjoint unions'
for X and X' in C. Put another way, provided the third equality rule (3.10)
is included, the rules for disjoint unions characterize this type constructor up
to bijection. This kind of observation seems important from a foundational
point of view, and arises very naturally from the categorical approach to
logic.
The stability of binary coproducts in C says precisely that for each object 7, the functor I x ( ) : C > C preserves binary coproducts. Since
coproducts, being colimits, are preserved by any functor with a right adjoint, stability is automatic if each Ix ( ) : C > C has a right adjoint. The
value of this right adjoint at an object X is by definition the exponential object I -X. In particular ifC is a cartesian closed category, then coproducts
in C are automatically stable, since all exponential objects exist in this case
by definition. We will see in Section 3.3 that exponential objects model
function types. So if one is only concerned with modelling disjoint sums in
a higher-order setting, one need only verify the presence of coproducts in
Categorical logic
57
the category. Here is an example of a category with non-stable coproducts

(and hence without exponentials).
Example 3.4. Recall that the category of complete, atomic Boolean algebras and boolean homomorphisms is equivalent to the opposite of the
category of sets and functions. In Set one generally does not have
(Consider the case I = X = X' = 1, for example.) Thus in the opposite of

the category of sets, binary coproducts are not in general stable, and hence
nor are they stable in the category of complete atomic Boolean algebras.
Therefore, even though this category has coproducts (it has all small limits
and colimits), we cannot soundly interpret disjoint union types in it.
Remark 3.5 (Empty type). We have treated binary disjoint union
types. The 'nullary' version of this is the empty type null, with rules:
These rules can be soundly interpreted in C if it has a stable initial object,

0. This means that not only is 0 initial (i.e. for each object X, there
is a unique morphism 0 > X), but so also is 7 x 0 for any object /.
This latter condition is equivalent to requiring that
: I x 0 > 0 is an
isomorphism. As before, this stability condition is automatic if the functors
I x () : C > C have right adjoints, and thus, in particular, an initial
object in a cartesian closed category is automatically stable.
3.2
Product types
One could be forgiven for jumping straight to the conclusion that product
types a x a' should be interpreted by binary categorical product in a category C. However, as we have seen in section 2, the finite product structure
of C is there primarily to enable terms involving multiple variables to be
interpreted. Also, we will use the elimination rule for products that is derived systematically from its formation and introduction rule, rather than
the more familiar formulation in terms of first and second projection. (See
[Backhouse et al., 1989] for comments on this issue in general.) Nevertheless, with a full set of equality rules including the analogue of the 'surjective
pairing' rule, binary products in C are exactly what is required to model
product types. If one does not wish to model the surjective pairing rule,
then a weaker structure on C (not determined uniquely up to isomorphism)
suffices.
Recall that the introduction rule and corresponding elimination rule for
product types are
58
Andrew M. Pitts
(together with associated congruence rulescf. Remark 3.3). By a similar

analysis to that in section 3.1, one finds that the following structure on C
is needed to interpret these new terms:
for all objects X,X', an object X * X';
for all objects X,X', a morphism
for all objects /, X, X', Y, a function
that is natural in I (so that splitI' (n o (g x id)) = splitI(n) o (g x id)

holds for all
The semantics of product types and terms in C is then:
def
The equality rules for product types are:
For the above semantics to be sound for (3.14), one needs that for each
In other words, the natural transformation induced by pre-composition

with (id x pairx x1)
should have left inverse given by n - split I ( n ) . This condition does not
suffice to determine X * X' uniquely up to isomorphism: there may be
Categorical logic
59
several different such 'weak product' structures on C. However, if we insist

that (3.15) is also satisfied, i.e. that
then split_ becomes a two-sided inverse for (3.16). By considering the

component of this natural isomorphism at the terminal object, one has
that pre-composition with pair : X x X' -> X * X' induces a bijection on
hom-sets, and hence is itself an isomorphism. Consequently, to interpret
product types satisfying both equality rules, the structure needed on C must
be essentially the existing binary product structure (and so, in particular,
is unique up to isomorphism). Thus the semantics of product types and
terms in C simplifies to:
In particular, the definable first and second projections
when interpreted, give the first and second projection morphisms as one
might hope:
Remark 3.6 (One-element type). The 'nullary' version of binary product types is the one-element type unit with the following rules (together
with associated congruence rules). As for product types, we use the possibly less familiar elimination rule derived systematically from the form of
formation and introduction
60
Andrew M. Pitts
The last rule is the analogue of rule (3.15)in other words, it is the
for this type. The 'B-rule' for unit (analogous to (3.14)) is
-rule'
but it is easy to see that in fact this rule is derivable from the above rules,
as is the rule
Using an argument similar to that for product types, one finds that these
rules can be interpreted soundly in C provided it has a terminal object.
3.3
Function types
Since types a get interpreted as objects X = [o] of C, we need a binary

operation
objects in order to interpret function types
as
follows:
Introduction.
The introduction rule for function types is:
To interpret this rule in a category C with finite products we need a function

on horn-sets of the form
in order to define
In order to preserve the basic property of the semantics that substitution

is modelled by composition, we require the above functions to be natural
in /, meaning
Elimination. We will use the familiar elimination rule involving application rather that the rule systematically derived from formation and introduction, which involves judgements with higher-order contexts (see [Nordstrom et o/., 1990, Section 7.2]):
Categorical logic
61
To interpret this rule, we need a function on horn-sets of the form
which is natural in I (in order to respect the semantics of substitution in

terms of composition). Naturality in / of these functions implies that they
are induced by a morphism
and we define
Equality.
The rule of B-conversion is
The structure in C we have described for interpreting function types is

sound for this rule provided
holds for all

For this it is sufficient, and
because of the naturality of cur also necessary, that
hold for all / : I x X > y.

The rule for n-conversion is
The semantics is sound for this rule provided that for all m : I >
(X-Y)
In fact the naturality of cur_ implies that this holds if and only if for each
X and y
62
Andrew M. Pitts
Now (3.20) and (3.22) say precisely that the natural transformation
given by
bijection with inverse cur-. Thus,
by definition, X-Y is the exponential of Y by X in the category C, with
evaluation morphism
Recall that by definition, a cartesian closed category has all finite products and exponentials.
Thus we have: function types satisfying B- and n-conversion can be soundly
interpreted in C provided it is cartesian closed.
3.4 Inductive types

In this section we consider the categorical interpretation of inductively
defined datatypes (such as the natural numbers, lists and trees) using initial
algebras. For definiteness we will concentrate on the case of the list type
constructor,
Recall that the introduction rules and corresponding elimination rule
for list are:
By a process of analysis that one hopes is becoming familiar by now, one

finds that the following structure on a category C with finite products is
needed to interpret this new syntax:
For each object X, an object LX equipped with morphisms nilX :
For all objects I, X, X', an operation sending a morphism / : / x X x
LX x X' > X' to a morphism listrecI(f) : I x LX x X ' > X1,
which is natural in I (so that for all g : I' > I, listrecI'- (f o (g x
id x id x id)) = l i s t r e c ( f ) o (g x id x id)).
The semantics of alist and its associated terms in C is then:
Categorical logic
63
(In the clause for

denotes the unique morphism from
the terminal object 1.)
Now consider the usual equality rules for list:
to
For the semantics to be sound for these two rules, one needs that for each
We can go one step further and insist that given f, listrecI(f) is the unique
morphism satisfying (3.27) and (3.28). In this case the structure on C is
also sound for the rule
With (3.29) and in the presence of product types, the scheme for primitive recursion becomes interdefinable with a simpler scheme of iteration,
given by the following rules:
64
Andrew M. Pitts
For clearly iteration is a special case of primitive recursion, and in the

reverse direction one can define
and use (3.31), (3.32) and (3.33) to prove that this has the correct properties. To do this, one also has to prove that
and this requires the uniqueness property (3.33).

In C, the rules (3.30)-(3.33) correspond to the following universal property of the object LX equipped with morphisms nilX : 1 > LX and
cons x ' X x LX > LX: for each pair of morphisms f : I x X x X1 > X'
and m' : I > X' , there is a unique morphism g : I x LX > X' such
that the following diagrams commute:
The uniqueness property of g implies that the operation sending / to g is

natural in Iso it is unnecessary to state this as a separate requirement.
If the category C is cartesian closed, then a further simplification can be
made: it is sufficient to have the above universal property for / = 1 to
Categorical logic
65
deduce the general case. If C also has binary coproducts, then one can
combine nilx and consx into a single morphism
.where T : C > C is the functor 1+(X x ). The universal property enjoyed

by nilx and consx is equivalent to the following property of i: for each
morphism h : T(X') X', there is a unique morphism g : LX > X'
with g o i = ho T(g). In other words, (LX,i) is an initial object in the
category of algebras for the functor T. (Recall that a T-algebra is an object
X' of C equipped with a 'structure' morphism T(X') > X'; a morphism
of T-algebras is a morphism in C between the underlying objects of the
algebras that makes the evident square involving the structure morphisms
commute.)
As usual, this initiality property characterizes LX, nilx and cons x
uniquely up to isomorphism in C. Moreover, the structure morphism of
an initial algebra is always an isomorphism: so i gives an isomorphism
between 1 + (X x LX) and LX. (The inverse of i is the unique T-algebra
morphism from the initial algebra to (T(LX),T(i)).)
Taking the type a in list to be the one-element type unit, one obtains
the type of natural numbers. On the categorical side, when X is the terminal object 1 in C, the above universal property of LI is that given by
Lawvere in defining the notion of a natural number object in a category.
Other inductive datatypes (equipped with iterators satisfying uniqueness
conditions) can be modelled soundly by requiring C to have initial algebras
for the 'strictly positive' functors T : C > Cthose expressible via a combination of constant functors, products, coproducts, and exponentiation by
a fixed object.
Remark 3.7 (Weak natural numbers object). Without the uniqueness rules (3.29) or (3.33), the scheme of iteration is weaker than that of
primitive recursion. (For example, the expected properties of the predecessor function on the natural numbers cannot be derived from an iterative
definitionsee [Girard, 1989, page 51].) The corresponding uniqueness
part of the universal property defining the notion of natural number object
N makes this notion conditional-equational rather than equational. If this
uniqueness requirement is removed, N is termed a weak natural numbers
object. Lambek [1988] and Roman [1989] have studied extensions of the
algebraic theory of weak natural numbers involving Mal'cev operations in
which the uniqueness of the iterator can be derived.
3.5
Computation types
Moggi [1991] introduces a new approach to the denotational semantics of

programming languages based on the categorical notion of a strong monad
66
Andrew M. Pitts
and the corresponding type-theoretic notion of 'computation types'. As

a further illustration of the methods developed so far, we will give the
semantics of Moggi's 'computational lambda calculus' in a category with
finite products equipped with a strong monad.
The syntax of computation types is as follows. We are given a unary
type constructor a i-- Ta. One should think of Ta as the type of 'computations' of elements of type a. There are two rules for building terms of
computation types:
(together with associated congruence rulescf. Remark 3.3).

Intuitively, val(M) is the value M regarded as a trivial computation
which immediately evaluates to itself; and let(E', F) denotes the sequential
computation which firstly tries to evaluate E to some value M : a and
then proceeds to evaluate F(M). These intended meanings motivate the
following three equality rules:
To interpret this syntax soundly in a category C with finite products

we need the following structure on C:
for each object X, an object TX;
for each object X, a morphism nx X > TX;
for all objects I , X , X ' , a function
that is natural in I (so that

holds for
all
Then the semantics of computation types and their associated terms in C
is:
Categorical logic
67
Satisfaction of rules (3.36), (3.37), and (3.38) requires the following equational properties of nx and lift I to hold for all
(we
have used the naturality of lift I in I to state
these in their simplest form):
Specifying the structure ( T , n , l i f t ) with the above properties is in fact

equivalent to specifying a monad on the category C together with a 'tensorial strength' for the monad: we refer the reader to [Moggi, 1991] and
the references therein for more details. Note that unlike the other categorical datatypes considered in this section, for a given category C the
structure of a strong monad is not determined up to isomorphism there
may be many different ones on C. (Moggi [1991] gives several examples
with computational significance.)
Theories as categories
Sections 2 and 3 have shown how to model an equational theory, possibly

involving some simple datatypes, in a suitably structured category in a way
which respects the rules of equational logic. The purpose of this section
is to demonstrate that this categorical semantics is completely general, in
the sense that the category theory provides an alternative but equivalent
formulation of the concepts embodied in the logic. We will see that there
is a correspondence between theories and categories, which enables one to
view the latter as giving an abstract or presentation-free notion of theory.
Such a theory-category correspondence relies upon the fact that the
categorical formulation of semantics allows us to consider models of a theory
in different categories. For a given theory Th, amongst all these different
categories it is possible to construct one which contains the 'most general'
model of Th. This category is called the 'classifying category' of Th and the
model it contains is called the 'generic' model. They are characterized by
a certain category-theoretic, universal property which depends upon the
ability to compare algebras in different categories by transporting them
along functors preserving the relevant categorical structure. So we begin
by describing this process.
Until section 4.4 we will confine our attention to algebraic theories versus categories with finite products. Th will denote a fixed, many-sorted
algebraic theory (as defined in section 2.1), with underlying signature Sg.
68
4.1
Andrew M. Pitts
Change of category
Recall that a functor T : C > D is said to preserve the finite product

Xi x x Xn if the morphisms
make
T ( X 1 x x Xn) into the product of the T(Xi) in V. If V itself has finite
products, then this is equivalent to requiring that
be an isomorphism. (A stronger condition would be to demand that a be

an identity morphismin which case we say that T strictly preserves the
finite product X1 x x Xn.)
If C and D are categories with finite products and T : C > D is a
functor preserving them, then every structure S for Sg in C gives rise to a
structure T(S) in V defined by:
for all sorts a and function symbols F : a\,..., an > T. Since T preserves
finite products and the semantics of terms-in-context is defined in terms of
these, the meaning of a term in 5 is mapped by T to its meaning in T(S).
More precisely, if M : r [F] then
commutes in "D. Consequently, if 5 satisfies M = M' : T [F], then so does

T(S). Thus finite product preserving functors preserve the satisfaction of
equations. In particular, if 5 is an algebra in C for a theory Th, then T(S)
is an algebra for Th in V.
Example 4.1. If C is locally small, then for each object / in C the homfunctor C(I, _) : C Set preserves products (but not strictly so, in general). Thus every algebra S in C gives rise to an ordinary, set-valued algebra
C ( I , S ) , whose elements are the 'generalized elements of S at stage /' in
the sense of section 2.3.
4.2
Classifying category of a theory
Two contexts over the signature Sg are a.-equivalent if they differ only in
their variables; in other words, the lists of sorts occurring in each context
Categorical logic
69
axe equal (and, in particular, the contexts are of equal length). Clearly
this gives an equivalence relation on the collection of contexts, and the set
of a-equivalence classes of contexts is in bijection with the set of lists of
sorts in Sg. Assuming a fixed enumeration Var = {v1,V2, } of the set of
variables (i.e. of the set of metavariables of arity TERMS), we can pick a
canonical representative context
for the a-equivalence
class corresponding to each list a1, . . . , an of sorts. We will not distinguish
notationally between a context and the a-equivalence class it determines.
Given contexts F and
a context morphism
from F to r'
is specified by a list y = [N1 , . . . , Nm] of terms over Sg such that Nj : TJ [F]

holds for each j = 1, . . . ,m. Note that F' could be replaced by any aequivalent context without affecting this definition.
Given another such morphism y' = [N1', . . . , N'm], we will write
to indicate the judgement that y and y' are context morphisms from F
to F' that are Th-provably equal: by definition, this means that for each
(2.8) imply that Th-provable equality of context morphisms (between two
given contexts) is an equivalence relation. Moreover, rule (2.9) shows that
changing F up to a-equivalence will not change the class of 7 under this
equivalence relation.
The composition of context morphisms y : F > F' and y' : F" > F"
is the context morphism y' o y : F F" formed by making substitutions:
The fact that y' o y does constitute a context morphism from F to F"
follows from rule (2.4); and rule (2.9) implies that composition respects
Th-provable equality:
The usual properties of term substitution imply that composition of

context morphisms is associative:
70
Andrew M. Pitts
when
Moreover, the
operations of composition possess units: the identity context morphism for
is given by the list idr = [x1, , xn] of variables in F; clearly one has
We now have all the ingredients necessary to define a category. Specifically, the classifying category, C l ( T h ) , of an algebraic theory Th is defined
as follows:
Objects of Cl(Th) are a-equivalence classes of contexts (or, if you prefer,
finite lists of sorts) over the signature of Th.
Morphisms of C(Th) from one object F to another F' are equivalence
classes of context morphisms for the equivalence relation which identifies
y : F > F' with y' : F > F' just if 7 =Th l' y' > F'. Composition of
morphisms in Cl( Th) is induced by composition of context morphisms, and
identities are equivalence classes of identity context morphisms. We will not
distinguish notationally between a context morphism and the morphism of
C l ( T h ) which it determines.
Proposition 4.2. Cl(Th) has finite products.
Proof. Clearly, for each context F the empty list of terms is the unique
context morphism F > [], and so its equivalence class is the unique
morphism from F to [] in Cl(Th). Thus the (a-equivalence class of the)
empty context [ ] is a terminal object in Cl( Th).
Given contexts F = [x1 : a1,..., xn : an] and F' = [yi : TI ,..., ym : rm],
we make use of the given enumeration Var = { v i , v 2 , . . . } of the set of
variables to define a context
Then [ v 1 , . . . , vn] and [v n +1,..., vn+m] determine morphisms ?I : F x F' *

F and 2 : F x F' > F' in C l ( T h ) which make F x F' into the product of F and F' in C l ( T h ) . For if 7 = [M1,...,M n ] : A > F and
a context morphism (y,y') : A > F x F' which is unique up to Thprovability with the property that
Remark 4.3. We could have defined C l ( T h ) by taking its objects to be
just contexts rather than a-equivalence classes of contexts; this would have
resulted in a larger category, equivalent to the one defined above (and hence
Categorical logic
71
with the same categorical properties). One advantage of the definition we

gave is that the particular choice of finite products given in the proof of
Proposition 4.2 is strictly associative and strictly unital: this means that
for all objects F, F' and F", the morphisms
are not merely isomorphisms (as is always the case), but actually identity
morphisms.
Remark 4.4. There is a close relationship between Cl(Th) and the free
Th-algebras in Set generated by finitely many indeterminates. Writing F
for
denote the free algebra generated
by finitely many indeterminates x1,..., xn of sorts a1,..., an respectively.
Then FTh(F) can be constructed by taking its underlying set at a sort r
to consist of the set of terms M satisfying M : r [F], quotiented by the
equivalence relation which identifies M with M' just if M = M' : T [F]
is a theorem of Th. This quotient set is precisely the set of morphisms
F > [vi : T] in C l ( T h ) . Thus the horn-sets of C l ( T h ) can be used to
construct the free finitely generated Th-algebras in Set. Conversely, it can
be shown that the category C l ( T h ) is equivalent to the opposite of the
category whose objects are the free, finitely generated Th-algebras in Set,
and whose morphisms are all Th-algebra homomorphisms.
Next we describe the 'generic' model of Th in the classifying category.
Each sort a of the underlying signature Sg of the theory Th determines an
object in the classifying category of Th represented by the context [v1 : a].
We will denote this object of Cl(Th) by G[a]. If F : aI , . . . , an r is a
function symbol in Sg, then, since
we have that [ F ( v 1 , . . . , vn)] is a context morphism from [v1 : a1,..., vn :

an] to [v1 : T}. Now the proof of Proposition 4.2 shows that in C l ( T h )
the object
is the product of the objects [vi : oi] =
hence [ F ( v 1 , . . . , v n ) } determines a morphism G[F] : G[o1] x x
Altogether,
then, G is a structure for Sg in the
category C l ( T h ) .
Lemma 4.5. The structure G has the following properties.
(i) For each context F, the object G|F] in C l ( T h ) is (the a-equivalence
class of) F;
(ii) If M : T [F] then the morphism G[M[F]1 : G[F] > G[r] in Cl(Th)
is that determined by the context morphism [M] : F > [v1 : T];
72
Andrew M. Pitts
(iii) M = M' : T [F] is a theorem of Th if and only if G[M[F]] =

G[M'[F]]. In other words, G satisfies an equation-incontext just
if it is a theorem of Th.
Prooof.
(i) We have already observed that [v1 : a1 , . . . ,vn : an] is the product
G[oI] x x G{an} in C l ( T h ) ; but recall from section 2.2 that this
is also the definition of G[[VI : a1 , . . . , vn : (on]].
(ii) This follows by induction on the structure of M using the explicit
description of the product structure of Cl( Th) given in the proof of
Proposition 4.2.
(iii) By part (ii), G[M[F]] = G[M'[F]] holds if and only if [M] and [M']
determine equal morphisms in C l ( T h ) , which by definition means
that M = M' : T [F] is a theorem of Th.
Part (ii) of the above lemma implies in particular that G satisfies the
axioms of Th and hence is a Th-algebra. G will be called the generic
Th-algebra. It enjoys the following universal property.
Theorem 4.6 (Universal property of the generic algebra). For each
category C with finite products, any Th-algebra S in C is equal to S(G) for
some finite product preserving functor S : C l ( T h ) > C. Moreover, the
functor S is uniquely determined up to (unique) natural isomorphism by
the algebra S. (S is called the functor classifying the algebra S.)
Proof. Define 5 on objects F by
and
on morphisms
Then the fact that S is a functor preserving finite products follows easily
from the definition of C l ( T h ) in section 4.2. Applying S to G, one has for
a sort a that
similarly for a
function symbol F that
Hence S(G) = S.
Now suppose that T : Cl(Th) > C is another product-preserving
functor and that there is an isomorphism, h : T(G) = S, of Th-algebras
in C. For each object
, since F =
one
gets isomorphisms
Categorical logic
73
which are the components of a natural isomorphism k : T =^ S. Finally,

note that since T and S preserve finite products and every object in Cl( Th)
is a finite product of objects of the form G[o], k is uniquely determined by
the condition that it induces h.
I
Corollary 4.7.
(i) The classifying category of Th is determined uniquely up to equivalence, and the generic Th-algebra uniquely up to isomorphism by the
universal property in Theorem 4.6.
(ii) The operation of evaluating a finite product preserving functor from
Cl( Th) to C at the generic algebra G is the object part of an equivalence of categories:
where F P ( C l ( T h ) , C ) is the category of finite product preserving functors and natural transformations from C l ( T h ) to C, and Th-ALG(C)
is the category of Th-algebras and homomorphisms in C.
Proof. Part (i) is a routine consequence of the universal property, but part
(ii) deserves further comment.
The statement of Theorem 4.6 says that the functor T -> T(G) is
essentially surjective, and full and faithful for isomorphisms; hence it gives
an equivalence between the category of functors and natural isomorphisms
and the category of algebras and algebra isomorphisms. Since this is true
for any C with finite products, we can replace C by its arrow category
(whose
objects are the morphisms of C and whose morphisms are
commutative squares in C), which certainly has finite products when C
does. The equivalence for objects and isomorphisms in this case implies
that the original functor T >- T(G) is full and faithful, and hence that
(4.1) holds.
I
4.3
Theory-category correspondence
Let Sgc be the signature defined from a category C with finite products, as in section 2.3. As we noted in that section, there is a canonical
structure for Sgc in C. Define Thc to be the algebraic theory over Sgc
whose axioms are all equations-in-context which are satisfied by this structure. Then the structure is automatically an algebra for this theory, and
hence by Theorem 4.6 corresponds to a finite product preserving functor
T : C l ( T h c ) > C. The definition of Sgc (which names the various objects
and morphisms in C) and The (which identifies terms which name the same
things in C) entails that T is full, faithful and essentially surjectiveand
74
Andrew M. Pitts
hence is an equivalence of categories. Thus we have that every category

with finite products is equivalent to the classifying category of some manysorted algebraic theory. As we noted in section 2.3, Thc will have a set of
symbols and axioms (rather than a proper class of them) only in the case
that C is a small category.
Starting with C, forming Thc and then Cl(Thc), one gets back not C
itself, but an equivalent category. What about the reverse process: how are
the theories Th and Th C l ( T h ) related? To answer this question, we need an
appropriate notion of morphism, or translation between algebraic theories.
A rather general notion is obtained by declaring a translation Th > Th'
to be an algebra for Th in the classifying category of Th'. The syntactic
nature of the construction of Cl( Th') permits one to give a purely syntactic
explanation of this notion of translation, which we omit here. In fact we
can form a 2-category of many-sorted algebraic theories, Alg, whose horncategories are the categories of algebras and homomorphisms in classifying
categories:
If F-p denotes the 2-category whose objects are categories with finite products and whose horn-categories consist of finite product preserving functors
and all natural transformations, then the classifying-category construction
is the object part of a 2-functor
This 2-functor is 'full and faithful' in the sense that it is an equivalence on

hom-categories (using (4.1)), and is 'essentially surjective' in the sense that
every object of Fp is equivalent to one in the image of Cl. Thus Cl induces
an equivalence between Alg and fp in an appropriate, up-to-equivalence
sense.
Remarks 4.8. We close this section by mentioning some consequences of
the correspondence.
(i) We can view a particular small category with finite products C as
specifying a (many-sorted) algebraic theory independently of any particular presentation in terms of a signature and axioms: there may
be many such presentations whose syntactic details are different, but
which nevertheless specify the 'same' theory, in the sense that their
classifying categories are equivalent to the given category C. Indeed,
once one has this categorical view of algebraic theories, one sees that
there are many 'naturally occurring' algebraic theories which do not
arise in terms of a presentation with operators and equations. For
example, the category whose objects are the finite cartesian powers of
the set of natural numbers N and whose morphisms Nm >Nn are ntuples of m-ary primitive recursive functions, is a category with finite
Categorical logic
75
products and hence an algebraic theory. This category is a paradigmatic example of the notion of 'iteration theory' introduced by Elgot:
see the book by Bloom and Esik [1993]. (A reader who takes this advice should be warned that [Bloom and Esik, 1993] adopts a not
uncommon viewpoint that algebraic theories can be identified with
categories with finite coproducts. Since the 2-category of categories
with finite coproducts and functors preserving such is equivalent (under the 2-functor taking a category to its opposite category) to the
2-category of categories with finite products, this viewpoint is formally equivalent to the one presented here. However, it does not sit
well with the intuitively appealing picture we have built up of the
sorts of a theory (objects of a category) as generalized sets and the
terms-in-context (morphisms) as generalized functions.)
(ii) If T : C > D is a morphism in Fp between small categories, then,
for any C Fp with small colimits, it can be shown that the functor
induced
by composition with T has a left
adjoint, given by left Kan extension along T. Since T corresponds
to a translation between algebraic theories and T* is the functor
restricting algebras along T, this left adjoint provides 'relatively free'
constructions on algebras for a wide variety of situations (depending
upon the nature of the translation).
(iii) Free constructions (indeed weighted colimits in general) in Fp can
be constructed via appropriate syntactic constructions on algebraic
theories and translations between them.
4.4
Theories with datatypes
In this section we will examine the effect on the classifying category Cl( Th)
of a theory Th when we enrich equational logic with the various datatype
constructions considered in section 3, together with their associated introduction, elimination, and equality rules. We will look at product, disjoint
union, and function types. In each case the classifying category turns out
to possess the categorical structure that was used in Section 3 to interpret these datatype constructs. (Similar considerations apply to the other
type-forming operations considered in that section, namely list types and
'computation' types.)
Product types. (Cf. Section 3.2.) In this case, for each pair of types a and
a' there is a binary product diagram in the classifying category C l ( T h ) of
the form
Similarly, in the presence of a one-element type unit (cf. Remark 3.6), then
[z : unit] is a terminal object in C l ( T h ) . It follows that in the presence of
76
Andrew M. Pitts
these type-forming constructs, C l ( T h ) is equivalent to the full subcategory

whose objects are represented by contexts of length one.
Disjoint union types. (Cf. Section 3.1.) In this case, for each pair of types
a and a' and each context F = [x1 : aI, . . . ,xn : a n ] , there is a coproduct
diagram in the classifying category Cl( Th) of the form
(where x,x',z are chosen to be distinct from x = x1,. . . ,xn). In the case
T = 0, we have that [z : a + a'] is the binary coproduct of [x : a] and
[x : a] in Cl( Th). Given the description of products in the category Cl( Th)
in Proposition 4.2, it also follows that product with an arbitrary object
[F] distributes over this coproduct, i.e. it is a stable coproduct(cf. 3.1).
Similarly, in the presence of an empty type null (cf. Remark 3.5), [z : null]
is a stable initial object in C l ( T h ) .
In the presence of product and one-element types we have seen that
every object is isomorphic to one of the form [x : a]. In the presence of
disjoint union and empty types as well, we can conclude that Cl( Th) has
all stable finite coproducts.
Function types. (Cf. Section 3.3.) In this case, for each pair of types a
and a', the object [f : a-a'] is the exponential
of
C l ( T h ) , with associated evaluation morphism
Unlike the case for disjoint union types, it is not necessary to assume the
presence of product types in order to conclude that the classifying category
possesses exponentials for any pair of objects. For, given any objects T =
the
is
given by the object
Thus in the presence of function types, the classifying category Cl( Th) is a
cartesian closed category, whether or not we assume the theory Th involves
product types.
Remark 4.9 (The generic model of a theory). Suppose we consider
equational theories Th in the equational logic of product, disjoint union,
Categorical logic
77
and function types. We have seen that Cl(Th) is a cartesian closed category with finite coproducts. (Recall that the stability of coproducts is
automatic in the presence of exponentials.) Such a category is sometimes
called bicartesian closed. We can define a structure G in C l ( T h ) for the
underlying signature of Th just as in Section 4.2 and satisfying Lemma 4.5.
Thus the structure G in C l ( T h ) is a model of Th (i.e. satisfies the axioms
of Th) and indeed satisfies exactly the equations that are theorems of Th.
An immediate corollary of this property is the completeness of the categorical semantics: an equation is derivable from the axioms of Th using the
equational logic of product, disjoint union, and function types if (and only
if) it is satisfied by all models of Th in bicartesian closed categories.
Indeed, Theorem 4.6 extends to yield a universal property characterizing G as the generic model of Th in bicartesian closed categories: given any
other model S of Th in a bicartesian closed category C, then the functor
S : C(Th) > C defined in the proof of Theorem 4.6 is a morphism of
bicartesian closed categories, i.e. preserves finite products, finite coproducts, and exponentials. It also maps G to 5 and is unique up to unique
isomorphisms with these properties.
Predicate logic
In previous sections we have considered the categorical interpretation of

properties of structures that can be expressed equationally. Now we consider what it means for a structure in a category to satisfy properties expressible in the (first-order) predicate calculus, using logical connectives
and quantifiers. As in section 3, adjunctions play an important role: we
will see that the propositional connectives, the quantifiers, and equality
can be characterized in terms of their adjointness properties. First we set
up the basic framework of predicate logic and its categorical semantics.
5.1
Formulas and sequents
Let us augment the notion of many-sorted signature considered in section 2

by allowing not only sort and function symbols, but also relation symbols,
R. We assume that each relation symbol comes equipped with a typing of
the form
indicating both the number and the sorts of the
terms to which R can be applied. To judgements of the form (2.1) asserting
that an expression is a well-formed term of a given sort in a given context,
we add judgements of the form
asserting that the expression 0 is a well-formed formula in context F. The

atomic formulas over the given signature are introduced by the rules
78
Andrew M. Pitts
with one such rule for each relation symbol R. Later we will consider compound formulas built up from the atomic ones using various propositionforming operations. The logical properties of these operations will be specified in terms of sequents of the form
where
is a finite list of formulas, ip is a formula and the
judgements 0i,prop [T] and prop [T] are derivable. The intended meaning
of the sequent (5.2) is that the joint validity of all the formulas in logically
entails the validity of the formula if).
Figure 2 gives the basic, structural rules for deriving sequents. Since we
wish to consider predicate logic as an extension of the rules for equational
logic given in section 2.1, Fig. 2 includes a rule (Subst) permitting the
substitution in a sequent of a term for a provably equal one. The rule
(Weaken) allows for weakening of contexts. The other possible form of
weakening is to add formulas to the left-hand side of a sequent:
This is derivable from the rules in Fig. 2 because of the form of rule (Id) .
Note that in stating these rules we continue to use the convention established in Remark 3.2 that the left-hand part of a context is not shown if it
is common to all the judgements in a rule. Thus for example, the full form
of rule (Subst) is really
Let us enrich the notion of theory used in section 2 by permitting the

signature of the theory to contain typed relation symbols in addition to
sorts and typed function symbols, and by permitting the axioms of the
theory to be sequents as well as equations-in-context. The theorems of such
a theory will now be those judgements that can be derived from the axioms
using the rules in Figs. 1 and 2 (together with the rules for propositionforming operations to be considered below, as appropriate).
5.2
Hyperdoctrines
If the judgement 0 prop [x1 : a1 , . . . , xn ' an] ver a given signature is

derivable, then {x1, . . . , xn] contains the variables occurring in the formula
Categorical logic
79
'
Fig, 2. Structural rules

Intuitively such a formula describes a subset of the product of the
sorts a1, ... ,an. Indeed, suppose we are given a set-valued structure for
the signature: such a structure assigns a set [o] to each sort a, a function
to
each function symbol
T, and a subset
to each relation symbol R C
Then
each formula-in-context prop
gives rise to the subset of
consisting of those n-tuples
(a1,..., an) for which the sentence
is satisfied in the
classical, Tarskian sense (see [Chang and Keisler, 1973, 1.3]). Our aim is
to explain how this traditional notion of satisfaction can be generalized
to give an interpretation of formulas-in-context in categories other than
the category of sets. To do this one needs a categorical treatment of the
notion of 'subset' and the various operations performed on subsets when
interpreting logical connectives and quantifiers. For this we will use the
'hyperdoctrine' approach originated by Lawvere [1969; 1970], whereby the
'subsets' of an object are given abstractly via additional structure on a
category.
Definition 5.1. A prop-category, C, is a category possessing finite products and equipped with the following structure:
For each object X in C, a partially ordered set Propc(X), whose elements will be called C-properties of X. The partial order on Propc(X)
will be denoted by <.
For each morphism f : Y > X in C, an operation assigning to each
C-property A of X, a C-property f*A of Y called the pullback of A
along f. These operations are required to be
monotone: if A < A', then f*A < f*A';
80
Andrew M. Pitts
Thus a prop-category is nothing other than a category with finite products, C, together with a contravariant functor Propc() from C to the category of posets and monotone functions. Propc() is a particular instance of
a Lawvere 'hyperdoctrine', which in general is category- rather than posetvalued (and pseudofunctorial rather than functorial). The reader should
be warned that the term 'prop-category' is not standard; indeed there is
no standard terminology for the various kinds of hyperdoctrine which have
been used in categorical logic.
Here are some important examples of prop-categories from the worlds
of set theory, domain theory, and recursion theory.
Example 5.2 (Subsets). The category Set of sets and functions supports
the structure of a prop-category in an obvious way by taking the Setproperties of a set X to be the ordinary subsets of X . Given a function
f : Y > X, the operation /* is that of inverse image, taking a subset
A C X to the subset {y \ f(y) E A] C Y.
Example 5.3 (Inclusive subsets of epos). Let Cpo denote the category
whose objects are posets possessing joins of all w-chains and whose morphisms are the w-continuous functions (i.e. monotone functions preserving
joins of w-chains). This category has products, created by the forgetful
functor to Set. We make it into a prop-category by taking PropCpo(X) to
consist of all inclusive subsets of X, i.e. those that are closed under joins
of w-chains in X. The partial order on PropCpo(X) is inclusion of subsets.
Given / : Y X, since / is w-continuous, the inverse image of an inclusive subset of X along / is an inclusive subset of Y; this defines the
operation /* : PropCpo(X) > PropCpo(Y).
Example 5.4 (Realizability). The prop-category Kl has as underlying
category the category of sets and functions. For each set X, the poset
P r o p k l ( X ) is defined as follows. Let X>P(N) denote the set of functions
from X to the power set of the set of natural numbers. Let < denote
the binary relation on this set defined by: p < q if and only if there is a
partial recursive function : N * N such that for all x 6 X and n N,
if n p(x) then (p is defined at n and (n) q(x). Since partial recursive
functions are closed under composition and contain the identity function,
< is transitive and reflexive, i.e. it is a pre-order. Then Propkl(X) is
the quotient of X-P(N) by the equivalence relation generated by <; the
partial order between equivalence classes [p] is that induced by <. Given a
function / : Y > X, the operation /* : PropKl(X) > PropKl(Y) sends
it is easily seen to be well-defined, monotonic and functorial.
Example 5.5 (Subobjects). A important class of examples of propcategories is provided by using the category-theoretic notion of a subobject
of an object. Recall that a morphism / : Y > X in a category C is a
Categorical logic
81
monomorphism if for all parallel pairs of morphisms g, h with codomain

y, g = h whenever / o g = f o h. The collection of monomorphisms in C
with codomain X can be pre-ordered by declaring that f < f' if and only
if f = f' o g for some (mono)morphism g. Then a subobject of X is an
equivalence class of monomorphisms with codomain X under the equivalence relation generated by <. If for each X, there are only a set of such
equivalence classes, C is said to be well-powered.
If C has all finite limits and is well-powered, we can make it into a propcategory by taking Propc(X) to be the set of subobjects of X with partial
order that induced by <. Given / : Y > X in C, the operation /* on
subobjects is that induced by pullback along /. (Recall that a pullback of
a monomorphism is again a monomorphism.) When C = Set, we obtain
an example that is isomorphic to Example 5.2 above. (Subobjects of X
in Set are in natural bijection with subsets of X.) But note that under
a similar isomorphism for C = Cpo, the structure in Example 5.3 picks
out a restricted collection of subobjects. (Not every subobject of X in Cpo
corresponds to an inclusive subset Xconsider, for example, the subobject
determined by the identity function from the unordered two-element set to
the ordered two-element set.)
Much of the development of the categorical approach to predicate logic
(such as the classic text by Makkai and Reyes [1977]) has restricted its
attention to interpretations in this class of examples, where formulas (in
context) are interpreted as subobjects in categories.
Given a signature Sg of sort, function, and relation symbols as in section
5.1, a structure for Sg in a prop-category C is specified by giving an object
[o] in C for each sort, a morphism
in C for each function symbol
and a C-property
for
each relation symbol
For each context
and formula over the signature
for which the judgement prop [T] is derivable, we will define a C-property
where [F| denotes the p r o d u c t . The definition will be given

by induction on the derivation of prop [F], since there will be at most one
way to derive the well-formedness of a formula in a given context. At the
moment we only have one rule for forming formulas, namely rule (5.1) for
forming atomic formulas. To define
in this case we use the semantics
of terms-in-context described in section 2 to assign meanings
in
the
structure for the terms Mi and then define
82
Andrew M. Pitts
The following lemma is a consequence of Lemma 2.2 specifying the

behaviour of the categorical semantics with respect to substitution of terms
for variables in terms.
Lemma 5.6 (Semantics of substitution and weakening). In the categorical semantics of formulas in context, substitution of a term for a variable in a formula is interpreted via the pullback operations. Specifically, if
then
where
denotes the result of simultaneously substituting Mi for
(i = l,...,n) in
Similarly, weakening of contexts is interpreted via pullback along a product projection: if prop [T], then
5.3
Satisfaction
Suppose that
[F] is a sequent over a given signature Sg.
Given a structure for Sg in a prop-category C, what should it mean for
the structure to satisfy the sequent? Since prop [F] and prop [F] are
required to hold, we get C-properties [ [ F ] ] and [F]] of the object [F].
In the case n = 1 when the sequent contains a single antecedent formula,
it seems natural to define the satisfaction of the sequent to mean that
holds
in the poset Propc([F]). For the general case, let
us suppose that each poset Propc(X) comes equipped with a distinguished
element Tx and a binary operation A, A'
A A A'. Then we can define
to
be satisfied if
where
is defined by induction on the length of the list
We require this definition of satisfaction be sound for the rules in Fig. 2:

if the hypotheses of a rule are satisfied so should be the conclusion. For
(Cut) to be sound in the case t h a t , it is sufficient that for all
A, B, C Propc(X), if A < B and ~TX A B < C then A < C. For (Id) to
be sound, it is sufficient that A A B < B. From these two properties plus
Categorical logic
83
the fact that < is a partial order, it follows that TX A A = A. Using this,
the soundness of (Exchange) amounts to requiring A A B = B A A. But
then we have both A B = B and A B = B/\A<A; so A A B is a
lower bound for A and B. In particular, for all A, A = TX A < TX, so
that TX is the greatest element of Propc(X). In fact A/\B has to be the
greatest lower bound of A and B: for the soundness of (Contract!) requires
C < C AC, for all C; and the general form of (Cut) (when $' is non-empty)
requires that, for all A,A',B,C Propc(X), if A < B and A' A B < C
then A A A' < C. The latter property implies that A is monotone, and
hence C < A and C < B imply C < C A C < A A B. So all in all, we need
each poset Propc(X) to have finite meets. But that is not all: in view of
Lemma 5.6, for the soundness of rules ( Weaken) and (Subst) we will need
that these finite meets be preserved by the pullback operations /* in C.
Therefore we are led to the following definition.
Definition 5.7. A prop-category C has finite meets if for each object X
in C the poset Propc(X) possesses all finite meets and these are preserved
by the pullback operations /*. Thus for each X there is TX Propc(X)
satisfying
and for all A, B Propc(X), there is an element A A B

satisfying
Propc(X)
Given a structure in C for a signature Sg, we say that a sequent

over Sg is satisfied by the structure if
(5.3)
where the left-hand side indicates the (finite) meet of the elements
Extending Theorem 2.4, we have:
Theorem 5.8 (Soundness). Let C be a prop-category that has finite
meets and let Th be a theory in the sense of section 5.1. Then any structure
in C for the underlying signature of Th that satisfies the axioms of Th also
satisfies its theorems.
Examples 5.9. The prop-categories of Examples 5.2-5.5 all have finite
meets. Meets in Set (or Cpo) are given by set-theoretic intersection of
subsets (or inclusive subsets) these are clearly preserved by the pullback
operations since these are given by taking inverse images of subsets along
functions (or w continuous functions).
Finite meets in Kl can be calculated as follows. Choose some recursive
bijection pr : N x N > N and define a binary operation on subsets A,BC
84
Andrew M. Pitts
Nby
A A B = {pr(n, m) | n E A and m B}.

Then one can show that for any pair of k-properties of a set X represented
by functions p, q : X > P(N) say, the meet of [p] and [q] in P r o p k l ( X )
is represented by the function n - p(n) A q(n). The greatest element
Tx PrPKe(X) is represented by the function n i- N. Since the pullback
operations /* in kl are given by pre-composition with /, it is clear from
these descriptions that finite meets are preserved by f*.
Finally, let C be a category with finite limits, made into a prop-category
as in Example 5.5 by taking the C-properties of an object X to be its
subobjects. Then the top subobject TX is represented by the identity on X;
clearly this is stable under pullback. Given two subobjects represented by
monomorphisms A > X, B > X say, their binary meet is represented by
the composition A B > A > X, where A B > A is the categorical
pullback of B > X along A > X. Elementary properties of pullbacks
in categories guarantee that this meet operation is stable under pullback.

Given the well-known connection between intuitionistic prepositional logic
and Heyting algebras (see [Dummett, 1977, Chapter 5], for example), it
is not surprising that to model these prepositional connectives in a propcategory we will need each poset Propc(X) to be a Heyting algebra. However, we also require that the Heyting algebra structure be preserved by
the pullback operations f*. This is because these operations will be used in
the categorical semantics to interpret the operation of substituting terms
for variables in a formula.
Definition 5.10. Let C be a prop-category.
(i) C has finite joins if for each object X in C the poset Propc(X) possesses all finite joins and these are preserved by the pullback operations /*. Thus for each X there is x Propc(X) satisfying
and for all A, B Propc(X), there is an element A V B Propc(X)

satisfying
* for all C 6 Propc(X), A V B < C if and only if A < C and
B<C,
(ii) C has Heyting implications (also called 'relative pseudocomplements')
if it has finite meets (cf. Definition 5.7) and for each object X and all
A,B Propc(X), there is an element A*B Propc(X) satisfying
* for all C 6 Propc(X), C < A -> B if and only if C A A < B,
"(A
-+B) = f*A - f*B, for all / : Y > X.
Categorical logic
85
Given a signature Sg as in section 5.1, consider compound formulas

built up from the atomic ones and the propositional constant false using
the propositional connectives & (conjunction), V (disjunction), and => (implication) . The rules of formation are
false prop [T]
prop [T]
' prop [F]

prop [F]
(where # is one of &, V, =>).
(5.5)
Negation,
, will be treated as an abbreviation of => false; truth, true,
will be treated as an abbreviation of -ifalse; bi-implication,
will be
treated as an abbreviation of
Given a structure for Sg in a prop-category C with finite meets, finite joins and Heyting implications, we can interpret formulas-in-context
0[F] as C - p r o p e r t i e s , by induction on the derivation of
prop [F]. Atomic formulas are interpreted as in section 5.3, and compound
formulas as follows:
v
In this way the notion given in section 5.3 of satisfaction of a sequent by a
structure applies to sequents involving the propositional connectives.
Theorem 5.11 (Soundness). Given a structure in a prop-category C
with finite meets, finite joins, and Heyting implications, the collection of
sequents
that are satisfied by the structure (cf. 5.3) is closed under
the usual introduction and elimination introduction rules for the propositional connectives in Gentzen's natural deduction formulation of the intuitionistic sequent calculus, set out in Fig. 3.
Recall that a poset P can be regarded as a category whose objects are
the elements of *P and whose morphisms are instances of the order relation.
From this point of view, meets, joins, and Heyting implications are all
instances of adjoint functors. The operation of taking the meet (or the join)
of n elements is right (or left) adjoint to the diagonal functor P > Pn; and
given A E P, the Heyting implication operation
adjoint to ( ) A A : P > P. Figure 4 gives an alternative formulation
of the rules for the intuitionistic propositional connectives reflecting this
adjoint formulation. The rules take the form
86
Andrew M. Pitts
Fig. 3. Natural deduction rules for intuitionistic prepositional connectives
Fig. 4. 'Adjoint' rules for intuitionistic prepositional connectives

sequents
sequent
A set of sequents is closed under such a 'bi-rule' if the set contains the sequents above the double line if and only if it contains the sequent below the
double line; such a rule is thus an abbreviation for several 'uni-directional'
rules.
Note that the presence of the extra formulas in rule (V-Adj) means
that the character of disjunction is captured not just by the left adjointness
Categorical logic
87
property of binary joinsone also needs the adjoint to possess a 'stability'

property which in this case is the distribution of finite meets over finite
joins. (Compare this with the need identified in section 3.1 for coproducts
to be stable in order to model disjoint union types correctly.) In the presence of rule (=>-Adj) this stability property is automatic, and we could
have given the rule without the extra formulas
((false-Adj) is also a
'stable' left adjunction rule, but in this case the stability gives rise to no
extra condition.)
The proof of Theorem 5.11 amounts to showing that the rules in Fig. 3
are derived rules of Fig. 4. Conversely, it is not hard to prove that the (unidirectional versions of) the rules in Fig. 4 are derived rules of Fig. 3. In
this sense, the two presentations give equivalent formulations of provability
(i.e. what can be proved in intuitionistic propositional logic). However,
the structure of proofs in the two formulations may be very different. One
should note that the presence of rule (Cut) (which corresponds to the
transitivity of < in prop-categories) in Fig. 4 is apparently essential for the
adjoint formulation to be equivalent to the natural deduction formulation
of Fig. 3unlike the situation for Gentzen's sequent calculus formulation
where cuts can be eliminated (see [Dummett, 1977, 4.3]).
Remark 5.12. A typical feature of the categorical treatment of logical
constructs is the identification of which constructs are essentially uniquely
determined by their logical properties. Adjoint functors are unique up
to isomorphism if they exist. So, in particular, the operations of Definitions 5.7 and 5.10 are uniquely determined if they exist for C. Correspondingly, the adjoint rules of Fig. 4 make plain that, up to provable equivalence,
the intuitionistic connectives are uniquely determined by their logical properties. For example, there cannot be two different binary meet operations
on a poset, and correspondingly if &' were another connective satisfying
rule (& - Adj), then
would be provable for all
Such uniqueness for logical constructs does not always hold: for example,
Girard's [1987] exponential operator does not have this property.
Example 5.13. The prop-category Set of Example 5.2 has finite meets
and finite joins, given by set-theoretic intersection and union respectively
(which are preserved by the pullback operations since these are given
by taking inverse images along functions). Indeed, each PropSet(X) is a
Boolean algebra and so the categorical semantics of formulas is sound for
classical propositional logic. This semantics coincides with the usual settheoretic one, in the sense that the subset consists of those n-tuples
sentence
is satisfied in the classical, Tarskian sense
(see [Chang and Keisler, 1973, 1.3]).
Example 5.14. Turning to the prop-category Cpo of Example 5.3, first
note that each poset PropCpo(X) does have meets, joins, and Heyting im-
88
Andrew M. Pitts
plications. Meets (even infinite ones) are given by set-theoretic intersection. Finite joins are given by set-theoretic union. The Heyting implication
A > B of inclusive subsets A, B 6 PropCpo (X) is given by taking the intersection of all inclusive subsets of X that contain
A or x E B}.
The operation /* of taking the inverse image of an inclusive subset
along an w-continuous function / : Y > X preserves meets and finite
joins, but it does not preserve Heyting implications. (For example, take X
to be the successor ordinal w+, Y to be the discrete w-cpo with the same set
of elements, and / to be the identity function; when A {w} and B = 0,
one has
Thus Cpo supports
the interpretation of conjunction and disjunction, but not implication.
Example 5.15. The prop-category Kl of Example 5.4 has finite meets,
finite joins, and Heyting implications. To see this, one needs to consider
numerical codes for partial recursive functions. Let n x denote the result,
if defined, of applying the nth partial recursive function (in some standard
enumeration) to x. The notation {n}(x) is traditional for n x. We will
often write nx for n x; a multiple application (n x) y will be written nxy,
using the convention that associates to the left.
So for each partial recursive function ip : N -* N there is some n N
such that nx x (x) for all x N. Here 'e e' means e- if and only if e',
in which case e = e', and 'e- means the expression e is defined. The key
requirement of this enumeration of partial recursive functions is that the
partial binary operation n, m H-> n m makes N into a 'partial combinatory
algebra'i.e. there should be K, S N satisfying, for all x,y,z E N, that
and Kx x
Sxfy, Sxyty and Sxyz x xz(yz).

In particular, K and S can be used to define P, P0, PI e N, so that (x, y) >-t
Pxy defines a recursive bijection N x N = N with inverse z >-* (Poz, PI 2)Now define three binary operations on subsets A, B C N as follows:
Using elementary properties of the partial combinatory algebra (N, ) one

can show that for any pair of kl-properties of a set X, represented by
functions p, q : X P(N) say, the meet of [p] and [q] in PropKf(X)
is represented by the function n i-> p(n) A q(n). Similarly, their join is
represented by the function n >-> p(n) V q(n) and their Heyting implication
Categorical logic
89
is represented by the function n 1-4 p(n)->q(n). The greatest and least

elements Txi-Lx Propkl ( (X) are represented by the functions n >-> N
and n M- 0 respectively. Since the pullback operations /* in kl are given
by pre-composition with /, it is clear from these descriptions that finite
meets, finite joins, and Heyting implications are all preserved by f* .
So the prop-category ICf. supports an interpretation of the prepositional
connectives that is sound for intuitionistic logic. Combining the definition
of the categorical semantics with the above description of finite meets, finite
joins, and Heyting implications in kl one finds that this interpretation
is in fact Kleene's '1945-realizability' interpretation of the intuitionistic
prepositional connectives (see [Dummett, 1977, 6.2]), in the sense that the
relation '
coincides with the relation 'n realizes .
Remark 5.16 (Classical logic). We can obtain classical prepositional
logic by adding the rule
to those in Fig. 3. Recalling that

is an abbreviation for
one has that
is the pseudocomplement of
in the Heyting algebra Propc([F]). For the above rule to be sound in C we need
to hold for each A Propc(X). In other words,
the pseudocomplement of every C-property must actually be a complement.
So to obtain a sound (and in fact complete) semantics for classical prepositional logic we require that each Propc(X) is a Boolean algebra and that
each pullback operation /* preserve finite meets and joins (and hence also
complements).
5.5 Quantification
The rules for forming quantified formulas are
The usual natural deduction rules for introducing and eliminating quantifiers are given in Fig. 5. Modulo the structural rules of Fig. 2, these natural deduction rules are interderivable with an 'adjoint' formulation given
by the bidirectional rules of Fig. 6. It should be noted that some side conditions are implicit in these rules because of the well-formedness conditions
mentioned after (5.2) that are part of the definition of a sequent. Thus x
does not occur free in in (V -Intro) or (V-Adj); and it does not occur free
in
(3-Elim) or (3-Adj).
What structure in a prop-category C with finite meets is needed to
soundly interpret quantifiers? Clearly we need functions
90
Andrew M. Pitts
Fig. 5. Natural deduction rules for quantifiers
Fig. 6. 'Adjoint' rules for quantifiers
so that we can define
In order to retain the soundness of the structural rules (Weaken) and

(Subst), we must require that these operations be natural in I, i.e. for
any f : I' I we require
Given the semantics of weakening in Lemma 5.6, for the soundness of

(V-Adj) we need
for all A Propc(I) and B Propc(I x X). In other words.
provides
Categorical logic
91
a right adjoint to the monotone function
Note that this requirement determines the function

uniquely and
implies in particular that it is a monotone function.
Given the definition of satisfaction of sequents in section 5.3, for the
soundness of (3-Adj) we need
for all A, C e Propc(I) and B 6 Propc(I x X). We can split this requirement into two: first that
provides a left adjoint to,
and second a
'stability' condition for the left adjoint with respect to meets:
Definition 5.17. Let C be a prop-category with finite meets. We say that

C has universal quantification if, for each product projection
:I x X >
X in C, the pullback function 1 possesses a right adjoint
and
these right adjoints are natural in / (5.6).
We say that C has existential quantification if each
possesses a left
adjoint V/,x (5-9)
these left adjoints are both natural in I (5.7) and
satisfy the stability condition (5.10).
Thus we have shown that if C is a prop-category with finite meets and
both universal and existential quantification, then the sequents that are satisfied by a structure in C are closed under the quantifier rules in Fig. 5.
Remark 5.18. Conditions (5.6) and (5.7) are instances of what Lawvere
[1969] termed the 'Beck-Chevalley condition': see Remark 5.27. Condition
(5.10) was called by him 'Frobenius reciprocity'. It is somewhat analogous
to the stability condition on coproducts needed in section 3.1 to soundly
interpret disjoint union types. Just as there we noted that the existence of
exponentials makes stability of coproducts automatic, so here it is the case
that condition (5.10) holds automatically if C has Heyting implications (see
Definition 5.10).
Example 5.19. The prop-cat Set of Example 5.2 possesses adjoints for
all pullback operations and in particular for pullback along projections.
Specifically, for A C I x X we have
These adjoints are easily seen to be natural in /, and since Set has Heyting
92
Andrew M. Pitts
(indeed Boolean) implications, as noted above the Frobenius reciprocity

condition (5.10) holds automatically.
Thus Set has both universal and existential quantification. Given the
above formulas for the adjoints, it is clear that the remark in Example 5.13
about the coincidence of the categorical semantics in Set with the usual,
Tarskian semantics of formulas continues to hold in the presence of quantified formulas.
Example 5.20. The prop-category K.I of Example 5.2 also has universal
and existential quantification. Given A Propel x X), suppose A is
represented by the function p : I x X > P(N). Then
and
V/,x (^) can be represented respectively by the functions
defined by
Some calculations with partial recursive functions show that these formulas
do indeed yield the required adjoints, and that they are natural in /. Since
we noted in Example 5.15 that K.I has Heyting implications, the Frobenius
reciprocity condition (5.10) holds automatically.
Example 5.21. The prop-category Cpo of Example 5.3 possesses natural right adjoints to pulling back along projections: they are given just
as for Set by the formula (5.11), since this is an inclusive subset when
A is. Cpo also possesses left adjoint to pulling back along projections:
VI x(A) is given by the smallest inclusive subset of I containing {i E I \
3x & X.(i,x) 6 A} (i.e. by the intersection of all inclusive subsets containing that set). However, these left adjoints do not satisfy the Beck-Chevalley
condition (5.7). For if this condition did hold, for any i 6 / we could apply it with I' a one-element w-cpo and / : /' > I the function mapping
the unique element of /' to i, to conclude that i V/,x(^) ^ anc^ on'y if
(i,x) E A for some x X. In other words, the set in (5.11) would already
be inclusive when A is inclusive. But this is by no means the case in general.
(For example, consider when / is the successor ordinal LJ+ and X is the
discrete w-cpo with the same set of elements. Then A = {(m,n) \ m < n}
is an inclusive subset of I x X, but (5.11) is u, which is not an inclusive
subset of w + .)
Thus the prop-category Cpo has universal quantification, but not existential quantification.
Categorical logic
93
Fig. 8. 'Adjoint' rule for equality
5.6
Equality
We have seen that the categorical semantics of the prepositional connectives and quantifiers provides a characterization of these logical operations
in terms of various categorical adjunctions. In this section we show that,
within the context of first-order logic, the same is true of equality predicates. (As with so much of categorical logic, this observation originated
with Lawvere [1970].) The formation rule for equality formulas is
Natural deduction rules for introducing and eliminating such formulas are
given in Fig. 7 (cf. [Nordstrom et ai, 1990, Section 8.1]). The usual properties of equality, such as reflexivity, symmetry, and transitivity, can be
derived from these rules. It is not hard to see that modulo the structural
rules of Fig. 2, the natural deduction rules are interderivable with an 'adjoint' formulation given by the bidirectional rule of Fig. 8.
Suppose C is a prop-category with finite meets. To interpret equality
formulas whilst respecting the structural rules (Weaken) and (Subst) of
Fig. 2, for each C-object X we need a C-property
so that we can define
94
Andrew M. Pitts
Given the definition of satisfaction of sequents in section 5.3, for the soundness of (=-Adj) we need
for all C-objects I,X and all C-properties A 6 Propc(I x X) and B

Propc(I x (X x X ) ) . Here AX is the diagonal morphism (idx,idx) '
X > X x X, and TTI and 7r2 are the product projections X x X > X
andl x(X xX) > X x X.
Condition (5.12) says that for each A Propc(I x X), the value of the
left adjoint to (idj x AX)* exists at A and is equal to (idi x ni)*(A) A
In particular, taking / to be the terminal object in C and A =
we have that Eqx is the value of the left adjoint to Ax at the top
element Tx Propc(X), i.e.
for all B Propc(X x X). Note that the C-properties Eqx are uniquely
determined by this requirement.
Definition 5.22. Let C be a prop-category with finite meets. We say that
C has equality if for each C object X, the value Eqx of the left adjoint to
Ax at the top element Tx 6 Propc(X) exists and satisfies (5.12)
Thus we have shown that if C is a prop-category with finite meets and
equality, then the sequents that are satisfied by a structure in C are closed
under the equality rules in Fig. 7.
Remark 5.23. In fact when C also has Heyting implications and universal
quantification, then property (5.12) is automatic if Eqx exists satisfying
(5.13). This observation corresponds to the fact that in the presence of
implication and universal quantification, the rule (=-Adj) is interderivable
with a simpler rule without 'parameters':
Example 5.24. The prop-category Set of Example 5.2 has equality. Since
we have seen in previous sections that Set has implication and universal
quantification, by Remark 5.23 it suffices to establish the existence of the
left adjoint to Ax at TX- But for this, clearly we can take Eqx C X x X
to be the identity relation {(x,x) \ x . X}.
Similarly for the prop-category kl of Example 5.4: since it has implication and universal quantification, to see that it also has equality we just
have to verify (5.13). This can be done by taking taking Eqx to be the
kl-property represented by the function 6X : X x X P(N) defined by
Categorical logic
95
Example 5.25. We saw in Example 5.14 that prop-category Cpo does

not have Heyting implications. Hence condition (5.12) is not necessarily
implied by the special case (5.13) in this case. Nevertheless, we can satisfy
(5.12) by taking each Eqx to be the inclusive subset {(x,x) \ x X} of
the w-cpo X x X. Thus Cpo does have equality.
Example 5.26. Let C be a category with finite limits, made into a propcategory (with finite meets) as in Example 5.5. Then C has equality, with
Eqx the subobject of X x X represented by the diagonal monomorphism
AX = (idx, idx)- Note that in this case, definition (5.11) implies that the
interpretation [(M =ff M')[F]J of an equality formula is the subobject of
[F] represented by the equalizer of the pair of C-morphisms
.
Remark 5.27 (Generalized quantifiers). Suppose that C is a propcategory with finite meets, Heyting implications, and both universal and
existential quantification. Then not only do the adjoints
but in fact for any C morphism / : X > Y, the monotone function
/* : Propc(Y) > Propc(X) has both left and right adjoints, which will
be denoted V/ and A/ respectively. Indeed, for B Propc(Y) we can
define
It is easier to see what these expressions mean and to prove that they
have the required adjointness properties if we work in a suitable internal
language for the prop-category C. The signature of such an internal language is like that discussed in section 2.3, but augmented with relation
symbols R C X1 x x Xn for each C-property R Propc(Xi x x Xn)
(for each tuple of C-objects Xi, . . . ,Xn). Using the obvious structure in
C for this signature, one can describe C-properties using the interpretation
of formulas over the signature; and relations between such C-properties
can be established by proving sequents in the predicate calculus and then
appealing to the soundness results we have established.
From this perspective Vf and Af are *ne interpretation of formulas
that are generalized quantifiers, adjoint to substitution:
96
Andrew M. Pitts
The adjointness properties
can be deduced from the fact that the following bidirectional rules are
derivable from the natural deduction rules for &, =>, 3, V, =:
We required the adjoints V/ x( = V* ) an<^ A/ x( = AT ) to be natural

in / in order to model the interaction between quantification and substitution correctly. More generally, the adjoints \J , and f\f enjoy stability
properties reflecting the interaction of the generalized quantifiers with substitution on their parameters. These stability conditions are all instances
of what Lawvere [1969] termed Beck-Chevalley conditions. In general, if
is a commutative square in C, then we say that the left adjoints to the

pullback functions satisfy a Beck-Chevalley condition for the above square
if g*\/li = \lfh\
Note that h*k* = f*g* (since kh = gf), idw < k*\Jk
(since \Vk is left adjoint to k*), and Vff* < idy (since Vf IS left adjoint
to /*); so
So the Beck-Chevalley Condition amounts to requiring the other inequality: <7*V'k V/'1*- Dually, #*Afc ^ A/'1* holds automatically and the
right adjoints are said to satisfy a Beck-Chevalley condition for the above
square if the reverse inequality holds, so that g*/\k = A/'1*- With this terminology, it is the case that in a prop-category with finite meets, Heyting
implications, and quantification, the left and right adjoints to the pullback
operations satisfy the Beck-Chevalley condition for certain commutative
Categorical logic
97
squares which (by virtue of the finite products in C) are pullback squares.
These are the squares of the form
If the underlying category of C has all pullbacks, obviously a sufficient

condition to ensure the adjoints to the pullback functions satisfy these
stability conditions is that the Beck-Chevalley condition holds for all pullback squares. (And in fact this holds for the left adjoints if and only if it
holds for the right adjoints.) This is the case for the prop-categories Set
and KI of Examples 5.2 and 5.4.
Remark 5.28. The version of predicate logic we have described here is
somewhat unusual in that it has both equality judgements (M = M' : a [F])
and equality formulas (M =CT M'), the latter occurring as a constituent of
sequent
judgments.
Using the rule (Subst) from Fig. 2 and the
rule (=-Intro) from Fig. 7, one can derive the following rule connecting the
two forms of equality:
However, for the converse of this rule to be satisfied in a prop-category with

equality it would have to be the case, for any parallel pair of C-morphisms
/,/' : I X, that if T/ = (f,f')*(Eqx) then / = /'. This condition
holds for the examples given in this section, but not in general. (For example, consider a 'degenerate' prop-category whose underlying category is
the category of sets and functions and whose poset of properties at each
set is the trivial, one-element poset.)
5.7
Completeness
Let Th be a theory whose sequent axioms may involve the prepositional

connectives, quantifiers, and equality. The theorems of such a theory are
those judgements that can be derived from the axioms using the rules in
Figs 2, 3, 5, and 7, together with the rules for equational logic given in
section 2.1.
Given a prop-category C possessing finite meets, finite joins, Heyting
implications, quantification, and equality, a categorical model for Th in C
consists of a structure for the signature of the theory with the property that
each of the theory's axioms is satisfied by the structure. The soundness of
98
Andrew M. Pitts
the categorical semantics implies that every theorem of the theory is also
satisfied by such a model. Conversely, the categorical semantics is complete,
in the sense that a judgement over the signature of a given theory is a
theorem if it is satisfied by all models of the theory in prop-categories with
finite meets, finite joins, Heyting implications, quantification, and equality.
This completeness is an easy corollary of the stronger result that, given
Th, there is a 'classifying' prop-category C l ( T h ) containing a 'generic'
model G, which is, in particular, a structure that satisfies a sequent (or
an equation) if and only if it is a theorem of Th. This classifying propcategory can be constructed via an extension of the 'term-model' construction discussed in Section 4. The underlying category of the prop-category
C l ( T h ) is constructed just as in section 4.2: its objects are a-equivalence
classes of contexts F, and its morphisms are equivalence classes of context
morphisms under provable equality in Th.
Then for each object F we define the poset of Cl(Th)-properties of F as
follows. Its underlying set is the quotient
where the equivalence relation (f> ~ Th <f>' holds if and only if both <j> (- <$>' [F]
and $ h (j) [F] are theorems of Th. The partial order on -Prop^f T/I) (F) is
that induced by Th-provable entailment: A < A' holds if and only if for
some (indeed, any) formulas <> and 4>' representing the equivalence classes
A and A' respectively,
is a theorem of Th.
To complete the definition of the prop-category structure (cf. Definition 5.1), we have to define the action of pulling back a C(Th)-property
along a morphism. This is induced by the operation of substituting terms
for variables in formulas. Given A Propcl(Th) (F) and 7 : F' > F with
The properties of monotonicity and functoriality of ()* in Definition 5.1

are easily verified (using the definition of identities and composition in
Cl( Th) given in section 4.2.)
Proposition 5.29. The classifying prop-category Cl(.( Th) has finite meets,
finite joins, Heyting implication, universal and existential quantification,
and equality.
Categorical logic
99
Proof. The prepositional operations are induced by the corresponding logical connectives. Thus for any object F and Cl( Th)-properties A = [] and
A1 = [<f>'] of T, we have:
Similarly, quantification is induced by the corresponding operation on

formulas. Thus if A = [4>] Proper/I) (^ x F), so that (j>prop [A,F], then
if F = [xi :CTI, . . . , xn : <7n] say.

Finally, for each object F = [x\ : a\ , . . . , xn : crn], the equality property
EqT 6 Prop(T x F') can be represented by the formula
where the variables x1 , . . . , x'n are chosen to be distinct from x1 , . . . , xn

(and each other).
Turning now to the generic model G of Th in Cl(Th), its underlying
structure is defined for the types and function symbols of Th as in section 4.2, and for relation symbols R C <, . . . , a n by
G[R] = [R(x1, . . . , xn)] Prop ce(Th) ([x1 : TI , . . . , xn : an])Extending the properties of G on types, terms and equations given in
Lemma 4.5, we also have the following properties for formulas and sequents.
Lemma 5.30. The structure G has the following properties.
(i) If prop [F], then the interpretation G[0[F]] Propcl(Tht)(F) of the
formula </> in the structure G is just the C l ( T h ) -property represented
by the formula
(ii) $ h i[> [F] is a theorem of Th if and only if
In other words, G satisfies a sequent just if it is a theorem of Th. In

particular, G satisfies the axioms of Th and hence is a model of Th.
100
Andrew M. Pitts
Corollary 5.31 (Completeness). A judgement over the signature of a

given theory is a theorem if it is satisfied by all models of the theory in
prop-categories with finite meets, finite joins, Heyting implications, quantification, and equality.
Stronger forms of completeness hold with models of Th restricted to
particular classes of prop-category. For example, Kripke's completeness
theorem for intuitionistic predicate logic (see [Dummett, 1977, Chapter 5])
can be paraphrased in category-theoretic terms as asserting the completeness of the collection of prop-categories of the kind given in Example 5.5,
but with the category C restricted to be a category of set-valued presheaves
on a poset.
Remark 5.32. The classifying prop-category C l ( T h ) and the generic algebra G of a predicate theory have a universal property analogous to that
given for algebraic theories in Theorem 4.6 (but with respect to a suitable
notion of morphism of prop-categories). This universal property forms the
basis of an equivalence between theories in predicate logic (and translations
between them) and suitably structured prop-categories (and morphisms between them)cf. Section 4.3.
Dependent types
This section considers the categorical semantics of type theories involving

types that depend upon terms. Martin-Lof's type theory (see [Nordstrom
et a/., 1990]) provides an example of such a system, as does the GirardReynolds second-order lambda calculus (see [Girard, 1989]). Here we will
just consider a fundamental example, namely the dependently typed analogue of the algebraic theories of section 2. So types and terms will be built
up from a signature of function symbols which now may be type-valued as
well as term-valued. Once one has explained the categorical framework
corresponding to such dependently typed algebraic theories,1 one can use it
systematically to describe the categorical structure needed for any particular dependently-typed datatype constructormuch as we did for simple
types in section 3. We will just consider a single example of this, namely
the categorical semantics of dependent products in section 6.5.
Several different, but interconnected, categorical structures have been
proposed for interpreting the basic framework of dependent types by Seely
[1984], Cartmell [1986], Taylor [1999], Ehrhard [1988], Streicher [1989;
1991], Hyland and Pitts [1989], Obtutowicz [1989], Curien [1989], and Jacobs [1999]. This reflects the fact that the categorical interpretation of
dependent types is undoubtedly more complicated than the other varieties
of categorical logic explained in this chapter. This is due to the structural
'Cartmell [1986] calls such theories 'generalized algebraic'.
Categorical logic
101
complications implicit in the logic. One complication is that in general

one must consider the satisfaction of equations not only between terms
(of the same type) but also between types. Another complication is that
proofs of well-formedness of expressions cannot be separated from proofs of
equality, and are by no means unique. If one assigns meanings to expressions by induction on the derivation of their well-formedness, one therefore
has to take care that the meaning is independent of the particular derivation. Early accounts [Seely, 1984] of the categorical semantics of dependent
types tended to gloss over this point. Here we will take a more careful, but
necessarily more complicated approach using an adaptation of Cartmell's
notion of 'category with attributes'a simplified version of the 'contextual categories' he uses in [Cartmell, 1986]. Categories with attributes are
categories equipped with some extra structure for interpreting (dependent)
types: accordingly we adopt (in Definition 6.9) the rather more compact
terminology of 'type-categories' for the categorical structure we use.
In order to motivate the notion of type-category, we will reverse the pattern set by sections 2 and 4: having described the syntax, we will organize
it into a category just as in section 4.2, and see how the extra structure
needed for a type-category emerges. We then give the interpretation of
the syntax in a general type-category. The soundness of the interpretation
(Theorem 6.20) relies on some 'strictness' conditions built into the definition of type-category to avoid the potential difficulties mentioned above to
do with multiple proofs of well-formedness of judgements. The wide range
of examples of type-categories which we give shows that these strictness
conditions are not restrictive in practice. Without them one must resolve
quite complicated coherence problems: see [Curien, 1990].
6.1
Syntactic considerations
We will continue to make use of the simply typed metalanguage introduced

at the beginning of Section 3, with ground arities TYPES and TERMS. We
assume given a signature, Sg, consisting of collections of meta-onstants
s : TERMS - TYPES, called n-ary type-valued function symbols
F : TERMS - TERMS, called n-ary term-valued function symbols
for each number n. The raw2 expressions of the object language over Sg
are then the metaexpressions built up from the symbols in Sg and a fixed,
countably infinite set Var = {vi, v-2,. } of metavariables of arity TERMS.
In particular, the raw types over Sg are metaexpressions of arity TYPES
and the raw terms over Sg are metaexpressions of arity TERMS. (The
algebraic signatures of section 2.1 also contained typing information for
the function symbols. The analogous information here will be given as
part of the axioms of a dependently typed algebraic theory, rather than as
2
The adjective 'raw' is used to emphasize that not all expressions will be 'well-formed'
in the technical sense to be explained.
102
Andrew M. Pitts
part of its underlying signature.) Throughout section 6, Sg will denote a

fixed signature in the above sense.
Definition 6.1. As before, a context, F, is a finite list F = [xi : a1,..., xn :
an] of (variable, type) pairs, but now subject to the following conditions
on variables: for each i = 1,..., n,
var((?i) C {xi,...,Xi-i}
and z,- g {z1;.. .,xt-i}
where var(e) denotes the (finite) set of variables occurring in the expression
e. Thus the variables Xi are distinct and each type <r, only involves variables
which have already been listed in the context. Notational conventions
for contexts will be as in section 2.1; in particular, [] denotes the empty
context.
The variant of dependently typed equational logic that we are going to
describe contains rules for deriving a number of different forms of judgement, set out in Table 1. The 'secondary'judgement forms are so-called because they are in fact expressible in terms of the primary forms, modulo the
rules for dependently typed equational logic given below (cf. Remark 6.4).
Definition 6.2. A dependently typed algebraic theory , Th, over the signature sg is specified by the following data.
For each type-valued function symbol s, a judgement
s(x) type [Ts]
called the introductory axiom of s. Here x is the list of variables of
the context Fs, and must have length n when s has arity TERMS -
TYPES. Ts lists the types of the argument to which s may be applied.
For each term-valued function symbol F, a judgement
called the introductory axiom of F. Once again, x is the list of variables of the context fy, and must have length n when F has arity
TERMS - TERMS. FF lists the types of the arguments to which
F may be applied, and F gives the type of the result (which may
depend upon those arguments).
A collection of judgements of the form M = M' : a [F], called the
term-equality axioms of Th.
A collection of judgements of the form a = a' [F], called the typeequality axioms of Th.
Given such a theory, the theorems of Th are the judgements which are
provable using the rules shown in Figs 9 and 10. In the rules, x is the
Categorical logic
103
Table 1. Forms of judgement

(F and F" are contexts, a and a' are raw types, M and M' are raw terms,
and y and y' are finite lists of raw terms.)
Judgement
Intended meaning
Restriction
Primary forms
a type [T]
'a is a well-formed type in

context F'
var(a) C var(T)
M : a [F]
'M is a well-formed term

of type a in context F'
var(M, a) C var(F)
a = a' [F]
'cr and a1 are equal

(well-formed) types in
context F'
ivar(cr, a') C t>var(F)
M = M' : 7 [F]
'M and M' are equal

(well-formed) terms of
type a in context F'
var(M,
M', ) C var(F)
Secondary forms
F ctxt
7 : F->T'
T is a well-formed
context'
'7 is a context morphism var(y) C var(F)
from F to F"
F = F'
T and F' are equal (wellformed) contexts'
F and F' of equal length
7 = 7': F->F'
'7 and 7' are equal context

morphisms from F to F"
var(7,7') C var(T) and

7, 7', and F' of equal
length
104
Andrew M. Pitts
Contexts
Context morphisms
Fig. 9. General rules
Categorical logic
ctxt
(s has introductory axiom s(x) type [Tg])
s(x) type [T
aF type [IV]
F(x) : aF
105
(F has introductory axiom F(x) : aF [IV])
M :CT[F] M' : a [F]
M = M' : a [T]
(M = M' : a [F] is a term-equality axiom)
a type [F] a' type [F]
(a = a1 [F] is a type-equality axiom).
Fig. 10. Rules for axioms

list of variables of context F and x' is the list of variables of context F';
and supposing 7 = [M\,..., Mn] and x = [x\,..., xn], then a[^/x\ denotes
the result of simultaneously substituting the term M, for the variable Xi
in the type a. In reading the rules, it should not be forgotten that we
only consider contexts which are well-formed, in the sense of satisfying the
conditions on variables mentioned in Definition 6.1. Thus for example, in
the rule for deriving [T,x : a], it is necessarily the case that x is distinct
from the variables in F.
The rules in Fig. 9 are general rules for dependently typed equational
logic, whereas those in Fig. 10 relate to the particular axioms of Th. Note
that these rules for using the axioms of Th do have hypotheses: if the
hypotheses of such a rule are never satisfied, then we can never make use
of the axiom.
Definition 6.3. We will say that a dependently typed algebraic theory Th
is well-formed if all of the hypotheses of the rules for introducing axioms
are provable from the rules in Figs 9 and 10. (In this case each of the
axioms is indeed a theorem of Th.)
Remark 6.4. The form of judgement ' 7 : FF'' is not usually made
explicit in presentations of theories of dependent types. We have chosen
to make it a 'first-class' judgement form because it permits a conceptually
clear and concise formulation of the substitution rules, and because it will
play a key role in the definition of the classifying category of a dependently
typed algebraic theory in the next section. However, it is easy to see from
the rules in Fig. 9 that this form of judgement, along with the forms 'y =
7' : F>F" ', T ctxt ' and T = F' ', are all equivalent to finite conjunctions
of instances of the forms 'a type [T]', 'M : a [F]', 'a = a' [F]', and
'M = M' :o- [F]'.
106
Andrew M. Pitts
Example 6.5. The theory of categories provides an example of a wellformed, dependently typed algebraic theory. The underlying signature is:
obj
hom
Id
Comp
:
:
:
:
TYPES
TERMS2->TYPES
TERMS^TERMS
TERMS5-TERMS.
The axioms are as follows:
where
It is evident from this example that the formal requirement in the introductory axiom of a function symbol (such as that for Comp) that all
variables in the context occur explicitly as arguments of the function is
at variance with informal practice. See [Cartmell, 1986, Section 10] for a
discussion of this issue.
Remark 6.6 (Substitution and Weakening.). A general rule for substituting along a context morphism is derivable from the rules in Figs 9
and 10, viz.
Categorical logic
107
where J is one of the four forms 'e type', 'e = e", 'e : e", or 'e = e' : e"\
and y is the list of variables in T'. A special case of this is a general derived
rule for weakening contexts:
The rules for substitution in Fig. 9 also have as special cases forms which
correspond more closely to the substitution rule (2.9) for simply typed
equational logic, viz:
6.2
Classifying category of a theory
We are now going to construct a category, C l ( T h ) , out of the syntax of

a dependently typed algebraic theory Th. In fact the construction is essentially just as in section 4.2. More accurately, the construction in that
section is the special case of the one given here when the theory has only
0-ary type-valued function symbols.
We will use the following terminology with respect to the judgements
which are theorems of Th. Say that F is a Th- context if the judgement
[F] ctxt is a theorem of Th; say that Th-contexts F and F' are Th-provably
equal if the judgement F = F' is a theorem of Th; say that 7 : F-F' is a
morphism of Th-contexts if the judgement 7 : F-F' is a theorem of Th;
and finally, say that two T7i-context morphisms are Th-provably equal if
7 = 7': F-^F' is a theorem of Th.
Objects of C l ( T h ) . The collection of objects of the classifying category is
the quotient of the set of Th-contexts by the equivalence relation of being
7h-provably equal. This definition makes sense because the following rules
are derivable from those in Figs 9 and 10:
We will tend not to distinguish notationally between a Th-context and the

object of Cl( Th) that it determines.
Morphisms of C l ( T h ) . Given two objects in Cl(Th), represented by Thcontexts F and F' say, the collection of morphisms in the classifying cat-
108
Andrew M. Pitts
egory from the first object to the second is the quotient of the set of Thcontext morphisms F-F' by the equivalence relation of being Th-provably
equal. This definition makes sense because the following rules are derivable
from those in Figs 9 and 10:
We will tend not to distinguish notationally between a Th-context morphism and the morphism of Cl ( Th) which it determines.
Composition in Cl(Th).
Given context morphisms 7 : F>T' and 7' :

define
tion 7' o 7 : F->T" just as in section 4.2, viz.
The derived rules for substitution mentioned in Remark 6.6 can be used to
show that the following derived rules for composition are valid.
From these rules it follows that a well-defined and associative operation of

composition is induced on the morphisms of the classifying category. The
identity morphisms for this composition are induced by the identity context
morphisms idr ' F>F, which are defined just as in section 4.2:
where x 1 , . . . , xn are the variables listed in F. These context morphisms do

induce morphisms in Ct( Th) which are units for composition because the
following rules are derivable:
Categorical logic
109
This completes the definition of Cl( Th) as a category. We now move

on to examine what extra categorical structure it possesses.
6.3
Type-categories
For a simply typed algebraic theory, we saw in section 4 that the relevant
categorical structure on the corresponding classifying category was finite
products. Here it will turn out to be the more general3 property of possessing a terminal object and some pullbacks. To explain which pullbacks,
we identify a special class of morphisms in the classifying category of Th.
Definition 6.7. If F is a Th-context, the collection of T-indexed types in
Cl( Th) is defined to be the quotient of the set of types a such that a type [F]
is a theorem of Th, with respect to the equivalence relation identifying a
and a1 just if a = a1 [F] is a theorem of Th. As usual, we will not make
a notational distinction between a and the F-indexed type it determines.
Each such F-indexed type has associated with it a projection morphism,
represented by the context morphism
Here x1,... ,xn are the variables listed in F, and x is any other variable.
Note that the object in C l ( T h ) represented by [F,a; : a] and the morphism
represented by a are independent of which particular variable x is chosen.
Lemma 6.8. Given a morphism 7 : F' F in Cl( Th) and a T-indexed
type represented by a, then
is a pullback square in CL( Th) .

Proof. Suppose we are given 7' : F"->F' and 7" : F"-[r, x : a] in CL( Th)
satisfying 7 o 7' = na o 7" : F"->F. We have to prove that there is a unique
3
Since finite products can be constructed from pullbacks and a terminal object.
110
morphism
Andrew M. Pitts
satisfying
and
Now since
, we must have that the list of terms
7" is of the form
for some term N for which
is a theorem of Th. Now since
(where x1 is the
list of variables in F'), we get a morphism
satisfying
and
as required. If 6' : F">[!", x' : &[j/x\] were any other such morphism, then
from the requirement
' we conclude that the list 6' is of the
f o r m ; and then from the requirement
we conclude
further that
The above lemma motivates the following definition, which is essentially

Cartmell's (unpublished) notion of 'category with attributes'.
Definition 6.9. A type-category, C, is a category possessing a terminal
object, 1, and equipped with the following structure:
For each object X in C, a collection Typec(X), whose elements will
be called X -indexed types in C.
For each object X in C, operations assigning, to each X-indexed type
A an object X K A, called the total object of A, together with a
morphism
led the projection morphism of A.

For each morphism / : Y X in C, an operation assigning to each
X -indexed type A, a, Y indexed type f*A, called the pullback of A
Categorical logic
along X, together with a morphism
making the following a pullback square in the category C:
111
A
In addition, the following strictness conditions will be imposed on

these operations:
Notation 6.10. If C is a type-category and X is a C-object, then as usual

C/X will denote the slice category whose objects are the C-morphisms
with codomain X, f : dom(f) l X, and whose morphisms / > f
are C-morphisms g : dom(f) > dom(f') satisfying /' o g = /. Identity
morphisms and composition in C/X are inherited from those in C. Note
that for each A Typec(X), the projection morphism -ITA is an object in the
slice category C/X. So we can make Typec(X) into a category (equivalent
to a full subcategory of C/X) by taking morphisms A > A' to be C/Xmorphisms VA > TT^' (with identities and composition inherited from
C/X).
Proposition 6.11. The classifying category, C l ( T h ) , of a dependently
typed algebraic theory Th is a type-category.
Proof. We identified notions of indexed type and associated projection
morphisms for C l ( T h ) in Definition 6.7 and verified in Lemma 6.8 the
existence of pullback squares of the required form (6.5). The 'strictness'
conditions in Definition 6.9 are met because of the usual properties of
substitution of terms for variables. Finally, note that Cl( Th) does have a
terminal object, namely the (equivalence class of the) empty context []. I
Here are some examples of 'naturally occurring' type-categories.
Example 6.12 (Sets). The category Set of sets and functions supports
the structure of a type-category: for each set X, we can take the ^-indexed
types to be set-valued functions with domain X. Given such a function
A : X ^ Set, the associated total set is the disjoint union
112
Andrew M. Pitts
with projection function ~KA given by first projection (x, a) t- x.

The pullback of A along a function / : F > X is just the composition
def
which indeed results in a pullback square in Set of the required form (6.5)
and satisfying the strictness conditions, with
equal to the function
Note the following property of this example, which is not typical of typecategories in general: up to bijection over X, any function with codomain
X, f : Y > X, can be expressed as the projection function associated with
an indexed type:
Example 6.13 (Constant families). Every category C with finite products can be endowed with the structure of a type-category, in which the
indexed types are 'constant families'. For each object X in C, one defines Typec(X) to be Objc, the class of all objects of C. The associated
operations are
Given / : Y > X in C and A Typec(X) = Objc, the pullback F-indexed

type f*A is just the object A itself and the morphism
X x A is / x id A- This does yield a pullback square in C, viz.
and these pullbacks do satisfy the strictness conditions in Definition 6.9.

When a category with finite products is regarded as a type-category in this
way, the categorical semantics of simply typed algebraic theories given in
section 2 becomes essentially a special case of the semantics of dependently
typed theories to be given below.
Example 6.14 (Toposes). The following example is given for readers
familiar with the notion of topos (see the references in section 7). One
Categorical logic
113
can make each topos into a type-category as follows. First note that is
indeed a category with a terminal object. For each object X e Obj, define
Type (X) to consist of all pairs (A, a) where A 6 Obj and a : X x A fi.
Here fi denotes the codomain of the object classifier of , T : 1 > fl.
Given such an X-indexed type, the total object X x (A, a) is given by
forming a pullback square in E:
brojection
morphism associated to (A, a) is defined by the composition
For any morphism

is defined to be the F-indexed
type
The pullback square (6.5) is obtained as the factorization through (6.6) of the corresponding pullback for a o (/ x id A)Elementary properties of pullback squares ensure that the strictness conditions of Definition 6.9 hold, without the need for any coherence assumptions
on the chosen pullback operations for E. Traditionally, dependently typed
theories have been interpreted in toposes using the locally cartesian closed
structure that they possess, whereby the category Type(X) of X-indexed
types (cf. Notation 6.10) is just the slice category E / X : see [Seely, 1984].
Such a choice for indexed types yields a 'non-strict' type-category structure, in that the strictness conditions of Definition 6.9 have to be weakened by replacing the equalities by coherent isomorphisms. This can lead
to complications in the interpretation of type theory: see [Curien, 1990].
The method of regarding a topos as a type-category given here achieves
the strictness conditions and side-steps issues of coherence. Given that
toposes correspond to theories in intuitionistic higher-order logic (cf. [Bell,
1988], [Mac Lane and Moerdijk, 1992]), this example can form the basis
for interpreting dependently typed theories in higher-order predicate logic:
see [Jacobs and Melham, 1993]. However, Hofmann [1995] has recently
pointed out that using a particular construction of Benabou (for producing
a split fibration equivalent to a given fibration), an arbitrary locally cartesian closed category, E, can be endowed with a more involved notion of
X-indexed type which makes a type-category (supporting the interpretation of product, sum, and identity types) and with T y p e e ( X ) equivalent
to E/X (pseudo-naturally in X).
114
Andrew M. Pitts
Example 6.15 (Split fibrations). Let Cat denote the category of small
categories and functors. We can turn it into a type-category by decreeing
that for each small category, C, the C-indexed types are functors A :
Cop > Cat. The associated total category C x A is given by a construction
due to Grothendieck:
An object of C x A is a pair (X, A), with X an object of C and A
an object of A.(X).
A morphism in C x A from (X, A) to (X1, A') is a pair (x, a), where
x : X > X' in C and a : A > A.(x)(A') in A(X). The composition
of two such morphisms (a;, a) : (X, A) > (X',A') and (a;', a') :
(X1, A') > (X", A") is given by the pair (x1 o x, A(x)(a') o a). The
identity morphism for the object (^",^4) is given by (id x, id A)The projection functor TTA : C K A > C is of course given on both objects
and morphisms by projection onto the first coordinate.
The pullback of the indexed type A : Cop > Cat along a functor
F : D > C is just given by composing A with F, regarded as a functor
Dop > Cop. Applying the Grothendieck construction to A and to A o F,
one obtains a pullback square in the category Cat of the required form, with
F x A : D x (A o F) > C K A the functor which acts on objects and
morphisms by applying F in the first coordinate.
Regarding a set as a discrete category, there is an inclusion between the
type-category of Example 6.12 and the present one. Unlike the previous
example, not every morphism in Cat arises as the first projection of an
indexed type. Those that do were characterized by Grothendieck and are
known as 'split Grothendieck fibrations'. As the name suggests, these are
a special instance of the more general notion of 'Grothendieck fibration'
which would give a more general way of making Cat into a type-category,
except that the 'strictness' conditions in Definition 6.9 are not satisfied. See
[Jacobs, 1999] for more information on the use of Grothendieck fibrations
in the semantics of type theory.
6.4
Categorical semantics
We will now give the definition of the semantics of the types, terms, contexts, and context morphisms of Th in a type-category C. In general,
contexts are interpreted as C-objects, context morphisms as C-morphisms,
and types as indexed types in C. Terms as interpreted using the following
notion of 'global section' of an indexed type.
Definition 6.16. Given an object X in a type-category C, the global sections of an X-indexed type A Typec (X) are the morphisms a : X >
X x A in C satisfying IT A a = idx- We will write
Categorical logic
115
to indicate that a is a global section of the X-indexed type A. For any

morphism / : Y > X, using the universal property of the pullback square
(6.5) we get
fa
is the unique morphism with TT/.^ o /*
and (/ x A) o fa = a o /.
Definition 6.17. Let Sg be a signature as in section 6.1. A structure for

Sg in a type-category C is specified by:
For each type-valued function symbol s, a C-object Xs and an indexed
type As E Typec(Xs).
For each term-valued function symbol F, a C-object Xp, an indexed
type AF Typec(Xp), and a global section ap XF AFSemantics of expressions. Given such a structure, we will define four relations:
where the judgements enclosed by [ J are all well-formed and where X is

a C-object, A Typec(X), a Ex A, and / is a morphism from X' to X
in C. These relations are defined inductively by the rules in Fig. 11. In
the first rule concerning context morphisms, {) : X*l denotes the unique
morphism from X to the terminal object. The two rules concerning the
semantics of variables use the following pairing notation.
Notation 6.18. Referring to the pullback square
h : Z > X x A are morphisms satisfying / o g = KA o h, then
and
will denote the unique morphism satisfying

A) o (g, h} h whose existence is guaranteed by the universal property of
the pullback square. Thus for example, in this notation the global section
fa y /* A referred to in Definition 6.16 is given by the morphism (idy, &
It is clear from the form of the rules in Fig. 11 that the relations they
define are monogenic, in the sense that for a judgement J and categorical
structures E and E', if [J] x E and [J] x E', then E = E' in C. Thus
given a structure for Sg in C, the assignments
116
Andrew M. Pitts
Contexts
Terms
Context morphisms
Fig. 11. Categorical semantics
Categorical logic
117
determine partial functions. We will write

to indicate that these
partial functions are defined at a particular argument J.
Remark 6.19. The case when J is x : T [A] deserves some comment,
since this is the most complicated case in the definition of [J]. The wellformedness of x : T [A] guarantees that x is assigned a type in A, i.e. that
A is of the form [F, x : a, F']. However, the presence of type equality judgements in the logic means that a is not necessarily syntactically identical
to T. This accounts for the presence of the hypotheses concerning r in the
two rules for this case in Fig. 11. The first of these two rules deals with the
case when F' = [ ], and then the second rule must be applied repeatedly to
deal with general F'.
Satisfaction of judgements Next we define what it means for the various
forms of judgement to be satisfied by a structure for Sg in a type-category,
C.
F ctxt is satisfied if and only if [F ctaJtJJJ a type [F] is satisfied if and only if \a type [F]J||..
M : a [F] is satisfied if and only if |M : a [F]|-IJ..
7 : F->F' is satisfied if and only if [7 : F-F']JJ..
F = F' is satisfied if and only if for some (necessarily unique) object
X
[F ctxt\ x X
and [F7 ctxt] x X.
a = a' [F] is satisfied if and only if for some (necessarily unique) object X and ^-indexed type A Typec(X)
{a type [F]I x A [X]
and
[a' type [F]] x A [X].
M = M' : a [F] is satisfied if and only if for some (necessarily unique)

object X, indexed type A 6 Typec(X), and global section a Ex A
IM : a [F]] x a : A [X]
and
[M' : a [F]] x a : A [X].
7 = 7' : F-F' is satisfied if and only if for some (necessarily unique)

morphism / : X' > X in C
17 : F'->r] x / : X'-*X
and [7' : F'->F] x / : X'-tX.
Suppose Th is a dependently typed algebraic theory. A model of Th

in a type-category, C, is a structure in C for the underlying signature of
118
Andrew M. Pitts
Th with the property that the collection of judgements satisfied by the

structure is closed under the rules for the axioms of Th given in Fig. 10.
Theorem 6.20 (Soundness). The collection of judgements that are satisfied by a structure in a type-category, C, is closed under the general rules
of dependently typed equational logic given in Fig. 9. Consequently, a model
inC of a dependently typed algebraic theory, Th, satisfies all the judgements
which are theorems of Th.
Much as with the corresponding result for simply typed equational logic,
the key tool used in proving the above theorem is a lemma giving the
behaviour of substitution in the categorical semantics:
Lemma 6.21 (Semantics of substitution). Suppose that
Then
The generic model of a well-formed theory. Suppose that Th is a dependently typed algebraic theory that is well-formed, in the sense of Definition 6.3. Then the classifying category C l ( T h ) contains a structure, G, for
the underlying signature of Th. G is defined as follows, where we use a
notation for the components of the structure as in Definition 6.17.
The well-formedness of Th implies that for each type-valued function
symbol s, with introductory axiom s(x)type [Fs] say, Fs is a ITi-context and
hence determines an object Xs of Cl( Th). Then define the X s -indexed type
AS 6 TyPecl(Th)(-^s) to be that represented by s(x) (which is a Fs-indexed
type because s(x) type [Fs] is a theorem of Th).
For each term-valued function symbol F with introductory axiom F(x) :
VF [TF],the well-formedness of Th implies that up type \Tp] is a theorem of
Th. Hence F is a Th-context and hence determines an object
ofCl(Th). Then define the XF-indexed type AF T y p e c l ( T h ) ( X F )to be
that represented by the Ff-indexed type
, and define the global section
to be the morphism
represented
by the Th-context morphism
The structure G has the following properties:
For each judgement F ctxt and Cl(Th)-object X, the relation [F] x X
holds if and only if F ctxt is a theorem of Th and X is the object of
C l ( T h ) represented by F.
For each judgement a type, [F], each object X and each X-indexed
type A e Typece^Th-)(X), the relation [a type [F]J x A [X] holds if
and only if a type [F] is a theorem of Th, X is the object of C l ( T h )
represented by F, and A is the X"-indexed type represented by a.
Categorical logic
119
For each judgement M : a [F], each object X and each X-indexed

type A Typec^Th)(X), and each global section a Ex A, the relation
[M : a [F]] x a A [X] holds if and only if X is the object of
Ci( Th) represented by F, A is the X-indexed type represented by a,
and a is the global section represented by the Th-context morphism
An equality judgement is satisfied by G if and only if it is a theorem
of Th.
Thus G is a model of Th and a judgement is satisfied by this model if
and only if it is a theorem of Th.
Remark 6.22. The classifying type-category Cl( Th) and the generic model
G of a well-formed, dependently typed algebraic theory Th have a universal
property analogous to that given for algebraic theories in Theorem 4.6, with
respect to a suitable notion of morphism of type-categories. To go further
and develop a correspondence between dependently typed algebraic theories and type-categories along the lines of section 4.3, one has to restrict to
the subclass of 'reachable' type-categories. For note that an object X in
a type-category C can appear as the interpretation of a context only if for
some n > 0 there is a sequence of indexed types
with
Call C reachable if there is such a sequence for
every C-object. Every classifying category has this property. Conversely
if C is reachable, then it is equivalent to Cl( Th) for a theory in a suitable
'internal language' for C (cf. section 2.3).
6.5
Dependent products
The categorical framework corresponding to dependently typed equational

logic that we have given can be used to infer the categorical structure
needed for various dependently typed datatype constructorsmuch as we
did for simple types in section 3. We will just consider one example here,
namely the structure in a type-category corresponding to dependent products. The formation, introduction, elimination, and equality rules for dependent product types are given in Fig. 12. Equality rules for both B- and
n-conversion are given. There are also congruence rules for the constructors
II, A, and ap, which we omit (cf. Remark 3.3).
If C is a type-category, the existence of the pullback squares (6.5) allows
us to define a functor between slice categories
given by pullback along if A ' X x A > X :
120
Andrew M. Pitts
Fig. 12. Rules for dependent product types
(This definition makes use of the pairing notation introduced in Notation 6.18.) Symmetrically, there is a functor
induced by pullback along
Definition 6.23. A type-category C has dependent products if for each

there
type
and a morphism in Typec(X tx. A)
Categorical logic
121
satisfying the following:

Adjointness property. ^n(A,A') ' X x 11(^4, A') > X is the value of
the right adjoint to the pullback functor (6.7) at TTA> ' X x A x A' >
X x A, with counit apA A,. In other words, for any / : Y X in C
and g :
there is a unique morphism in
C/X
satisfying
Strictness property.
For any morphism
Here /* and (f x .A)* are instances of the pullback functors (6.8).

To specify the categorical semantics of dependent product types in such
a type-category, we give rules extending the inductively defined relation of
section 6.4:
Formation
Introduction
Note that the conclusion of this rule is well-formed if the hypotheses are.
For if a' &XKA A', then a'
so we can apply the adjointness property from Definition 6.23 to form
cur(o') : idx > ^n(A>i')' wmch is, in particular, a global section of
H(A,A').
Elimination
If the hypotheses of this rule are well-formed, then a Ex A and b x

H(A,A'),
Since
122
we
Andrew M. Pitts
can use
the pairing operation of Notation
6.18 to form
Since by definition
and
a, we get a morphism (a, b) :

hence by composition a morphism
pairing operation yields a morphism
whose composition with

' is idx and hence which is a global section
of a" A'. Thus the conclusion of the above rule is well-formed when its
hypotheses are.
With these rules we can extend Theorem 6.20 to include dependent
product types.
Theorem 6.24 (Soundness). Defining satisfaction of judgements as in
section 6.4, it is the case that the collection of judgements satisfied by a
structure in a type-category with dependent products is closed under the
rules in Fig. 12 (as well as the general rules of Fig. 9).
Thus the structure of Definition 6.23 is sufficient for soundly interpreting dependent products. On the other hand it is necessary, in the sense
that Proposition 6.11 can be extended as follows:
Proposition 6.25. If Th is a theory in dependently typed equational logic
with dependent product types, then the classifying category C l ( T h ) constructed in section 6.2 is a type-category with dependent products.
Proof. Referring to Definition 6.23, to define (6.9) find judgements
that are theorems of Th and such that X, A, and A' are the equivalence
classes of F, a, and o-'(x), respectively. Then take 11(^4,^4') to be the Findexed type determined by
. This definition is independent of the
choice of representatives. The morphism (6.10) is that represented by the
Th-context morphism
Since,
this does indeed induce a morphism of the required kind; and once again the definition of apAA, is independent of the choice of representatives.
The adjointness property required for 11(^4, ^4') can be deduced from the
equality rules in Fig. 12, and the stability property follows from standard
properties of substitution.
Categorical logic
123
Further reading
This section lists some important topics in categorical logic which have not
been covered in this chapter and gives pointers to the literature on them.
Higher-order logic The study of toposes (a categorical abstraction of key
properties of categories of set-valued sheaves) and their relationship to set
theory and higher order logic has been one of the greatest stimuli of the
development of a categorical approach to logic. [Mac Lane and Moerdijk,
1992] provides a very good introduction to topos theory from a mathematical perspective; [Lambek and Scott, 1986, Part II] and [Bell, 1988]
give accounts emphasizing the connections with logic. The hyperdoctrine
approach to first-order logic outlined in section 5 can be extended to higherorder logic and such higher-order hyperdoctrines can be used to generate
toposes: see [Hyland et al, 1980], [Pitts, 1981,1999] and [Hyland and Ong,
1993].
Polymorphic lambda calculus Hyperdoctrines have also been used successfully to model type theories involving type variables and quantification
over types. [Crole, 1993, Chapters 5 and 6] provides an introduction to the
categorical semantics of such type theories very much in the spirit of this
chapter.
Categories of relations Much of the development of categorical logic has
been stimulated by a process of abstraction from the properties of categories
of sets and functions. However, categorical properties of sets and binary
relations (under the usual operation of composition of relations) have also
been influential. The book by Preyd and Scedrov [1990] provides a wealth
of material on categorical logic from this perspective.
Categorical proof theory Both Lawvere [1969] and Lambek [1968] put forward the idea that proofs of logical entailment between propositions,
may be modelled by morphisms,
in categories. If one is only
interested in the existence of such proofs, then one might as well only
consider categories with at most one morphism between any pair of objects, i.e. only consider pre-ordered sets. This is the point of view taken in
section 5. However, to study the structure of proofs one must consider categories rather than just pre-orders. Lambek, in particular, has studied the
connection between this categorical view of proofs and the two main styles
of proof introduced by Gentzen (natural deduction and sequent calculus),
introducing the notion of multicategory to model sequents in which more
than one proposition occurs on either side of the turnstile,
: see [Lambek, 1989]. This has resulted in applications of proof theory to category
theory, for example in the use of cut elimination theorems to prove coherence results: see [Mine, 1977], [Mac Lane, 1982]. In the reverse direction of
applications of category theory to proof theory, general categorical machinery, particularly enriched category theory, has provided useful guidelines
124
Andrew M. Pitts
for what constitutes a model of proofs in Girard's linear logic (see [Seely,
1989], [Barr, 1991], [Mackie et al., 1993], [Bierman, 1994]); for example,
in [Benton et al., 1993], such considerations facilitated the discovery of a
well-behaved natural deduction formulation of intuitionistic linear logic.
Categorical combinators The essentially algebraic nature of the category
theory corresponding to various kinds of logic and type theory gives rise to
variable-free, combinatory presentations of such systems. These have been
used as the basis of abstract machines for expression evaluation and type
checking: see [Curien, 1993], [Ritter, 1992].
References
[Backhouse et al, 1989] R. Backhouse, P. Chisholm, G. Malcolm, and
E. Saaman. Do-it-yourself type theory. Formal Aspects of Computing,
1:19-84, 1989.
[Barr, 1991] M. Barr. *-autonomous categories and linear logic. Math.
Structures in Computer Science, 1:159-178, 1991.
[Barr and Wells, 1990] M. Barr and C. Wells. Category Theory for Computing Science. Prentice Hall, 1990.
[Bell, 1988] J. L. Bell. Toposes and Local Set Theories. An Introduction,
volume 14 of Oxford Logic Guides. Oxford University Press, 1988.
[Benton et al., 1993] P. N. Benton, G. M. Bierman, V. C. V. de Paiva,
and J. M. E. Hyland. A term calculus for intuitionistic linear logic. In
M. Bezem and J. F. Groote, editors. Typed Lambda Calculi and Applications, Lecture Notes in Computer Science 664, pages 75-90, SpringerVerlag, 1993.
[Bierman, 1994] G. M. Bierman. On intuitionistic linear logic. PhD thesis,
Cambridge Univ, 1994.
[Bloom and Esik, 1993] S. L. Bloom and Z. Esik. Iteration Theories.
EATCS Monographs on Theoretical Computer Science. Springer-Verlag,
1993.
[Cartmell, 1986] J. Cartmell. Generalised algebraic theories and contextual
categories. Annals of Pure and Applied Logic, 32:209-243, 1986.
[Chang and Keisler, 1973] C. C. Chang and H. J. Keisler. Model Theory.
North-Holland, 1973.
[Coste, 1979] M. Coste. Localisation, spectra and sheaf representation. In
M. P. Fourman, C. J. Mulvey, and D. S. Scott, editors, Applications of
Sheaves, Lecture Notes in Mathematics 753, pages 212-238. SpringerVerlag, 1979.
[Crole, 1993] R. L. Crole. Categories for Types. Cambridge Univ. Press,
1993.
Categorical logic
125
[Crole and Pitts, 1992] R. L. Crole and A. M. Pitts. New foundations for
fixpoint computations: Fix-hyperdoctrines and the fix-logic. Information
and Computation, 98:171-210, 1992.
[Curien, 1989] P.-L. Curien. Alpha-conversion, conditions on variables and
categorical logic. Studia Logica, 48:319-360, 1989.
[Curien, 1990] P.-L. Curien. Substitution up to isomorphism. Technical Report LIENS-90-9, Laboratoire d'Informatique, Ecole Normale
Superieure, Paris, 1990.
[Curien, 1993] P.-L. Curien. Categorical Combinators, Sequential Algorithms, and Functional Programming (2nd edition). Birkhauser, 1993.
[Dummett, 1977] M. Dummett. Elements of Intuitionism. Oxford University Press, 1977.
[Ehrhard, 1988] Th. Ehrhard. A categorical semantics of constructions. In
3rd Annual Symposium on Logic in Computer Science, pages 264-273.
IEEE Computer Society Press, 1988.
[Freyd, 1972] P. J. Freyd. Aspects of topoi. Bulletin of the Australian
Mathematical Society, 7:1-76 and 467-80, 1972.
[Freyd and Scedrov, 1990] P. J. Freyd and A. Scedrov. Categories, Allegories. North-Holland, Amsterdam, 1990.
[Girard, 1986] J.-Y. Girard. The system F of variable types, fifteen years
later. Theoretical Computer Science, 45:159-192, 1986.
[Girard, 1987] J.-Y. Girard. Linear logic. Theoretical Computer Science,
50:1-102, 1987.
[Girard, 1989] J.-Y. Girard. Proofs and Types, Cambridge Tracts in Theoretical Computer Science 7. Cambridge University Press, 1989.
[Goguen and Meseguer, 1985] J. A. Goguen and J. Meseguer. Initiality,
induction and computability. In M. Nivat and J. C. Reynolds, editors,
Algebraic Methods in Semantics, pages 459-541, Cambridge University
Press, 1985.
[Goguen et al, 1977] J. A. Goguen, J. W. Thatcher, E. G. Wagner, and
J. B. Wright. Initial algebra semantics and continuous algebras. Journal
of the Association for Computing Machinery, 24:68-95, 1977.
[Hofmann, 1995] M. Hofmann. On the interpretation of type theory in
locally cartesian closed cateories. In L. Pacholski and J. Tiuryn, editors, Computer Science Logic, Kazimierz, Poland, 1994, Lecture Notes
in Computer Science 933. Springer-Verlag, 1995.
[Hyland, 1988] J. M. E. Hyland. A small complete category. Annals of
Pure and Applied Logic, 40:135-165, 1988.
[Hyland and Ong, 1993] J. M. E. Hyland and C.-H. L. Ong. Modified realizability toposes and strong normalization proofs. In M. Bezem and
J. F. Groote, editors, Typed Lambda Calculi and Applications, Lecture
Notes in Computer Science 664, pages 179-194. Springer-Verlag, 1993.
126
Andrew M. Pitts
[Hyland and Pitts, 1989] J. M. E. Hyland and A. M. Pitts. The theory of

constructions: categorical semantics and topos-theoretic models. In J.
W.Gray and A. Scedrov, editors, Categories in Computer Science and
Logic, Contemporary Mathematics 92, pages 137-199. American Mathematical Society, 1989.
[Hyland et al, 1980] J. M. E. Hyland, P. T. Johnstone, and A. M. Pitts.
Tripos theory. Mathematical Proceedings of the Cambridge Philosophical
Society, 88:205-232, 1980.
[Jacobs and Melham, 1993] B. Jacobs and T. Melham.
Translating
dependent type theory into higher order logic. In M. Bezem and J. F.
Groote, editors, Typed Lambda Calculi and Applications, Lecture Notes
in Computer Science, pages 209-229. Springer-Verlag, 1993.
[Jacobs, 1999] B. Jacobs. Categorical Loigc and Type Theory. Elsevier,
1999.
[Lambek, 1968] J. Lambek. Deductive systems and categories I. Math.
Systems Theory, 2:287-318, 1968.
[Lambek, 1988] J. Lambek. On. the unity of algebra and logic. In
F. Borceux, editor, Categorical Algebra and its Applications, Lecture
Notes in Mathematics 1348. Springer-Verlag, Berlin, 1988.
[Lambek, 1989] J. Lambek. Multicategories revisited. In J. W. Gray and
A. Scedrov,editors, Categories in Computer Science and Logic, Contemporary Mathematics 92, pages 217-239, American Mathematical Society,
1989.
[Lambek and Scott, 1986] J. Lambek and P. J. Scott. Introduction to
Higher Order Categorical Logic, Cambridge Studies in Advanced Mathematics 7. Cambridge University Press, 1986.
[Lawvere, 1964] F. W. Lawvere. An elementary theory of the category
of sets. Proceedings of hte National Academy of Sciences of the USA,
52:1506-1511, 1964.
[Lawvere, 1966] F. W. Lawvere. The category of categories as a foundation
for mathematics. In S. Eilenberg, D. K. Harrison, S. MacLane and H.
Rohrl, editors, Proc. Conference on Categorical Algebra, La Jolla, pages
1-21, Springer-Verlag, 1966.
[Lawvere, 1969] F. W. Lawvere. Adjointness in foundations. Dialectica,
23:281-296, 1969.
[Lawvere, 1970] F. W. Lawvere. Equality in hyperdoctrines and the comprehension schema as an adjoint functor. In A. Heller, editor, Applications of Categorical Algebra, pages 1-14. American Mathematical Society, 1970.
[Mac Lane, 1971] S. Mac Lane. Categories for the Working Mathematician, Graduate Texts in Mathematics 5. Springer-Verlag, Berlin, 1971.
Categorical logic
127
[Mac Lane, 1982] S. Mac Lane. Why commutative diagrams coincide with
equivalent proofs. Contemporary Mathematics, 13:387-401, 1982.
[Mac Lane and Moerdijk, 1992] S. Mac Lane and I. Moerdijk. Sheaves in
Geometry and Logic. A First Introduction to Topos Theory. Universitext.
[Mackie et al., 1993] I. Mackie, L. Roman, and S. Abramsky. An internal language for autonomous categories. Applied Categorical Structures,
1:311-343, 1993.
[Makkai and Reyes, 1977] M. Makkai and G. E. Reyes. First Order Categorical Logic, Lecture Notes in Mathematics 61. Springer-Verlag, 1977.
[McLarty, 1992] C. McLarty. Elementary Categories, Elementary Toposes,
Oxford Logic Guides 21. Oxford University Press, 1992.
[Mine, 1977] G. E. Mine. Closed categories and the theory of proofs. Zap.
Nauch. Sem. Leningrad. Otdel. Mat. Inst. im. V. A. Steklova (LOMI),
96:83-114,145, 1977. Russian, with English summary.
[Mitchell and Scott, 1989] J. C. Mitchell and P. J. Scott. Typed lambda
models and cartesian closed categories (preliminary version). In J. W.
Gray and A. Scedrov, editors, Typed Lambda Calculi and Applications,
Lecture Notes in Computer Science, pages 301-316, Springer-Verlag,
1989.
[Moggi, 1991] E. Moggi. Notions of computations and monads. Information and Computation, 93:55-92, 1991.
[Nordstrom et al., 1990] B. Nordstrom, K. Petersson, and J. M. Smith.
Programming in Martin-Lof's Type Theory, volume 7 of International
Series of Monographs on Computer Science. Oxford University Press,
1990.
[Obtulowicz, 1989] A. Obtulowicz. Categorical and algebraic aspects of
Martin-L6f type theory. Studia Logica, 48:299-318, 1989.
[Oles, 1985] F. J. Oles. Types algebras, functor categories and block structure. In M. Nivat and J. C. Reynolds, editors. Algebraic Methods in
Semantics pages 543-574. Cambridge University Press, 1985.
[Pierce, 1991] B. C. Pierce. Basic Category Theory for Computer Scientists. MIT Press, 1991.
[Pitts, 1981] A. M. Pitts. The theory of toposes. PhD thesis, Cambridge
Univ., 1981.
[Pitts, 1987] A. M. Pitts. Polymorphism is set theoretic, constructively. In
D. H. Pitt, A. Poigne, and D. E. Rydeheard, editors, Category Theory
and Computer Science, Proc. Edinburgh 1987, Lecture Notes in Computer Science 283, pages 12-39. Springer-Verlag, Berlin, 1987.
[Pitts, 1989] A. M. Pitts. Non-trivial power types can't be subtypes of
polymorphic types. In 4th Annual Symposium on Logic in Computer
Science, pages 6-13. IEEE Computer Society Press, 1989.
128
Andrew M. Pitts
[Pitts, 1999] A. M. Pitts. Tripos theory in retrospect. In L. Birkedal and

G. Rosolini, editors, Proceedings of the Tutorial Workshop on Realizabitity Semantics, FLOC '99, Trento, Italy, 1999. Electronic Notes in
Theoretical Comptuer Science 23, Elsevier, 1999.
[Poigne, 1992] A. Poigne. Basic category theory. Chapter in S. Abramsky,
D. M. Gabbay and T. S. E. Maibaum, editors, Handbook of Logic in
Computer Science, Vol. 1, Oxford University Press, 1992.
[Reynolds, 1983] J. C. Reynolds. Types, abstraction and parametric polymorphism. In R. E. A. Mason, editor, Information Processing 83, pages
513-523. North-Holland, 1983.
[Reynolds and Plotkin, 1993] J. C. Reynolds and G. D. Plotkin. On functors expressible in the polymorphic typed lambda calculus. Information
and Computation, 105:1-29, 1993.
[Ritter, 1992] E. Ritter. Categorical abstract machines for higher-order
typed lambda calculi. PhD thesis, Cambridge University, 1992.
[Roman, 1989] L. Roman. Cartesian categories with natural numbers object. Journal of Pure and Applied Algebra, 58:267-278, 1989.
[Scott, 1980] D. S. Scott. Relating theories of the lambda calculus. In
J. P. Seldin and J. R. Hindley, editors, To H. B. Curry: Essays on
Combinatory Logic, Lambda Calculus and Formalism, pages 403-450.
[Seely, 1984] R. A. G. Seely. Locally cartesian closed categories and type
theories. Mathematical Proceedings of the Cambridge Philosophical Society, 95:33-48, 1984.
[Seely, 1987] R. A. G. Seely. Categorical semantics for higher order polymorphic lambda calculus. Journal of Symbolic Logic, 52:969-989, 1987.
[Seely, 1989] R. A. G. Seely. Linear logic, *-autonomous categories and
cofree algebras. In J. W. Gray and A. Scedrov, editors, Typed Lambda
Calculi and Applications, Lecture Notes in Computer Science 664, pages
371-382. Springer-Verlag, 1989.
[Streicher, 1989] Th. Streicher. Correctness and completeness of a categorical semantics of the calculus of constructions. PhD thesis, University of
Passau, 1989. Tech. Report MIP-8913.
[Streicher, 1991] Th. Streicher. Semantics of Type Theory. Birkhauser,
1991.
[Taylor, 1999] P. Taylor. Practical Foundations of Mathematics. Cambridge University Press, 1999.
A uniform method for proving lower

bounds on the computational
complexity of logical theories
Kevin J. Compton and C. Ward Henson
Contents
1
2
3
4
5
6
7
8
9
10
Introduction
Preliminaries
Inseparability results for monadic second-order theories . . . .
Applications
Upper bounds
Open problems
129
135
140
151
158
164
173
180
196
204
1 Introduction
In this chapter we present a method for obtaining lower bounds on the
computational complexity of logical theories, and give several illustrations
of its use. This method is an extension of widely used procedures for proving the recursive undecidability of logical theories. (See Rabin [1965] and
Ersov et al. [1965].) One important aspect of this method is that it is based
on a family of inseparability results for certain logical problems, closely related to the well-known inseparability result of Trakhtenbrot (as refined
by Vaught), that no recursive set separates the logically valid sentences
from those which are false in some finite model, as long as the underlying
language has at least one non-unary relation symbol. By using these inseparability results as a foundation, we are able to obtain hereditary lower
bounds, i.e., bounds which apply uniformly to all subtheories of the theory.
The second important aspect of this method is that we use interpretations to transfer lower bounds from one theory to another. By doing this
we eliminate the need to code machine computations into the models of the
theory being studied. (The coding of computations is done once and for all
130
in proving the inseparability results.) By using interpretations, attention

is centred on much simpler definability considerations, viz., what kinds of
binary relations on large finite sets can be defined using short formulas in
models of the theory. This is conceptually much simpler than other approaches that have been proposed for obtaining lower bounds, such as the
method of bounded concatenations of Fleischmann et al. [1977].
We will deal primarily with theories in first-order logic and monadic
second-order logic. Given a set 17 of sentences in a logic L, we will consider
the satisfiability problem
sat(
)={
L \ a is true in some model of 27}
and the validity problem

val(
)= {
L \ a is true in all models of 27}.
A hereditary lower bound for 27 is a bound that holds for sat( ') and
val( ') whenever 27' C val( ). If L is a first-order logic, define inv(L)
to be the set of sentences in L that are logically invalid, i.e., false in all
models. If L is a monadic second-order logic, define inv(L) to be the set
of sentences false in all weak models. (See section 2 for definitions.)
The complexity classes used here are time-bounded classes for nondeterministic Turing machines and for the more general class of linear alternating Turing machines. In providing reductions between different decision
problems, we are always able to give log-lin reductions. That is, our reduction functions can be computed by a deterministic Turing machine which
operates simultaneously in log space and linear time. In particular, such
functions have the property that the size of a value is bounded uniformly
by a constant multiple of the size of the argument.
Let L0 denote the first-order logic with a single, binary relation symbol.
Let MLo denote the corresponding monadic second-order logic. Let T(n)
be a time resource bound which grows at least exponentially in the sense
that there exists a constant d, 0 < d < 1, such that T(dn)/T(n) tends to
0 as n tends to . (This condition is satisfied by the iterated exponential
functions and other time resource bounds which arise most commonly in
connection with the computational complexity of logical theories.) Let
satT(Lo) denote the set of sentences in L0 such that a is true in some
model on a set of size at most T(| |). (Here \ \ denotes the length of a.)
Similarly define satT(ML 0 ) for sentences of monadic second-order logic.
The inseparability results which form the cornerstone of our method are as
follows:
(a) For some c > 0, satT(Lo) and inv(Lo) cannot be separated by any
set in NTIME(T(cn)).
(b) For some c > 0, satT(MLo) and inv(MLo) cannot be separated by
Proving lower bounds
131
any set in ATIME(T(cn),cn).

(ATIME(T(cn),cn) denotes the set of problems recognized by alternating
Turing machines in time T(cn) making en alternations along any branch.)
In proving (b) we prove another interesting result. Let ML+ be a monadic
second-order logic with a ternary relation PLUS and satT(M +) be the set
of sentences in this logic true in the model (T(n), +}, where n = \ \ and
+ is the usual ternary addition relation on the set T(n) = {0,..., T ( n ) 1}.
Then for some c > 0, satT(M +) and inv(ML+) cannot be separated by
any set in ATIME(T(cn),cn).
We prove and discuss these results in sections 3 and 4 respectively. In
fact, we prove more: any problem separating satT(L 0 ) and inv(L0) is a
hard problem (under log-lin reductions) for the complexity class
NTIME(T(cn)).
Any problem separating satT(ML0) and inv(ML0) is a hard problem for
the complexity class
ATIME(T(cn),cn}.
In these results one can see a parallel between first-order logic and
NTIME, on the one hand, and monadic second-order logic and linear alternating time, on the other. This parallel persists throughout the lower
bounds for logical theories which we discuss here, and we feel that our point
of view helps to explain why the complexity of some theories is best measured using NTIME while for others the best measure is linear alternating
time.
In order to obtain lower bounds from these inseparability results, or to
transfer lower bounds from one theory to another, we use interpretations.
However, sometimes we require not just a single interpretation, but rather
a sequence {In | n 0} of such interpretations. Not only do we require
that each In define a sufficiently rich class of models when applied to the
models of the theory under study, but also we require that the function
taking n (in unary) to In should be log-lin computable.
As an example of how such interpretations are used, suppose is a
theory such that for each n 0, In applied to models of yields all the
binary relations of size at most T(n) (and perhaps others), for a given time
resource bound T. It follows that for some constant c > 0, sat( ) and
inv(L) cannot be separated by any set in NTIME(T(cn)). In general, it
follows that
has a hereditary NTIME(T(cn)) lower bound. There is a
corresponding result for the complexity classes ATIME(T(cn),cn) when
the interpretations In interpret monadic second-order logic of binary relations on sets of size at most T(n).
132
Upon establishing a lower bound for sat() in this manner, we may

then use interpretations of to obtain lower bounds for other theories.
Continuing the example above, assume In applied to the set of models of
' yields all the binary relations of size at most T(n). In fact, it will not be
necessary to apply In to all models of to obtain all binary relations of
size at most T(n), since there are only finitely many such binary relations.
Suppose that Cn is a set of models of such that In applied to Cn yields all
the binary relations of size at most T(n). If {I'n \ n 0} is another log-lin
computable sequence of interpretations such that I'n applied to models of
a theory ' in a language L' yields all models of Cn (and perhaps others,
some possibly not even models of ), then for some constant c > 0, sat( ')
and inv(L') cannot be separated by any set in NTIME(T(cn)). Thus, we
have developed a theory for establishing lower bounds of logical theories
analogous to the theory for establishing NP -hardness results via polynomial
time reductions.
The observation that I'n applied to models of ' is allowed to yield
models not satisfying may seem unimportant, but in practice it results
in significant simplifications in interpretations, especially compared to the
method of establishing lower bounds by Turing machine encodings. There
one must must produce, for a nondeterministic Turing machine M with the
appropriate running time, an efficient reduction from strings w to sentences
in such a way that when M accepts w, w is true in some model of ',
w
and when M does not accept w, w is true in no model of '. Ensuring
that a sentence is true in no model of ' in the case of nonacceptance can
be cumbersome. Inseparability considerations eliminate the need for it.
Our method can give short, transparent lower bound results in many
cases where Turing machine encodings are far from apparent. An example
is the result of Compton et al. [1987] that the theory of almost all finite
unary functions is not elementary recursive. The proof there, using the
methods of this chapter, is set forth in a short paragraph. A proof by
Turing machine encodings would run to many pages, and possibly would
never have been discovered at all. It seems likely that our method will
have to be used if sharp lower bounds are to be obtained for some of the
important, more algebraic (and less directly combinatorial) theories which
are known to be decidable. (See, for example, Problems 10.1, 10.2, 10.7,
10.9, and 10.10.)
In making use of sequential families of interpretations there are certain technicalities regarding lengths of formulas which must be addressed.
They can be illustrated by considering the formula ' which results from a
formula when one replaces every occurrence of a certain binary relation
symbol P by a given formula . If has many occurrences of P and if the
length of is of the same order of magnitude as the length of , then '
may well be extremely long compared to . (This is precisely the kind of
operation on formulas used as a reduction function between theories when
133
one uses interpretations to obtain lower bounds.) This difficulty can be

overcome if one uses sequences {In} of interpretations in which either all
formulas in each In are in prenex form, or they are obtained by a certain
kind of iterative process. In practice, the interpretation sequences used to
transfer lower bounds from one logical problem to another can always be
found satisfying one of these conditions.
We have used this approach to give a precise analysis of the computational complexity of various theories of finite trees. For each r let r
denote the first-order theory of all finite trees of height r, and let M r
denote the corresponding monadic second-order theory. Also let
and
M , denote the corresponding theories of all finite trees. Let expm(n)
be the m-times iterated exponential function (e.g., exp2(n) = 2 2n ) and let
exp (n) be the tower of twos function:
Our results concerning the various theories of finite trees can be summarized as follows:
(a) For each r
4 there are constants c and d > 0 such that sat(r)
is in NTIME (ex.pr_2(dn)) but that sat(r) and val( r) are hereditarily not in NTIME (expr_2(cn)). For r = 3 the upper bound is
NTIME(2 d n 2 ) and the hereditary lower bound is NTIME(2cn).
(b) There exist constants c and d > 0 such that sat( ) is in
NTIME
but that sat (
) and val(
(exp(dn))
) are hereditarily not in
NTIME (exPoo (cn)).

Hence, these problems are hereditarily not elementary recursive.
(c) For each r 1 there are constants c and d > 0 such that sat(MSr)
is in
A TIME (expr (dn/ log n) , dn)
but that sat(MSr) and val(M r) are hereditarily not in
ATIME(expr(cn/ logn), en).
It is not hard to show that
and M
are mutually interpretable, and
hence have the same complexity. In any case, for such rapidly growing time
resource bounds as e x p ( n ) , the difference between NTIME and ATIME
has vanished.
134
In order to test our method for effectiveness and smoothness of use, we

have used it to provide proofs of essentially all previously known complexity
lower bounds for first-order and monadic second-order theories. These
arguments avoid direct coding of machine computations, and are usually
much simpler and more conceptual than the original arguments. We present
many of these proofs, or at least sketches of them, in section 8. In all
cases our lower bounds are hereditary, and are expressed in terms of log-lin
hardness for certain complexity classes, providing complete problems for
many of these NTIME and linear ATIME classes. In some cases we verify
results which had been only announced, no published proof ever having
appeared.
We do not consider lower bounds for sentences with restricted quantification prefixes, as in Lewis [1980], Scarpellini [1984], Gradel [1988; 1989],
Schoning [1997], and Borger et al. [1997]; nor do we consider lower bounds
for nonclassical logics such as temporal logics, interval logics, dynamic logics, logics of knowledge, and other modal logics. Many of these logics have
decision problems complete in deterministic time classes. See, for example, Chagrov and Zakharyaschev [1997], Fischer and Ladner [1979], Emerson and Halpern [1985], Fagin et al. [1995], Halpern and Moses [1992],
Halpern and Vardi [1986], Harel [1984], Kutty et al. [1995], Kozen and
Tiuryn [1990], Rabinovich [1998], Ramakrishna et al. [1992; 1996], Stirling
[1992], and Vardi [1997].
It is our hope that the appearance of this chapter will stimulate the
interests of many computer scientists and mathematicians, and that they
will be inspired to investigate the many decidable theories for which no
detailed complexity bounds have been found. Even though there has been
continued interest in the complexity of decidable thoeries since this material
first appeared (see, for example, Cegielski [1996], Cegielski et al. [1996],
Maurin [1996; 1997a; 1997b], and Michel [1992]), researchers in the area
are sometimes unaware of the tools for obtaining lower bounds, and, in
particular, of hereditary lower bounds and inseparability results.
The organization of our chapter is as follows. Section 2 contains various definitions and technical conventions. In section 3 we present some
technical machinery needed to handle the details about lengths of formulas
which arise in complexity arguments. Sections 4 and 5 contain the basic
inseparability results for logical problems; these are the analogues of the
Trakhtenbrot-Vaught theorem. In sections 6 and 7 we discuss interpretations and set up the procedures by which they are used to obtain lower
bounds for logical theories. Here too are proved the lower bounds for the
various theories of finite trees which are treated here. Section 8 contains
a lengthy series of applications of our method, yielding lower bounds for
a wide variety of theories of independent interest. In section 9 we obtain
various upper bounds for problems treated here, in order to show that our
method is capable of achieving sharp results. We present a selected list of
135
open problems at the end of section 10.

In this chapter we have not discussed ways in which our method can be
used to obtain lower bounds in terms of SPACE(T(n)) complexity classes.
This is because there are so few known cases in which best possible lower
bounds for logical theories are expressed in terms of space complexity
classes. The exceptions are the PSPACE-complete theories such as those
discussed in Stockmeyer [1977] and Grandjean [1983]. These are, in some
sense, the least complex theories since Stockmeyer shows implicitly that if
is a logical theory with has at least one model with at least one nontrivial definable relation (i.e., the relation is true of some elements and false
of others), then sat( ) is log-space, polynomial-time hard for PSPACE.
(Note that if equality is taken as a basic relation in the language, or is definable, then the hypothesis means simply that has at least one model with
two or more elements.) If does not have any such model, then it is utterly trivial, and both sat( ) and val( ) are in LOGSPACE. (We assume
throughout that the vocabularies of logics are finite.) Possibly methods of
this chapter could be extended to obtain polynomial nondeterministic time
lower bounds for PSPACE -complete theories.
On the other hand, all 'natural' logical theories which are known to
be decidable seem actually to be primitive recursive. Furthermore, among
theories where a somewhat careful upper bound analysis has been carried
out, decidable logical theories seem to fall into NTIME(exp (dn)) for some
constant d in all but a few cases. The exceptions have been discovered only
recently by Vorobynov [1997; preprint].
We believe that the method presented here is simple and can be mastered quickly. To get an overview of the applications of our method we
advise looking over the results in section 8 first. Not only does this give
a summary of the main complexity lower bounds now known, but also we
have tried to present these applications in such a way as to give an accessible exposition of how our methods are meant to be used, and the main
technical points which arise in their use.
Preliminaries
In this section we present the definitions and notations used throughout

the chapter.
All alphabets considered will be finite. The length of a string w is
denoted \w\. The empty string is denoted .
We use the standard 'big oh' and 'little oh' notations throughout, as
well as the 'big omega' notation: write f ( n ) = (g(n)) if f ( n )
kg(n) for
some k > 0 on all large n.
All theories considered here either first-order or monadic second-order.
For convenience we explicitly treat only relational languages in sections 37; functions are handled by using their graphs as relations, and constants
136
are treated as special unary relations. This restriction makes no difference

as far as concerns the lower bounds we obtain: sentences containing function and constant symbols can be transformed into equivalent sentences
containing relation symbols with an increase in length of only a constant
factor. (It is necessary to 'reuse' variables to accomplish this.)
We will assume for convenience that our languages contain equality.
However, in many situations our methods work even without equality. We
use equality mainly to keep formulas short while substituting other formulas for atomic formulas: equations are used for coding truth values. This
can usually be done by other formulas, as long as they satisfy the right
conditions of nontriviality. If one is willing to accept polynomial-time reductions, then equality is generally not necessary, but the lower bounds
degrade slightly.
To specify a logic in this chapter, we need only give its set of relation
symbols and their associated arities (the vocabulary of the logic) and indicate whether the logic is first-order or monadic second-order. We formulate
all of our logics using finitely many symbols, so that all terms and formulas
are strings on a finite alphabet. In particular, a variable is represented by
a symbol followed by a subscript in binary notation. Thus, to represent
n distinct variables we need strings with total length about n log n. (Logarithms will always have base 2.) To avoid subscripted subscripts we use
lower-case Roman letters t,u,x,y,zpossibly with subscriptsas formal
variables to denote actual variables Vi. Monadic variables are represented
by corresponding upper-case letters.
The power of a model is the cardinality of its universe.
A weak model for a monadic second-order logic L is a pair (, F},
where is a model for L and F is a collection of subsets of the universe
of . The truth value of a formula from L in (, .F) is determined in
the usual way except that monadic quantifiers range over the sets in .F
rather than the collection of all sets. Throughout the chapter, equivalence
of monadic second-order formulas will mean equivalence on weak models.
This is stronger than the usual notion of equivalence.
The first-order and monadic second-order logics with vocabulary consisting just of a binary relation symbol P are central to our investigation.
They will be denoted L0 and MLo, respectively.
We also study theories of finite trees; again the vocabulary consists just
of one binary relation symbol which, in this case, interprets the successor
(or parent-child) relation. Let Lt and MLt denote the first-order and
monadic second-order logics with this vocabulary. These are essentially
the same as Lo and MLo; they differ only in the binary relation symbol
used. However, it will be convenient to have a different notation for these
logics when considering trees.
When considering finite trees we will often require the notion of a primary subtree. Such a subtree is formed by restricting to a set of vertices
137
consisting of a child of the root and all its descendents. Thus, we may
regard a tree as being formed by directing an edge from the root of the tree
to the root of each of its primary subtrees.
The depth of a vertex in a tree is its distance from the root. The height
of a vertex is the maximum distance to a leaf below it. Thus, the height of
a tree is the maximum depth of its vertices, which is also the height of the
root.
As we noted in Section 1, we will consider problems of the form sat()
and val( ). Prom a computational point of view, these two problems are
complementary. That is, a sentence a is in sat( ) exactly when - is not
in val(). Hence, sat() is a member of a particular complexity class if
and only if val( ) is a member of the corresponding co-complexity class.
If is a complete theory, then sat() = val( ). When we are in a firstorder logic, val( ) is the deductive closure of by the Godel completeness
theorem. There is no corresponding result for monadic second-order logic.
Often a logical theory is specified not by giving a set of axioms , but
by giving a class of models C. In this situation we take to be the set
of sentences true in all members of C. It is easy to verify in this case that
val( ) = and sat() is the set of sentences true in some member of C.
If L is a first-order logic we define inv(L) to be the set of sentences
false in all models for L. This is just the complement of sat( ). If L is a
monadic second-order logic we define inv(L) to be the set of sentences false
in all weak models for L.
Given a time resource bound T(n), let satr() be the set of sentences
true in some model of of size at most T(| |). Also, write satT(L) for
satT( ). Let satpt() be the set of prenex sentences true in some model
of of size at most r(| |).
Let
be a model for a logic L, m = m1, . . . ,m,k elements of , and
( x i , . . . , x n , y 1 , . . . , y k ) a formula from L. Then
(x,m) denotes the
n-ary relation defined by
for a = a1,. ..,an

M.
Interpretations of one class of models in another are fundamental to
many parts of logic, and we use them extensively here. For example, to
interpret a binary relation ' (i.e., a model for the logic L0) in a theory
from a logic L, we must produce formulas 6(x, u) and (x, y, u) from L so
that for some model of and some elements m of , ' is isomorphic
to the structure
where we require that

(x, y,m)
(x,m) x
(x,7n). There is also a
more general kind of interpretation that is often used, in which the domain
of can be a set of k-tuples from (not just elements of ) and in which
138
' is isomorphic to a quotient of by an equivalence relation definable in

.
Let be a formula in a logic L and D a unary relation symbol. By
D we mean the relativization of to D. This is formed by systematically
replacing all subformulas y and y of with
y(D(y)
) and
y(D(y)
), respectively. If L is a monadic second-order logic, it is not
necessary to relativize the set quantifiers since elements have already been
restricted to D.
The complexity classes we use are defined by time resource bounds.
A time resource bound T is a mapping from the nonnegative reals to the
nonnegative reals such that for each k > 0, T(kn) is dominated by some
fully time-constructible function on the integers; see Hopcroft and Ullman
[1979] for definitions. (Readers who need a primer in complexity theory
may also wish to consult Stockmeyer [1987].) We will also require that
T(n) > n and that for each k 1, T(kn]
kT(n). This last condition
Machtey and Young [1978] call at least linear. It says that when input
length is increased by some factor, the allowed computation time increases
by at least the same factor. It is included for technical reasons; we could
get by with less, namely, that T be nondecreasing and for every / there
should be a k such that T(kn)
lT(n).
The iterated exponentials and tower of twos functions appear often as
time resource bounds in the problems we consider. The iterated exponentials exp m (n), where m is a nonnegative integer, are defined by induction
on m. Let exp0(n) = n and expm+1(n) = 2expm(n). The tower of twos
function e x p ( n ) is defined to be
Recall that a problem is elementary recursive if it is recognized in time

exp m (n) for some m 0.
All of our bounds are for nondeterministic or alternating Turing machines. The set of problems recognized by nondeterministic Turing machines in time T(n) is denoted NTIME(T(n)).
With alternating Turing machines we will be concerned chiefly with the complexity classes
ATIME(T(n), cn), the set of problems recognized by an alternating Turing
machine in time T(n) making at most cn alternations. We will assume that
alternating Turing machines have four types of states: universal, existential, accepting, and rejecting. See Chandra et al. [1981] for the definition
of acceptance by alternating Turing machines and a description of the computation trees associated with these machines.
We will sometimes say that a theory has a hereditary NTIME(T(cn))
(or ATIME(T(cn), en)) lower bound. By this we mean that there is a c > 0
such that for all E'
, neither sat( ') nor val( ') is in NTIME(T(cn))
139
(or in ATIME(T(cn),cn)).
A log-lin reduction is a mapping computable in log space and linear time.
In some sources this terminology is used for a log space computable, linearly
bounded mapping, which is a weaker notion. (Linearly bounded means that
output length is less than some constant multiple of input length.) It is not
crucial for the applications presented here that our reductions be quite so
restricted: polynomial-time, linearly bounded reductions suffice. However,
to obtain some results in the literature, such as the nondeterministic polynomial lower bounds in Grandjean [1983], linear time reductions would be
needed.
We encounter a technical problem with log-lin reductions: we do not
know if they are closed under composition. To overcome this difficulty we
define a stronger notion of reset log-lin reduction. A machine performing
such reduction is a log space, linear time bounded Turing machine with
work tapes, an input tape, and an output tape. It has the capability to
reset the input tape head to the initial input cell on k moves during a computation, where k is fixed for all inputs; on all other moves the input tape
head remains in place or moves one cell to the right. It writes the output
sequentially from left to right. Suppose that M' and M" are two such machines using at most k' and k" resets, respectively. We informally describe
a machine M to compute the composition of the reductions computed by
M' and M". Imagine that the output tape of M' and the input tape of
M" have been removed. Instead, M' sends its output directly to M". As
M" computes its output, it calls M' to supply it with a new symbol on
those moves when the input head of M" would have moved right. M' has
only to resume its computation from the last call to supply this symbol.
On those moves where M" would have reset its input head, M' must begin
its computation anew. Now the input head of M" would have passed over
each input cell at most k" +1 times during the computation, and to supply
each symbol the input head of M' passes over each input cell at most k' +1
times. Thus, M resets its input head at most (k1 + l)(k" + 1) - 1 times.
Clearly, M is log space bounded. Since the part of M corresponding to M'
is forced to begin its computation anew at most k" times, it is easy to see
that M is linear time bounded.
It is not difficult to show that the prenex formulas of a logic are closed
under relativization up to reset log-lin reductions. That is, there is a reset
log-lin reduction which takes formulas of the form D, where is a prenex
formula with no variable quantified more than once, to equivalent prenex
formulas. We use this fact often. Unfortunately, we know of no way to
eliminate duplicate quantifications of variables using reset log-lin reductions, but this can be accomplished easily with polynomial-time, linearly
bounded reductions.
A problem is hard for a complexity class C via reductions from a class
S if every problem ' C can be reduced to by some / S. That is, if
140
Kevin J. Campion and C. Ward Henson
A and A' are the alphabets for and 17' respectively, then / maps A1* to
A* so that w
" if and only if f ( w )
. If, in addition, C, we say
that 1 is complete for C via reductions from S.
One of our goals is to develop effective and easily used methods for transferring lower bounds from one problem to another. Our methods are based on
interpretations between theories (or equivalently, between classes of models) and can be seen as an extension of the most widely used methods for
proving the undecidability of logical theories; see Ersov et al. [1965] and
Rabin [1965] for a discussion of undecidable theories from this point of view.
To obtain complexity lower bounds for decidable theories we must use interpretations which have a somewhat more general form than those used
in undecidability proofs, and there are certain technicalities about lengths
of formulas which must be addressed in this more general setting. In this
section we will develop the required machinery. The first-time reader may
wish to skip the proofs in this section as they are somewhat tedious and
only the statements of results will be used later.
A common method for proving that a theory in a logic L is undecidable is to show that the theory So of finite binary relations, formulated in
the logic L0, can be interpreted in
In the simplest case this means that
formulas (x,u) and (x,y,u) of L are given so that every finite binary
relation can be obtained (up to isomorphism) in the form
for a model of and m a sequence of elements of 91. The formulas 6 and

are then used to define a reduction from formulas of L0 to formulas of L,
as follows: given a formula of L0, replace every occurrence of an atomic
formula P(z, t) by the formula (Z, t, u) and relativize every quantifier to
the formula . (One must rewrite bound variables to avoid conflicts and
make sure that u is a sequence of otherwise unused variables.) Call the
resulting formula . The reduction mapping
is then used to
obtain undecidability results for from corresponding results for E0.
This kind of simple interpretation is not adequate for obtaining lower
complexity bounds when is a decidable theory. One works instead with a
parameterized family of formulas { n \ n > 0 } from L0 and uses a sequence
of formula pairs { (n(x,u),n(x,y,u)) | n > 0} from L. In reducing the
formulas n to L: one proceeds as above, except that n is obtained from
using n and n. In complexity lower bound arguments, it is not only
n
necessary that the function n
n should be efficiently computable, but
also that \'n\ should be linearly bounded in \n\. If P occurs many times
in n and |n| grows without bound as n increases, or if n has many
quantifiers and |n| grows without bound as n increases, then the linear
141
boundedness condition may not hold. However, in certain cases there are
methods to efficiently replace 'n by an equivalent formula for which the
linear boundedness condition does hold. Roughly speaking, we can do this
when the formulas n and n are all in prenex form, or are obtained by
a certain kind of iterative procedure. The machinery developed here to
accomplish this task is implicit in most complexity lower bound arguments
for logical problems.
In order to describe this machinery, it is convenient to introduce an
extension L* of each logic L, in which explicit definitions are allowed. (L*
has no more expressive power than L, but properties can sometimes be
expressed by shorter formulas in L* than in L.) Continuing the example
above, let Dn denote a formula in which all quantifiers of n have been
relativized to a new unary relation symbol D. Then the extended language
L* in this case would include a formula
whose interpretation is exactly the same as that of 'n, although its length
is likely to be more under control. Here the equivalences in brackets are
interpreted to mean that P is explicitly defined by n and that D is explicitly defined by n. The general problem, treated below in this section,
is to find situations in which certain formulas of the extended language L*
can be efficiently reduced to equivalent formulas of L, without a significant
increase in the length of the formulas. (In general, it is possible to find for
each L* formula of length n an equivalent L formula of length O(n log n);
this is not good enough for sharp complexity bounds.)
Let L be either a first-order or monadic second-order logic. Define L*
as follows. Formulas of L* may contain any of the symbols occurring in
formulas of L and, in addition, relation variables Sji for each i, j 0. In
each case the arity of Sij is j and the subscript and superscript of S? are
expressed in binary notation. (If L is a monadic second-order logic we need
two superscripts, the first denoting the arity of element arguments and the
second denoting the arity of set arguments.) Subscripts and superscripts
of relation variables contribute to the length of formulas in which they
occur, just as element variable subscripts do. (However, superscripts may
be ignored in asymptotic estimates of formula length because they are
dominated in length by their corresponding argument lists.) We define the
set of formulas of L* inductively, and at the same time define free( ),
the set of free variables in (p. An atomic formula
of L* is either an
atomic formula of L or a formula P(x1 ,...,_,) where P denotes a relation
variablein the former free(( ) is the same as in L; in the latter, free((p)
{P,xi,.. - , X j } . More complex formulas may be constructed using the
logical connectives and quantifiers appropriate to L; in these cases free(( )
is defined just as in L. The only other way to construct more complex
142
Kevin J. Campion and C. Ward Henson
formulas is by explicit definition. Let

and 0 be formulas in L*, P a,
relation variable which does not occur freely in 6, and x = xi,...,Xj a
sequence of distinct element variables. Then given by
is also a formula of L* and

free
The part of within brackets is an explicit definition which defines the
interpretation of P in . If 0 is a prenex formula from L we will say that
it is a prenex definition. The truth value of is the same as that of the
second-order expression
Notice that the truth value is consistent with the definition of free(
Notice also that the second-order expression above is equivalent to
).
so that (P(x)
is equivalent to [P(x)
. If free ( ) = 0, then
is a sentence of L*.
We will let sat*( ) denote the set of sentences from L* true in some
model of S, satT( ) denote the set of sentences from L* true in some
model of of size at most T(| |), satT(L) denote the set of sentences
from L* true in some model of size at most T(| |), and inv*(L) denote the
set of sentences from L* true in no model (or no weak model when L is a
monadic second-order logic).
Introduction of explicitly defined relations is standard practice in mathematical discourse. Explicitly defined relations are also similar to nonrecursive procedures in programming languages.
Explicit definitions can be used to define reductions between satisfiability problems. To provide good lower bounds these reductions must be
efficiently computable and linearly bounded. We will show, in fact, that
there are reset log-lin reductions, defined on certain subsets of sentences
from L*, that take formulas to equivalent formulas in L. (Unfortunately,
such reductions probably cannot be defined on the set of all sentences in
L*; with a little effort we can produce a polynomial-time reduction which
maps sentences in L* of length n to equivalent sentences in L of length
O(nlogn).)
We inductively define positive and negative occurrences of a relation
symbol Q in formulas from L*. Q occurs positively in atomic formulas
143
of the form Q(x). Q occurs positively (negatively) in the formulas

and V when it occurs positively (negatively) in either of the formulas
( or ). Q occurs positively (negatively) in the formula
if it occurs
negatively (positively) in the formula . Q occurs positively (negatively)
in the formulas
and x(p if it occurs positively (negatively) in the
formula . Q occurs positively (negatively) in the formula [P(x)
,
where P is not Q, if it occurs positively (negatively) in , or if it occurs
positively (negatively) in 9 and P occurs positively in , or if it occurs
negatively (positively) in 9 and P occurs negatively in . We say that
P occurs only positively in a formula if it does not occur negatively (in
particular, it may not occur at all).
We inductively define an iterative definition [P(x) ]n as follows.
The iterative definition [P(x) = 0]0 is equivalent to the explicit definition
[P(x) = 1], where L is a sentence false in all models (or all weak models if
L is a monadic second-order logic). The iterative definition [P(x)
]n+l
is equivalent to
We make iterative definitions part of the syntax of L*, but we require
that the subscript n be written in unary notation so that the length of an
iterative definition is of the same order (O(n) and (n)) as the length of
the nested explicit definitions it replaces. We call 9 the operator formula
for the iterative definition.
We can think of iterative definitions as approximations to implicit definitions. We will not formally define implicit definitions, since they do not
figure directly in what follows, but an example should convey the idea.
(See Moschovakis [1974] for an account.) Consider a language containing
just a binary relation symbol E denoting the edge relation on graphs. The
implicit definition
[P(x, y) = (x = yVz
(P(x, z) A E(z, y)))]
defines the path relation in each graph: P(x, y) is the least relation satisfying the equivalence, so it holds precisely when there is a path between x
and y. Now consider the related iterative definition
[P(x, y) = (x = yVz
(P(x, z)
E(z, y)))] n
which defines a relation P(x,y) which holds precisely when the distance
between x and y is at most n 1 (when n > 1). Notice that this 'approximation' to the implicitly defined relation does not converge very rapidly.
The iterative definition
[P(x, y)
(x = yV E(x, y) V z (P(x, z) A P(z,
144
defines a relation P(x, y) which holds precisely when the distance between x
and y is at most 2 n - 1 (for n 1), so this approximation to the path relation
converges exponentially 'faster'. For an implicit definition to make sense,
= (P) should be monotone in P (i.e., for every structure , if P and P'
are relations on 21 with PC.P', then 0 (P) C 0 (P')). Monotonicity can
be guaranteed by requiring that P is positive in 6. No such restriction is
needed for iterative definitions. In most of our applications P does occur
positively and the iterative definitions approximate an implicit definition.
Usually, the faster the convergence, the better the lower bounds obtained by
our methods. We will see that the positivity of P in 0 does have implications
in lower bound results.
To show that we can efficiently transform iterative definitions into equivalent explicit definitions, we require the following theorem, which will also
be used to show that certain sets of formulas in L* can be efficiently transformed into equivalent formulas from L.
Theorem 3.1. Let L be a first-order or monadic second-order logic and let
L' be a logic, of the same type, whose vocabulary consists of the vocabulary
of L together with relation symbols P1 , . . . , Pm . There is a reset log-lin
reduction taking each prenex formula of L' to an equivalent prenex formula
of L' having at most one occurrence of each Pj .
Proof. The proof follows an argument of Ferrante and Rackoff [1979,
pp. 155-157]. We must add some details, however, because they were
not interested in obtaining a reset log-lin reduction. We adopt the same
assumption they did there: we assume that L has a symbol for equality
and that all structures have cardinality at least 2. We could dispense with
this assumption at the cost of added complications.
We deal explicitly only with the case m = 1. It will be clear from the
proof that the procedure can be iterated to treat P1 , P2 , . . . in succession.
We describe the action of our algorithm on , a prenex formula from
L. First add a 0 bit to the end of every variable index occurring in . This
will allow us to introduce variables of odd index without creating a conflict.
Now is of the form
where each Qi is a quantifier and
is quantifier- free. Let
be all the subformulas of containing P1 .

The idea is to replace each subformula P I ( X i l , . . . ,xil) of
with a
Boolean variable and stipulate with a formula containing just one occurrence of P1 that each of these Boolean variables has the same truth value
145
as the formula it replaces. Since we have no Boolean variable type, we instead replace each subformula PI xil ,...,xil) with an equation v\ = Vb(i) .
We must ensure for each i that b(i) is odd and greater than 1, that
b(i) is log-lin computable from PI (xil, . . . ,xil) (with no resets), and that
b(i)
b(j) when i j. To produce b satisfying these conditions suppose
that Xil , . . . , xil are formal variables denoting actual variables with subscripts ji, . . . ,ji respectively. In the string j l #j2# #j1 replace every
occurrence of 0 with 01, of 1 with 11, and of # with 10; let the result be
b(i). Let
be the result of replacing each formula PI (xil,, . . . ,xil) in
by the formula v1 = ub(i). Now with a little effort we can see that is
equivalent to
where y and y* y1 , . . . , y1 denote variables with odd indices of odd length.

It is not difficult to verify that this formula is reset log-lin computable from
(f using two resets.
I
Remark 3.2. The formula in the proof of Theorem 3.1 uses the symbol
.
If we require that formulas use only the Boolean connectives A, V,
and , we must expand the subformula v1 = y
P 1 ( y ) of ' to obtain a
formula in which P occurs twice, once positively and once negatively. It
is easy to see that this is the best we can do. Suppose that the number
of occurrences of P in such a formula could be reduced to one. If this
occurrence were positive, then ' would be monotone in P (i.e., truth
is preserved when the interpretation of P is expanded). If this occurrence
were negative, then
would be monotone in P. But it is easy to produce
a formula such that neither it nor its negation is monotone in P. However,
in the case where P occurs only positively in , we can construct
in
the proof of Theorem 3.1 using the subformula V1 = y -> P\(y ) in place
of v1 = y
P 1 ( y ) . For this case the theorem is true even if just the
connectives A, V, and are allowed. This is one of the advantages of using
positive formulas.
Theorem 3.3. Let L be a first-order or monadic second-order logic and I
be a fixed positive integer. There is a reset log-lin reduction which taking
each iterative definition of the form [P(x) = 0]n, where 0 is a formula from
L* of length at most I, to an equivalent explicit definition.
Proof. Since there are only finitely many formulas from L* of length at
most I, we may, given such a formula 0, find an equivalent prenex formula
0' from L in constant time. Moreover, by Theorem 3.1 we may assume
that P occurs in just once, say in a subformula P(y). Define formulas
0n = n(x) by induction on n. Let 0 be a sentence false in all models
146
(or all weak models if L is a monadic second-order logic). Form i+1 by

substituting the variables y for corresponding free variables x in 0i (perhaps
changing other variables to avoid conflicts) and substituting the result for
P ( y ) in '. It is clear that [P(x) = ]n is equivalent to [P(x) = n]. If
the substitution of variables has been done in a systematic way in the
construction of n, then it is clear that n can be obtained from [P(x) = 9]
by a reset log-lin reduction.
I
Often we need to make several iterative definitions simultaneously. For
example, Fischer and Rabin [1974], in their lower bound proof for the theory
of real addition, define sequences of formulas m n ( x , y , z ) and n(x, y,z).
Formula m n (x, y,z) holds precisely when a; is a nonnegative integer less
than 22n and x y = z; formula n(x, y, z) holds precisely when x, yx, and
z are nonnegative integers less than 22n and yx = z. These definitions are
simultaneous: the definition of n+1, for example, depends not only on n,
but also on mn. Let us make the notion of simultaneous definition precise.
Let L be a first-order or monadic second-order logic and 1 , . . . , k be
formulas from L*. A simultaneous iterative definition is denoted
Fix a structure for L and an assignment from to the free variables of

this definition (defined in the obvious way). The simultaneous iterative definition assigns a relation from the universe of to each symbol P1,...,P k .
We define this assignment by induction on the depth n of the definition.
When n = 0 it assigns the empty relation to each symbol. When n > 0 the
assignment to 6i is determined by letting the assignment for depth n 1
interpret the free occurrences of P1,...,P k in 0,. We can use simultaneous iterative definitions to augment the syntax of a logic in the same way
we used iterative definitions. In particular, subscripts on definitions are
expressed in unary notation.
The following theorem shows that simultaneous iterative definitions do
not increase the expressiveness of a logic. Moreover, their use does not
make for appreciably shorter expressions than use of ordinary iterative
definitions. The theorem is proved along the same lines as similar results in Fischer and Rabin [1974] and Ferrante and Rackoff [1979, p. 159].
Moschovakis [1974, p. 12] used similar ideas to prove an analogous theorem
for simultaneous implicit definitions.
Theorem 3.4. Let L be a first-order or monadic second-order logic and
P1,..., Pk be fixed relation variables. There is a reset log-lin reduction
taking each formula of the form
147
Pi(x1) = 1
where and 1,... ,0k are formulas from L* whose only free relation variables are P1 ,..., Pk, to an equivalent formula
of the form
where ' and ' are formulas from L* whose only free relation variable is
P. Moreover, if P1, . . . ,Pk occur only positively in each of the formulas
1,.. . ,0k, then we may arrange that P occurs only positively in .
Proof. As before, we assume that L has a symbol for equality and that all
structures have cardinality at least 2. Again, we could dispense with these
assumptions at the cost of added complications.
Without loss of generality, we may assume that the variable sequences
x1 , . . . , xk are mutually disjoint. Let z denote a sequence z , Z 1 , . . . , Z k of
distinct variables disjoint from x1 , . . . , Xk The idea of the proof is that one
relation P ( z , x 1 , . . . , X k ) will code the relations PI (x1 ) , . . . , Pk (xk ). To be
more precise, the relation P(z, x1 , . . . , Xk) is equivalent to
Thus, a particular Pi(Xj) can be extracted by writing
Call this formula 5i(x) (or Si for short). Define ' to be the L* formula
Notice that P is the only free relation variable in
Now we can easily show that
. Let
be the formula
148
is equivalent to [P(x)
]n
' by induction on n.
Remark 3.5. Notice that in the proof of Theorem 3.4 formula is formed
simply by inserting explicit definitions of fixed length before . These
definitions may be eliminated by replacing relation variables in
with
their corresponding definitions. Now if is a prenex formula or a member
of a prescribed set of formulas (defined below), it is easy to arrange that
is a formula of the same type.
We can now say precisely which kinds of definitions are used in the
reductions described at the beginning of this section: they are prenex definitions and iterative definitions. It is useful, therefore, to have terminology
to describe sets of formulas in L* built up from prenex formulas using
prenex and iterative definitions. We must place some restrictions on these
sets to be able to efficiently translate them into equivalent formulas from
L.
Let L be a first-order or monadic second-order logic. Let L' be the logic
formed by adding relation variables PI, ..., Pk to the vocabulary of L, and
I be a fixed positive integer. A prescribed set of formulas over L is a set of
formulas of the form
where is a prenex formula from L', and for each i either n, = 1 and
6i is a prenex formula from L' in which only P1, ..., Pi-1 may occur as
free relation variables (i.e., Pi has a prenex definition), or is a formula of
length at most l from L* in which only PI ,..., Pi may occur as free relation
variables (i.e., Pi has an iterative definition in which the operator formula
has bounded length). We place one further restriction on sets of prescribed
formulas: each variable is quantified at most once in and in each formula
i where Pi has a prenex definition. We impose this condition so that when
we relativize all the formulas within a set to a unary relation symbol D,
there is a reset log-lin reduction taking resulting formulas to equivalent
formulas from another prescribed set of formulas. The condition is easy to
satisfy in practice.
We now present our fundamental theorem for making reductions between formulas.
Theorem 3.6. Let L be a first-order or monadic second-order logic. For
each prescribed set of formulas over L there is a reset log-lin reduction
taking each formula in the set to an equivalent formula in L.
149
Proof. Fix a prescribed set of formulas over L. There are relation variables
P1 , . . . , Pk as in the definition such that all formulas in the set are of the
form
where is a prenex formula in which only P1,..., Pk, may occur as free
relation variables, and for each i either ni = 1 and i is a prenex formula
in which only P1,...,P,_i may occur as free relation variables, or , is
a formula of length at most l in which only P1,..., Pi may occur as free
relation variables.
At first glance it may seem that P1 , . . . , Pk are being defined simultaneously, but this is not the case. First P1 is assigned a value by an iterative
definition of depth n1 which is substituted in the remaining definitions.
Then P2 is assigned a value by the next iterative definition of depth n2
which is substituted in the remaining definitions, and so on. The proof
combines this observation with the construction used in Theorem 3.4. As
in that theorem, we will code the relations P 1 ( x 1 ) , . . . , Pk(xk) into a single
relation P ( y ) equivalent to
where y is the variable sequence z , z 1 , . . . , Z k , x \ , . . . , X k be the formula
As before, let
To construct a formula from L equivalent to we build, inductively,

a sequence of formulas (y ) , (y ) , k (y) Begin by taking 0 to be a
sentence false in all models (or weak models, if L is a monadic second-order
logic).
Suppose now that i-1 is given. Consider the simultaneous definition
This definition simply defines Pi(Xi) to be i and leaves the other relations
unchanged. Use the construction in the proof of Lemma 3.4 to produce an
150
equivalent definition [P(y ) ni(y)]. Hence, 77, is
where
is the formula
We claim that there is a reset log-lin reduction taking ni to an equivalent prenex formula ni with just one subformula P(u) in which P occurs.
Whether Pi has a prenex definition, in which case , is in prenex form,
or an iterative definition, in which case
is of bounded length, there is
a simple reset log-lin reduction to convert , into prenex form. Apply
the reduction given by Theorem 3.1 to the result to obtain an equivalent
formula in which each of the symbols PI , . . . , Pk occurs just once. In this
formula, for each j, substitute j(yj) for the subformula Pj(yj)- Convert
to prenex form again by a reset log-lin reduction and apply the reduction
of Theorem 3.1 one more time to obtain n' as desired. Notice that if Pi has
an iterative definition, ni, has length less than some constant determined
by / and the arities of P1 , . . . , Pk.
If Pi has a prenex definition, form
by substituting -\(u) for P(u)
in n'i- If Pi has an iterative definition we must make several substitutions.
Beginning with
i-1, replace free variables with the corresponding variables u and substitute the result for P(u) in n'i. Repeat this operation ni,
times. The resulting formula is .
In either case it is easy to see that i is obtained by a reset log-lin
reduction.
Since is in prenex form, we can apply the reset log-lin reduction of
Theorem 3.1 to obtain an equivalent prenex formula ' in which each of
the symbols P1,...,P k occurs at most once. As before, there is a reset
log-lin reduction to convert
into a prenex formula with just one subformula P(u) in which P occurs.
Substitute k(u) for this subformula to obtain finally '. Repeated use
of closure of reset log-lin reductions under composition shows that the
mapping
is reset log-lin computable.
Remark 3.7. Scrutiny of the preceding proof reveals two useful facts.
First, if all the symbols Pi have prenex definitions we can arrange that
is in prenex form. Second, if we wish to restrict to formulas in which the
only connectives are A, V, and , the theorem remains true providing Pi
151
occurs only positively in i when Pi, has an iterative definition. To see this,
observe that by the remark following Theorem 3.1 we can always ensure
that the formulas i each contain at most two occurrences of P. This is not
a problem when Pi has a prenex definition because i figures only once in
the construction of k and there are a bounded number of such definitions.
When Pi has an iterative definition we can ensure, again by the remark
following Lemma 3.1, that Pi occurs at most once in i since it occurs only
positively in i.
Hereditary lower bound results have proofs similar to the classical hereditary undecidability results. Young [1985], for example, modified techniques
used in the proof of the hereditary version of Godel's undecidability theorem, which states that all subtheories of Peano arithmetic are undecidable,
to show that all subtheories of Presburger aaithmetic have an NTIME (2 2cn )
lower bound. Our starting point is another classical undecidability result
the Trakhtenbrot-Vaught inseparability theorem. Many hereditary undecidability results have been derived from this theorem.
Recall that L0 is the first-order logic whose vocabulary contains just
a binary relation symbol P. Let fsat(Lo) be the set of sentences of L0
true in some finite model, and inv(Lo) the set of sentences of L0 true in
no model. The Trakhtenbrot-Vaught inseparability theorem states that
fsat(Lo) and inv(L0) are recursively inseparable: no recursive set contains
one of these sets and is disjoint from the other. Trakhtenbrot [1950] showed
this for a first-order logic with sufficiently many binary relations in its
vocabulary and Vaught [1960; 1962] reduced the number of binary relations
to one. To see how this theorem gives hereditary undecidability results,
suppose that for some theory in a logic L there is a recursive reduction
from the sentences of L0 to the sentences of L that takes fsat(L0) into
sat( ) and inv(Lo) into inv(L). Clearly sat( ) is not recursive since it
separates the image of fsat(Lo) from the image of inv(L0). Moreover, if
' C val( ), then sat( ) sat( ') and sat( ') inv(L) = 0 so sat( ')
is not recursive either.
Let T(n) be a time resource bound. Recall that sat T(Lo) is the set
of sentences in L0 such that is true in a structure of power at most
T(l l). Our analogue of the Trakhtenbrot-Vaught Inseparability Theorem states that for T satisfying certain weak hypotheses, satT(L0) and
inv(Lo) are NTIME(T(cn))-inseparable for some c > 0. That is, no set in
NTIME(T(cn)) contains one of these sets and is disjoint from the other.
We show, in fact, that the result is true if we restrict to prenex sentences
in L0. Thus, using the reductions between formulas described in the previous section, we can obtain hereditary NTIME lower bounds for theories
in much the same way that we obtain hereditary undecidability results. In
152
the next section we prove an inseparability theorem which gives hereditary

linear ATIME lower bounds.
Our result is a consequence of the following theorem.
Theorem 4.1. Let T(n) be a time resource bound and A be an alphabet.
Given a problem A C A* in U c >o NTIME(T(cn)), there is a reset log-lin
reduction taking each w A* to a prenex sentence w of L0 such that if
w A, then w satT(Lo), and if w
, then w inv(L0). Moreover,
each variable occurring in w is quantified just once.
Proof. Let M be a T(cn) time-bounded nondeterministic Turing machine
that accepts A. We may assume that on all inputs, all runs of M eventually
halt since we may incorporate into M a deterministic 'timer' which halts
after some number of moves given by a fully time-constructible function
dominating T(cn). To simplify notation we assume that M has just one
tape. Extending to multitape Turing machines requires only minor modifications. Let m be the number of tape symbols used by M. We assume
that one of the tape symbols not in A is a blank symbol, denoted #.
The proof has two parts. In the first we translate information about runs
of M on input w into formulas 'w in a logic with a vocabulary consisting
of m + 3 binary relation symbols so that 'w satisfies the conditions of
the theorem. In the second we transform sentences 'w into the desired
sentences w by combining m + 3 binary relations into one.
Translating Turing machine runs into first-order sentences is an old
idea in logic; see Turing [1937], Buchi [1962], and, for a general discussion,
Borger [l984a; 1984b; 1985]. Our translation of runs into sentences is standard except for some difficulties that must be overcome to obtain prenex
sentences using reset log-lin reductions.
First we describe the intended meanings of the m + 3 binary relation
symbols constituting the vocabulary of the logic for sentences 'w. The
symbol
will interpret a discrete linear order with a least element. For
convenience we use infix notation with this symbol. We call the least element with respect to this order 0 and denote the successor and predecessor
of an element x by x + 1 and x - 1, respectively. In this way we identify
elements of a model with consecutive nonnegative integers. We also have
relation symbols STATE, HEAD, and SYMa for each a A. STATE(x,t]
holds if M is in state x at time t. (States are ordered arbitrarily. We may
assume that all models considered have at least as many elements as M has
states since we can precede w with enough dummy quantifiers to ensure
that T ( ' w ) exceeds the number of states.) HEAD(x,t) holds if the read
head of M scans the tape cell at position x at time t. SYMa(x,t) holds if
the tape cell at position x contains symbol a at time t.
Let 'w be a prenex sentence asserting the following.
(a) Relation
is a discrete linear order with a least element.
(b) Each tape cell contains precisely one symbol at each time. The
153
read head scans precisely one cell at a given time. M is in precisely

one state at a given time.
(c) If HEAD(x, t) does not hold and SYMa(x, t) holds, SYMa(x, t + 1)
also holds. If HEAD(x, t) holds, then the values of SYMa(x,t + 1),
HEAD(x I, t + 1), and the element z making STATE(z, t + 1) true
are determined by the values of SYMa(x, t), and the element y making
STATE(y, t) true, in accordance with the transition function of M.
(d) The read head initially scans cell 0. M begins in its initial state.
(e) If STATE(x,t) holds, then t has a successor if and only if x is a
final state. For some t there is a final state x such that STATE(x, t)
holds.
(f) The input tape initially contains w.
Notice that (f) is the only conjunct depending on w; the others are fixed.
Thus, if we can express (f) as a prenex sentence obtainable from w by a
reset log-lin reduction, it is a simple matter to produce a prenex sentence
'w equivalent to the conjunction of (a)-(f) obtainable from w by a reset
log-lin reduction.
Suppose that w = a0a1...an-1 where each ai is an input alphabet
symbol. We cannot just say that there are positions V 0 , V I , . . . ,vn-1 such
that U0 = 0, Ui+i = Vi + 1, and SYMai (vi, 0) for i < n because the combined
length of variable indices is (n log n) . We must define two relations LEFT
and RIGHT to reduce the number of quantified variables.
Intuitively, LEFT and RIGHT interpret the left and right child relations for a binary tree T on the first n elements 0, . . . , n 1 of the model. It
is intended that LEFT(x, y) holds precisely when y = 2x and RIGHT (x, y)
holds precisely when y 2x + 1. Then T has root 0 and 0 is its own left
child (so the notion of tree is interpreted somewhat loosely).
Using the machinery of the previous section it is easy to give short formulas defining LEFT and RIGHT on long intervals. Let 0 be the formula
Then the relation P(X1, x2, y1, y2) given by the iterative definition
is true when 0 y1x1 2m1 and 2(y1 -xt) = y2-x2. Now LEFT(x, y)
is equivalent to P(0, 0, x, y) and RIGHT(x, y) is equivalent to P(0, l,x, y)
on the interval 0, . . . , 2m + 1, so we take m = [log(n 1)] to obtain RIGHT
and LEFT on the interval 0, . . . , n. By Theorem 3.3 there are first-order
formulas 'n and "n defining LEFT and RIGHT; moreover, they are computable from the unary representation of m by a reset Turing machine in
154
time log n and space log log n. By increasing time to log n log log n we can
make 'n and
prenex formulas.
The height of T is h = [log n] . Now for every i such that 0 i < h and
every j < 2h-j define a quantifier-free formula i j ( x 0 , . . . , Xi) by induction
on i. Roughly, i,j(xo, ... ,xi) says that if (xj,Xj1,. .. ,x 0 ) is a path in
from vertex j = Xi, then the symbol at position X0 on the input tape is
a X 0 . First, 0 , J ( X 0 ) is S Y M a j ( x 0 , 0 ) when j < n and some tautology (say
X0 = X0) when n j < 2h. Next, 0i +1,j (xo, . . . , x,+i) is the formula
By induction on i we can show that for j
2hi
the sentence
is true if and only if for every vertex k < n which is an ith-generation

descendant of j, S Y M a k ( k , 0 ) holds. Since 0 is a left child of itself, every
vertex in T is an hth-generation descendant of 0, so the sentence
says that SYMa k (k, 0) holds when k < n; that is, it says w is written on
the first n cells of the input tape at time 0. Let w be a conjunction of this
sentence and a sentence that says SYM#(x, 0) holds for all x > n (that
is, that all the tape cells from position n onward are blank at time 0).
We must show that there is a reset log-lin reduction taking w to w , from
which it follows easily that there is a reset log-lin reduction taking w to
We describe the actions of a machine effecting such a reduction. For

the conjunct asserting that cells from position n onward are blank this is
straightforward, so we need only show it for the conjunct asserting w is
written on the first n cells.
We will suppose that indices of variables are in unary; thus, the formal
variable Xi denotes the actual variable
First, w is read from the input tape while h cells are marked off on a work
tape. One way to accomplish this is simply to keep a count on a work tape
of the number of input tape cells scanned. Count in binary. Incrementing
the count requires changing the low order 1-bits to 0 until encountering
a 1, which is changed to 0. The work tape head is then returned to the
155
lowest-order bit to prepare for the next advance of the input head. It is
not difficult to show that the time required to read the input tape and do
all the increments is O(n).
Next the input head is reset. Now a simple algorithm utilizing a stack
to keep track of subscripts will generate w. The maximal stack height is
h. Formula w was defined in such a way that the information required
from the input tape can be read off from left to right as the algorithm
proceeds. Variable indices are easily computed from the stack height since
they are in unary.
This computation clearly uses just log space. We need show that it
takes just linear time. The time required is less than a constant multiple of
the length of h, o(x0, , Xh)', the length of this formula is in turn less than
a constant multiple of the combined lengths of variable indices occurring
within it. By induction on i, variable Xk occurs no more than 3 2i-k times
in ij when k < i and Xi occurs just twice. Hence, the combined lengths
of variable indices occurring in h,o amounts to no more than
Thus, the computation requires just linear time. Notice that each variable
in w is quantified just once so it is easily arranged that the same is true
of
w-
If necessary we can add dummy quantifiers at the beginning of 'w to

make its length at least cn. Thus, if w A, then 'w is true in some model
of size at most T(|w|). If w
, then 'w is true in no model. Suppose,
on the contrary, that 'w is true in some model . Consider the submodel
of
obtained by restricting to the elements which can be reached from
0 by finitely many applications of successor. The values of STATE (x,t),
HEAD(x,t), and SYMa(x, t) on this submodel describe a run of M on
input w. Since we have incorporated a timer which halts M on every run,
this submodel is finite. But then the last element t in this submodel has
no successor, so the state x for which STATE(x, t) holds is final. Thus, M
accepts w, a contradiction.
This completes the first part of the proof. We now show how to combine
m + 3 binary relations into one.
To simplify notation, let us rename the relation symbols P0,P1,...,
Pm+2. Suppose ' is a model of 'w. Before describing how to transform
'w into w, we describe the model of w corresponding to '. First form
the disjoint union of the interpretations of P0, P1,..., Pm+2 in '. We have
then relations R 0 ,R1,...,R m+ 2 on disjoint domains B0, B1,.. .,Bm+2.
Their union is a single binary relation R on the domain B = <m+2
Now enlarge R so that R (B0 x Bi) is the natural bijection from B0 to Bi
156
when 1 i m + 2. Next, enlarge B by adding elements bo,b0,...,

and then add the pairs (bi, b) to R for each i m + 2 and b Bi. Define
to be (B, R}. We see that if bo, bi,..., bm+2 are known, then the relations
RO , R1 , . . . , Rm+2 can be recovered in and in fact we may use the natural isomorphisms from B0 to Bi to define an isomorphic image of ' with
domain B0.
Relativize the quantifiers of 'w to a unary relation symbol D, thereby
forming ('w)D. This sentence contains relation symbols D, Po, P1, . . . ,
Pm+2. Put the explicit definitions [D(x) P(x0,x)], [P0(x, y) = P(x, y)],
and, for 1 i m + 2,
before this formula. Here x0, x1 , . . . , xm+2 are new free variables whose intended interpretations in are bo,b1,..., bm+2. Now existentially quantify
X0 , X 1 , . . . , xm+2. There is a reset log-lin reduction that takes the resulting
formula to an equivalent prenex formula w . (Since each variable in 'w is
quantified just once the relativizations may be pushed inward. Then since
all of the explicit definitions are of fixed length, conversion to prenex form
is straightforward.)
If M accepts w, then 'w is true in some model ' of power at most
. It follows that w is true in some model of power at most
We can assume this quantity is less than T( w) by lengthening w with

dummy quantifiers if necessary and using the definition of time resource
bound to infer that (m + 3)T(n) T((m + 3)n). If M does not accept w,
then w has no models and hence neither does w. Finally, it is easy to
arrange that every variable in w is quantified just once.
I
Remark 4.2. Inspection of the construction of sentences w in Theorem 4.1 reveals that for every constant b > 0 there are constants c0 and c\
such that \w\
C1\w\ + C0 whenever 0 < c < b. The constant c1 depends
only on the size of the input alphabet A and the constant b. (This will be
useful in the proof of Theorem 4.5.) On the other hand, the constant C0
depends on the particular Turing machine M whose runs w describes.
Corollary 4.3. Let T1(n) and T2(n) be time resource bounds such that
NTIME(T2(n)) - NTIME(T1(n))
0.
Suppose that limn 00T1(n)/n = . Then there is a constant c > 0 such

that for each set of satis fiable sentences with satT2(Lo)
,
157
Proof. Let A be an element of NTIME(T2(n)) - NTIME(T1(n)), where

A C A*. By Theorem 4.1 there is a reset log-lin reduction taking each
w A* to a sentence w in L0 so that A is mapped into satT2(L0) and
A* - A is mapped into inv(L0). Suppose that this reduction takes at most
time b\w\.
Let c = 1/6 and be a set of satisfiable sentences containing satT2(Lo).
Suppose that NTIME(T1 (cn)). To decide if w A we will compute w
in time b\w\, and then determine if w
using a T1(cn) time-bounded
nondeterministic Turing machine. Certainly \w\
b\w\ so the composition of these two reductions takes time at most b\w\ + T1(bc\w\). We
know that \w\ TI(\W\) so this time is bounded above by (b + l)T1(|w>|).
Since limn T1(n)/n =
we can apply the linear speed-up theorem (see
Hopcroft and Ullman [1979]) to show that A NTIME(T1(n)), a contradiction. Therefore,
NTIME(T1(cn)).
Remark 4.4. We see from Corollary 4.3 that application of our results
relies on the ability to separate nondeterministic time complexity classes.
The strongest result in this direction for time resource bounds in the range
bounded above by e x p ( n ) is due to Seiferas et al. [1978]. It says that if
T2(n) is a time resource bound and T 1 ( f ( n + 1)) 6 (T 2 (f(n))) for some
recursively bounded, strictly increasing function f(n), then
NTIME(T2(n)} - NTIME(T1(n))
0.
This theorem has interesting implications for us. Let T(n) be a time
resource bound. Take T1(n) = T(dn), where 0 < d < 1, T2(n) = T(n), and
f ( n ) = n. The Seiferas-Fischer-Meyer theorem tells us that if T(dn + d) =
o(T(n)), then
NTIME(T(n)) - NTIME(T(dn))
0.
By taking a slightly smaller d the hypothesis may be simplified to T(dn) =

o(T(n)). By Corollary 4.3 there is a constant c > 0 such that if is a set
of satisfiable sentences with satT(L0)
, then
NTIME(T(cn)).
Most time resource bounds that occur as complexities of theories satisfy
the hypothesis T ( d n ) o(T(n)). Among them are the functions exp, (n)
when r
1, 2n/ logn , and 2nk . Powers do not satisfy this hypothesis, so
when T(n) = nk where k > 1, we can only conclude that
NTIME(g(n))
for all g(n) such that g ( n ) = o(nk).
By considering just one time resource bound T ( n ) we gain another
advantage: we can prove a fully-fledged inseparability theorem. This will
allow us to obtain NTIME lower bounds for problems of the form val( ),
as well as problems of the form sat( ).
Theorem 4.5. If T is a time resource bound such that for some d between
158
0 and 1, T(dn) = o ( T ( n ) ) , then there is a constant c > 0 such that

and inv(L0) are NTIME(T(cn))-inseparable.
Proof. Corollary 4.3 and the preceding remark show that there is a c > 0
such that if satT(L0) C and inv(L0)
= 0, then
NTIME(T(cn)).
(The corollary applies since limn T(n)/n = when T(dn) = o(T(n)).)
We must show that there is a c' > 0 such that if satT(Lo)
and
inv(Lo)
= 0, then , the set of sentences from L0 not in , is not in
NTIME(T(c'n)).
Let b be a positive constant (say 1). By Theorem 4.1, if A C A* is in
NTIME(T(c'n)) for 0 < c' < b, there is a reset log-lin reduction taking
each w 6 A* to a sentence w of L0 such that A is mapped into satT(Lo)
and A is mapped into inv(L0). We know also from the remark following
Theorem 4.1 that \w\ CI\W\ + c0, where c1 is a constant depending only
on A and b, not on d or A. Take c' small enough that c'c1 < c.
Now consider a set such that satT(L 0 )
and inv(Lo) 1 = 0. We
must show that
NTIME(T(c'n)) so suppose the contrary. We can take
A in the previous paragraph to be so there is a reset log-lin reduction
mapping into satT(Lo)
and
into inv(Lo)
. This reduction
takes an input w to a sentence w in time at most b\w\.
Thus, we can determine whether w
by computing w and determining in nondeterministic time T(c'n) if w F. Hence,
NTIME(bn + T(c'(c0n + c1))) C N T I M E ( T ( c n ) )
a contradiction.
Remark 4.6. For simplicity, Theorem 4.5 was stated for sets
and inv(Lo). By Theorem 4.1 it remains true if we take instead
and the set of prenex formulas in inv(L0). Similarly, Theorem 4.3 holds if
we restrict to prenex sentences.
Inseparability results for monadic second-order

theories
In this section we develop inseparability results for monadic second-order

theories analogous to those for first-order theories in section 4. The appropriate complexity classes here are the linear alternating time classes rather
than nondeterministic time classes. Because linear alternating time classes
are closed under complementation, we do not need a special argument like
the one used in Theorem 4.5 to obtain inseparability results. Also, lower
bounds are obtained by simple diagonalization, rather than more sophisticated results such as the theorem of Fischer, Meyer, and Seiferas used in
the previous section.
159
As before, inseparability results are closely related to satisfiability problems that are hard for certain complexity classes. The classes are of the
form
ATIME(T(cn),cn)
which is in many ways more natural than
ATIME(T(cn),n).
If there is a reset log-lin reduction from a problem to a class of the first
form, then we may conclude that
is also in the class. We know of no
speed-up theorem for alternations, so we cannot make the same claim for
classes of the second form.
One of the main results of the section is Theorem 5.2, an analogue of
Theorem 4.1. We could prove this result along the same lines as Theorem 4.1, but we obtain a somewhat sharper result if we appeal to a result
of Lynch [1982] relating nondeterministic time classes to the spectra of
monadic second-order sentences. Lynch encodes Turing machine runs in a
way different from the classical method used in the last section. Rather
than explicitly accounting for symbols at each tape position and time in a
machine run, he keeps track of just the symbol changed (not its position),
the symbol which replaces it, and the direction of head movement at each
time. If the underlying models have enough structure, it is possible to
express derivability between instantaneous descriptions of nondeterministic
Turing machines with just this information. Lynch shows, in particular,
that this is the case if the underlying models have an addition relation
PLUS(x, y, z) which holds when x + y = z.
We begin, therefore, by considering the monadic second-order logic
ML+ whose vocabulary contains just a ternary relation symbol PLUS,
and M+, the monadic second-order theory of addition on initial segments
of the natural numbers. M+ can be axiomatized by a set of first-order
sentences. Explicitly define a relation
by
Then M+
says that
is a discrete linear order with least element 0 and
(The immediate predecessor of an element x is denoted z 1; the immediate

successor is denoted x + 1.) Note that even though M+ consists of firstorder sentences, satT(ME+) is the set of monadic second-order sentences
true in some model of M+ of size at most
160
Theorem 5.1. Let T(n) be a time resource bound and A an alphabet.

Given a problem A C A* in Uc>o ATIME(T(cn),cn), there is a prescribed
set
of sentences over ML+, and a reset log-lin reduction taking each
w . A* to a sentence w in such that if w A, then w satT (M+),
a n di f w ,
then w
inv*(ML+).
Proof. Fix c > 0; we may take c to be an integer. Let M be an alternating Turing machine that accepts A in time T(cn) with at most en
alternations. As in Theorem 4.1 we may assume that on all inputs, all runs
of M eventually halt: incorporate into M a deterministic 'timer' which
halts after some number of moves given by a fully time constructible function dominating T(cn). We assume for simplicity that M has just one tape;
extending to multitape Turing machines requires only minor modifications.
Let a 1 , . . . , am be the tape symbols used by M.
Let r = {0,... ,r 1} be a finite ordinal and + be the usual addition
relation on r, so that (r, +) is a model of M+. In this model we represent
an instantaneous description of M by a sequence of sets X 1 , . . . , Xm+2 = X,
where sets X1,..., Xm partition r and Xm+1 is a singleton set, and Xm+2
is singleton set whose element is one of the states of M. The set of states
is identified with an initial interval of r. We intend that the symbol ai is at
position x when x Xi, that the head scans position x when x Xm+i,
and that M is in state x when x Xm+2 We will need to restrict to initial
intervals in our models because when we consider truth in weak models at
the end of the proof we may not be able to quantify over all subsets, but we
can arrange to quantify over subsets of finite initial intervals. Let ID(x, X)
be the formula specifying that sets X 1 , . . . , Xm partition the interval [0, x],
Xm+1 and Xm+2 are singleton sets contained in this interval, and the
element in Xm+z is a state.
Recall that each state of M is of one of four types: universal, existential,
accepting, and rejecting. Let
be formulas indicating that ID(x, X) holds and the state for the instantaneous description represented by X is of the corresponding type.
Lynch [1982] shows that for each nondeterministic Turing machine M'
there is a monadic second-order formula nM'(X, y) that holds in (r, +)
precisely when X and Y represent instantaneous descriptions for M' and Y
can be obtained from X within r or fewer moves of M' by a computation in
which the head does not reach a tape position greater than or equal to r. We
can regard the alternating Turing machine M as a nondeterministic Turing
machine simply by ignoring state types. We also form the nondeterministic
Turing machine M' by eliminating transitions out of all states in M except
existential states and then ignoring state types, and M" by eliminating
161
transitions out of all states in M except universal states and then ignoring
state types. Let (x,X,y) be the formula
.
Let n (x,X,y) be the formula
Let
be the formula
That is, (x, X, y) expresses derivability between instantaneous descriptions on the interval [0, x]; ( x , X , y ) ( n ( x , X, y)) expresses the same
except that all states, excluding possibly the last, are existential (universal).
Notice, in particular, that n ( x , X , X ) holds for all X. Let TERM(x ,X]
be the formula
and TERM ( x , X ) be the formula
Let
w(x, X) be a prenex sentence asserting the following:

(a) Relation
is a discrete linear order with a least element and a
greatest element; every element other than the greatest has a successor.
(b) The relation PLUS(x 0 ,, x1, x2) holds if and only if either x0 = x2
and x\ = 0 or PLUS(xo, x1 l,x% 1) holds.
(c) There is a set Y with no elements. For every set Y and element y
there is a set Y U {y}.
(d) If y is an element such that for all Y satisfying ID(y, y), TERM(y,
X, y) implies ACC(y, y) or REJ(y, y), then x y.
(e) The sequence X represents the instantaneous description for an
input tape with w written on it, the head scanning the first position,
and M in the initial state.
Each of these items can be expressed by a fixed sentence except the part
of condition (e) concerning the input tape. The prenex formula expressing
this part is constructed in the same way as in Theorem 4.1. As in that
construction, it follows that there is a reset log-lin reduction taking w to
162
Consider any weak model 21 in which conditions (a)(c) hold. For the
moment, let us suppose that the element x from the universe of is finite,
i.e., a finite distance from the least element 0. (By condition (a), this
is a well-defined notion.) Condition (b) ensures that PLUS restricted to
the interval [0,..., x] in
is the usual addition relation. Condition (c)
ensures that quantification over subsets of {0,..., x} in the weak model
is quantification over all subsets of {0,...,a;}. Thus, for finite x, the
formulas n ( x , X, y),
(x, X, y), and
(x, X ,y) have interpretations in
corresponding to computations of M as described above.
Now in consider x and X satisfying conditions (d) and (e). (We no
longer stipulate that x is finite.) Since all runs of M on input w halt, say
within k moves, we see that every such x is at most distance k from 0.
(Note that this is the case even if there is no y as described in (d).) Thus,
such an x will be finite and the observations of the previous paragraph
pertain.
Let (x, X) be the formula
Let
be the sentence
where n = \w\. Clearly, there is a prescribed set of sentences containing

every w. It is also clear that if w A, then w is true in some model of
size at most T w because in such models P interprets acceptance by M
for x = T(cn).
If w
, then pw is true in no model. Suppose on the contrary that
is true in . Then in there are x and X such that w(x, X) and
w
P(x, X) hold, where P is given by the implicit definition
By the remarks above, x must be finite, and hence P describes an accepting

computation of M on input w, which is a contradiction.
I
The next theorem, the analogue of Theorem 4.1, follows from the previous theorem and a result of Kaufmann and Shelah [1983].
Theorem 5.2. Let T(n) be a time resource bound and A an alphabet.
Given a problem A C A* in c>o ATIME(T(cn),cn), there is a prescribed
set
of sentences over MLo, and a reset log-lin reduction taking each

w A* to a sentence
and if w
, then w
in such that if w A, then

inv*(MLo).
163
w
satT
Proof. By the previous theorem we need only show that there is a formula
(x,y, z) from MLo such that for each finite ordinal n = {0, . . . , n 1} there
is a binary relation R on n such that
(X, y, z) is an addition relation on n,
where = (n, R). Kaufmann and Shelah [1983] prove a much stronger result: there is a formula (x, y, z) such that for almost every binary relation
R on n,
(a;, y, z) is an addition relation on n, where = (n, R).
For the sake of completeness, we sketch a proof of the simpler result that
there is a formula that codes an addition relation on 'some binary relation
of each finite power.
First suppose that the vocabulary for the logic has three binary relation
symbols P1, P2, P3, rather than just one, and that they interpret binary
relations R1, R2, R3 on m. To simplify the proof we assume that m =
r3. It is easy to specify a formula (X) saying the relations RI, R2, R3
restricted to m x X are functions, respectively denoted f1, f2, f3, and
that (f1(x),/2(x),/3(x)) ranges over each triple in X3 precisely once as x
ranges over m. Thus |X"|= r and we have defined a bijection between m
and X3. Since we can quantify over subsets of m, we can quantify over
ternary relations on X when (X) holds. Therefore, we can, without much
trouble, define an addition relation on X. Also, we can extend this relation
to define addition modulo r. But then it is easy to define addition on m
using the bijection between m and X3.
Using the construction in the proof of Theorem 4.1, the three binary
relations R1 , R2 , R3 on a set of size m = r3 can be coded as a single binary
relation on a set of size n = 3(m + 1). This set has three disjoint subsets
of size m on which addition and addition modulo m can be coded. It is not
difficult now to define addition on all of n. Thus, there is a binary relation
on n from which an addition relation can be defined when n is of the form
3(r3 + 1). With a little effort this construction can be made to work for
arbitrary n.
I
We now state an analogue of Corollary 4.3.
Corollary 5.3. Let T1{n) and T2(n) be time resource bounds such that
ATIME(T2(n),n) - ATIME(T1(n),n)
0.
Suppose that l i m n - + T 1 ( n ) / n =.
Then there is a constant c > 0 such
that for each set
of satisfiable sentences with satT2(MLo)
,
ATIME(T1(cn),cn).
The proof is the same as for Corollary 4.3. Note, however, that we rely
on a result that says the linear speed-up theorem applies to alternating
164
Turing machines. We must also use Theorem 3.6 to obtain a reset loglin reduction from a prescribed set of sentences over ML0 to equivalent
sentences in ML0.
We also have an analogue for Theorem 4.5.
Theorem 5.4. // T is a time resource bound such that for some d between 0 and 1, T(dn) = o(T(n)), then there is a constant c > 0 such that
and inv(MLo) are ATIME(T (cn), cn) -inseparable.
Proof. The proof is much simpler than that of Theorem 4.5. We can
separate ATIME(T(n), n) and ATIME(T(dn), dn) using a straightforward
diagonalization, so we do not appeal to the more difficult methods used
in separating NTIME classes. Then we use the previous corollary to show
that for some c > 0, if satT(ML 0 )
and inv(ML0)
= 0 then
ATIME(T(cn),cn). Since ATIME(T(cn),cn) is closed under complementation, we have that satT(ML 0 ) and inv(MLo) are ATIME(T(cn),cn)inseparable.
Remark 5.5. By Theorem 5.1, Theorems 5.3 and 5.4 hold with
and inv(ML+) in place of satT(MLo) and inv(MLo).
It is also important to note that even though we reduced the prescribed
sets of sentences in these theorems to equivalent sets of monadic secondorder sentences, it is the prescribed sets which are used to obtain lower
bound results. For example, in the proof of Theorem 5.4 we actually
showed that there is a prescribed set
of sentences over ML0 such that
satT(ML0) n and inv*(ML0) are ATIME(T(cn),cn)-inseprable. In
sections 6 and 7 we will find lower bounds for various theories from logics L by finding a reset log-lin reduction from
to ', a prescribed set
of sentences over L, so that satT(ML 0 )
is mapped into sat*( )
and inv*(ML0)
is mapped into inv*(L) n ' . Thus, for some c > 0
sat*( )
and inv*(L) n
are ATIME(T(cn),cn)-inseparable. Then
by Theorem 3.6, sat( ) and inv(L) are ATIME(T(cn),cn)-inseparable.
We present several useful tools for establishing NTIME lower bounds for
theories by interpreting models from classes of known complexity. We
begin with some definitions regarding interpretations of classes of models
and give a general outline of how interpretations are used to obtain lower
bounds. Theorem 6.2, a specific instance of the method, follows from the
results in section 4. It tells how to obtain lower bounds by interpreting
binary relations. We then show in Theorem 6.3 how to interpret binary
relations in finite trees of bounded height. As a consequence we obtain
hereditary lower bounds for theories of finite trees of bounded height and
a tool for obtaining further lower bounds by interpreting classes of these
165
trees in other theories. We obtain similar results for classes of finite trees
of unbounded height in Theorem 6.7 and its corollaries.
Let be a theory in a logic L' and Co, C1,C2, be classes of models
for a logic L whose vocabulary consists of relation symbols P1 , . . . , Pk . Let
x1 , . . . , Xk, be sequences of distinct variables with the length of xt equal to
the arity of Pi. Suppose that there are formulas n(x, u), 1 / n ( X I , U ) , . . .,
(xk, u) from L' which are reset log-lin computable from n (expressed in
unary notation) so that for each
Cn we have a model ' of
and
elements m in ' with
isomorphic to . The parameter sequence u is allowed to grow as a function

of n. The sequence {In | n 0} where
is called an interpretation of the classes Cn in S. The interpretation is

a simple interpretation if the formulas n,1/n, . . . , kn are fixed with respect to n; this is the situation traditionally found in logic. The interpretation is a prenex interpretation if the formulas n,1/n, . . . , kn are all in
prenex form. The interpretation is an iterative interpretation if the formulas n,1/n . . . , kn* are given by iterative definitions. By this we mean that
there are formulas
and integer functions f, g 1 , . . . , 9 k which are reset log-lin computable (using

unary notation) such that 5n is the formula given by the iterative definition
and in is the formula given by the iterative definition
as in Theorem 3.3. Notice that we may regard simple interpretations as

special cases of either prenex or iterative interpretations.
There is a slightly more general point of view toward interpretations
which is sometimes useful. Suppose C'0
C'1
C'2
are classes of
models of
such that for each n
0 and
Cn, the model
in the
above definition can be found in C'n. Then we will say that we have an
interpretation of the classes Cn in the classes C'n. Sometimes we will not
mention
at all when discussing interpretations in this context. In that
166
case we must say whether we intend the classes C'n to be models for a firstorder or for a monadic second-order logic. Thus, we will say that there is an
interpretation of the classes Cn in the first-order (or monadic second-order)
classes C'n.
Interpretations, inseparability, and prescribed sets are the cornerstones
of our method. Suppose we have an interpretation of classes Cn in classes
C'kn for some nonnegative integer k. (In most cases ; is 1 but occasionally
we need a larger value.) Suppose also that there is a prescribed set of
formulas over L such that
{
is realized in some
Cn where
= n}
and inv*(L) are NTIME(T(cn))-inseparable for some c > 0. (A formula

is realized in if it is true in for some assignment to its free variables.)
Now map each formula in to the formula ' given by
where n =
. By adding dummy quantifiers in the right places we can ensure that
kn. If is realized in some model in Cn, then
is realized
in some model in C'kn. If i is true in no model, then ' is true in no model.
(There is a minor point which should be addressed here. To be completely
rigorous we should require for all models ' that
(x) 0 since certain
formulas in inv*(L) may become true when relativized to an empty relation. For example, consider the sentence x (x x). We can always meet
this requirement by replacing 6n(x) with the formula n(x) V x-n(x)
so we can ignore this point in subsequent discussions.) When we have a
prenex interpretation or an iterative interpretation and the definitions in
' are replaced by the appropriate iterative definitions, the sentences all
belong to some prescribed set
of formulas over L'. (If the interpretation
is iterative, then by definition the parameter sequence cannot grow with
n.) We have now that
is realized in some
C'n where
= n}
and inv*(L') are NTIME(T(cn))-inseparable for some c > 0. It follows by

Theorem 3.6 that sat( ) and inv(L') are NTIME(T(cn))-inseparable for
some c > 0 so has a hereditary NTIME(T(cn)} lower bound.
Now let us broaden the definition of interpretation to cover instances
where the formulas n and 1 n , . . . , kn contain free relation variables which
also receive prenex or iterative definitions. For example, if these formulas
contain a free unary relation variable Q we would write
167
for
, the formulas n having the same sort of restrictions as dn and
1n, ... ,kn. In this case we would have
as the elements of our interpretation. If these formulas have all prenex

definitions we could use Theorem 3.1 to rewrite n and 1/n, ... , kn so that
Q occurs just once and substitute 9n for occurrences of Q. For iterative
definitions, we know of no similar substitution which eliminates Q and keeps
the length of
linearly bounded in n. Fortunately, such a substitution
is not needed and is even undesirable. By taking a top-down approach to
the construction of interpretations, building complex relations from simpler
relations, we make our task easier and exposition clearer.
We extend our definitions of simple, prenex, and iterative interpretation
to this more general situation. (In principle, some definitions could be
prenex and others iterative, but this does not seem to occur in practice.)
We see that hereditary lower bounds are obtained using interpretations
to transfer inseparability results from one prescribed set of formulas to
another. One of the advantages of this method is that by establishing
lower bounds in this manner, we also establish tools for proving further
lower bounds. In the situation described above, if we have another prenex
or iterative interpretation of classes C'n in classes C'n of models of A, then
we can use C'n and
in place of Cn and to establish a lower bound for
A. Compare with the well-known methods for establishing NP-hardness of
a problem by reducing to a problem already known to be NP-hard. After
the first lower bound or hardness result has been proved one should never
again have to code Turing machines.
It is worth noting what happens when the interpretation used to establish a lower bound is not prenex or iterative. In that case we do not know
that there is a reset log-lin reduction taking formulas
defined above
to equivalent formulas in L''. As we mentioned in section 3, the shortest equivalent formula in L' we know how to obtain has length (n log n)
in the worst case. We can only conclude that sat( ) and inv(L') are
NTIME(T(cn/log n))-inseparable for some c > 0 so has a hereditary
T(cn/log n) lower bound. Successive applications of such interpretations
give increasingly worse bounds. After k interpretations the lower bound
would be T(cn/(log n)k) rather than T(cn). In the case where the formulas in are in prenex form already we do not have this loss in the lower
bound, but even then, when the interpretation is not prenex or iterative,
we cannot use the classes Cn to obtain further lower bounds without a subsequent loss. We have introduced prenex and iterative interpretations to
avoid these losses. In our experience prenex and iterative interpretations
not only achieve sharp lower bounds, but also are easy to manage and occur
quite naturally in applications.
168
Within this framework we can also accommodate the more general kind
of interpretation in which the domain of the interpreted model is not a
subset of ', but a set of k-tuples from ', and the equality relation is
interpreted by an equivalence relation definable in
. We have found
this to be necessary for only two theories treated here and so we avoided
stating these definitions in the fullest generality. However, it would not have
been difficult to introduce these features explicitly. (See Examples 8.12
and 8.14.)
Although we have emphasized inseparability results, we should not lose
sight of the fact that the starting point for our reductions, Theorem 4.1, is
a hardness result: every set -T of satisfiable sentences with satT(Lo)
is hard for the complexity class
NTIME(T(cn))
c>0
via reset log-lin reductions and for the class
NTIME(T(nc))
c>0
via polynomial time reductions. Thus, all our inseparability results can be
reformulated as hardness results. We summarize the previous discussion
and make this point precise in the following theorem:
Theorem 6.1. Let Co,C1,C2,... be classes of models such that for some
prescribed set
of formulas over a first-order logic L,
is realized in some
Cn where
= n}
and inv*(L) are NTIME(T(en))-inseparable for some c > 0. Let C'0 C

C'1 c'2 be classes of models of a theory
in a logic L'. If there is
a prenex or iterative interpretation of the classes Cn in the classes C'kn for
some nonnegative integer k, then the following are true.
(i) The sets sat( ) and inv( ) are NTIME(T(cn))-inseparable for some
c> 0.
(ii) If for some d between 0 and 1, T(dn) = o(T(n)), then has a hereditary NTIME(T(cn)) lower bound.
(iii) For each '
val( ), sat( ') and val( ') are both hard for the
complexity class
NTIME(T(cn))
c>0
via reset log-lin reductions.
(iv) For each
complexity class
169
NTIME(T(nc))
c>0
via polynomial time reductions,

(v) There is a prescribed set
of sentences over L' such that
'
is realized in some
C'n where
and inv*(L') are NTIME(T(cn))-inseparable for some c > 0.

Usually when we apply our method we state the result as in (ii) for
brevity, but the reader should be aware that all of the conclusions hold.
The following result is an immediate consequence of the above theorem
and Theorem 4.5. It is one of the most useful tools for establishing NTIME
lower bounds.
Theorem 6.2. Let T(n) be a time resource bound such that for some d
between 0 and I, T(dn) = o(T(n)). Let Cn be the class of binary relations
(i.e., structures for L0) on sets of size at most T(n) and
a theory in a
logic L. If there is an interpretation of the classes Cn in , then has a
hereditary N T I M E ( T ( c n ) ) lower bound.
The first application of this result is to first-order theories of finite trees
of bounded height.
Recall that we express first-order properties of trees in the logic Lt
whose vocabulary contains just a binary relation symbol which interprets
the parent-child relation. Let r be the theory of finite trees of height at
most r and
be the theory of finite trees of arbitrary height. Define
MT and M
similarly for the monadic second-order logic MLt.
Let Tk be the class of finite trees of height k. We inductively define certain restricted classes of finite trees in which the classes Cn in Theorem 6.2
are interpreted. For each m > 0 let Tm0 be the class To (all of whose
elements are isomorphic). The class Tmk+1consists of those trees whose
primary subtrees are all in km, but such that no more than m primary
subtrees may be in the same isomorphism class. Clearly, km C Tk and
isomorphism types, then
Tmk+1contains at most (m + 1)t isomorphism types.
From the following theorem we obtain hereditary lower bounds for theories of finite trees of bounded height and another useful tool for obtaining
other lower bounds.
Theorem 6.3. Let Cn be the class of binary relations on a set of size
exp r _ 2 (n) and m = m(n) be the least integer such that m logm n. Then
there is a prenex interpretation of the classes Cn in the first-order classes
mr when r > 3 and in the first-order classes T 2m r when r = 3.
Proof. Note that m = O(n/logn).
n}
170
First, consider the case r > 3. Define m(x,y) to be a formula, with

free relation variable Q, which says that for all children t1,...,t m of x,
there are children u1 , . . . , um of y such that Q(ti, ui) holds for 1 i < m,
and
We wish to write m as a prenex formula which can be computed from n (in

unary) by a reset log-lin reduction. Unfortunately, the displayed formula
has length (n 2 ) so we replace it with
which is reset log-lin computable from n. Hence, we can write

prenex formula which is reset log-lin computable from n.
When k > 0, the iterative definition
as a
defines an equivalence relation on the vertices of height less than k. For

k = 1, Q is an equivalence relation on the leaves, which are precisely the
vertices of height 0. This relation makes all leaves equivalent. Increasing
k to 2, we must extend the relation to vertices of height 1. These are the
vertices adjacent to a leaf and all of their children are leaves. Two such
vertices are equivalent if they either have the same number of children or
both have at least m children. In general, for larger k we extend the relation
to vertices of height k 1 leaving the relation unchanged for lower heights.
Two vertices of height k 1 are equivalent if for each equivalence class
represented among their children (on which the relation has already been
defined), they either have the same number of children in the class or both
have at least m children in the class. When k = r we have an equivalence
relation on the set of all vertices in a tree of height r except the root. By
Theorem 3.3 there is a reset log-lin reduction taking the iterative definition
to an equivalent explicit definition
171
Moreover, since r is fixed we can arrange that mr is a prenex formula.

We will say that two vertices x and y in a tree of height r have the same
mr -type if
(x, y) holds.
Define n(x) to be a prenex formula that says x is a child of the root, x
has at least one child, and no two distinct children of x have the same
type. Define nn(x, y) to be a prenex formula that says d(x) and (y) hold
and there is a child z of the root coding (x, y). By z coding (x, y) we mean
that for every
type, if x and y have no child of that type, then neither
does z; if x has a child of that type but y does not, then z has precisely
two children of that type; if x has no child of that type but y does, then z
has precisely three children of that type; and if x and y both have a child
of that type, then z has at least four children of that type. (For this coding
to work, m must be at least 4, but this is not really a problem because if
m < 4, then n < 5 and we can easily formulate interpretations of Cn in 77
when n < 5.) Both n(x) and n(x, y) are reset log-lin computable from n.
Now it is easy to show by induction on k that if x and y are vertices
of height at most k, where k < r - 1, and if the two subtrees formed
by restricting to x and its descendents, and to y and its descendents, are
nonisomorphic trees in T k m, then x and y have different mr types. We
know that
= (m + l)m+1 >2n
and that if |Tkm| = t, then \Tmk+1\ = (m + 1)t so \Tmk\ > expk_1(n) when
k 2. Thus, for vertices of height r - 2 there are at least exp r _ 3 (n)mrtypes. If a; is a child of the root satisfying n(x), its children are of height
at most r 2 and it has either 0 or 1 children of each possible mr-type.
Thus, it is possible to distinguish between as many as exp r _ 2 (n) vertices
x satisfying n(x). Clearly, if 6n(x) and n(y) hold, (x, y) can be coded by
some child of the root. It is easy to see that every binary relation on a set
of size at most exp r _ 2 (n) is isomorphic to {n(x),7r*(x, y)) for some tree
in mr. This concludes the case r > 3.
Now we consider the case r = 3. The construction just given shows that
every binary relation on a set of size at most 2m = 2'n/log n' is isomorphic
to (n (x) , n (x , y)} for some tree in Tm3 We must work harder to remove
the log n denominator in the exponent; to do this we must interpret Cn in
T2m3
We begin by specifying formulas m(x, y) and m(x, y) which will define

equivalence relations on vertices of height 2. The formula 0'm(x, y) says that
for all children t1, . . . , tm of x with at least 1 but no more than m children,
there are children u1 , . . . , um of y with at least 1 but no more than m
children, such that m2(ti,ui) holds for 1 i m, and ti tj
ui, = uj
holds for 1 i,j < m. The formula n' m (x,y) says that for all children
t1,...,t m of x with more than m children, there are children u1 , . . . , um of
y with more than m children, such that 2m2(ti, ui) holds for 1 i < m,
172
and ti = tj
Ui = Uj holds for 1 i, j m. Using the same argument as
above we can say that m(x,y) is a prenex formula which is reset log-lin
computable from n and equivalent to 'm(x, y) m(y, x), and similarly for
m(x,y).
Since m and m define equivalence relations on the set of vertices of
height 2 we can speak of the m-type and m-type of a vertex x of this
height. Define vi(x) to be the minimum of m and the number of children
of x with precisely i children. Define v+i (x) to be the minimum of m and
the number of children of x with at least i children. The m-type of x
is precisely determined by the values v1(x), . . . , vm(x) and the nm-type by
the values v m +1(x), . . . ,v2m-1,v+2m(x).We see then that the m -type and
the m -type of a vertex are independent, and that there are mm+1 > 2
m -types and the same number of m -types.
Let n(x) be a prenex formula that says x is a child of the root and
V0(X) 0. Let n (x, y) be a prenex formula that says 6n(x) and 6n(y) hold
and there is a child z of the root such that V0(Z) > 1 and m(x,z) and
(z,y)
hold.
It is easy to arrange that n(x) and n(x, y) are reset log-lin computable
from n. Each binary relation on a set of size at most 2 is isomorphic to
for some tree in 2m3.
Corollary 6.4. Let r 3. r has a hereditary NTIME(expr_2(cn)) lower
bound.
Corollary 6.5. Let r
3 and
be a theory in a logic L. If there is
an interpretation of the classes mr log n in , then has a hereditary
NTIME(exp r _ 2 (cn)) lower bound.
Remark 6.6. For each r
3 there is a constant d > 0 such that every tree in trn/log n has at most exp r _ 2 (dn) vertices. Hence, we can view
Corollary 6.5 as a significant improvement over Theorem 6.2 for obtaining
NTIME(expr_2(cn)) lower bounds: rather than interpreting all binary relations on sets of size exp,,_2(cn) we need only interpret all trees of height
r on sets of this size. In applications it is often much more natural to
interpret trees than binary relations. See also Theorems 7.5 and 7.9.
We next prove results similar to Theorem 6.3 and Corollaries 6.4 and 6.5
for finite trees of unbounded height.
exp (n 3). Then there is a prenex interpretation of the classes Cn in the
first-order classes T2n.
Proof. Recall from the proof of Theorem 6.3 the formula mr which defines
an equivalence relation on the set of all vertices in trees of depth r except
the root. In that proof r was fixed, so we could assume that mr was in
prenex form, and TO increased with n. In this proof we fix TO = 2 and
173
consider formulas . We see now that

has an iterative definition. By
induction on k, there can be as many as exp(k;) 2n-types among vertices
of height k < n in a tree in 2n
We define n and n in essentially the way as in Theorem 6.3. The
only difference is that when a vertex z coded a pair (x, y) there, z could
have up to four children of the same type. Here, in trees from 2n, we have
at most two, so we refer to types of grandchildren rather than children.
Thus, we interpret binary relations on sets of size e x p ( n 3) rather than
n - 2).
Corollary 6.8.
, has a hereditary NTIME(exp(cn))
lower bound.
Corollary 6.9. // there is an interpretation of the classes T2n in a theory

, then has a hereditary NTIME(ex.p(cn)) lower bound.
The theorems in this section are counterparts of those in the last section. In
order to obtain linear alternating time lower bounds for logical theories we
must introduce a stronger form of interpretability which we call monadic
interpretability. Theorems 7.2 and 7.3 tell how to obtain lower bounds
by monadic interpretation of addition relations and binary relations. We
then show, in Theorems 7.4 and 7.7 that binary relations have monadic
interpretations in certain classes of trees of bounded height. From these
results we obtain useful tools for establishing linear ATIME lower bounds,
and lower bounds for monadic second-order theories of trees of bounded
height.
Suppose is a theory in a logic L' and C o , C i , C 2 , . - - are classes of
models for a monadic second-order logic ML whose vocabulary consists
of relation symbols P1, ... .Pk. Suppose that there are formulas 6n(x, u),
reset log-lin computable from
n, so that for each
Cn there is a model ' of and elements m in '
with
isomorphic to
, and the sets
range over all subsets of n (x, m) as p ranges over '. The parameter
sequence u is allowed to grow as a function of n but t must remain fixed.
The sequence {In | n 0} where
In =
is called a monadic interpretation of the classes Cn in . We define simple,

prenex, and iterative monadic interpretations similarly to definitions in the
174
Kevin J, Compton and C. Ward Henson
previous section. We also define the notion of monadic interpretation of

classes Cn in classes C'n as in the previous section.
Evidently, a monadic interpretation of classes Cn is nothing more than
an interpretation where the models in Cn are regarded as models for a
monadic second-order logic. Note that if we have an interpretation of
classes Cn in a theory
in some monadic second-order logic L', then we
can automatically extend to a monadic interpretation by taking n(x, X)
to be the formula x 6 X where X is a new set variable.
The framework for obtaining linear alternating time lower bounds is
essentially the same as before. Suppose we have a monadic interpretation
of classes Cn in classes C'kn for some nonnegative integer k and that there
is a prescribed set of formulas over ML such that
is realized in some
Cn where
= n}
and inv*(ML) are ATIME(cn),cn)-inseparable for some c > 0. Now

given formula
in ML we form
as follows. Replace each monadic
quantification X or X with a quantification tx or tx, where tx is a
variable sequence of the same length as t, uniquely determined by X, and
not in conflict with the other variables in . (We may need to change other
indices to avoid conflicts.) Introduce a relation variable 5 and replace each
atomic formula x X by S(x, tx)- We can easily arrange that there be a
reset log-lin reduction taking to . Now map each formula in to
the formula
given by
where n . As before, it is easy to arrange that

kn. If is realized
in some model in Cn, then
is realized in some model in C'kn; if is true
in no weak model, then
is true in no model or weak model (depending
on whether L' is first-order or monadic second-order). When we have a
prenex interpretation or an iterative interpretation and the definitions in
' are replaced by the appropriate iterative definitions, the sentences all
belong to some prescribed set
of formulas over L'. We have now that
is realized in some
C'n where
= n}
and inv*(L') are ATIME (T(cn),cn)-inseparable for some c > 0. Then

sat( ) and inv(L') are ATIME(T(cn),cn)-inseparable for some c > 0 so
has a hereditary ATIME(T(cn),cn) lower bound.
As before we allow a more elaborate definition of monadic interpretation
where formulas n, 1n , . . . , kn , and n may contain free relation variables
which also receive prenex or iterative definitions.
We summarize these remarks in the following theorem which parallels
Theorem 6.1:
175
Theorem 7.1. Let Co,C1,C2, be classes of models such that for some
prescribed set of formulas over a monadic second-order logic L,
is realized in some
Cn where
= n}
and inv*(L) are ATIME(T(cn),cn)-inseparable for some c > 0. Let C'0 C

C'0 C'2 C be classes of models of a theory in a logic L'. If there is a
prenex or iterative monadic interpretation of the classes Cn in the classes
C'kn for some nonnegative integer k, then the following are true.
(i) The sets sat() and inv( ) are ATIME(T(en), en)-inseparable for
some c > 0.
(ii) If, for some d between 0 and 1, T(dn) = o(T(n)), then has a
hereditary ATIME(T(cn),cn) lower bound.
(iii) For each ' C val(), sat( ') and val( ) are both hard for the
complexity class
ATIME(T(nc)nc)
via reset log-lin reductions.
(iv) For each
complexity class
ATIME(T(nc),nc)
c>0
via polynomial time reductions,
(v) There is a prescribed set ' of sentences over L' such that
' is realized in some
C'n where
= n}
and inv*(L') are ATIME(T'(cn), cn) -inseparable for some c> 0.

The following theorems are immediate consequences of the preceding
theorem and Theorems 5.1, 5.2, and 5.4.
Theorem 7.2. Let T(n) be a time resource bound such that for some d
between 0 and I, T(dn) = o(T(n)). Let Cn be the class of addition relations
on sets of size at most T(n) and a theory in a logic L. If there is a
monadic interpretation of the classes Cn in , then has a hereditary
ATIME(T(cn),cn) lower bound.
Theorem 7.3. The previous theorem holds with binary relations in place
of addition relations.
From the following theorem we obtain a useful tool for obtaining lower
bounds, but not the best lower bounds for monadic second-order theories
of trees of bounded height.
176

exp r _ 1 (n). Then there is an iterative monadic interpretation of the classes
Cn in the monadic second-order classesT2nrwhen r > 2 and in the monadic
second-order classesT22nrwhen r = 2.
Proof. The proof is very similar to the proof of Theorem 6.3. First, consider the case r > 2.
We iteratively define a relation Q'(X, Y) which says that \X\ = \Y\
2". Write Z = X U Y as an abbreviation for Z = X Y A X Y = 0. Let
p(X, Y) be the formula
The iterative definition [Q'(X, Y) = p]n+l gives the desired relation.

Now let (x, y) be a formula, with free relation variable Q, which says
that if X is a subset of the set of children of x, and Q(XI, x2) holds for all
Xi,x2
X, then there is a set Y which is a subset of the set of children
of y such that Q'(X, Y) holds, and Q(y1, y2) holds for all y1,y 2 Y, and
holds for all x\ 6 X and y1 Y.
Consider a tree in72nr. When k > 0, the iterative definition
defines an equivalence relation on the vertices of height less than k. For

k = 1, Q is an equivalence relation making all leaves equivalent. Increasing
k to 2, two vertices of height 1 are equivalent if they have the same number
of children. (In Theorem 6.3 this was true only up to O(n/ log n) children.
This is the reason why we get an additional level of exponentiation here.)
For larger k extend to vertices of height k-1, leaving the relation unchanged
at lower heights. Two vertices of height k - 1 are equivalent if, for each
equivalence class represented among their children (on which the relation
has already been defined), they either have the same number of children
in the class or both have at least 2" children in the class. There is a reset
log-lin reduction taking the iterative definition
to an equivalent explicit definition
Moreover, since r is fixed this can be expressed as a simple definition. The

rest of the theorem proceeds as in the proof of Theorem 6.3 except that nr is
177
used in place of mr 2nr is used in place of Trm, and we automatically have a

monadic interpretation since we are interpreting in a monadic second-order
theory.
Let us consider the case r = 2. Our formulas will now have parameters
U, V, W, and Z. Let 2 n ( x , y , U ) and 2 n ( x , y , V ) be defined as ( x , y )
above except that, rather than comparing the number of children of vertices
x and y of height 1, 0n2 (x, y, U) compares the number of children of x and
y in U, and 2n(x ,y, V) compares the number of children of x and y in V.
Now let n(x) be the formula x Z. Let n(x, y) be a prenex formula that
asserts the following:
(a) x Z and y Z.
(b) If x there is a t Z such that 2n (x, t) holds and n2n(t, y) holds.
(c) If x = y, then x W.
Every binary relation on a set of size at most 2nis interpreted in some tree
in T22n2. For every pair (x, y) in the relation with x
y there is at least
one t Z such that m(x,t) and m(t,y) hold.
I
Corollary 7.5. Let r
2 and
be a theory in a logic L. If there is a
monadic interpretation of the classes 2nr in , then has a hereditary
ATIME(expr-1(cn),cn)
lower bound.
Remark 7.6. For each r 2 there is a constant d > 0 such that every tree
in 2nr has at most expr_1(dn) vertices, so we can view Corollary 7.5 as
an improvement over Theorem 7.3 for obtaining ATIME(expr_1(cn),cn)
lower bounds. It is instructive to compare this result with Corollary 6.5. It
often happens that an interpretation of the classes Tnr/log n in a theory can
be modified slightly to obtain a monadic interpretation of the classesT2nr-1
even when the theory is first-order. This explains, in part, why NTIME
lower bounds can often be pushed up to linear ATIME lower bounds.
We now prove another theorem about monadic interpretations of classes
of trees of bounded height. We shall see in section 9 that this theorem gives
the best lower bounds for monadic second-order theories of trees of bounded
height.
exp,,([n/logn]). Then there is a prenex monadic interpretation of the
classes Cn in the monadic second-order classes
and in the monadic second-order classes
Proof. First, consider the case r > 1. Formulas will contain parameters
X = X 1 , X - 2 , . . . ,Xm, where m = 1 + [n/log n]. This is the first case we
have encountered where the parameter sequence grows with n. Let Q' be
178
a binary relation variable and

are both leaves and
m(x,y)
a prenex formula that says x and y
Q' will be given by the prenex definition [Q'(x,y) = m]. Q'(x,y) is obviously an equivalence relation on the vertices of height 0.
Now let (x, y) be a formula (with free relation variable Q) that says
x is not a leaf and for every child t of x there is a child u of y such that
Q(t,u) holds. Now the iterative definition
defines an equivalence relation on the vertices of heights less than k. For k =

1, Q is identical to the equivalence relation Q'. For larger k we extend the
relation to vertices of height k - 1 by specifying that two such vertices are
equivalent if precisely the same equivalence classes are represented among
their children. When k = r we have an equivalence relation on the set of
all vertices in a tree of depth r except the root.
The iterative definition
can be converted to a prenex definition
of fixed length since r is constant. By Theorem 3.1 the sequence
of prenex definitions can be replaced by a single prenex definition
where rm(x, y) is reset log-lin computable from n. We will say that two
vertices x and y in a tree of height r have the same rm-type if r m ( x , y )
holds.
Now it is easy to show by induction on k that there is a tree of height
r and sets X1 , . . . , Xm of leaves in this tree such that there are at least
1 + expk+1([n/logn]) rm-types among vertices of height k when k < r:
every nonempty set of rm-types of vertices of height k - 1 determines a
distinct rm-type for a vertex of height k. More is required to see that there
is such a tree in exP2 r([n/log n]) When k = 0 there is no problem Consider
the case k = 1. For i = 1,2, . . . ,exp 2 ([n/logn]) let Tt be the tree of height
179
1 with precisely i leaves. Each of these trees is in exp2(m) Without much

trouble we can choose, from the leaves of each Ti, sets X1 , . . . , Xm so that
the roots of Ti and TJ have different rm-types when i j. Further, for T1,
X1, . . . , Xm can be chosen in at least two ways. Thus, there are at least
1 + exp 2 ([n/ logn]) rm-types among vertices of height 1.
From the set of trees {Ti, | 1 i < exp2(m)} choose a nonempty subset
and form a tree of height 2 by directing edges from a new vertex to the
roots of trees in this subset. We can form at least 1 + exp3 ( [n/ log n] )
such trees, each one in
Texp2
Moreover, if we carry along the
subsets X1,..., Xm in each subtree Ti, each root has a distinct rm-type.
Continue for each k < r, forming at least 1 + expk+1([n/logn n) trees in
Tkexp 2 (|n/logn])
subsets X 1 , . . . , X m ,so that each root has a distinct
The interpretation of binary relations on sets of size exp r ([n/logn])
now uses precisely the same construction used in the proofs of Theorems 6.3
and 7.4.
Let us consider the case r = 1. Our formulas will now have parameters
X = Xi,...,Xm, Y = Y1,...,Y m , and Z and W. Define m(x, y) as
above and n m ( x , y ) in the same way except that Y is used in place of X.
These formulas define independent equivalence relations on leaves so we
can speak of the m- and m-type of a leaf. The relations are independent
and of index at most 2m. The rest of the proof then follows as the in case
r = 2 in Theorem 7.4.
Corollary 7.8. Let r > 1. M rr has a hereditary
ATIME(expr (en/ log n) , en)
lower bound.
Corollary 7.9. Let r > 2 and
be a theory in a logic L. If there is
a monadic interpretation of the classes Trexp2 (n/log n) then has a
hereditary
A TIME (expr (cn/ log n) , cn)
lower bound.
The case r = 1 is worth stating separately. Observe that trees of height
1 do not really have much structure. We can regard them as sets with one
distinguished point, the root. Therefore, we state the result in terms of
interpretations of sets rather than trees.
Corollary 7.10. Let Cn be the class of sets of size at most 2 n /log n and
a theory in a logic L. If there is a monadic interpretation of the classes Cn
in , then has a hereditary ATIME(2 c n / l o g n, cn) lower bound.
180
This concludes our survey of tools for establishing lower bounds. The
next section contains many examples of their application.
Applications
In this section we use the methods developed in earlier sections to give

a representative sample of arguments for known lower bounds of theories.
We believe that the details given here justify the claim that every known
lower bound for a theory can be obtained in this way, with simpler, more
conceptual proofs. In particular, there is no further need to code Turing
machine computations. Moreover, in almost all cases our approach gives
technical improvements on known results: we always obtain hereditary
lower bounds; these bounds hold for both sat( ) and val( ), in contrast
to most published NTIME lower bounds which are for just sat( ); and
the reductions used are reset log-lin reductions rather than polynomial
time, linearly bounded reductions. In a few cases we obtain qualitative
improvements in the bounds. The most significant improvement is that we
always obtain inseparability results.
To simplify the statement of results and avoid repetition, when we say
a theory has a hereditary NTIME(T(cn)) lower bound, we intend each
of the statements (i)-(iv) in Theorem 6.1. When we say a theory
has
a hereditary ATIME(T(cn),cn) lower bound, we intend each of the statements (i)-(iv) in Theorem 7.1. For convenience we will also use functional
notation rather than relations in some examples.
Example 8.1 (The first-order theory of finite linear orders with
an added unary predicate.). We show that this theory has a hereditary
lower bound of
NTIME(ex P (cn))
by iteratively interpreting the classes T2nand applying Corollary 6.9. In
fact, we interpret the classes Tn consisting of the finite trees of height n.
We denote the linear order by and the predecessor and successor of
an element x by x 1 and x+1 (when they exist). Let x < y be the formula
x y Ax y and LAST(x) the formula asserting that x is the last element
in the order. Let P be the unary relation symbol. We can identify each
finite model = (m, R) of this theory (where m = {0,...,m 1}) with a
string a 0 a1... am-1 of 0's and 1's. We stipulate that ai = 1 if and only if
P(i) holds.
Representing a finite tree as a string of O's and 1's is straightforward.
Now with each vertex x in a tree of height n associate a string that begins
0n-rl, where r is the depth of x, followed by the strings associated with
each child y of x. The tree is represented by the string associated with the
root. For example, the tree of Figure 1 is represented by the string
0001001010100100101.
181
Fig. 1. Tree example

In general, T may have many representations, since the children of each
vertex are ordered arbitrarily. Thus, the tree above is also represented by
the string
0001001001010010101.
However, T can be easily interpreted within each of its representations .
Let n(x) be the formula P(x) (indicating that is a position where 1
occurs). Let 0 ( x , y ) be the following formula with free relation variable Q:
Then [Q(x, y)
]n+1 defines a relation Q(x, y) which holds precisely when
the number of consecutive O's preceding position x and the number of
consecutive 0's preceding position y are equal and at most n. Let n(x,y)
be the formula
Thus, n (x,y) holds precisely when there are 1's at positions x and y, x
precedes y, there is exactly one more 0 preceding x than preceding y (but
no more than n 0's preceding y), and there is no position between x and
y which has as many 0's preceding as x has. Now a tree T of height n
represented by a linear order is isomorphic to
when Q
is given by the iterative definition [Q(x ,y)
0]n+l.
Remark 8.2. Note that for some d > 0 each tree in T2n has at most
e x p ( d n ) vertices so for some d' > 0 each representation
of a tree in
this class has at most exp00(d'n) elements. From Theorem 6.1 we see that
we have a tool for obtaining further lower bounds. If there is a prenex or
iterative interpretation of the classes Cn consisting of linear orders of length
at most exp00(n) with added unary predicates in a theory , then has
a hereditary lower bound of N T I M E ( e x p ( c n ) ) .
182
Example 8.3 (The first-order theory of all linear orders). We show

that this theory has a hereditary lower bound of
NTIME(exp(cn))
by a simple interpretation of the models in Example 8.1.
Consider a finite linear order (n, ) together with a unary relation R
on n interpreting the predicate symbol P. We will represent (n, , R) by a
linear order = (S, ) formed by replacing each i n with a copy of the
closed unit interval [0,1] if i is not in R and with a single point followed
by a copy of the closed unit interval [0,1] if i is in R; the order is extended
in the obvious way.
Now we interpret {n, , R) in as follows. Let (x) be the first-order
formula saying that x has no immediate successor and x is either the least
element or has an immediate predecessor. Clearly, (x) picks out all the left
endpoints of the unit intervals in (S, ). There are precisely n elements in
(x).
Let (x) be the first-order formula saying that x has no immediate
successor but does have an immediate predecessor y such that y either has
no immediate predecessor or is the least element. Thus, (X) picks out the
left endpoints of the unit intervals associated with elements i in R. Thus,
(n,<, R ) i s isomorphic t o ( ( x ) ,
(x,y),A(x)).
Remark 8.4. Robertson [1974] and Stockmeyer [1974] showed independently that the first-order theory of finite linear orders with an added unary
predicate is not elementary recursive. They obtained an
NTIME (exp (c log n))
lower bound, but not in the hereditary form. Stockmeyer obtained the
same bound for the first-order theory of linear orders.
Stockmeyer shows in the same paper that if (A, ) is any infinite linear order, then the theory of the models (A, ,R), where R is an added
unary relation, is not elementary recursive. A simple interpretation of Example 8.1 in this theory shows that it has a hereditary NTIME'(exp (cn))
lower bound.
Of course, from Example 8.1 also follows the result of Meyer [1975]
that the weak monadic second-order theory of the natural numbers with
successor is not elementary recursive and, hence, the same result for other
monadic second-order theories, including the monadic second-order theory
of two successors studied by Rabin [1969]. In all cases we have hereditary
NTIME (exp (cn)) lower bounds.
Another result that can be immediately obtained in this way is the
following strengthening of a result announced in Meyer [1974].
Example 8.5 (The first-order theory of ({0, l}*,ro,r1, ), the binary
tree formed by taking the prefix order
on {0,1}*, together with
183
successor functions ro and r1. (Thus, u w precisely when there

is a v such that uv = w, and r0(w) = w0, r1(w) = wl)). We show that
this theory has a hereditary lower bound of
NTIME(ex P (cn))
by a simple interpretation of the classes in Example 8.1.
Let
= ({0, l}*,r 0 ,r1, ). We produce formulas 6(x,w),
and (x, w) such that
X(x,y,w),
includes all models (n, , R) in Example 8.1 as w ranges over {0,1}*. The
formula 6(x, w) is x w A x w. The formula \(x, y, w) is
The formula (X, w) is (x, w) r1 (x)
w.
Example 8.6 (The first-order theory of finite unary functions). A

unary function is a model (B, f) where / is a function from B to itself. We
show that this theory has a hereditary lower bound of
NTIME (exp (en))
by a simple interpretation of the classes n2 and applying Corollary 6.9. In
fact, just as in Example 8.1, we interpret the classes Tn consisting of the
finite trees of height n.
Let (x) be the formula x = x and (X, y) be the formula
Clearly, every finite tree is isomorphic to a model ( ( x ) , ( x , y ) ) for some

unary function . is formed from the tree by mapping every vertex other
than the root to its parent and the root to itself.
Remark 8.7. A lower bound of JVJ7ME(exp00(c log n)) for the first-order
theory of unary functions was announced by Meyer [1974], but no proof
has ever been published.
A simple interpretation in the opposite direction (interpreting unary
functions in trees) appears in Korec and Rautenberg [1975/76]. Thus, the
theory of finite unary functions and the theory of finite trees have the same
complexity up to a constant factor in the argument.
Our next example gives another family of useful theories which are
not elementary recursive: the theories of pairing functions. Lower bounds
184
for these theories were first given by Rackoff [1975b] (see Ferrante and
Rackoff [1979]). Their treatment shows that these theories are in fact
hereditarily not elementary recursive. (To obtain this from the result stated
by Ferrante and Rackoff, we must use the fact that the theory of pairing
functions is finitely axiomatizable.)
Example 8.8 (The theory of any pairing function). A pairing function is a model = (B, f) where / is a one-to-one binary function on B.
We show that the theory of any pairing function has a hereditary lower
bound of
NTIME(ex P (cn))
by iteratively interpreting the classes Cn of linear orders of length e x p ( n )
with an added unary predicate. These classes were discussed in Example
8.1.
The idea behind the interpretation is to have elements of represent
sequences of length e x p ( n ) . One way to do this, say for an element a, is
to find a pair (a0, a1) such that /(a0, a1) = a. (There is at most one such
pair, since / is a pairing function.) Then find a quadruple (a00 ,
a01,a10,a11)
such that f(a00 a01) = ao and /(a10,a11) = a1 and repeat until we have
a sequence (aw w {0,1}m), where m = e x p ( n 1). (The order on
{0, l}m is the lexicographic order.) We could then say that a represents
this sequence. We may not be able to carry out this construction for every
element ae because / may not be onto, but certainly every sequence of
length e x p ( n ) is represented by some element, and every element represents at most one sequence of length e x p ( n ) .
We may regard this construction as giving a labeling of vertices in the
full binary ordered tree of height m. The root is labelled a, its left and
right children are labelled a and 01, respectively, and so on. Unfortunately,
the construction has two limitations that make it unacceptable for our
purposes: a branch in the tree may have several vertices with the same
label; and two different branches may be labelled identically. We must
modify the construction to overcome these difficulties. Rather than taking
awo and aw1 so that f ( a w 0 , a w 1 ) = aw, we will take b and c so that f ( b , c) =
aw and then take awo and aw1 so that f ( a w o , a w 1 ) c. That is, awo and
aw1 are chosen so that x f ( x , f ( a w 0 , a w 1 ) ) = aw holds. Clearly, aw0 and
aw1 are uniquely determined by aw. It is still true that every element
represents at most one sequence of length exp00(n), but now a sequence of
length e x p ( n ) may be represented by many elements.
We claim that with this modified construction, every sequence of length
exp (n) is represented by some element such that no branch in the associated tree has duplicate labels and no two branches are labelled identically.
Consider a sequence
aw w{0,1}
185
where m = exp00(n 1). We can find elements aw for each w 6 {0,1}*

with k < m such that x f ( x , f(a w o,o,a w1 )) = aw always holds; whenever
v is a prefix of w, av
aw; and aw0 a w1 . The elements are selected
in a bottom-up fashion, i.e., working from the leaves of the tree up to the
root. Suppose that elements av are already known when w lexicographically precedes v and we wish to find aw. Since / is a pairing function,
f ( x , f(awo, a w 1 )) takes distinct values as x ranges over the model. Thus,
we can choose x so that aw = f ( x , f ( a W 0 , a w 1 )) is not equal to av when
w lexicographically precedes v since there are only finitely many such v.
Following this procedure we eventually reach a and all labels in the tree
are distinct.
Let LEFT(x, y) be the formula (t, u) f ( t , f ( y , u))=x and RIGHT(x, y)
be the formula (t, u) f ( t , f ( u , y)) = x. Thus, LEFT(x, y) holds when
y is the left child of x in our tree, and similarly for RIGHT(x,y). Let
SUCC(x, y) be the formula LEFT(x, y) V RIGHT(x,y).
We wish to specify three first-order formulas. Formula n(x,u) should
say that x in an element in a sequence of length e x p ( n ) which is represented by u; that the elements of this sequence are distinct; and that
no branch in the associated tree has duplicate labels. Formula n(x, y, u)
should say that n(x, u) and n(y,u) hold, and that either x = y or in
the sequence represented by u, x occurs before y. Formula n(x,x',u,u')
should say that n(x,u) and n(x',u') both hold, and that x occupies the
same position in the sequence represented by u as x' does in the sequence
represented by u'.
Now suppose that we already have relations
that hold under the same conditions as n(x, u), n(x, y, u), and n(x, x',u,
u'), only for sequences of length exp00(n 1) rather than e x p ( n ) . (If
n = 0, take Qo, Q1, and Q2 to be empty relations.)
Suppose n > 0. Using Qo and Q1, we can say, in regard to a sequence of
distinct elements of length exp00(n - 1) represented by v, that a particular
element is first; that a particular element is last; that one element occurs
before another; and that one element occurs immediately before another.
Hence, we can say that v represents a branch of length exp (n -1) from an
element u. By this we mean v represents a sequence of distinct elements of
length exp00(n 1) such that when x is the first element of the sequence,
SUCC(u, x) holds, and when x occurs immediately before y in the sequence,
SUCC(x , y) holds.
Now define formulas , A, and a in terms of Q0, Q1, and Q2 The
formula 6(x, u) says that if Qo is empty, then x = u, and if Qo is not
empty, the following hold.
(a) There is an element v representing a branch of length exp00(n 1)
186
from u with x as the last element.

(b) For every element y occurring in a branch of length exp00(n 1) from
u, if y is not the last element in the branch, then there are distinct
elements z and z' such that LEFT(y, z) and RIGHT(y, z') hold. This
ensures that the binary tree is full and that no two branches in the
tree are labelled identically.
(c) If v and v' represent different branches of length e x p ( n 1) from u,
then the last elements of these two branches are distinct. (It is easy
to tell if v and
represent different branches; this happens if and
only if there are elements y y such that Q2(y,y',v,v') holds.)
The formula (x, y, u) says that if Q1 is empty, then x y u, and if Q1
is not empty, then either x y, or the following hold.
(a) There are branches from u, represented by v and v' and with last
elements x and y, of length e x p ( n - 1).
(b) There is an element z such that if LEFT(z, t) and RIGHT(z, t') hold,
then Q2(t,t',v,v') holds. This guarantees that the branch from u to
x is to the left of the branch from u to y.
The formula (x,x',u, u') says that if Q2 is empty then x u and x' = u',
and if Q2 is not empty, then the following hold.
(a) There is a branch from u, represented by v and with last element x.
There is another from u', represented by v1 and with last element x',
of length e x p ( n 1).
(b) If Q-2(z,z',v,v') holds, z occurs immediately before t in the branch
represented by v, and z' occurs immediately before t' in the branch
represented by v1, then LEFT(z,t) just in case LEFT(z',t') holds.
This says that the same sequence of lefts and rights leads from u to
x as from u1 to x'.
Clearly, , A, and a are first-order expressible in terms of Q0, Q1, and Q2.
The simultaneous iterative definition
gives the desired formulas

, and
By Theorem 3.4, this simultaneous iterative definition can be replaced by just an iterative definition.
For some element
is a linear order of length
exp00(n). Then as u' ranges over the elements in 21, ( x , u )
(x,u')
ranges over all unary predicates on 6 u ( x , u ) . Thus, we can interpret every
linear order of length e x p ( n ) with an added unary predicate.
This is the first example we have encountered where the relations being
iteratively defined do not occur positively in the operator formulas. Hence,
according to the remark following Theorem 3.1, we cannot guarantee that
187
the lower bounds obtained here hold if only the connectives A, V, and are
allowed in formulas. However, with slightly more effort we can overcome
this difficulty and use only formulas where the defined relation symbols
occur only positively. We have not done so to simplify exposition.
Remark 8.9. It is a long-standing open question whether the first-order
theory of the free group Fk on k > 2 generators is decidable. Semenov
[1980] observed that this theory is at least not elementary recursive. He
showed that it is possible to give a first-order definition of a pairing function on Fk, from which it follows that the theory of Fk has a hereditary
NTIME(exp00(cn)) lower bound.
This use of pairing functions is a quick way to show that many decidable
theories are hereditarily not elementary recursive. For example, consider
the first-order theory of the model (N, +,2 X ), where N is the set of nonnegative integers. Semenov [1984] showed that this theory is decidable.
Observe that the function
is a pairing function on this model, so the theory has a hereditary exp00(cn)

lower bound. Variations on the same argument apply to the other models
(N, +,g(x)) treated by Semenov [1984] when g(x) grows rapidly enough.
In particular, when g(x + 1) > 2g(x), the argument gives a hereditary
exp00(cn) lower bound.
This completes our discussion of theories which are not elementary recursive. Note that in all cases treated here, there is an iterative interpretation of the classes T2n in the theory treated. (Sometimes, there is
an iterative interpretation of the classes T2n into classes Cn and another
iterative interpretation of the classes Cn in the theory; the chain of interpretations may be even longer. Nonetheless, these situations still qualify
as interpretations of T2n.) It seems likely that almost all 'natural' theories
that are hereditarily not elementary recursive interpret finite trees (in the
same sense that almost all 'natural' theories that are undecidable interpret
finite binary relations) . Of course, an interpretation of trees can be traced
back, in Theorem 6.3, to an interpretation of binary relations on sets of size
expoc(n), and thence, in Theorem 4.1, to a coding of Turing machines with
a expoo (n) time resource bound. However, the Turing machine encodings
lie very far below the surface and are extremely complicated compared to
the original interpretation of trees.
We now treat various elementary recursive theories for which sharp
lower bounds are known.
Example 8.10 (The first-order theory of models (N,S,P), where
N is the nonnegative integers, S is the successor function on N,
and P is an arbitrary unary relation). We show that this theory has
188
a hereditary lower bound of
by iteratively interpreting the classesT4n/lognand applying Corollary 6.5.

We use the same coding of trees into strings of Os and 1s that was used
in Example 8.1. Given a tree
be a string
that represents it and P a unary relation on N such that P(i) holds if and
only if either i < m and a, = 1, or i is m or m + 1. We want to recover T
in {N, S, P) . The problem is that we have only a successor function rather
than the linear order we had in Example 8.1. When we examine the role
played by the linear order there, however, we see that we did not need the
full linear order. We needed only enough of the order to say x < y when
y is a child of x, and that there is no position between x and y which has
as many O's preceding as x has when y is a child of x. Moreover, we did
not need to make either statement when x is the root because there are
no other positions in the coding which have as many O's preceding as x
has. Thus, we needed only to determine if x < y when x and y belong to
the same primary subtree. For
every primary subtree is in
It
is
not
difficult
to
see
that
for
some
d,
the
trees
in
T3n/log
are
dn
all represented by strings of length at most 2 . Thus, if we can define a

relation which holds when x < y and y x< 2dn we are done. Let 6 be the
formula x y V S(x) = y V 3z(Q(x,z) A Q(z,y)). The iterative definition
[Q(x,y) = 0} d n gives the desired relation.
Remark 8.11. This proof shows that if there is a prenex or iterative interpretation of the classes Cn consisting of successor relations of length at
most exp2(n) with added unary predicates in a theory E, then E has a
hereditary lower bound of NTIME (exp2 (cn)). The same argument shows
that if there is a prenex or iterative interpretation of the classes C'n consisting of successor relations of length at most 2n with added unary predicates
in a theory E, then E has a hereditary lower bound of NTIME(2 c n ).
Example 8.12 (The theory of one-to-one unary functions). We
show that this theory has a hereditary lower bound of
by iteratively interpreting successor relations of length at most 2" with an

added unary predicate (as discussed in the preceding remark).
Let Cn be the class of finite one-to-one unary functions (B, f) such that
the cycle decomposition has, for each k with 1 < k < 2n, at least one
and not more than two cycles of length k. We regard each such model as
189
coding a unary predicate P on {1, 2, . . . , 2n}, the presence of a single k-cycle

indicating that -P(k) holds and the presence of two k-cycles indicating that
P(k) holds.
Define the distance between elements x and y on the same same cycle
to be the least i such that f i ( x ) = y. For elements x, y, and z on the same
k-cycle, we say that y is between x and z if the distance from x to z is the
sum of the distances from x to y and y to z. Now it is a simple exercise to
give a simultaneous iterative definition
such that Q 1 ( x , y , z ) holds precisely when the distance from x to y and

the distance from y to z are at most 2n and y is between x and z, and
Qz(x, y, x', y') holds precisely when the distance from x to y is the same as
the distance from x' to y1 but not more than 2n.
Assume that no cycle has length more than 2n. For Q1 and Q2 as given
above, let n n ( x , y) be the formula Q 2 ( f ( x ) , x , f ( y ) , y ) . It is easy to see that
nn defines an equivalence relation that holds precisely when x and y lie on
cycles of the same length. Let n(x) be the formula
Thus,
(x) holds precisely when there are at least two cycles with the
same length as the cycle containing x. Let an(x,y] be the formula
We see that an(x, y) holds precisely when x lies on a cycle of length one less
than the cycle containing y. These formulas interpret successor relations on
sets of size at most 2n with an added unary predicate. The interpretation
differs from interpretations discussed previously, however, in that we must
take a quotient by the equivalence relation nn, rather than interpret the
domain as a subset.
Remark 8.13. The theories in Examples 8.10 and 8.12 are treated by Ferrante and Rackoff [1979]. They give a matching upper bound for the former
and an upper bound of NTIME(2dn2) for the latter. (Example 8.12 first
appeared in Ferrante [1974].) The inseparability, hereditary, and hardness
results presented here are new. Stern [1988] investigated the complexity of
the theory of commuting permutations.
Example 8.14 (The first-order theory of {{0, l}*,ro,r1), the binary

tree on {0, 1}* together with successor functions r0 and r1 (described in Example 8.5)). We show that this theory has a hereditary
lower bound of
190
by a monadic interpretation of the classes T2n and applying Corollary 7.5.

Each tree in T22n has at most 2dn vertices, for some d > 0; therefore, each
such tree can be represented by a linear order of length 2kn with added
unary predicate, as in Example 8.1.
Thus, we need only give a monadic interpretation of models
in ({0, 1}*,r 0 ,r1). (The unary predicate comes automatically, since we

have a monadic interpretation.) Specifying this monadic interpretation is
straightforward: an integer l in {1, . . . , 2kn} is represented by the equivalence class of strings of length l; < is given by the prefix order; and subsets
of {1, . . . , 2kn} are represented by strings w via
{l | for some v of length l, r1(v) is a prefix of w}.
To complete the construction it suffices to give iterative definitions for
formulas n(u,v) saying that for some l < 2kn, u and v both have length
l, and formulas n (u, v) saying that for some l < 2kn, u has length l and is
a prefix of v. This is done analogously to the iterative definition of linear
order on intervals of length 2dn in Example 8.10. We leave the details to
the reader.
Remark 8.15. Example 8.14 was first treated by Volger [1985]. He also
showed that for some d > 0, ATIME(2dn,n) is an upper bound for this
theory. The hereditary lower bound can be derived from Volger's result
because the theory is finitely axiomatizable.
In Examples 8.12 and 8.14 the equality relation is interpreted by an
equivalence relation rather than true equality. Correspondingly, models
U are interpreted by quotients of defined substructures, rather than the
substructures themselves. This kind of interpretation is common in undecidability proofs (see examples in Rabin [1965] and Ersov et al. [1965]) and
requires no changes in the proofs in sections 6 and 7. In Example 8.14 the
equivalence relation could be avoided by representing an integer l by an
string of l O's. However, in Example 8.12 the use of an equivalence relation
in place of equality seems unavoidable.
Example 8.16 (Any extension E, with an infinite model, of the
the first-order theory of Boolean algebras). We show that E has a
hereditary lower bound of
by giving a monadic prenex interpretation of sets of size up to 2cn/ log n and

applying Corollary 7.10.
191
Fix B, an infinite model of E. Let m = [n/log n] and I < 2m. Define

8 n ( x , u ) to be a prenex formula with parameters u = u1,...,u m that says
x is an atom relative to u. By this we mean that for each i such that
1 < i < m, either x C ui or x D Ui = 0, and x is a maximal element
with this property (with respect to the relation C on B). Clearly, we
may take 8(x, u) to be reset log-lin computable. By appropriately choosing
elements a in B, we can arrange that (8nB (x, a) has precisely l elements. Let
o n (x,u,v) be the formula 8 n ( x , u ) A x C v. As b ranges over the elements
of
ranges over all subsets of S<B(x, a).
Remark 8.17. Lower and upper bounds for the theories of Boolean algebras were first obtained by Kozen [1980]. Note that the apparent discrepancy between Kozen's results and the results presented here arises because
Kozen regards all variables as having unit length, while we take the length
of subscripts into account.
Example 8.18 (The pure logic L having infinitely many monadic
predicates). We show that this theory has a hereditary lower bound of
NTIME(2cn/losn).
Unlike the other bounds given in this section, this bound is obtained by
direct interpretation of binary relations. Also, this is the only NTIME lower
bound we consider which somehow involves the expression n/ log n. We can
show that there is a prenex interpretation of binary relations on sets of size
2cn/log n and then apply Theorem 6.2. The interpretation is essentially the
same as the interpretation in Theorem 7.7 for the case r = 1. The only
difference is that we no longer have a monadic interpretation because we
cannot quantify over the monadic predicates.
Remark 8.19. This result was proved by Meyer and Rackoff (see Rackoff [?]) and a matching upper bound was given by Lewis [1980].
We now turn to discussion of the fundamental lower bound results obtained by Fischer and Rabin [1974] and improved somewhat by Bruss and
Meyer [1980] and Berman [1980].
Example 8.20 (The first-order theory of real addition). This is the
first-order theory of the model (R, +), where R is the set of real numbers.
We obtain a hereditary lower bound of
ATIME(2cn,cn)
by giving a monadic iterative interpretation of sets of size 2n with an addition relation and applying Theorem 7.2. Fischer and Rabin give a simultaneous iterative definition of formulas u n ( x , y, z) and n(x, y, z). Formula
u n ( x , y , z ) holds precisely when x is a nonnegative integer less than 22n
and x y = z; formula n(x, y,z) holds precisely when x, yx, and z are
192
nonnegative integers less than 22n and yx= z.

Prom these formulas we can define directly formulas an(x,u) that hold
when x is a nonnegative integer less than 2, u is a nonnegative integer less
than 2 2 ", and the (x+ l)th bit in the binary representation of u is 1. Thus,
as a ranges over elements of R, (x, a) includes all subsets of {0,..., 2n
1}. We thereby obtain a monadic interpretation of ({0,..., 2n 1}, +}.
Remark 8.21. The same argument will work if the theory of real addition
is replaced by any extension of the theory of semigroups that has, for each
n, a model (B, o) with an element a whose powers a, a 1 , . . . , an are distinct.
Any such theory has an ATIME(2cn, cn) hereditary lower bound.
Example 8.22 (Presburger arithmetic, the first-order theory of
addition on the natural number). This is the first-order theory of the
model (N,+), where N is the set of nonnegative integers. We obtain a
hereditary lower bound of
by giving a monadic iterative interpretation of sets of size 22n with an

addition relation and applying Theorem 7.2. As in Fischer and Rabin
[1974], we use divisibility to push the definition of the multiplication and
exponentiation relations u n ( x , y, z) and n ( X , y, z) in the previous example
up to intervals of length g(n), where g ( n ) > exp3(dn); this estimate comes
from the prime number theorem. We then obtain a monadic interpretation
as in the previous example.
Remark 8.23. Evidently, the basic ideas used in Examples 8.20 and 8.22
are already found in Fischer and Rabin [1974]. However, we obtain several
benefits from our approach. First, by using the machinery of the previous
sections we avoid technicalities concerning coding sequences and Turing
machine computations which Fischer and Rabin needed to address. Second, by emphasizing inseparability instead of just complexity, we obtain
hereditary lower bounds. Finally, by observing that monadic quantification
is implicit in the interpretations, we see why the appropriate lower bounds
are ATIME bounds rather than an NTIME bounds.
The linear alternating time lower bounds in Examples 8.20 and 8.22
were proved by Berman [1980]. A slightly weaker hereditary NTIME(2cn)
lower bound for real addition was obtained by Ferrante and Rackoff [1979],
and a hereditary NTIME (22 cn) lower bound for Presburger arithmetic was
obtained by Young [1985].
Maurin [1996; 1997a] has shown complexity bounds for theories of ordinal addition.
The full strength of the prime number theorem is not needed in Example 8.22. A much simpler result, due to Chebyshev, suffices; see Theorem 7 of Hardy and Wright [1964]. This illustrates a common phenomenon
193
in lower bound results for a theories. Crude arguments often suffice.

Sophisticated mathematics and an intimate knowledge of the theory under
consideration are rarely needed. In this respect, upper bound results may
be much more difficult.
Note that since we have monadic quantification on sets of size 2cn in a
model of real addition (or any extension of the theory of semigroups as described in the remark after Example 8.20) we have a monadic interpretation
of the classes
from the same representation of trees used Example 8.1.
Similarly, since we have monadic quantification on sets of size 22cn in a
model of Presburger arithmetic, we have a monadic interpretation of the
c l a s s e s . These facts will be useful in the next two examples.
Fischer and Rabin [1974] announced two other lower bounds: a lower
bound of NTIME(exp3(cn)) for the first-order theory of integer multiplication; and a lower bound of NTIME(22 c n ) for the theory of finite Abelian
groups. They did not supply proofs (but mentioned the key idea of encoding sequences of integers as exponents in a prime decomposition). To our
knowledge, no proofs have ever been published. In the next two examples
we sketch proofs of the stronger ATIME versions of these results.
Example 8.24 ( The first-order theory of multiplication on the
positive integers). This is the first-order theory of the model (II, ), where
I is the set of positive integers. We obtain a hereditary lower bound of
by giving a monadic iterative interpretation of the classes T42n and applying

Corollary 7.5.
Let Pi be the i-th prime number. Observe that (II,.) is isomorphic
to a direct sum of countably many copies of (N, +) by the mapping that
takes the sequence (a1,a2,...), where ai is 0 for all large i, to
Moreover, each direct summand (i.e., set of powers of some prime Pi) can
be defined. But we saw in Example 8.22 and Remark 8.23 that there is a
monadic interpretation of the classes
in {N, +). The idea here is that
we interpret a tree from
in
by directing edges from a new root to
the roots of trees interpreted in each direct summand.
Clearly, we can specify a first-order formula a(x,y,z,t) that says t is a
prime, x, y, and z are powers of t, and x.y = z. Let 6n(x, u'), n(x,y,u'),
and o n (x,u',v') be formulas giving a monadic iterative interpretation of
in (N,+). We saw in Example 8.22 that such formulas exist. (If we
substitute a(x,y, z,t) for all occurrences of x + y= z we obtain formulas
8' n (x,t,u'), 'n(x,y,t,u'), and o' n (x,t,u',v') in the language of (II,.). For
each fixed prime t, these formulas give a monadic iterative interpretation
of
in (II,.). For S'n(x,t,u') to be satisfied, it is necessary that x and
u' be powers of t. Thus, except possibly for 1, which is a power of every
194
prime, there are no elements common to the interpretations of S'n(x, t,u')

and S'n(x, t',u") when t and t' are distinct primes.
Let n(t,u',u) be a formula that says t is a prime and u' is the largest
power of t dividing u. Define S'n(x,u) to be the formula
.
Define n"(x,y,u) to be the formula
The first disjunct gives an edge from 1, the root of the tree, to the root of
each primary subtree; the second disjunct gives the edges in the primary
subtrees. UsingS"n|and n" we can interpret each tree from
by taking
a disjoint collection of trees in
and 1 as a new rootwe need only
choose u suitably. Define 0 " n ( x , u , v , w ) to be the formula
By varying v and w we obtain all subsets of S"n (x, u), so we have a monadic
interpretation.
Remark 8.25. An upper bound of ATIME(exp3(dn),dn) for the firstorder theory of integer multiplication can be obtained from the treatment
of this theory in Ferrante and Rackoff [1979]. The original reference for
an upper bound on the first-order theory of integer multiplication is Rackoff [l975b; 1976]. Decidability results and complexity bounds for related
theories have been given by Maurin [1997b] and Michel [1981; 1992].
As our last example we consider the first-order theory of finite Abelian
groups. Lo [1988] has given an extensive treatment of upper bounds for
theories of Abelian groups. He states these bounds in terms of the classes
SPACE, but it is clear that his analysis gives ATIME(2 2 d n ,dn) upper
bounds. We derive a matching lower bound, not just for the theory of finite
Abelian groups, but also for the theory of finite cyclic groups.
Example 8.26 (The first-order theory of finite cyclic groups). We
obtain a hereditary lower bound of
by giving a monadic iterative interpretation of the classes

and applying
Theorem 7.5. We use a device similar to the one used in Example 8.24.
Now rather than regarding the positive integers with multiplication as a
direct sum of copies of (N,+}, we regard a finite cyclic group as a direct
sum of cyclic groups whose orders are prime powers.
195
Let C(l) be the cyclic group of order 1. We know from the remarks
following Example 8.22 that there is a d > 0 such that when 1 > 2 2dn ,
there is a monadic iterative interpretation of T2n in C(l). More precisely,
there are formulas S n (x,t',u'), n(x,y,t',u'), and an(x,t',u',v) given by
iterative definitions such that if u' is a generator of C(l), then each tree in
is isomorphic to (Sn (x,t',u'), n (x,y,t',u')) for some t' in C(l),
and
includes all subsets of Sn (x, t' , u') as v' ranges over
elements of C(/). (We need to mention the generator u of C(l) explicitly
in these formulas because there is no preferred generator; this necessitates
only a minor modification of the formulas in Example 8.20.)
Let p1,p2, . . . ,pk be the prime numbers less than 22dn+1 and mi the
largest power of pi less than 22dn+1 . Then since pi mi > 22dn+1 and
Pi < mi, we know that m^ > (22dn+1 )1//2 = 22dn so that there is a monadic
iterative interpretation of
in each C(mi) as described above.
By Chebyshev's theorem (Theorem 7 of Hardy and Wright [1964]) we
know that k, the number of primes less than 22dn+1 , is at least 22dn for
sufficiently large n. By taking d large enough, we can ensure that k is
greater than the maximum number of primary subtrees in each tree of
.
Now take m = m1.m2 mk so that C(m) = C(m l )C(m2)0- C(mk).
We see that m > (22dn )k > 22dn . We need to show that we can combine
the monadic iterative interpretations of
in the direct summands C(mi)
to obtain a monadic iterative interpretation of T32n in C(m). To do this,
we will show that we can define the decomposition of C(m) into the factor
subgroups C(m,i).
Let 0(x, y, t, u) be the following formula with free relation variable Q:
Then by induction on n the relation Q(x,y,t,u) given by the iterative

definition
is true precisely when there is an integer j in the range 0 < j < 22n-1
such that x = jt and y = ju. Notice that we are using an idea first
exploited by Fischer and Rabin [1974] in their proof of a lower bound for
Example 8.20: each integer j < 22n can be written j = j1J2 +j3 +J4, where
j1,j2,J3,J4
< 22n-1.
For the remainder of the proof we will assume that Q(x, y, t, u) is given
by the iterative definition
196
Fix a generator u of C(m). We can specify that x = ju for some integer j

in the interval
by writing Q(x,x,u,u). Since m > 22 , the values ju are distinct for
j E I. Let us identify I with the set of elements ju such that j E I. The
group operation restricted to 7 defines integer addition. We can also define
multiplication: if X1 = j1u and x2 = J2U then y = j1j2u precisely when
Q ( y , x 1 , X 2 , u) holds. Therefore, we can say that s I is prime and also
that s E I is a prime power.
Let a(x,y,z, s,u) be a first-order formula that says that s E I is the
largest power of some prime in I, that x, y, and z are annihilated by s (i.e.,
if a(x, y, z, s, u) holds, then s = mi for some i < k and x,y,z E C(mi). In
other words, a(x, y, z, s, u) defines addition on the direct summands C(mi).
Now every element t in C(m) can be uniquely expressed as a sum
where each ti is an element of C(mi). We can specify a formula n(s, t', t, u)

that says t1 = ti when s is m,. We say simply that t' is annihilated by s
and t t' is divisible by s:
Thus, we can define the decomposition of C(m) into its factor subgroups.
In particular, since u can be expressed as a sum uI + u2 + + Uk , where ui
is a generator of (C(mi), the formula n(s,u',u,u) picks a unique generator
for each factor subgroup as s ranges over maximal prime powers in I.
The rest of the proof proceeds as in Example 8.24. For example, we
form S'n(x, s,t',u',u) by substituting a(x,y,z,s,u) for each occurrence of
x + y = z in Sn(x,t', u'). ThenS"n(x,t, u) is the formula
We define n " ( x , y , t , u ) and a"n(x,t,u,v,w) similarly.
Upper bounds
In this section we give upper bounds that show that most of the lower
bounds obtained in sections 4-7 are the best possible.
First we give upper bounds for satT(Lo), satpT(Lo), and sat*T(Lo). Recall from Theorem 4.5 that when T(dn) = o(T(n)) for some d between 0
and 1, these sets are not in NTIME(T(cn)) for some c > 0.
197
Proposition 9.1. Let T be a time resource bound. Then
Proof. To determine whether a sentence from L0 is in satT(Lo), nondeterministically generate a finite binary relation. We give a nondeterministic
recursive procedure that determines whether is true in this relation.
If satT(Lo), then it holds in some binary relation
a set of size
at most T ( n ) . The representation of this relation requires at most T(n)2
bits. We will show that our recursive procedure halts within time cT(n)n+2
on
The procedure tests the subformulas of and combines results to produce an answer. We may assume that all negations have been pushed
inward so that only atomic formulas are negated. It is clear how the procedure works if is a conjunction or disjunction. If begins with an
existential quantifier, an element of is nondeterministically assigned as
the value of the quantified variable and the enclosed formula is checked.
If begins with a universal quantifier, then each element of is assigned
in turn to the quantified variable and the enclosed formula is checked.
When an atomic formula is reached it can be determined in time O(T(n) 2 )
whether it is true in for the assignment values at that point. Since, for
each of at most n universal quantifiers, T(n) values are generated, the total
time is 0(T(n) 2 T(n) n ), as claimed.
Suppose
is in prenex normal form. For each E > 0, whenever n
is sufficiently large there are at most (1 + E)n/logn universal quantifiers in , so determining whether a prenex formula is in s a t ( L o ) ) is in
then
used, except that when a relation variable is encountered, it is necessary to
jump to its definition (this may take n moves), compute its value by calling
our recursive procedure, and return. Total time, then, is O(nT(n) 2 T(n)n)
because the tree of recursive procedure calls has height at most n and
branches at most n times at each vertex; at the leaves, there is a cost of
T(n) 2 moves to evaluate atomic formulas; at the vertices corresponding
to relation variable references there is a cost of O(n) moves to find the
definition.
For all three bounds we must use the linear speed-up theorem (see
Hopcroft and Ullman [1979]) to eliminate constants in front of the time
bounds.
I
We see that if T(n) n+2 = O(T(dn)) for some d > 0, then satT(L0)
NTIME(T(dn)), so we have essentially the same upper and lower bounds.
Similar remarks pertain in the other cases.
198
Proposition 9.2. Let T be a time resource bound. Then
Proof. Given a sentence of length n in MZ/o, nondeterministically generate a binary relation. We use alternation to determine whether holds
in the relation. If E satT(MLo), then it holds in some binary relation
on a set of size at most T ( n ) . For each set quantifier encountered it is
necessary to generate T(n) bits to assign a value to the quantified variable. There are O(n) such variables so this part of the computation takes
time O(nT(n}). This time is dominated by the O(T(n)2) time needed to
generate and verify atomic formulas. If is a sentence in ML0,we use
the same procedure except that when a subformula with a relation variable
is encountered, the value of the subformula is guessed and verified using
alternation.
I
Notice that if
for some c > 0, then, for some

so
same upper and lower bounds.

We now turn to upper bounds for theories of finite trees. To determine
if a sentence of length n is in s a t ( E r ) , we will show that it suffices to
nondeterministically generate a tree in Trm, where mlog m > n, and verify
that
holds in this tree. In fact, we prove a somewhat stronger result:
given a tree of height r or less, there is a tree in
satisfying precisely
the same sentences of length n or less. Our proof uses Ehrenfeucht games.
Observe that a sentence of length n can have at most m distinct variables
(i.e., variables with different subscripts). Therefore, we will use the formulation of Ehrenfeucht games for logics with a bounded number of variables.
These games were introduced for infinitary logics by Barwise [1977] and
later used by Immerman [1986] to obtain lower bounds for queries on finite
relational structures.
Given two structures A and B for a first-order logic L, write A = B
to indicate that A and B satisfy precisely the same sentences from L of
quantifier rank at most n and with at most m distinct variables. The game
used to characterize = is played for n moves between players I and II
on a pair of structures A and B. Each player begins with m pebbles. On
the first move player I places a pebble on an element of A (or B) and
player II responds by placing a corresponding pebble on an element of 23
(or A). On each remaining move player I has two options: he may place an
unplayed pebble on an element of A (or B), in which case player II places
a corresponding pebble on an element of B (or A) ; or he may remove one
of the pebbles on A (or B) and replay it (not necessarily on the same
structure), in which case player II removes the corresponding pebble from
199
B (or A) and replays it in response to the move of player I. Player II wins

if the mapping from the set of elements of A covered by pebbles at the end
of the game to corresponding elements in 53 is an isomorphism between
substructures of A and B; otherwise, player I wins.
The basic result concerning this game is that player II has a winning
strategy if and only if A = B. We use this fact to prove two simple
lemmas.
We will assume henceforth that in addition to the binary edge relation,
trees also have a unary relation that is true only at the root. This is a
technical convenience to force player II to pebble a root whenever player I
pebbles a root.
For a tree A and a vertex x in A, let Ax be the subtree of A whose set
of vertices consists of x and all of its descendents.
Lemma 9.3. Suppose A is a tree and x is a vertex of A. Let A' be the
result of replacing Ax in A by another tree
Proof. We know that player II has a winning strategy for the m pebble
game of length n on Ax and B. Player II uses this as part of a winning
strategy for the m pebble game of length n on A and A'. Whenever player
I pebbles an element in A Ax or A' 53, player II responds by pebbling
the same element; whenever player I pebbles an element in 2lx or B, player
II responds by pebbling the element dictated by the strategy for Ax and
53. Notice that if player I pebbles the root of Ax, player II pebbles the root
of 53 (and vice versa) so that adjacency to elements in A Ax will be the
same. This is a winning strategy for player II so A =
A'.
I
Lemma 9.4. Let A and B be trees. Suppose that for each isomorphism
type, the set of primary subtrees of A and the set of primary subtrees of
53 either contain the same number of trees of that type, or both contain at
least m trees of that type. Then A = B for every n > 0.
Proof. It is easy to determine a winning strategy for player II. If player I
pebbles the root of A (or B), player II pebbles the root of B (or A). If player
I pebbles an element in a primary subtree A' of A and no other elements
of A' have been pebbled, player II responds by pebbling the corresponding
element in a primary subtree B' = A' of B where no other elements have
been pebbled. Player II responds similarly if player I pebbles an element in
a primary subtree B' of B and no other elements of B' have been pebbled.
If player I chooses an element in a primary subtree A' of A where some
elements have already been pebbled, these elements correspond to elements
already pebbled in some primary subtree B' A' of B. The isomorphism
determines the response of player II. Player II responds similarly if player
I chooses from a primary subtree of 53 where elements have already been
pebbled. Because no more than m elements in a structure are pebbled at
200
any time, it is easy to see that this strategy can always be carried out for
A and B satisfying the hypotheses of the lemma.
I
Theorem 9.5. Given a finite tree A of height at most r, there is a tree
B E Trm such that A = B for all n>0.
Proof. Modify A in the following manner. For each nonleaf vertex x of
depth r 1, consider all children y of x and subtrees Ay; for each isomorphism type, if more than m subtrees Ay are isomorphic, delete enough
of them so that there are precisely m. Continue this modification procedure
for vertices of depth r 2, r 1, and so on, up to the root. Call the resulting
tree B. It is clear from the two preceding lemmas that every time we delete
subtrees in this process, we obtain a tree in the same =-class as A. Thus,
A = B. It is evident that B T.
Remark 9.6. With slight modifications, this proof shows that for any tree
A of height r or less, there is a tree B T such that A = B for all
m > 0.
We have, as an immediate consequence of the preceding theorem, upper
bounds for theories of finite trees.
Corollary 9.7.
Proof. When r > 3 and m is the least integer suc
each tree in Trm has at most exp r _ 2 (cn) vertices. Thus, the time required
to nondeterministically generate a tree in 77 and determine whether a
sentence of length n holds in this tree is exp r _ 2 (cn) n . This function is
dominated by expr_2(dn) for some d > 0 when r > 3 and by expr_2(dn2)
when r = 3.
I
Remark 9.8. This theorem gives matching upper bounds for the lower
bounds obtained in Corollary 6.4 except for the case r = 3. There the lower
bound is NTIME(2cn) and the upper bound is NTIME(2dn2). Ferrante and
Rackoff [1979] get precisely the same bounds for the theory of one-to-one
functions (cf. Example 8.12). It is more satisfying to say that sat(E3) is a
complete problem for
via polynomial time reductions, according to Theorem 6.1(iv).

Both sat(E1) and sat(E2) are in PSPACE since the number of vertices
in trees in T1m and 72m is polynomially bounded in n, where m is the
201
least integer such that m log m > n. (Recall that by Theorem 9.5, for
every finite tree A of height at most r, there is a tree
such that
A = B.) Every first-order theory with a model of power greater than 1
is hard for PSPACE (via log-space reductions), so we know fairly precisely
the complexity of these theories.
Write A &% B to indicate that A and 03 satisfy the same monadic
second-order sentences of quantifier rank n with at most m variables. To
obtain upper bounds for monadic second-order theories of finite trees we
must introduce Ehrenfeucht games characterizing the relation mn.
In such a game, players I and II play for n moves on structures A and B.
Let PI , P2, . . . , Pm be unary relation symbols not in the language of A and
B. During each move of the game one of the symbols Pi will be assigned a
pair of sets. This pair contains a subset of A and a subset of B. Initially,
each of these symbols is assigned the empty set for A and the empty set
for 03. On each move player I picks a relation symbol Pi. The previous
assignment to Pi, is forgotten. Player I assigns a subset of A (or B). Player
II responds by assigning a subset of B (or A) to Pi . Whenever player I picks
a singleton set, player II must respond with a singleton set. (Singleton set
moves correspond to element quantifiers.) Now suppose that at the end of
the game symbols P1 , P2, . . . , Pm are assigned subsets P1 , R2, . . . , Rm of A
and subsets S1 , S2, . . . , Sm of 03. If the set
is an isomorphism between substructures of
then player II wins; otherwise, player I wins.

The basic result concerning this game is that player II has a winning
strategy if and only if A B.
We will sometimes say that an Ehrenfeucht game is played on structures (A, RI , . . . , Rm) and (B, S1 , . . . , Sm), where R1 , . . . , Rm are subsets
of A and S1, . . . ,Sm are subsets of 03. By this we mean that the symbols P1 , . . . , Pm initially have R1 , . . . , Rm and S1 , . . . , Sm assigned to them.
The game then proceeds as before. We will say that (A, R1, . . . , Rm) and
(03, S1, . . . ,Sm) are n-equivalent if player II has a winning strategy for
games of length n on this pair of structures. Clearly, n-equivalence is an
equivalence relation.
Using monadic second-order Ehrenfeucht games, we can show that =
can be replaced by in Lemma 9.3. In fact, we can show more.
Lemma 9.9. Suppose that A is a finite tree with subsets RI, . . . , Rm. Let
x be a vertex
the structure obtained by replacing
the substructure
by another
202
structure (B, S1,..., Sm), where B is a tree. If
are n-equivalent, then so are

We would also like to prove a result like Lemma 9.4, but this is not so
simple. We must prove results like Lemma 9.4 and Theorem 9.5 simultaneously. To do this we need more complicated sets of trees.
Definition 9.10. Define functions f(m,n,r) and g(m,n,r) as follows.
and
Functions f and g are defined for all integers m,n,r

repeatedly use the last equation to obtain
> 0 because we can
and then replace each factor f(m,i,r + 1) by 2m(g(m,i,r) + l)f( m , i , r ).

Now define classes Urm,n of trees of height at most r. Uom,n contains
all trees of height 0.
consists of all trees whose primary subtrees
come f r o m , no more than g(m, n, r) primary subtrees coming from the
same isomorphism class. Define classes Vrm,n of structures (A,R1,..., Rm),
where A is a tree of height at most r and each Ri is a subset ofA.vom,n
contains all structures (A, R1, ..., Rm), where A is a tree of height 0.
by restricting to primary subtrees of A all come from Vrm,n, no more than
g(m,n,r) such substructures coming from the same isomorphism class.
Notice that
.
Theorem 9.11. Given a finite tree A of height at most r and an integer
n>0, there is a tree B Urm,n such that A mnB.
Proof. We prove a more general assertion. Given a structure ( A , R I , ...,
Rm}, where A is a tree of height at most r and R1,..., Rm are subsets of
A, there is a structure
such that
and
n-equivalent.
The proof is by induction on r. For r = 0, the assertion is obvious. Assume that A has height r > 0 and that the assertion holds for trees of lesser
203
height. Consider the substructures of (A, RI ,..., Rm) formed by restricting

to primary subtrees. By the induction hypothesis, each such substructure is
n-equivalent to some structure in
for each n-equivalence class replace
the substructures in that class by a structure from
in the same class
with the provision that if there are more than g(m, n, r 1) substructures in
the class we first eliminate enough of them to make their number precisely
g(m,n,r 1). In this way we form a structure (B,S1,... ,S m ) V'.
We show that (A, RI , . . . , Rm) and (B,S1,..., Sm) are n-equivalent.
Fix an n-equivalence type T. Let (A', R1,..., R'm) be the union of substructures of (A, R1,... ,Rm) of type T formed by restricting to primary
subtrees of A. Define the substructure (B', S'1..., S'm) of (B,S1,..., Sm)
similarly. Thus, A' and B' are forests, and each substructure of (A', R'1,...,
formed by restricting to a tree in the forest is of
type T. Moreover, A' and B' either contain the same number of trees or
both contain at least g(m,n,r 1) trees. We claim that (A', R'1,..., R'm)
and (B',S'1,... ,S'm) are n-equivalent. From this claim it follows easily
that (A,R1,.. .,Rm) and (B,S1,...,S m ) are n-equivalent because player
II can combine the winning strategies on the pairs of substructures.
We establish the claim by induction on n. The case n = 0 is clear.
(Notice, however, that it is crucial that g(m,0,r 1) = 2 because S'i must
be assigned a nonsingleton set whenever R'i is assigned a nonsingleton set.)
Suppose that n > 0 and that the claim is true for smaller values.
Player I will begin by assigning a subset of one of the forestssay
subset Ri of A'to a relation symbol Pi. This gives a new structure
where
when
By the induction hypothesis (for the induction on r), every substructure formed by restricting
this structure to a tree in A' is (n l)-equivalent to some structure in
there
can be at most f(m, n - 1, r 1 ) - e q u i v a
classes represented among such substructures. Player II responds by assigning a subset of Si" of B' to Pi;to obtain a structure (B', S1",..., Sm),
where S" = Sj when i = j. She does this in such a way that for every
(n - 1)-equivalence type
either
have the same number of substructures of type T' formed by restricting
to trees in A' and B', or both have at least g(m,n l,r 1) such substructures of type T'. Player II can always make such a response because
A' and B' either have the same number of trees or both have at least
g(m, n, r 1) = f(m, n 1, r l)g(m, n 1, r 1) trees.
By the induction hypothesis (for the induction on n)
are (n - l)-equivalent so (A',R'1,... ,R'm) and (B',S'1,... ,S'm) are n-equivalent.

I
Theorem 9.12. For each r > 1 there is a d > 0 such that
204
Proof. It is easy to show by induction that for each r > 1 there is a c > 0
such that
If we let h(m, n, r) be the maximum number of vertices of any structure in

see
we
that
For each r > 2 there is a c > 0 such that h(m, n, r) < expr(c(m + logn)).
When r > 2 we can determine if a sentence from MLt is in sat(ME r )
by nondeterministically generating a tree in
, where m log m > n, and
using alternation to verify that holds in this tree. This can be done in
ATIME(expr(dn/ logn), n).
When
r = 1 we must be a little more careful because a tree in
structure. Suppose we have chosen m subsets R1,..., Rm from a tree

A of height 1. Let +Ri, be Ri and Ri be the complement of Ri. For
We
only keep track of which sets Ri contain the root of A and the the values
\d R\ for each d E {+, -}. Thus, {A,R1,..., Rm) can be represented in
space O(2m logn). Using this kind of representation, the argument above
shows that sat
10
Open problems
We close with a list of problems, first presented in Compton and Henson

[1990]. They are mostly concerned with lower bounds for theories arising
in algebra. The only one on which there has been substantial progress is
Problem 10.13. These problems represent only a small number of the decidable theories whose complexities deserve to be investigated. We have not
mentioned many of the decidable theories of modules investigated in recent
yearsPoint [1986; 1993], Point and Prest [1993], Prest [l988a; 1988b], for
example.
Problem 10.1. Determine the complexity of first-order theories of finite
fields.
The first-order theory of finite fields, and several related theories, were
shown to be decidable by Ax [1968] in a paper which has proved to be
205
of great mathematical influence. Later Fried and Sacerdote [1976] gave a

primitive recursive decision procedure, but it is not known if any of these
theories is elementary recursive.
It is not difficult to show that these theories have a hereditary lower
bound of ATIME(exp 2 (cn),cn) The method is to give a monadic interpretation of the classes of binary relations on sets of size at most exp 2 (n),
and then apply Theorem 7.3. We give a brief sketch of the argument. Let
f be any infinite field which is a model of the theory of finite fields and
in which one has the coding of finite sets used by Duret [1980]. That is,
given any two disjoint finite sets A, B C F, there is an element w e f
such that if a A then a + w is a square in f and if b B then b + w
is not a square in f. Construct by iteration formulas an(x,u) such that
for each n there is a choice of parameters u so that an(x,u) is true in f
of exp 2 (n) values of x. For example, if f has characteristic 0, then an(x)
can be constructed as in Fisher and Rabin [1974] so that an(x) holds in
f exactly when x is one of the integers 0,... ,exp 2 (n) 1. Alternatively,
one could use formulas an(x,y) asserting that x is an exp 2 (n)th root of y.
Now consider the formulas B n ( x , t , u ) given by
For an appropriate choice of t in F, the mapping

is oneto-one on
. This together with the coding of finite sets gives every
binary relation on sets of size at most exp 2 (n). The coding of finite sets
also gives every subset of the universe so we have the required monadic
interpretation.
Problem 10.2. Determine the complexity of the first-order theory of linearly ordered Abelian groups.
This theory was shown to be decidable by Gurevich [1965], with later
improvements in Gurevich [1977]. There is a simple interpretation of the
first-order theory of linear orders in this theory, so it has a hereditary
N T I M E ( e x p ( c n ) ) lower bound. (See Example 8.3.) On the other hand, a
primitive recursive decision procedure for the theory was given by Gurevich
[1977]. It would be interesting to improve either of these bounds.
Problem 10.3. Determine the complexity of first-order theories of valued
fields.
Ax and Kochen [1966] and Ersov [1965] proved the decidability of various first-order theories of valued fields, including some power series fields
and the fields of p-adic numbers Qp. Brown [1978] obtained an elementary
recursive upper bound for the first-order theory of 'almost all' of the fields
Qpthat is, the set of sentences true in Qp for all but finitely many p.
Very little is known about lower bounds for this theory or about the other
related theories covered by the Ax-Kochen-Ersov work, with the exception
206
of the theory of p-adic numbers, whose complexity was determined by Egidi

[1993]
Problem 10.4. Determine the complexity of the first-order theory of
Boolean algebras with several distinguished filters.
Ersov [1964] proved decidability of the first-order theory of Boolean algebras with a distinguished filter. Touraille [1985] presents some results
on the elimination of quantifiers for this theory, but does not show decidability. Rabin [1969] showed decidability of the theory of Boolean algebras with quantification over filters by giving an interpretation in the
monadic second-order theory of two successors. This gives an upper bound
of NTIME(exp00(dn)), but nothing is known about lower bounds.
Problem 10.5. Determine the complexity of the first-order theory of the
lattice of closed subsets of the Cantor set.
Rabin [1969] proved that this theory is decidable by interpreting it
in the monadic second-order theory of two successors. As in the previous
problem, this gives an upper bound of NTIME(exp00(dn)). It is not known
if this theory is elementary recursive and no nontrivial lower bounds are
known. A more explicit analysis of this theory has been given by Gurevich
[1982].
Problem 10.6. Determine the complexity of the first-order theory of
the ring of bounded sequences of real numbers.
Cherlin [1980] gave a very explicit and difficult decision procedure for
this theory, but its complexity has not been analysed. It should be possible
to extract an upper bound from Cherlin's work. While it seems unlikely to
us that this theory is elementary recursive, there are no good lower bounds
known.
Problem 10.7. Determine the complexity of the theory of pairs of torsionfree Abelian groups, and of the theory of a vector space V with k distinguished subspaces (k = 1,2,3,4).
The theory of pairs of torsion-free Abelian groups was proved decidable
by Kozlov and Kokorin [1969]; see also Schmitt [1982]. For k > 5, the
theory Tk of vector spaces with k distinguished subspaces (over some fixed
field f) is undecidable; see Baur [1976] or Slobodskoi and Fridman [1976].
Here the vector space is equipped with + and a family of unary scalar
multiplication functions, one for each element of f'. If k < 4, however, the
theory Tk was shown to be decidable by Baur [1980]. See Prest [1988a]
for a discussion of how these theories are related to the representation
theory of finite-dimensional algebras over F. The theories Tk are stable
and hence the undecidability of T5 could not be proved by the usual means
of interpreting arithmetic or finite graphs. There does not seem to be any
corresponding a priori impediment to using the methods of this chapter to

obtain lower bounds on the complexity of
207
,
Problem 10.8. Determine the complexity of the first-order theory of real

closed fields and the theory of the first-order theory of algebraic closed
fields.
These theories are, respectively, the first-order theory of the real numbers and the first-order theory of the complex numbers. Good upper and
lower bounds are known for these theories, but the gap has not been completely closed. Berman's ATIME(2 c n ,n) lower bound for real addition is
the best bound known for the theory of real closed fields. We discussed this
bound in Example 8.20. By the remarks following the example, we have
the same lower bound for the theory of algebraic closed fields. The best
upper bound at present for the theory of real closed fields is SPACE(2dn);
this was proved by Ben-Or et al. [1986]. This bound holds as well for the
theory of algebraic closed fields since there is a simple interpretation of
the complex numbers in the real numbers. For the same reason, any lower
bound for the theory of algebraic closed fields would hold for the theory of
real closed fields.
Robinson [l959b] showed that if A is the field of real algebraic numbers,
then the first-order theory of (R, +, -, A) is also decidable. It would be
interesting to know if this theory has a somewhat higher complexity than
the theory of real closed fields.
Problem 10.9. Determine the complexity of the first-order theory of differentially closed fields.
Robinson [l959a] proved the decidability of this theory, but essentially
nothing more is known about its complexity. See Wood [1976] for a fuller
discussion of this mathematically interesting theory.
Problem 10.10. Is elementary recursiveness of a theory preserved under
product and sheaf constructions?
Decidability of first-order theories is preserved by many general constructions, such as products (Feferman and Vaught [1959]) and sheaf constructions (Macintyre [1973]). Some upper bound results for weak products
are presented in Ferrante and Rackoff [1979], where the question is raised
whether, for every model A whose first-order theory is elementary recursive, the first-order theory of the weak direct product Aw is also elementary
recursive. The same type of question for other product and sheaf constructions is also open and worth investigating. (See Chapter 5 of Ferrante and
Rackoff [1979].)
Problem 10.11. Give nontrivial lower bounds for mathematically interesting theories whose decidability is still open.
Examples include the first-order theories of the field of rational functions over the complex numbers; the real exponential field (R,+,-,exp);
208
the field of meromorphic functions; and many others. It may be possible to

show that some of these theories are not elementary recursive, just as Semenov [1980] did for the theory of free groups. (See the remarks following
Example 8.8.)
Problem 10.12. Is there a 'natural' decidable theory which is not primitive recursive?
Problem 10.13. In [Compton and Henson, 1990], we asked whether there
is there a 'natural' decidable theory with a lower bound of the form
NTIME(exp00(f(n))
where f ( n ) is not linearly bounded.
This was answered affirmatively by Vorobyov [1997; preprint], who
showed that a rudimentary version of the theory of finite typed sets investigated by Henkin [1963] and Statman [1979] is decidable, but has a
lower bound of
Problem 10.14. Determine the complexities of fragments of theories with

given prefix structures.
There has been some interesting work done in this area. (See, for example, Robertson [1974], Reddy and Loveland [1978], Furer [1982], and
Scarpellini [1984].)
In certain cases the methods of this chapter should give results under these restrictions. This is not likely to be true where iterative interpretations are used, since iterative definitions almost always introduce an
unbounded number of alternations of quantifiers. However, where prenex
interpretations are used in conjunction with Theorem 6.1 and Corollary 6.1,
it seems clear that complexity results for sentences with specific limitations
on prefix structure can be obtained.
Other syntactic limitations can also be imposed on decision problems
and have been widely studied in the setting of the decidable/undecidable
distinction. For example, in algebraic theories, one may pay attention to
the degree and number of variables of occurring polynomials.
In decision problems (and, more generally, complexity problems) the
refinements mentioned above, especially limitations to a simpler and more
intelligible prefix structure, often reflect restriction to mathematically more
interesting and significant problems (as has been emphasized to us by G.
Kreisel). Thus, the undecidability of Hilbert's tenth problem is far more
interesting than the undecidability of arithmetic; the undecidability of the
word problem for finitely presented groups is far more interesting than
the undecidability of the theory of groups. One can hope for and expect
to see a similar kind of increasing maturity in the study of complexity of
decidable problems, not only at the level of NP-complete or PSPACEcomplete problems (where it already exists to some extent), but also at
209
higher levels of complexity.

Problem 10.15. Characterize the PSPACE-complete theories.
We noted in section 1 that every theory with a model of power greater
than 1 is PSPACE-haxd. Thus, the PSPACE-complete theories are, in
some sense, the simplest nontrivial theories. A number of different theories
have been shown to be PSPACE-complete. (See Stockmeyer [1977], Ferrante and Rackoff [1979], and Grandjean [1983].) It would be interesting
to have model-theoretic characterization of these theories.
Problem 10.16. If one substitutes 'tree' for 'binary relation' in the definitions of satT(Lo) and satT(Mo), do Theorems 6.1 and 7.1 still hold for
An affirmative answer would give a generalization of Corollaries 6.5, 7.5,
and 7.9.
Problem 10.17. Use the techniques of this chapter to derive a lower
bound for the emptiness problem for *-free regular expressions.
The proof that this problem is not elementary recursive is one of the
more difficult results in Stockmeyer [1974]. McNaughton and Papert [1971]
show that the first-order theory of finite linear orders with an added unary
predicate (Example 8.1) can be reduced to this problem, but it is not clear
that an elementary recursive reduction can be found. Furer [1978] gives a
lower bound of
for the emptiness problem for *-free regular expressions. It would be interesting to know if this could be strengthened to a lower bound of
Acknowledgements
The authors wish to thank Elsevier Scientific for permission to publish an
updated, revised version of the paper [Compton and Henson, 1990].
We would like to thank the referee of Compton and Henson [1990] for
his extraordinarily careful reading of this chapter and helpful comments.
References
[Ax, 1968] J. Ax. The elementary theory of finite fields, Ann. Math., 88,
239-371, 1968.
[Ax and Kochen, 1966] J. Ax and S. Kochen. Diophantine problems over
local fields III: decidable fields, Ann. Math., 83, 437-456, 1966.
[Barwise, 1977] J. Barwise. On Moschovakis closure ordinals, J. Symbolic
Logic, 42, 292-296, 1977.
210
[Baur, 1976] W. Baur. Undecidability of the theory of abelian groups with

a subgroup, Proc. Amer. Math. Soc., 55, 125-128, 1976.
[Baur, 1980] W. Baur. On the elementary theory of quadruples of vector
spaces, Ann. Math. Logic, 55, 125-128, 1976.
[Ben-Or et al, 1986] M. Ben-Or, D. Kozen, and J. Reif. The complexity of
elementary algebra and geometry, J. Comput. System Sci., 32, 251-164,
1986.
[Berman, 1980] L. Berman. The complexity of logical theories, Theoret.
Comput. Sci., 11, 71-77, 1980.
[Borger, 1984a] E. Borger. Decision problems in predicate logic. In Logic
Colloquium 1982, G. Lolli, G. Longo, and A. Marcja, eds., pp. 263-301.
North-Holland, Amsterdam, 1984.
[Borger, 1984b] E. Borger. Spektralproblem and completeness of logical decision problems. In Logics and Machines: Decision Problems and Complexity, E. Borger, G. Hasenjaeger, and D. Rodding, eds., Lecture Notes
in Comput. Sci. 171, pp. 333-356. Springer-Verlag, Berlin, 1984.
[Borger, 1985] W. Borger. Berechenbarkeit, Komplexitdt, Logik. ViewegVerlag, Wiesbaden, 1985.
[Borger et al, 1997] E. Borger, E. Gradel and Y. Gurevich. The Classical
Decision Problem. Springer-Verlag, Berlin, 1997.
[Brown, 1978] S. S. Brown. Bounds on transfer principles for algebraically
closed and discretely valued fields, Mem. Amer. Math. Soc., 204, 1978.
[Bruss and Meyer, 1980] A. Bruss and A. Meyer. On time-space classes
and their relation to the theory of real addition, Theoret. Comput. Sci.,
11, 56-69, 1980.
[Biichi, 1962] J. Buchi. Turing machines and the Entscheidungsproblem,
Math. Ann., 148, 201-213, 1962.
[Cegielski, 1996] P. Cegielski. Definability, decidability, complexity, Ann.
Math. Artificial Intelligence, 16, 311-341, 1997.
[Cegielski et al., 1996] P. Cegielski, Y. Matiyasevich, and D. Richard. Definability and decidability issues in extensions of the integers with the
divisibility predicate, J. Symbolic Logic, 61, 515-540, 1996.
[Chagrov and Zakharyaschev, 1997] A. Chagrov and M. Zakharyaschev.
Modal Logic. The Clarendon Press, New York, 1997.
[Chandra et al, 1981] A. Chandra, D. Kozen, and L. Stockmeyer. Alternation, J. Assoc. Comput. Mach., 28, 114-133, 1981.
[Cherlin, 1980] G. Cherlin. Rings of continuous functions: decision problems. In Model Theory of Algebra and Arithmetic, L. Pacholski, J.
Wierzejewski, and A. J. Wilkie, eds., Lecture Notes in Math. 834, pp.
44-91. Springer-Verlag, Berlin, 1980.
[Compton and Henson, 1990] K. J. Compton and C. W. Henson. A uni-
211
form method for proving lower bounds on the complexity of logical theories, Ann. Pure Appl. Logic, 48, 1-79, 1990.
[Compton et al, 1987] K. J. Compton, C. W. Henson, and S. Shelah. Nonconvergence, undecidability, and intractability in asymptotic problems.
Ann. Pure Appl. Logic, 36, 207-224, 1987.
[Duret, 1980] J.-L. Duret. Les corps pseudo-finis ont la propriete
d'independence. C. R. Acad. Sci. Paris Ser. A-B , 290, A981-A983,
1980.
[Egidi, 1993] L. Egidi. The complexity of the theory of p-adic numbers. In
Proceedings of the 34th Annual Symposium on Foundations of Computer
Science, Palo Alto, CA, pp. 412-421. IEEE Computer Society Press, Los
Alamitos, CA, 1993.
[Emerson and Halpern, 1985] E. A. Emerson and J. Halpern. Decision procedures and expressiveness in the temporal logic of branching time, J.
Comput. System Sci., 30, 1-24, 1985.
[Ersov, 1964] Y. Ersov. Decidability of the elementary theory of relatively
complemented distributive lattices and the theory of filters, Algebra i
Logika, 3, 17-38, 1964. (In Russian.)
[Ersov, 1965] Y. Ersov. On the elementary theory of maximal normed
fields, Soviet Math. Dokl., 6, 1390-1393, 1965. (English translation.)
[Ersov et al., 1965] Y. Ersov, I. A. Lavrov, A. D. Taimanov, and M. A.
Taitslin. Elementary theories, Russian Math. Surveys, 20, 35-100, 1965.
(English translation.)
[Fagin et al., 1995] R. Fagin, J. Halpern, Y. Moses, and M. Vardi. Reasoning about Knowledge. MIT Press, Cambridge, MA, 1995.
[Feferman and Vaught, 1959] S. Feferman and R. Vaught. The first-order
properties of products of algebraic systems, Fund. Math., 47, 57-103,
1959.
[Ferrante, 1974] J. Ferrante. Some upper and lower bounds on decision procedures in logic, Doctoral thesis, Massachusetts Institute of Technology,
Cambridge, MA, 1974.
[Ferrante and Rackoff, 1979] J. Ferrante and C. Rackoff. The Computational Complexity of Logical Theories, Lecture Notes in Math. 718.
Springer-Verlag, Berlin, 1979.
[Fischer and Ladner, 1979] M. J. Fischer and R. Ladner. Prepositional dynamic logic of regular programs, J. Comput. System Sci., 18, 194-211,
1979.
[Fischer and Rabin, 1974] M. J. Fischer and M. Rabin. Super-exponential
complexity of Presburger arithmetic. In Complexity of Computation, R.
M. Karp, ed. SIAM-AMS Proc., vol VII, pp. 27-42. American Mathematical Society, Providence, RI, 1974.
[Fleischmann et al., 1977] K. Fleischmann, B. Mahr, and D. Siefkes.
212
Bounded concatenation theory as a uniform method for proving lower

complexity bounds. In Logic Colloquium 1976, R. Gandy and M. Hyland,
eds. pp. 471-490. North-Holland, Amsterdam, 1977.
[Fried and Sacerdote, 1976] M. Fried and G. Sacerdote. Solving Diophantine problems over all residue class fields of a number field and all finite
fields, Ann. Math., 104, 203-233, 1976.
[Furer, 1978] M. Furer. Nicht-elementare untere Schranken in der
Automaten-theorie, Doctoral thesis, ETH, Zurich, 1978.
[Furer, 1982] M. Furer. The complexity of Presburger arithmetic with
bounded quantifier alternation, Theoret. Comp. Sci., 18, 1-5-111, 1982.
[Gradel, 1988] E. Gradel. Subclasses of Presburger arithmetic and the
polynomial-time hierarchy, Theoret. Comput. Sci., 56, 289-301.
[Gradel, 1989] E. Gradel. Dominoes and the complexity of subclasses of
logical theories, Ann. Pure Appl. Logic, 43, 1-30, 1989.
[Grandjean, 1983] E. Grandjean. Complexity of the first-order theory of
almost all finite structures, Inform. Control, 57, 180-204, 1983.
[Gurevich, 1965] Y. Gurevich. Elementary properties of ordered Abelian
groups, Amer. Math. Soc. Transl, 46, 165-192, 1965.
[Gurevich, 1977] Y. Gurevich. Expanded theory of ordered Abelian groups,
Ann. Math. Logic, 12, 192-228, 1977.
[Gurevich, 1982] Y. Gurevich. Crumbly spaces, In Proc. 1979 Intl. Cong.
Logic, Methodology and Philosophy of Science, pp. 179-191. NorthHolland, Amsterdam, 1982.
[Halpern and Moses, 1992] J. Halpern and Y. Moses. A guide to completeness and complexity for modal logics of knowledge and belief, Artificial
Intelligence, 54, 319-379, 1992.
[Halpern and Vardi, 1986] J. Halpern and M. Vardi. The complexity of reasoning about knowledge and time. In Proc. 18th Ann. ACM Symp. on
Theory of Computing, pp. 304-315. Association for Computing Machinery, New York, 1986.
[Hardy and Wright, 1964] G. H. Hardy and E. M. Wright. Theory of Numbers. Oxford University Press, Oxford, 1964.
[Harel, 1984] D. Harel. Dynamic logic. In Handbook of Philosophical Logic,
Vol. II, D. M. Gabbay and F. Guenthner, eds., pp 497-604, Reidel,
Dordrecht, 1984.
[Henkin, 1963] L. Henkin. A theory of prepositional types, Fund. Math.,
52, 323 344, 1963.
[Hopcroft and Ullman, 1979] J. Hopcroft and J. D. Ullman. Introduction to
Automata Theory, Languages and Computation. Addison-Wesley, Reading, MA, 1979.
[Immerman, 1986] N. Immerman. Relational queries computable in polynomial time, Inform. Control, 68, 86-104, 1986.
213
[Kaufmann and Shelah, 1983] M. Kaufmann and S. Shelah. On random

models of finite power and monadic logic, Discrete Math., 54, 285-293,
1983.
[Korec and Rautenberg, 1975/76] I. Korec and W. Rautenberg. Model interpretability into trees and applications, Arch. Math. Logik Grundlag,
17, 97-104, 1975/76.
[Kozen, 1980] D. Kozen. Complexity of Boolean algebras, Theoret. Comp.
Sci., 10, 221-147, 1980.
[Kozen and Tiuryn, 1990] D. Kozen and J. Tiuryn. Logics of programs. In
Handbook of Theoretical Computer Science, Vol. B, pp. 789-840, Elsevier, Amsterdam, 1990.
[Kozlov and Kokorin, 1969] G. T. Kozlov and A. I. Kokorin. Elementary
theory of Abelian groups without torsion, with a predicate selecting a
subgroup, Algebra and Logic, 8, 182-190, 1969. (English translation.)
[Kutty et al, 1995] G. Kutty, L. Moser, P. Melliar-Smith, Y. Ramakrishna, and L. Dillon. Axiomatizations of interval logics, Fund. Inform.,
24, 313-331, 1995.
[Lewis, 1980] H. R. Lewis. Complexity results for classes of quantificational
formulas, J. Comput. System Sci., 21, 304-315, 1980.
[Lo, 1988] Libo Lo. On the computational complexity of the theory of
abelian groups, Ann. Pure Appl. Logic, 37, 205-248, 1988.
[Lynch, 1982] J. F. Lynch. Complexity classes and finite models, Math.
Systems Theory, 15, 127-144, 1982.
[Machtey and Young, 1978] M. Machtey and P. Young. Introduction to the
General Theory of Algorithms. North-Holland, New York, 1978.
[Macintyre, 1973] A. Macintyre. Model completeness for sheaves of structures, Fund. Math., 81, 73-89, 1973.
[Maurin, 1996] F. Maurin. Exact complexity bounds for ordinal addition,
Theoret. Comp. Sci., 165, 247-273, 1996.
[Maurin, 1997a] F. Maurin. Ehrenfeucht games and ordinal addition, Ann.
Pure Appl. Logic, 89, 53-73, 1997.
[Maurin, 1997b] F. Maurin. The theory of integer multiplication with order
restricted to primes is decidable, J. Symbolic Logic, 62, 123-130, 1997.
[McNaughton and Papert, 1971] R. McNaughton and S. Papert. Counter
Free Automata. MIT Press, Cambridge, MA, 1971.
[Meyer, 1974] A. Meyer. The inherent computational complexity of theories of ordered sets. In Proc. 1974 Intl. Cong, of Mathematicians, Vancouver, BC, pp. 477-482, 1974.
[Meyer, 1975] A. Meyer. Weak monadic second order theory of successor
is not elementary recursive. In Logic Colloquium (Boston 1972-73), R.
Parikh, ed., Lecture Notes in Math. 453, pp. 132-154. Springer-Verlag,
Berlin, 1975.
214
[Michel, 1981] P. Michel. Borne superieure de la complexite de la theorie

de N muni de la relation de divisibilite. In Model Theory and Arithmetic
(Paris, 1979-1980), C. Berline, M. McAloon, and J.-P. Ressayre, eds.,
Lecture Notes in Math. 890, pp. 242-250. Springer-Verlag, Berlin, 1981.
[Michel, 1992] P. Michel. Complexity of logical theories involving coprimality, Theoret. Comp. Sci., 106, 221-241, 1992.
[Moschovakis, 1974] Y. Moschovakis. Elementary Induction on Abstract
Structures. North-Holland, Amsterdam, 1974.
[Point, 1986] F. Point. Problemes de decidabilite pour les theories de modules, Bull. Soc. Math. Belg. Ser. B, 38, 58-74, 1986.
[Point, 1993] F. Point. Decidability questions for theories of modules.
In Logic Colloquium '90 (Helsinki, 1990), J. M. R. Oikkonen and J.
Vaananen, eds., Lecture Notes in Logic 2, pp. 266-280. Springer, Berlin,
1993.
[Point and Prest, 1993] F. Point and M. Prest. Decidability for theories of
modules, J. London Math. Soc. (2), 38, 193-206, 1988.
[Prest, 1988a] M. Prest. Model theory and representation type of algebras.
In Logic Colloquium '86 (Hull, 1986), pp. 219-260. North-Holland, 1988.
[Prest, 1988b] M. Prest. Model Theory and Modules, Cambridge University
Press, Cambridge, 1988.
[Rabin, 1965] M. Rabin. A simple method for undecidability proofs and
some applications. In Proc. 1964 Intl. Cong. Logic, Methodology and
Philosophy of Science, pp. 58-68. North-Holland, Amsterdam, 1964.
[Rabin, 1969] M. Rabin. Decidability of second order theories and automata on infinite trees, Trans. Amer. Math. Soc., 141, 1-35, 1969.
[Rabinovich, 1998] A. Rabinovich, Non-elementary lower bound for prepositional duration calculus, Inform. Process. Lett., 66, 7-11, 1998.
[Rackoff, 1975a] C. Rackoff. The computational complexity of some logical
theories, Doctoral thesis, Massachusetts Institute of Technology, Cambridge, MA, 1975.
[Rackoff, 1975b] C. Rackoff. The complexity of theories of the monadic
predicate calculus, Research Report no. 136, INRIA, Roquencourt,
France, 1975.
[Rackoff, 1976] C. Rackoff. On the complexity of the theories of weak direct
powers, J. Symbolic Logic, 41, 561-573, 1976.
[Ramakrishna et al, 1992] Y. Ramakrishna, L. Dillon, L. Moser, P.
Melliar-Smith, and G. Kutty. An automata-theoretic decision procedure
for future interval logic. In Foundations of Software Technology and Theoretical Computer Science, R. Shyamasundar, ed., Lecture Notes in Comput. Sci. 652, pp. 51-67. Springer-Verlag, Berlin, 1992.
[Ramakrishna et al., 1996] Y. Ramakrishna, P. Melliar-Smith, L. Moser,
L. Dillon, and G. Kutty. Interval logics and their decision procedures. I.
215
An interval logic, Theoret. Comput. Sci., 166, 1-47. 1996.

[Reddy and Loveland, 1978] C. R. Reddy and D. Loveland. Presburger
arithmetic with bounded quantifier alternation. In Proc. 10th Ann. ACM
Symp. on Theory of Computing, pp. 320-325. ACM, New York, 1978.
[Robertson, 1974] E. L. Robertson. Structure of complexity in the weak
monadic second-order theories of the natural numbers. In Proc. 6th Ann.
ACM Symp. on Theory of Computing, pp. 161-171. ACM, New York,
1974.
[Robinson, 1959a] A. Robinson. On the concept of a differentially closed
field, Bull. Res. Council Israel, 8F, 113-128, 1959.
[Robinson, 1959b] A. Robinson. Solution of a problem of Tarski, Fund.
Math., 47, 179-204, 1959.
[Scarpellini, 1984] B. Scarpellini. Complexity of subcases of Presburger
arithmetic, Trans. Amer. Math. Soc., 284, 203-218, 1984.
[Schmitt, 1982] P. Schmitt. The elementary theory of torsion free Abelian
groups with a predicate specifying a subgroup, Z. Math. Logik Grundlagen Math., 28, 323-329, 1982.
[Schoning, 1997] U. Schoning. Complexity of Presburger arithmetic with
fixed quantifier dimension, Theory Comput. Syst., 30, 423-428, 1997.
[Seiferas et al., 1978] J. Seiferas, M. Fischer, and A. Meyer. Separating
nondeterministic time complexity classes, J. Assoc. Comput. Much., 25,
146-167, 1978.
[Semenov, 1980] A. L. Semenov. An interpretation of free algebras in free
groups, Soviet Math. Dokl, 21, 952-955, 1980. (English translation.)
[Semenov, 1984] A. L. Semenov. Logical theories of one-place functions
on the set of natural numbers, Math. USSR-Izv., 22, 587-618, 1984.
(English translation.)
[Slobodskoi and Fridman, 1976] A. M. Slobodskoi and E. I. Fridman. Theories of abelian groups with predicates specifying a subgroup, Algebra
and Logic, 14, 353-355, 1976. (English translation.)
[Stern, 1988] J. Stern. Equivalence relations on lattices and the complexity
of the theory of permutations which commute. In Methods and Applications of Mathematical Logic (Campinas, 1985), W. Carnielli and L. de
Alcantara, eds., pp. 229-240. American Mathematical Society, Providence, RI, 1988.
[Statman, 1979] R. Statman. The typed -calculus is not elementary recursive, Theoret. Comput. Sci., 9, 73-81, 1979.
[Stirling, 1992] C. Stirling. Modal and temporal logics. In Handbook of
Logic in Computer Science, Vol. 2, pp. 477-563. Oxford University Press,
Oxford, 1992.
[Stockmeyer, 1974] L. Stockmeyer. The complexity of decision problems in
216
automata and logic, Doctoral thesis, Massachusetts Institute of Technology, Cambridge, MA, 1974.
[Stockmeyer, 1977] L. Stockmeyer. The polynomial-time hierarchy, Theoret Comp. Sci., 3, 1-22, 1977.
[Stockmeyer, 1987] L. Stockmeyer. Classifying the computational complexity of problems, J. Symbolic Logic , 52, 1-43, 1987.
[Tetruashvili, 1984] M. Tetruashvili. The computational complexity of the
theory of abelian groups with a given number of generators. In Frege Conference, 1984 (Schwerin, 1984), PP- 371-375. Akademie-Verlag, Berlin,
1984.
[Touraille, 1985] A. Touraille. Elimination des quantificateurs dans la
theorie elementaire des algebres de Boole munies d'une famille d'ideaux
distingues, C. R. Acad. Sci. Paris, Ser. I, 300, 125-128, 1985.
[Trakhtenbrot, 1950] B. A. Trakhtenbrot. The impossibility of an algorithm for the decision problem for finite models, Dokl. Akad. Nauk SSSR,
70, 569-572, 1950.
[Turing, 1937] A. M. Turing. On computable numbers with an application
to the Entscheidungsproblem, Proc. London Math. Soc. (2), 42, 230-265,
1937. Correction, ibid., 43, 544-546, 1937.
[Vardi, 1997] M. Vardi. Why is modal logic so robustly decidable? In Descriptive Complexity and Finite Models (Princeton, NJ), pp. 149-183.
Amer. Math. Soc., Providence, RI, 1997.
[Vaught, 1960] R. Vaught. Sentences true in all constructive models, J.
Symbolic Logic, 25, 39-58, 1960.
[Vaught, 1962] R. Vaught. On a theorem of Cobham concerning undecidable theories. In Proc. 1960 Intl. Cong. Logic, Phil, and Methodology of
Sci., pp. 14-25. Stanford University Press, Stanford, CA, 1962.
[Volger, 1985] H. Volger. Turing machines with linear alternation, theories
of bounded concatenation and the decision problem of first-order theories, Theoret. Comp. Sci., 23, 333-337, 1983.
[Vorobyov, 1997] S. Vorobyov. The 'hardest' natural decidable theory. In
Proc. 12thd Ann. IEEE Conf. on Logic in Computer Science, pp. 294305. IEEE Computer Society Press, 1988.
[Vorobyov, preprint] S. Vorobyov. The most nonelementary theory,
preprint.
[Wood, 1976] C. Wood. The model theory of differential fields revisited,
Israel J. Math., 25, 331-352, 1976.
[Young, 1985] P. Young. Godel theorems, exponential difficulty and undecidability of arithmetic theories: an exposition. In Recursion Theory,
A. Nerode and R. Shore, eds., Proc. Symp. Pure Math. 42. American
Mathematic Society, Providence, RI, 1985.
Algebraic specification of abstract data

types
J. Loeckx, H.-D. Ehrich and M. Wolf
Contents
1
2
Introduction
Algebras
2.1 The basic notions
2.2 Homomorphisms and isomorphisms
2.3 Abstract data types
2.4 Subalgebras
2.5 Quotient algebras
Terms
3.1 Syntax
3.2 Semantics
3.3 Substitutions
3.4 Properties
Generated algebras, term algebras
4.2 Freely generated algebras
4.3 Term algebras
4.4 Quotient term algebras
5.1 Signature morphisms
5.2 Reducts
5.3 Extensions
Logic
6.1 Definition
6.2 Equational logic
6.3 Conditional equational logic
6.4 Predicate logic
7.1 Models
7.2 Logical consequence
7.3 Theories
7.4 Closures
219
220
220
223
224
225
225
228
228
229
230
230
231
231
234
235
236
236
236
238
239
240
240
241
242
242
244
244
245
246
247
218
9
10
11
12
13
14
15

7.5 Reducts
7.6 Extensions
Calculi
8.1 Definitions
8.2 An example
8.3 Comments
Specification
10.3 Loose specifications with free constructors
11.1 Initial specifications in equational logic
11.2 Examples
11.3 Properties
11.4 Expressive power of initial specifications
11.5 Proofs
11.6 Term rewriting systems and proofs
11.8 Initial specifications in conditional equational
logic
11.9 Comments
13.1 A simple specification language
13.2 Two further language constructs
13.3 Adding an environment
13.4 Flattening
13.5 Properties and proofs
13.7 Further language constructs
13.8 Alternative semantics description
14.1 Modularized abstract data types
14.2 Atomic module specifications
14.3 A modularized specification language
14.4 A parameterized specification language
14.5 Comments
14.6 Alternative parameter mechanisms
Further topics
15.1 Behavioural abstraction
15.2 Implementation
15.3 Ordered sorts
15.4 Exceptions
249
249
250
250
251
252
253
254
254
256
257
258
258
259
261
261
262
264
266
267
267
268
271
272
275
279
282
283
283
283
284
285
285
286
288
291
295
296
298
298
300
302
303
16
15.5
15.6
15.7
The
16.1
16.2
Dynamic data types

Objects
Bibliographic notes
categorical approach
Categories
Institutions
305
307
309
310
310
310
1 Introduction
It is widely accepted that the quality of software can be improved if its design is systematically based on the principles of modularization and formalization. Modularization consists in replacing a problem by several "smaller"
ones. Formalization consists in using a formal language; it obliges the software designer to be precise and principally allows a mechanical treatment.
One may distinguish two modularization techniques for the software design. The first technique consists in a modularization on the basis of the
control structures. It is used in classical programming languages where it
leads to the notion of a procedure. Moreover, it is used in "imperative"
specification languages such as VDM [Woodman and Heal, 1993; Andrews
and Ince, 1991], Raise [Raise Development Group, 1995], Z [Spivey, 1989]
and B [Abrial, 1996]. The second technique consists in a modularization
on the basis of the data structures. While modern programming languages
such as Ada [Barstow, 1983] and ML [Paulson, 1991] provide facilities for
this modularization technique, its systematic use leads to the notion of abstract data types. This technique is particularly interesting in the design
of software for non-numerical problems. Compared with the first technique
it is more abstract in the sense that algebras are more abstract than algorithms; in fact, control structures are related to algorithms whereas data
structures are related to algebras.
Formalization leads to the use of logic. The logics used are generally
variants of the equational logic or of the first-order predicate logic.
The present chapter is concerned with the specification of abstract data
types. The theory of abstract data type specification is not trivial, essentially because the objects considered viz. algebras have a more
complex structure than, say, integers. For more clarity the present chapter
treats algebras, logics, specification methods ("specification-in-the-small"),
specification languages ("specification-in-the-large") and parameterization
separately. In order to be accessible to a large number of readers it makes
use of set-theoretical notions only. This contrasts with a large number of
publications on the subject that make use of category theory [Ehrig and
Mahr, 1985; Ehrich et a/., 1989; Sannella and Tarlecki, 2001].
Our attention is restricted to those topics that are now standard. Proofs
of theorems are omitted. For more details the reader is referred to the literature and, in particular, to the textbook [Loeckx et al., 1996]. This
220
textbook treats the subject along the same lines as the present chapter,
uses the same notation and contains the proofs of most of the theorems.
A book treating more advanced issues is [Sannella and Tarlecki, 2001]. A
comprehensive state-of-the-art report on recent advances in algebraic foundations of systems specification may be found in [Astesiano et al., 1999b].
A broad survey of the topic together with an annotated bibliography is in
[Cerioli et al., 1997].
Sections 2 to 8 describe the fundamental specification tools. More precisely, sections 2 to 5 are devoted to many-sorted algebras and sections 6
to 8 to logic. Section 9 introduces the general notion of a specification.
Sections 10 to 12 present three specification methods for specification-inthe-small: loose specifications, initial specifications and constructive specifications. Section 13 presents a simple prototypical specification language
for specification-in-the-large and discusses in some detail the language constructs. Section 14 shows how specification languages may be generalized
for modularization and parameterization. Section 15 shortly discusses some
further issues. Finally, section 16 briefly indicates how the notions of a category and of an institution may be used in the study of abstract data type
specifications.
Algebras
The algebras to be discussed here are essentially the universal algebras

discussed by Meinke and Tucker in [Tucker and Meinke, 1992]. As a difference the present section only treats those aspects that play a major role in
specification.
2.1
The basic notions
The first notion introduced is that of a signature. Informally, a signature

constitutes the syntax of an algebra by fixing the names and the arities of
the operations.
Definition 2.1 (Signature). A signature is a pair (S, ) of sets, the elements of which are called sorts and operations, respectively. Each operation
consists of a (k + 2)-tuple
with
n is called the operation name of the
operation and
its arity; the sorts s1,..., sk are called the
argument sorts of the operation and the sort s its target sort. If k = 0 the
operation n: ) s is called a constant of sort s.
Note that different operations may have the same operation name. Actually, the equality of two operations implies the equality of their names
and the equality of their arities.
221
The preceding definition differs from Definition 3.1.1 in [Tucker and

Meinke, 1992] essentially by explicitly distinguishing between an operation
and its name. This avoids difficulties when several operations have the
same name.
Example 2.2. The following signature (S, ) is intended for an algebra
with Boolean values and natural numbers:
Signatures may be represented graphically. In this representation sorts

correspond to labelled nodes and operations to edges pointing from the
argument sorts to the target sort. A graphical representation of the signature of Example 2.2 is in Figure 1. While such a representation is easily
understandable it may be ambiguous in that it does not fix the order of the
argument sorts. For instance, the graphical representations of operations
such as n : s x t > u and n : t x s u coincide.
True
False
Succ
Fig. 1. A graphical representation of the signature of Example 2.2.

Informally, an algebra provides a meaning to a signature.
Definition 2.3 (Algebra). Let E = (S, n) be a signature. An algebra
for this signature (or a E -algebra) assigns:
a set A(s) to each sort s S, called the carrier set of the sort s; the
222

elements of a carrier set are called carriers;
a total function
to each
operation.
It is understood
that A(n: - s) denotes an element of the carrier set A(s).
The class of all E-algebras is denoted Alg(E).

Whenever no ambiguity arises one may write A(n) instead of
A(n: S1 x . . . x sk > s). Note that many publications including [Tucker
and Meinke, 1992] use the notation As and nA instead of A(s) and A(n),
respectively. By the way, Alg(E) is in general a class and not merely a set
(see [Loeckx et al, 1996] for a proof).
Example 2.4. Let E = (S, ) be the signature of Example 2.2.
(i) The "classical" algebra for E is the algebra A defined by:
and similarly for the other operations. Note that, for instance,
stands for
(ii) The following "fancy" algebra B is also a E-algebra:
etc.
While the last example may suggest that a signature allows any algebra
provided its functions respect the arities, the following example illustrates
the contrary.
Example 2.5. Let E = (S, ) be the signature with
For
any E-algebra A the carrier sets A(s) and
not empty. In fact,
Further examples of algebras may be found in [Tucker and Meinke,
1992].
It is of course possible to generalize the definition of an algebra by
allowing the functions associated with an operation to be partial. Unfortunately, this generalization leads to serious problems with homomorphisms
223
(see section 2.2) as well as with the logic (see section 6) and is therefore
not further considered.
2.2
Homomorphisms and isomorphisms
Informally, homomorphisms are mappings between algebras or, more precisely, mappings between their carrier sets that "respect" their functions.
The following definition is "classical" . Examples of the different notions
and the proofs of the theorems may be found in [Tucker and Meinke, 1992]
or any textbook on universal algebra.
Definition 2.6 (Homomorphism). Let A, B be two E-algebras, E =
homomorphism
h : A > B from A to B is a, family
(h s )sES of functions
such that for any operation
the following holds:
say
Equation (2.1) is called the homomorphism condition of the operation

u for the homomorphism h.
Theorem 2.7. The composition of two homomorphisms yields a homomorphism. More precisely, if E = (S, ) is a signature and if h : A > B,
g : B C are two E -homomorphisms then g oh = (gshs)ses constitutes
a E -homomorphism too.
Definition 2.8 (Homomorphic image). The homomorphic image of
the E-algebra A under the homomorphism h : A > B is the E-algebra
h(A) defined by:
denotes the restriction of the function B(w) to the set h(A)(s1) x .. . x

Definition 2.9 (Isomorphism).
(i) A (E)-isomorphism is a bijective S-homomorphism.

(ii) Let E be a signature. Two E-algebras A and B are called isomorphic
if there exists a E-isomorphism from A to B. In that case one writes
A~B.
Informally, isomorphic algebras are "abstractly" identical in that they

differ only by the nature of their carriers. This property is illustrated by
224
the following two theorems, the proofs of which are straightforward.

Theorem 2.10. The relation of isomorphism between algebras is an equivalence relation.
Theorem 2.11. Let A, B, C be algebras of the same signature. If A ~ B
then the following facts hold:
(i) whenever there exists a homomorphism from B to C, then there exists
a homomorphism from A to C;
(ii) whenever there exists a homomorphism from C to B, then there exists
a homomorphism from C to A.
In the following theorem 1A : A > A and 1B : B > B stand for the
identity homomorphisms in A and B, respectively.
Theorem 2.12. A homomorphism h : A > B is an isomorphism, if and
only if there exists a homomorphism g : B A such that h o g = 1B and
gh = 1A.
The following definition plays an important role in section 11.
Definition 2.13 (Initial algebra, final algebra). Let C C Alg(E) be a
class of E-algebras for a signature E.
(i) An algebra A 6 C is called initial in the class C, if for each B E C
there exists exactly one homomorphism from A to B.
(ii) An algebra A C is called final in the class C, if for each B E C there
exists exactly one homomorphism from B to A.
Examples may be found in section 4.2 and in [Tucker and Meinke, 1992,
Example 5.1.15].
Theorem 2.14. Let C C Alg(E.) be a class of"E-algebras and let A,B C.
(i) Assume A is initial in C. Then B is initial in C if and only if A ~ B.
(ii) As (i) with "final" instead of "initial".
2.3
Abstract data types
Informally, an abstract data type is a class of algebras closed under isomorphism (cf. [Tucker and Meinke, 1992]). This definition fits the study of
specification well because the logics to be used cannot distinguish between
isomorphic algebras.
Definition 2.15 (Abstract data type). An abstract data type for a
signature E is a class C C Alg(E) satisfying the condition:
for any pair of E-algebras A, B.
An abstract data type is called monomorphic if all its algebras are
isomorphic to each other; otherwise it is called polymorphic.
225
2.4 Subalgebras
Informally, a subalgebra is an algebra with some carriers deleted and with
the functions restricted accordingly.
Definition 2.16 (Subalgebra). Let E = (S, ) be a signature and let
A and B be E-algebras. The algebra B is called a subalgebra of A if the
following two conditions hold:
Examples may be found in [Tucker and Meinke, 1992].

Fact 2.17. Let C be a class of E-algebras, i.e. C C Alg(E). The relation
"is a subalgebra of" constitutes a partial order on C.
As a result it makes sense to speak, for instance, of a minimal algebra of a
class.
Subalgebras may be defined by predicates as is now shown.
Definition 2.18 (Induced subalgebra). Let E = ( S , ) be a signature,
A a E-algebra and P = ( P s ) s e s a family of predicates Ps on A(s), s E S.
The subalgebra induced on A by P is the E-algebra B defined by:
To be consistent the definition requires that the following closure condition

holds:
A proof of the following theorem may be found in [Tucker and Meinke,

1992].
Theorem 2.19. Let A and B be E-algebras and let h : A > B be a
homomorphism. The homomorphic image h(A) is a subalgebra of B.
2.5
Quotient algebras
Informally, a quotient algebra is an algebra in which some carriers are

identified with the help of a "congruence relation" . A congruence relation
is an equivalence relation which is "compatible" with the functions of an
algebra in that equivalent arguments lead to equivalent function values.
Definition 2.20 (Congruence relation). Let E = (S, ) be a signature,
A a E-algebra and Q = (Qs)ses a family of equivalence relations Qs on
A(s), s E S. If Q satisfies the following substitutivity condition:
226
then it is called a congruence relation on A.

Definition 2.21 (Quotient algebra). Let E = (S, ) be a signature, A
a E-algebra and Q a congruence relation on A. The quotient algebra of A
by Q is the E-algebra A/Q defined by:
where, for instance,

denotes the equivalence class of a with respect
to the equivalence relation Qs.
Building a quotient algebra is called factorization.
It is not evident that this definition is consistent. In fact, the value of the
right-hand side of the second equality in principle depends on the choice
of the representative ai for the equivalence class [ai] on the left-hand side.
The consistency proof as well as examples of quotient algebras may be
found in [Tucker and Meinke, 1992].
The following two definitions and the subsequent theorem show that
there exists a one-to-one correspondence between homomorphisms and quotients.
Definition 2.22 (Induced congruence relation). Let E = (S, ) be
a signature, let A and B be E-algebras and let h : A > B be a homomorphism. Furthermore,
be the family of equivalence
relations on A defined by:
for all
induced by the homomorphism h.
is called the congruence relation
Definition 2.23 (Quotient homomorphism). Let E = (S, ) be a

signature, A a E-algebra and Q a congruence relation on A. The family
homQ : A A/Q of mappings defined by:
for all a E A(s), s S, is called the quotient homomorphism of the congruence relation Q.
Of course, it has to be proved that the relation of Definition 2.22 is indeed
a congruence relation and that the family of functions of Definition 2.23
indeed constitutes a homomorphism.
The following fact expresses the "one-to-one correspondence" announced.
227
Fact 2.24. With the notation of Definitions 2. 22 and 2.23 one has: =
Q.
The following theorem is called the first homomorphism theorem [Tucker
and Meinke, 1992] and plays an important role in section 11.
Theorem 2.25. Let E be a signature and let A and B be two 'E-algebras.
Furthermore, let h : A B be a homomorphism and
the congruence relation induced by h. If the homomorphism h is surjective, then
Terms
If an algebra is viewed as a functional programming language, a program in

this language consists of a term. This explains why terms play a prominent
role in the specification of abstract data types.
3.1
Syntax
First the notion of a variable has to be made precise.

A family V = ( V s ) s e s of pairwise disjoint infinite sets is assumed to be
associated with any given signature E = (S, ). An element of Vs is called
a variable of sort s, s E S. A family X with X C V is called by abuse
of language a set of variables for the signature . It is required that the
variables of V and the operation names of have different denotations.
Informally, V constitutes a "universe" of variables whereas the variables
effectively used in a particular application are those of X. The existence
of the universe V makes it possible to add "at any time" "new" variables
(i.e. variables of V - X) to X provided V - X is infinite.
Definition 3.1 (Syntax of terms). Let E = (S, ) be a signature and
X a set of variables for it. The sets constituting the family
are
defined by simultaneous induction:
An element of
A
is called a E(X)-term of sort s or, shortly, a term.
term without variables is called a ground term. One writes
As different operations may have the same operation name, a term

may have several sorts. A trivial example is a signature containing the
constants n:> s, n:t s'; in that case the term n has two sorts, viz. s
and s' . In practice terms with different sorts are a nuisance because they
are a potential cause of "programming errors". In fact, the introduction of
228
typing was a milestone in the development of programming languages such

as Algol and Pascal. This consideration justifies the following definition.
Definition 3.2 (Strongly typed signature). A signature E is strongly
typed if for any set X of variables for E each E(X)-term has a single sort.
Clearly, a signature in which all operations have different names is
strongly typed. The following theorem provides a less restrictive criterion.
Theorem 3.3. Let E = (S, ) be a signature. If for any two different
operations
following
condition holds:
then the signature E is strongly typed.
Informally, the theorem states that operations with the same name must
have a different number of arguments or differ in the sorts of at least one
argument. Of course, this still excludes signatures with, for instance, constants n: -> s and n: - s' as does a programming language such as
Pascal that uses the constants 1 and 1.0 to distinguish between the sorts
integer and real. From now onwards all signatures will be assumed to be
strongly typed.
Infix and mixfix notation allow us to write, for instance, t1 < t2 and if
b then t1 else t2 fi instead of < (t1,t2) and ifthenelse(b,t1,t2). Priorities
allow us to write, for instance, t1+t2*t3 instead of (t1 + (t2*t3)). While the
formal parts of this chapter will stick to Definition 3.1, examples will make
use of these notational facilities. For the case of infix and mixfix notation
the position of the arguments is classically indicated by underscores in the
signature; for instance:
3.2
Semantics
Variables are given a semantics through "assignments".

Definition 3.4 (Assignment). Let E (5, ) be a signature, X a corresponding set of variables and A a E-algebra. An assignment of X for A
is a family
of (total) functions as Xs > A(s). One writes
a : X > A.
The following definition is classical.
Definition 3.5 (Semantics of terms). Let E = (5, ) be a signature, X
a set of variables for
a term, A a E-algebra and a : X A
an assignment. The value A(a)(t) of t for a and A is defined by induction
on the structure of t:
229
When t is a ground term the value of t does not depend on a and one may
write A(t) instead of A(a)(t).
3.3
Substitutions
Informally, a substitution is a syntactical operation replacing variables by

terms.
Definition 3.6 (Substitution). Let = (5, ) be a signature and X, Y
two (not necessarily distinct) sets of variables for S. A family a = (o s )ses
of functions
is called a substitution a : X > TE(Y)- The application of this substitution to a term t TE(x) yields a term ta ^TE(Y) inductively defined
by:
Where a is the identity except for a finite number of variables, say

x1, . . . , xm , it is common practice to write:
instead of a.
If Y is empty one speaks of a ground substitution.
Example 3. 7. Consider the signature of Example 2.2. Let X be defined by
Then:
3.4
Properties
The following important theorem relates terms to homomorphisms.

Theorem 3.8. Let A and B be two algebras for the same signature E and
let h : A > B be a E-homomorphism. Then the following facts hold:
230
The next theorem states that a term keeps its value in a subalgebra.
Theorem 3.9. Let A and B be E-algebras for some signature = (5, ).
// B is a subalgebra of A, then:
The following theorem states that in a quotient algebra the value of a

term is replaced by the equivalence class of its value in the original algebra.
Theorem 3.10. Let A be a E-algebra for some signature and let Q be
a congruence relation on A. Then:
where B : X > A/Q is the assignment defined by
The substitution theorem expresses the semantical effect of a substitution.

Theorem 3.11 (Substitution theorem). Let X, Y be sets of variables
for a signature E = (S, ) and let a : X > TE(y) be a substitution.
Finally, let A be a E-algebra and B : Y A an assignment of Y for A.
Then
for each
by
A is the assignment of X for A defined
4 Generated algebras, term algebras

A carrier of an algebra can be accessed by a user only through a ground
term. A carrier that fails to be the value of a ground term is therefore
called junk. Generated algebras capture the notion of an algebra without
junk. As an additional important feature, generated algebras allow proofs
by induction.
231
Definition 4.1 (Generated algebra). Let = (S,) be a signature,

A a E-algebra and
a set of operations called constructors. The
algebra A is said to be:
(i) generated by the set c (or sufficiently complete with respect to c),
if for each carrier of A, say a >A(s), s E S, there exists at least one
ground term
with a = A(t);
(ii) generated (or reachable), if it is generated by
The class of all generated E-algebras is denoted Gen(E).
Example 4.2. The algebra A of Example 2.4 is generated by {True,
False, 0,Succ}. The algebra C identical with A except for C(nat) = Z
(= the set of integers) is not generated because no ground term has a
negative value.
As a generated algebra contains no junk, it is "minimal". This is made
precise by the following theorem.
Theorem 4.3. A E-algebra is generated if and only if it is minimal in
Alg(E) with respect to the partial order "is a subalgebra of".
While the above theorem is mainly of theoretical interest, the following
properties play an important role in the theory of specification.
Theorem 4.4. Let h : A t B be a *-homomorphism for some signature
E.
(i) If B is a generated algebra, then h is surjective.
(ii) If A is a generated algebra, then h is the only homomorphism from
A to B.
Theorem 4.5. Let A and B be E-algebras for some signature .
(i) If A is generated and A ~ B, then B is also generated,
(ii) If A and B are generated and there exist a homomorphism from A to
B and a homomorphism from B to A, then A ~ B.
Theorem 4.6. Let A, B be generated E,-algebras for some signature
( S , ) such that B(s) C TE,5 for each s 5. If
(i) there exists a homomorphism h : A > B and
(ii) A(B(t)) = A(t) for all ground terms t e TE,
then A ~ B.
The proofs of these different theorems are not very difficult (see,for
example, [Loeckx et al., 1996]).
During specification one may leave the definition of some sorts pending. Of course, the algebras thus specified fail to be generated because
of the "pending" sorts. This suggests a generalization of the concept of
a generated algebra which consists in disregarding some sorts. While this
idea sounds simple, its realization is less trivial; the reason lies in the fact
232
that the syntax of terms has been defined by simultaneous induction on all
sorts.
Definition 4.7. Let E = (S, ) be a signature, A a E-algebra and Sc C S
a set of sorts. The following notation is introduced:
where each ca: -> s is a "new" constant;

(ii) Ac is the EcA-algebra defined by:
Informally,
contains additional constants but Ac "remains unchanged" .
Definition 4.1 may now be generalized.
Definition 4.8 (Algebras generated in some sorts). Let E = (S, ),
and Ac be as in Definition 4.7. Finally, let
be a set of operations with their target sort in Sc . The E-algebra A is said
to be:
generated in the sorts of Sc by the set c of constructors if the
-algebra
Ac is generated by the set
generated in the sorts of Sc if it is generated in the sorts of Sc by the
operations of with their target sort in ScExample 4.9. Let E = (S, ) be the signature with
and A a E-algebra with

A(el)
= a not further defined set of "elements" ,
A(list) = the set of finite lists of elements,
A([])
= the empty list,
and where
A(Add) adds an element in front of the list.
Moreover, Ac is defined like A with additionally

Clearly, Ac is generated by
For instance,
the list consisting of a single element, say e, is represented by the term
Add(ce, []). Hence, the E-algebra A is generated in the sort list by {[], Add}.
233
Note that A is not generated in the sense of Definition 4.1, because in the
signature E even a list consisting of a single element is not representable
by a ground term.
It should be clear that a generated algebra (Definition 4.1) is simply an
algebra generated in all sorts (Definition 4.8).
When an algebra is generated in some sorts, properties of the carrier
sets of these sorts may be proved by induction. For instance, to prove that
a property P holds for all carriers of the carrier set A(list) of Example 4.9,
it is sufficient to prove:
4.2
Freely generated algebras
Definition 4.10 (Freely generated algebra). A freely generated algebra

is defined as a generated algebra in Definition 4.1 but with the condition
"there exists at least one ground term" replaced by "there exists exactly
one ground term".
Example 4.11. The algebra A of Example 2.4 is freely generated by
The following theorem is relatively easy to prove:

Theorem 4.12. A freely generated E-algebra is initial in the class Alg(E)
of all E,-algebras.
As a direct consequence freely generated algebras are isomorphic. Moreover, there exists exactly one homomorphism from a freely generated Ealgebra to any other S-algebra. By the way, Theorem 4.14 will show that
there effectively exists a freely generated algebra for each signature.
The definition of an algebra freely generated in some sorts may be deduced from Definition 4.8 in a similar way to the above. The algebra A of
Example 4.9 is freely generated by {[], Add} in the sort list.
While generated algebras allow inductive proofs, freely generated algebras also allow inductive definitions of functions. For instance, to define
a function / : A(s) > ... it is sufficient to define the value f ( A ( t ) ) for
all ground terms t of sort s. The reason is that (syntactically) different
ground terms have (semantically) different values; this guarantees that the
function definition is consistent because the function value for given arguments is defined exactly once (see, for example, [Loeckx and Sieber, 1987]
for more details).
234
4.3
Term algebras
With each signature is associated an algebra called a "term algebra" , the

carriers of which consist of ground terms.
Definition 4.13 (Term algebra). The term algebra for the signature
At first sight this definition may be confusing. The reason is that ground
terms now play a dual role: as elements of the set TE they are syntactical objects; as carriers of the algebra T(E) they are semantical objects.
Actually, this dual role is what makes term algebras so interesting.
Theorem 4.14. A term algebra is freely generated.
By Theorem 4.12 there exists a unique homomorphism h : T(E) > A
for any E-algebra A. This homomorphism is called the evaluation homomorphism of A. Note that h(t) = A(t) for any ground term t.
Example 4.15.
(ii) Let A be the classical E-algebra with A(nat) = N
tion homomorphism h is defined by:

Note that in this case the evaluation homomorphism is an isomorphism.
The main property of term algebras is the following.
Theorem 4.16. Let A be a generated E-algebra for some signature E and
let h : T(E) > A be its evaluation homomorphism. Then
(where =h is the congruence relation induced by h according to Definition
2.22).
Example 4.17. Let E be as in Example 4.15 but with the additional
operation:
The set
contains additional carriers such as 0 + S'ucc(O) and
Succ(0 + 0) + 0. Let A again be the "classical" algebra, with A(+) being addition, and let h be its evaluation homomorphism. Then the carrier
4.4
235
Quotient term algebras
Informally, a quotient term algebra is a quotient of the term algebra that

possesses the properties common to a given class of algebras. Such an algebra may be viewed as a generalization of the algebra T(E)/=h introduced
above. Quotient term algebras play a major role in section 11.
Definition 4.18 (Quotient term algebra). Let C C Alg(E} be a nonempty class of E-algebras for some signature E = (S, ). The quotient
term algebra of C is the E-algebra T(E,C) defined by:
This definition is consistent because the relation =c may be proved to be

a congruence relation on T(E).
The following theorem shows the interest of quotient term algebras.
Theorem 4.19. Let C C Alg(E,) be a class of E-algebras for some signature S. For each algebra A C there exists a unique homomorphism from
T(E,C) to A.
Hence, T(E, C) has properties similar to those of an initial algebra. It
is indeed an initial algebra if it belongs to C. More precisely:
Corollary 4.20. LetC C Alg(E) be a class of E-algebras. Jf T(E,C) E C,
then it is initial in C.
The study of algebras above was for a given, fixed signature. The relation
between algebras with different signatures is investigated in the present
section.
5.1
Signature morphisms
Informally, a signature morphism is a mapping of signatures that respects

the arity of the operations.
Definition 5.1 (Signature morphism). Let E = (S, ) and E' =
(5',
) be two signatures.
236

such that, for each operation
exists an operation name m such that
(ii) A renaming is a bijective signature morphism, i.e. a signature morphism u = (us, u) with us and
bijective.
If no ambiguities arise one may write u instead of us and
Example 5.2.
a possible signature morphism

One then speaks of an inclusion and writes
A possible signature morphism
defined by
To extend signature morphisms to terms it is first necessary to extend

them to variables. To simplify the definition it is customary to make the
following assumption. Let u : E > E ' be a signature morphism where
the
associated with E and E', respectively (see section 3.1). It is then assumed
Definition 5.3 (Extension of signature morphisms to variables).
Let u, : E ) E' be a signature morphism with E = (50), E' = (S', ').
If X is a set of variables for E, then u ( X ) is defined to be the following set
of variables for E':
Informally, u ( X ) contains the same variables as X but the sort of a variable

may be different. By the way, thanks to the above assumption u , ( X ) is
indeed a set of variables for E'. In the absence of this assumption, Definition
5.3 would have had to additionally rename the variables.
237
Definition 5.4 (Extension of signature morphisms to terms). Let

E (S, ) and E' be signatures, X a set of variables for E and
a signature morphism. For any term
the term
is defined inductively as follows:
Example 5.5. Let u be the signature morphism of Example 5.2(ii). Then:
Note that in the left-hand side of the equation the variables x and y are of
sorts el1 and e/2, respectively; in the right-hand side they are both of sort
nat.
5.2 Reducts
Reducts constitute a semantical counterpart of (the syntactical notion of)
signature morphisms. As a difference the "mapping" is from E'-algebras
to E-algebras.
Definition 5.6 (Reduct). Let u : E E' be a signature morphism
with E = (S, ) and let A' be a E'-algebra. The u,-reduct of A' is the
E-algebra A' \ u defined by:
If u is an inclusion, one may write A'\ E instead of

Informally,
is a E-algebra with the semantics of A' . In the case of
an inclusion the effect of the u-reduct is simply to "forget" the sorts and
operations from E' E. By the way, it is important not to confuse the
notions of a subalgebra and of a reduct: a subalgebra is an algebra for the
same signature whereas a (non-trivial) reduct is an algebra for a different
signature.
Example 5.7. Resuming Example 5.2(ii), let A' be the "classical"
E'-algebra, i.e. A'(pairnat) = N0 x NO, A' (nat) = NO, A'(Pair)(m,n) =
(m,n), A'(First)((m,n))
= m and A' (Second) ((m, n)) = n for all
m, n N0. The reduct A' \ u is defined by:
238
Definition 5.8 (Reduct of a homomorphism) . Let E, E' be signatures

and
a signature morphism. Let A', B' be E'-algebras and
h' : A' B' a E'-homomorphism. The u-reduct of h' is the E-homomorphism
The now following reduct theorem bears strong similarities with Theorem 3.11.
Theorem 5.9 (Reduct theorem). Let E = (S, ), E' be signatures and
signature morphism. Let X be a set of variables for E and
t a term from TE(x). Finally, let A' be a E' -algebra and a' : u ( X ) > A'
be an assignment for A' . Then:
Note that i f t i s a ground term t h e theorem y
5.3 Extensions
Contrasting with a reduct, an extension is a "mapping" in the same "direction" as a signature morphism, i.e. from Alg(E) to Alg(E').
Definition 5.10 (Extension). Let u : E > E' be a signature morphism.
When u is an inclusion one speaks of an extension instead of a u-extension.

Clearly, an algebra possesses in general several extensions. Note that
the notion of a u-extension of a class is very "liberal" as it only requires
that
does not contain "additional" algebras. Note
also that the term "extension" refers to the signature, not to the "size" of
the class.
239
Logic
Most books on mathematical logic concentrate on first-order predicate

logic. In contrast, specification makes use of a variety of logics such as
equational logic, conditional equational logic, first-order predicate logic or
modal logic. Moreover, depending on the application, the semantical domains may vary from the class of all algebras to the class of algebras generated in some sorts. Hence, it is appropriate to introduce a general notion
of logic encompassing these different logics as particular cases. Such a general notion is introduced in the present section. A still more general notion
called "institution" is based on categories and will be briefly discussed in
section 16.1.
The present section together with section 7 presents a satisfaction-based
view of logic; section 8 will present a proof-based view of logic (cf. [Ryan
and Sadler, 1992]).
6.1 Definition
Definition 6.1 (Logic). An algebra logic (logic for short) L consists of:
(i) a decidable set L() for each signature ; an element of L(E) is called
a (E)formula;
(ii) a function uL ' L(E) L(E') for each signature morphism
u: E > E'; this function ul is called the formula morphism;
(iii) a relation |=E C Alg(E) x L(E) for each signature E; this relation is
called the satisfaction relation (for E); if A |=
for some E-algebra
A and some formula L(E), one says that is valid in A or that
A satisfies
It is required that the following two conditions are satisfied:
(i) (Isomorphism condition.) For any signature , for any formula
E L(E) and for any E-algebras A, B with A ~ B,
(ii) (Satisfaction condition.) For any signatures E, E', for any signature
morphism u, : E ', for any formula
L ( E ) and for any
E'-algebra.A',
One may write u instead of uL, if no confusion arises. The following
definition defines an important subclass of logics.
Definition 6.2 (Logic with equality). A logic L is called a logic with
equality if, for any signature E, any sort s of this signature and any ground
terms t, u T,S, there exists a formula, say
such that
for all E-algebras A.
240
Sections 6.2 to 6.4 now present three different "instances" of this general
logic. Each of these instances constitutes a logic with equality as the
reader may easily verify.
6.2
Equational logic
Definition 6.3 (Equational logic). According to Definition 6.1, the

equational logic EL is defined as follows:
for each signature E,
A formula from EL(E) is also called an equation. An equation V0.t u

is called a ground equation.
It is important not to confuse the symbol "=" of an equation with the
operation name "=" of an operation such as
As a fundamental difference the symbol "=" of an equation is a logical
symbol (i.e. a "metasymbol") with a fixed semantics.
One may write t = u instead of "X.t = u if each variable of X has at
least one occurrence in t or u.
Theorem 6.4. Equational logic satisfies the isomorphism and satisfaction
conditions of Definition 6.1.
Example 6.5.
(i) Let E = (5, ) be the signature with 5 = {bool, nat} and
Let,
moreover, X be a set of variables for E and x,y Xnat, b XbooJExamples of S-equations are:
Note that, for instance, x + 1 = 1 + x stands for V{x;}.x + 1 = 1 + x.

(ii) Let E = (S, ) be the signature with 5 = {s,t} and
Let
X be a set of variables for E and
nally, let A be a E-algebra with A(s) = 0 and A(a) A(b). Clearly,
A = a = b (which stands for A = V0.a = b) does not hold. On
241
the other hand A (= V{x}.a = b does hold because there exists no

assignment a : {x} > A due to the fact that A(s) = 0.
6.3
Conditional equational logic
This logic is a mild generalization of equational logic. Its interest stems

from the fact that in the frame of specification it is easier to use than
equational logic.
Definition 6.6 (Conditional equational logic). The conditional equational logic is the logic CEL defined as follows:
The theorem, the remarks and the notational convention of Section 6.2
may be generalized for conditional equational logic.
Example 6.7. Let E be the signature of Example 6.5(i). Examples of
conditional equations are:
In the same vein a logic PL called predicate logic can be defined by generalizing classical first-order predicate logic for many-sorted algebras. For
more transparency the set PL(E), the formula morphisms UPL and the
satisfaction relation |=E are defined separately.
Definition 6.8 (The set PL(E)). For each signature E the set PL(E) of
formulas is defined inductively:
242
As usual it is possible to introduce additional logical symbols such as

V, D, =, 3 as abbreviations, and to reduce the number of parentheses in
formulas by assigning priorities to the logical symbols. Moreover, one may
write
instead of Vx: s.(p when the sort s of x is known.
Definition 6.9 (The formula morphisms UPL). For each signature
morphism u, : E > E' the corresponding formula morphism uPL is defined
by:
The definition of the satisfaction relation requires two additional notions

introduced in the following definitions.
Definition 6.10 (Free occurrence of a variable). Let E be a signature
and
a formula of predicate logic. The set free((p) of the variables
occurring free in is defined by:
Definition 6.11 (Value of a formula). Let E be a signature,

a formula of predicate logic, X a set of variables for S with free(<p) C X,
A a E-algebra and a : X > A an assignment. The
value
for a and A is a truth value from {true, false} and is defined by:
The following definition concludes the definition of the logic PL.
243
Definition 6.12 (The satisfaction relation of PL). Let S be a signature. The satisfaction relation of first-order predicate logic is defined
by:
A (=s V O- (A(a)(<f) = true for all assignments a : /ree(y?) A)
for each S-algebra A and each formula if PL(E).
Example 6.13. Let E be the signature of Example 6.5(i) and A the "classical" algebra. Then one has, for instance,
A |= -.(x = 0) D 3?/.x = Succ(y),
A |= 3x.3y.-(x = y).
Note that, for instance, "A" is an operation whereas "D" is a logical symbol.
Again, the logic PL may be shown to fulfil the isomorphism and satisfaction conditions.
This section is devoted to the study of the properties of logic.
7.1
Models
Definition 7.1 (Model). Let L be a logic, E a signature and $ C L(E)

a set of formulas.
(i) A E-algebra A is called a model of $ if A \=% $, i.e. A (=s if for each
(f e $.
(ii) A domain (or universe) for E is a class of E-algebras that is closed
under isomorphism, i.e. an abstract data type. The class of all algebras of a domain U for S that are models of $ is denoted Modu, ?,($},
or Modu($) for short.
From a pragmatic point of view a domain consists of those algebras one is
interested in. Practical examples of domains are Alg(E), the class Gen(E)
of all generated S-algebras and the class of E-algebras generated in some
sorts. One writes Modv($) instead of Mod A/J(E)($) an<l /nds($) instead
of Moc/ Gen ( S )($). If E is known, one may even write Mod($) and /nd($).
Example 7.2.
(i) Modz(9) = Alg(L).

(ii) Mod(PL(S)) = 0.
(iii) Let E = ({s}, {0 : -4 s, _ + _: s x s - }) and let x, y, be variables.
Let $ C PL(E) be the set
$ = { x + (y + z) = (x + j/) + z,
z + 0 = z,
0 + z = x,
Vx: s.3j/: s.(x + j/ =
244

The reader may easily check that
= {A e Alg(E) \ A(s) with A(+) forms a group
with neutral element A(0) },
A(s) =
The following theorem illustrates the relation between logic and abstract
data types.
Theorem 7.3. Let L be a logic, E a signature, $ C (S) a set of formulas
and If a domain for E. Then Modu($) is an abstract data type.
A relation between formula sets and their model classes is given in the
following theorem:
Theorem 7.4. Let L be a logic, E a signature, $,$ C L(S) sets of formulas and U a domain for E. Then
(i) Modu(^ U *) = Modu(<b) n MoeJw(#);
(ii) if$CV, then Modu(V) C Modu($).
The notion of a quotient term algebra of Definition 4.18 may now be
generalized for sets of formulas.
Definition 7.5 (Quotient term algebra). Let L be a logic, E a signature and $ C L(E) a set of formulas. The quotient term algebra of $ is the
quotient term algebra of the class Mods($). One writes T(S, <fr) instead of
T(E, Mods (<!>)) The unique homomorphism from T(E, $) to an arbitrary
algebra A of Mods(^) is called the initial homomorphism of A.
Again, T(E, $) is an abstract data type.
The following theorem is a direct consequence of Corollary 4.20. It
forms the basis of the initial specification method (see section 11.1) and
thus justifies the above appellation "initial homomorphism" .
Theorem 7.6. Let L, E, 4> be as in Definition 7.5. If the quotient term
algebra T(S,$) is a model o/$, then it is initial in Mod-z($).
7.2
Logical consequence
Definition 7.7 (Logical consequence). Let L be a logic, E a signature,

f (E) a formula and $ C () a set of formulas. Furthermore, let U
be a domain for E.
(i) The formula ip is called a logical consequence of $ in U if A |=s if for
each A U with A |= $; one then writes $ |=z/, <f>- If W = Alg()
one speaks of a logical consequence of $ and writes $ (=s ip. If
U = Gen(E) one speaks of an inductive consequence of $ and writes
* N/nd,S >
(ii) The formula tp is said to be valid in U if it is a logical consequence
245
of the empty set of formulas in U\ one then writes |=w,s (p instead of

0 |=M,E > If W = -4^(S) the formula </? is said to be logically valid
and is called a tautology; one then writes [=s <f. If W = Gen(S) the
formula y> is said to be inductively valid and one writes (=/nd,E V3If the signature is known the index may be dropped.
Example 7.8.
(i) Let $ be as in Example 7.2(iii). Then
$ |= Vx: s.Vy: s3z: s.z + x = y.
(ii) Let E be the signature of Example 4.17 and $ C EL(S) be the set
$ = {x + Q = x,
(1)
x + Succ(y) = Succ(x + y),
(2)
(a; + j/) + z = z + (j/ + z)}.
(3)
One may prove that $ (=/n<i 0 + x = x. The idea of the proof is to
show that for any generated S-algebra A and any ground term t it is
the case that A(Q + t) = A(t). This is obtained by induction on t.
(iii) Let and $ be as in (ii). One may prove that $ |= 0+z = x does not
hold. To this end one considers the S-algebra A with A(nat) = NO,
,4(0) = 0, A(Succ)(m) = m and A(+)(m,n) m. Clearly, A is a
model of $ but A |= 0 + x = x does not hold.
Among the properties of the notions introduced are (in the notation of
Definition 7.7):
|= if if and only if A |= y for all E-algebras A;
Modu (4>) \= <p if and only if $ \=u <p;
if Modu($) is empty, then $ \=u Z/(S).
7.3
Theories
Definition 7.9 (Theory). Let L be a logic and S a signature.

(i) The theory of a E-algebra A with respect to L is the set
(ii) The theory of a class C of E-algebras with respect to L is
ThLf(C) = { </> L(E) | A Ê V for each A e C }.
Informally, the theory of C consists of all formulas that express common
properties of the algebras of C. Clearly, the theory is "larger" when the
logic is more "powerful" as illustrated in Example 7.11.
Fact 7.10.
(i) A theory is closed under logical consequence.
(ii) A theory contains all tautologies.
246
The first of these facts expresses the fact that, for instance, Thi(C) \= (p
implies if ThL(C).
Example 7.11. Let E = ({nat}, {0 : -> nat, Succ : not -4 nat}) and A be
the "classical" E-algebra.
(i) ThEi(A) contains tautologies only.
(ii) Apart from tautologies, ThpL(A) contains formulas such as
-i(0 = Swcc(O)) and Vx: nat.By: nat.y = Succ(x).
The first part of the following theorem states that theories cannot distinguish between isomorphic algebras.
Theorem 7.12. Let L be a logic, E a signature and A, B 'S-algebras.
(i) A~B implies ThL(A) = ThL(B).
(ii) If L is a logic with equality and if A and B are generated, then
ThL(A) = ThL(B) implies A~B.
The following theorem is a dual of Theorem 7.4.
Theorem 7.13. Let L be a logic, E a signature and C\, C% two classes of
'E-algebras. Then:
(i) ThL(d\JC2) = ThL(d) n 17i(C2);
(ii) Ci C C2 implies ThL(C2) C ThL(Ci).
To be manageable a theory should be recursively enumerable. Only in
that case it is possible to describe it axiomatically.
Definition 7.14 (Axiomatizable algebra).
(i) A E-algebra A is said to be axiomatizable in a logic L if ThL,z(A) is
recursively enumerable.
(ii) An axiomatizable class of algebras is defined similarly.
Example 7.15. Let E be the signature of Example 2.2. The classical algebra A for this signature (with A(nat) = NO) is called the Pea.no arithmetic.
It is well known that this algebra is not axiomatizable.
7.4
Closures
Informally, the closure of a set of formulas is the smallest theory containing

this set as a subset.
Definition 7.16 (Closure of a set of formulas). Let L be a logic, E a
signature, $ C L(E) a set of formulas and 14 a domain for E. The closure
of $ with respect to the domain U is the set of formulas
If U = Alg() one speaks of the closure of $ and writes $ or 3>* instead
of $*Aig<^y If U = Gen(S) one speaks of the inductive closure and writes
or
$
* instead o f $
-
247
The following theorem allows an alternative definition of a closure.

Theorem 7.17. With L, E, $ and U as in Definition 7.16 and * C L(S)
* = ThL(Modu(*)).
Closures possess numerous properties as illustrated in the following theorems.
Theorem 7.18. With L, S, $ and U as in Definition 7.16 and * C L(S):
ft) * C <D;
^ $ C * implies $, C *^.
Theorem 7.19. Let L be a logic, E a signature, U a domain for E and
. Tfcen:
C $, if and onfy if Modu($) C
w C #, / and on/j/ t/ * \=u $.
As a corollary of this theorem two sets $ and $ of formulas have the same
models if and only if $ is a logical consequence of $ and vice versa. Hence,
to prove that Mod^($) Modu(^f) it is sufficient to prove $ \=u * and
* \=u *
A dual notion of the closure of a set of formulas is that of the closure
of a class of algebras.
Definition 7.20 (Closure of a class of algebras). Let L be a logic, S
a signature, U a domain for S and C C U a class of E-algebras. The closure
of C with respect to L and U is the subclass C.*LUTi (or C w for short) of
U:
Clearly, C*L<U^ is an abstract data type.
C'Lu'E rias properties similar to those of $^. In particular, with L, E,
and C'as in Definition 7.20 and with C' C W:
C C C' implies Q)M C CJ*>M.

Moreover, the dual of Theorem 7.19 also holds:
Theorem 7.21. Let L be a logic, E a signature, U a domain for E and
C,C' C U classes of'E-algebras. Then:
ft) Clu Q C'f-u if and only if ThL(C') C
fii; C^ C C'lju if and only ifCL,u C C
248
It is possible to show that Modu and Thi constitute a Galois connection; the interested reader may consult, for instance, Exercise 5.7-4 in
[Loeckx et al, 1996].
7.5
Reducts
The present section investigates the logical properties of reducts. To simplify the presentation, the domain is assumed to be Alg(H); a generalization
for an arbitrary domain U poses no fundamental problems.
The following theorem is a straightforward consequence of the satisfaction condition.
Theorem 7.22. Let L be a logic and fj. : S E' a signature morphism.
(i) Let $ C L(E). Then
Modv(n($)) = { A' Alg(E') \ (A1
(ii) LefD' C Alg(E'). Then
(V | ft) = { ' a signature morphism and
$ C L() o set ofS-formulas. Then p(* E ) C (/*(*))jy.
7.6
Extensions
The present section investigates the logical properties of extensions of

model classes.
Theorem 7.24. Let L be a logic, p, : > E' a signature morphism and
$ C L(E), $' C L(E') sets of formulas.
(i) Mods' ($') is a ^-extension of Mod^Q) if and only if $' )=' /*($)
(ii) If Mods' ($') is a. persistent ^-extension of Modj;($), then
Definition 7.25 (Extension of a set of formulas). Let L be a logic,
H : E > E' a signature morphism and $ C L(E), $' C L(E') two sets
of formulas. The set $' is called a ^-extension of $ if /<(*E) C $^, . The
It-extension is called persistent if /u($s) = Ê ^ ^(M^))Informally, a /i-extension $' of $ contains $ as a subset "modulo /i" . If
the /^-extension is persistent, $' is identical with $ "modulo //" except for
formulas from L(S') - L(^(E)). By the way, L(E') = (//()) whenever
|i is surjective. A reader having difficulties in grasping these notions is
recommended to first consider the particular case in which jj, is an inclusion.
The following theorem links extensions of formula sets to extensions of
model classes.
249
Theorem 7.26. Let L be a logic, fj, : E E' o signature morphism and

$ C L(E), $' C L(E') sets of formulas. Then:
(i) $' is a /4-extension of $ if and only t/ Mods/ ($') is a ^-extension of
Modify;
(ii) if Mod-> ($') is a persistent ^-extension of Modz($), then $' is a
persistent ^-extension
This theorem allows Theorem 7.24 to be rephrased.
Calculi
Informally, a calculus constitutes an inductive definition of a set of strings.

In a calculus for a logic these strings are formulas. The goal of such a calculus is to syntactically grasp the notion of logical consequence. Hence, with
such a calculus it is in principle possible to mechanically prove statements
such as $(=</?.
Calculi for particular logics have been studied extensively in the frame of
mathematical logic and artificial intelligence (e.g. [Ebbinghaus et al., 1984;
Bibel, 1993]). The present section restricts itself to some general definitions,
an example and a few comments.
8.1
Definitions
Definition 8.1 (Calculus). Let L be a logic and E a signature. A calculus

for L and S is a pair K. = (Ax, Inf) where:
Ax is a finite set of decidable subsets of L(E); an element of Ax is
called an axiom scheme and an element of an axiom scheme is called
an axiom;
Inf is a finite set of inference rules each of which consists of a decidable subset of ((S))n x L(E), for some n, n > 0.
Note that an inference rule { ((ipi ,... ,ipn),tp) \ . . . } is generally written
as
V 1 , , <Pn
ip
The "meaning" of a calculus results from the following definition.

Definition 8.2 (Derivable formula). Let L be a logic, E a signature
and 1C a calculus for L and E. Let $ C L(E) be a set of formulas and
ip (E) a formula. The formula (p is said to be derivable from $ in 1C if
there exists a finite non-empty sequence
<f>i,---,<Pk
with tpk = V such that for each ipj, 1 < j < k, at least one of the three
following conditions is satisfied:
(pj $;
250

tpj is an axiom of AC;
there exist indices ii,...,in < j such that (((^ , . . . , <pin),<fj)
element of an inference rule of AC.
is an
One then writes $ l-jc 
The following definition reflects the fact that the purpose of a calculus
is to grasp the notion of logical consequence.
Definition 8.3 (Soundness, completeness). Let L be a logic, S a signature and AC a calculus for L and E. Furthermore, let U be a domain for
E.
(i) AC is called sound with respect to U if, for any set $ C L() and any
formula .
8.2 An example
The following calculus is a calculus for the equational logic EL of Section
6.2. It constitutes a generalization of the calculus presented in [Tucker and
Meinke, 1992] in that it allows empty carrier sets.
Definition 8.4 (Equational calculus). Let E be a signature and X, Y
sets of variables for E. The following axiom scheme (I) and four inference
rules (II) to (V) constitute a calculus for the equational logic EL and the
signature E:
(i) vx.t = t
(ll)
teT^xy,
^7
t = n,VX.u = v
. fc l/
t,uT^x};
t, u, v 6 T E(JC );
a : X > TY.(Y\ a substitution;
251
=U
VX.va = vr
m > 1, ti,Ui T-E(X) fr all z with 1 ?(X) two substitutions satisfying
the condition
for each y Y: either cr(y) = r(y)
or (ff(y) = tj and r(y) = Uj for some j,
1 < 3 < m).
Note that the calculus takes cares of empty carrier sets. More precisely,
assume that Y C X; the calculus allows VX.t = u to be deduced from
VY.t = u; on the other hand it allows VY.t = u to be deduced from VX.t = u
only if for each sort s with Ys = 0 and Xs ^ 0 the set T^^Y),s is not empty
(cf. Example 6.5(ii) with X = {x} and Y = 0).
Theorem 8.5. The equational calculus of Definition 8.4 is sound and complete with respect to Alg(E).
While the proof of the soundness is straightforward, the proof of the completeness is not trivial (see, for example, [Tucker and Meinke, 1992] or
[Loeckx et al., 1996]).
8.3
Comments
The calculus above is of course also sound with respect to any domain
for the signature S, for instance with respect to Gen(E). It is not complete with respect to Gen(S) because the inductive consequence "j=/n<i"
is "stronger" than the logical consequence "|=E" as was illustrated in
Example 7.8(ii) and 7.8(iii).
In the literature several calculi have been proposed for first-order predicate logic all of which are sound and complete with respect to Alg(Ti)
(e.g. [Ebbinghaus et al, 1984; Ryan and Sadler, 1992]). Again, they fail to
be complete with respect to Gen(E). Actually, it is possible to prove that
there cannot exist a calculus for first-order predicate logic which is sound
and complete with respect to Gen(S). This fact holds for equational logic
and conditional equational logic as well.
A calculus which is complete with respect to Alg() together with the
principle of induction is in some sense complete with respect to Gen(S)
(cf. Example 10.7 for more details). This does not contradict the previous
statement because the principle of induction cannot be "axiomatized" in
first-order predicate logic.
Whenever there exists a calculus which is sound and complete with
respect to some domain U an (informal) proof of $ \=u (p may be replaced
by a (formal) proof of $ h (f>. If the calculus is sound without being
complete, it is not guaranteed that $ I- tp holds.
252
The axioms and inference rules of a calculus are generally very "elementary" and especially in the case of first-order predicate logic"nonintuitive" . Proving properties of the form $ h ip in a calculus is therefore
very tedious. To this end calculi have been implemented in the form of
"proof systems" allowing proofs to be carried out automatically or semiautomatically with a computer. Some of these systems allow induction to
be "simulated" and thus inductive consequences to be proved. From what
has been said above it follows that such systems cannot be complete. Instead, the most sophisticated among them use heuristics; if these fail the
user is asked for some "clever" lemma enabling the proof to be carried out.
Specification
The goal of this section is to introduce a few general notions on specification

and thus constitute an introduction to sections 10 to 14 of this chapter.
The fundamental idea of abstract data type specification is to define
abstract data types by formulas. As in the case of programs, specifications
must have a modular structure lest they get incomprehensible. This leads to
the following techniques for the design of "small" and "large" specifications,
respectively.
Specification in the small consists in drawing up specifications "from
scratch". Essentially such a specification consists of a signature and a set
of formulas. The abstract data type defined by the specification is in general a subclass of the model class of the set of formulas. In sections 10 to
12 three different specification techniques will be discussed yielding loose
specifications, initial specifications and constructive specifications, respectively. They differ from each other by the logic used, by the set of formulas
allowed and/or by the subclass defined. Henceforth, a specification obtained by specification-in-the-small is called an atomic specification.
Specification in the large consists in drawing up specifications by putting
(already designed) specifications together. This is performed with the help
of a formalism called specification language. The principles of such languages will be examined in sections 13 and 14.
The followingvery generaldefinition reflects the fact that a specification does not necessarily "exactly" capture the intended abstract data
type.
Definition 9.1 (Adequate specification). Let C be an abstract data
type. Furthermore, let sp be a specification and M(sp) its meaning, i.e. the
abstract data type sp defines. Then:
(i) sp constitutes an adequate specification of C if C C M(sp);
(ii) sp constitutes a strictly adequate specification of C if C = Ai(sp).
By an abuse of language one also speaks of an adequate or strictly adequate
253
specification of an algebra, meaning an adequate or strictly adequate specification of the monomorphic abstract data type containing this algebra.
Note that if M(sp) is a monomorphic abstract data type the notions of
adequacy and strict adequacy coincide.
A specifier or user of a specification may want to prove certain properties of a specification. He may, for instance, want to prove that a given
specification sp constitutes an adequate or strictly adequate specification
of an abstract data type C. Of course, such a proof presupposes that the
abstract data type C has been precisely defined elsewhere. Another interesting question is whether the class M(sp) defined by the specification
sp constitutes a monomorphic abstract data type. A further question is
whether M(sp) is empty (and hence "useless").
Proofs of such properties may take the form of informal "mathematical"
proofs similar to those that may be found in any textbook on theoretical
computer science. A particular case is constituted by those properties
that may be reduced to logical consequences. Such a property may be
written as $ \=u tp, where y is, for instance, a property of the abstract
data type and where $ is the set of formulas of an atomic specification.
According to section 8.3 such properties may be proved automatically or
semi-automatically whenever there exists a sound (and complete) calculus
with respect to U.
As indicated above, proving the adequacy of a specification presupposes that the abstract data type to be specified is exactly known. Except
for "trivial" abstract data types this is generally not the case in practice:
the specification itself often constitutes the only precise definition of the
abstract data type. Instead, the adequacy may be checked by a testing
method called rapid prototyping. Essentially, this testing method consists
in mechanically determining the value of some "critical" terms and comparing this value with one's "expectations". This mechanical evaluation
of terms presupposes that the specification is in some sense "executable"
or "constructive" and hence monomorphicas will be discussed below.
Clearly, being based on testing rapid prototyping may disprove adequacy
but cannot prove it; in other words, rapid prototyping may at best improve
one's confidence in the adequacy.
A specification defining a polymorphic abstract data type is sometimes
called a requirement specification. In contrast, a design specification is a
monomorphic specification that allows rapid prototyping.
10
Loose specifications are atomic specifications in the sense of section 9.

Definition 10.1 (Loose specification). Let L be a logic.
254
(i) (Abstract syntax.) A loose specification in L is a pair sp = (,$)

where S is a signature and $ C L(E) a decidable set of formulas.
(ii) (Semantics.) The meaning M(sp) of a loose specification sp = (, ft)
is defined to be the abstract data type M(sp) =
Informally, a loose specification stands for the class of all models of its set
of formulas.
To improve their readability and allow for a mechanical treatment specifications may be written in a concrete syntax. In this syntax a loose
specification is a string of, for instance, the following form:
loose spec sorts list-of-sorts
opns list-of-operations
vars list- of -variables
axioms list-of- formulas
endspec
Informally, the sorts and operations fix the signature; an element of the
list- of -variables is of the form x: s where x is a variable and s its sort. It is
required that only variables of the list-of-variables occur in the formulas. In
the examples a list of variables such as x: s, y: s, z: s will be written x,y,z: s.
In this chapter examples will be given in concrete syntax while theorems
and definitions will refer to the abstract syntax.
Example 10.2. The logic used in this specification is the first-order predicate logic PL of section 6.4. Note the similarity with Example 4.9.
loose spec sorts
boot, el, list
opns
True : -> bool
False : - bool
[ } : -> list
Add: el x list -> list
. . _ : list x list -> list
Isprefix : list x list > list
vars
l,m,n: list, e: el
axioms []./ = {
Add(e, l).m = Add(e, l.m)
(Isprefix (I, m) True) = (3n.(m = l.n))
endspec
The specification is an adequate specification of the "classical" algebra
because this algebra constitutes a model of the "axioms" as one may
easily check. It is not a strictly adequate specification due to the existence
of models that are not generated in the sorts bool and list.
Example 10.3 (Peano axioms). Again the logic considered is PL.
loose spec sorts
bool, nat
opns
True : - bool
255
False: -+ bool
0: - nat
Succ: nat t nat
_ + _: nat x not > nat
_ * _ : nat x nat nat
. < _: nat x nat -> feooJ
vars
m, n: nat
axioms -i(7Vue = False)
-.(0 = Succ(n))
Succ(n) = Succ(m) D n = m
(0 < n) = Thie
(Succ(n) < 0) = Fake
(Succ(n) < Swcc(m)) = (n < m)
n+0=n
n + Swcc(rn) = Succ(n + m)
n*0 = 0
n * Swcc(m) = n + (n * m)
endspec
Clearly, the specification is an adequate specification of Peano arithmetic
(see Example 7.15). As Peano arithmetic is not axiomatizable, it cannot
be a strictly adequate one.
The following theorem indicates some limits of the expressive power of
loose specifications.
Theorem 10.4. Let sp = (E, $) be a loose specification in a logic L.
Then:
(i) M(sp) = (M(sp)YL;
(ii) if L is a logic for which there exists a sound and complete calculus,
then M(sp) is axiomatizable in L;
(in) if L is one of the logics of sections 6.2 to 6.4 and if M.(sp) contains
an algebra with an infinite carrier set, then M.(sp) also contains nongenerated algebras,
A variant of Theorem 10.4(iii) is also known as the Lowenheim-Skolem
theorem (see, for instance [Ebbinghaus et al, 1984]).
Properties of loose specifications may be proved along the lines discussed in section 9. In general, rapid prototyping is not possible for loose
specifications.

Definition 10.5 (Loose specification with constructors). Let L be
a logic.
(i) (Abstract syntax.) A loose specification with constructors is a 4-tuple
256

sp = (S, $, 5 c ,fl c ) where = (5, fi) is a signature, $ C L(S) a set
of formulas, Sc C. S a set of sorts and flc C fi a set of operations with
target sorts in Sc called constructors.
(ii) (Semantics.) The meaning M(sp) of sp is defined to be the abstract

data type M(sp) = Modu($) where
U
{A AlgCE) \ A is generated in the sorts of Sc by

the set flc}.
The concrete syntax for such specifications may be chosen to be identical

with that of section 10.1 except that in the list- of- operations each sort of
Sc and each operation of fZc is preceded by the keywords generated and
constr respectively.
Example 10.6. Consider the specification sp of Example 10.2 with generated preceding boot and list and with constr preceding each of the first
four operations. By its very definition M(sp) no longer contains algebras
that are not generated in the sorts bool and list. Nevertheless, it still fails
to be a strictly adequate specification because it contains models for which
the carrier set of sort list is a singleton.
Example 10.7. Consider the specification of Example 10.3 with generated preceding bool and nat and with constr preceding each of the first
four operations. It may be shown that the abstract data type defined by
the specification is monomorphic. Hence, it constitutes a strictly adequate
specification of Peano arithmetic. By the way, this specification illustrates
that the first-order predicate calculus together with the induction principle
is in some sense complete with respect to Gen(S) (cf. section 8.3).
The properties of loose specifications including Theorem 10.4 carry
over to loose specifications with constructors. Of course, the effect of the
Lowenheim-Skolem theorem (Theorem 10.4(iii)) is void.
10.3
Loose specifications with free constructors
The definition of these specifications is as in Definition 10.5 with "freely

generated" instead of "generated" . Similarly, one uses the keyword freely
generated instead of generated.
Example 10.8. Consider the specification of Example 10.6 with freely
generated instead of generated. The specification is now a strictly adequate specification of the "classical" algebra. Note that the abstract data
defined is still polymorphic due to the non-generated sort el.
Example 10.9. Consider Example 10.7 but with freely generated instead of generated. The first three formulas are now superfluous and may
be removed.
Example 10.10. Consider the following specification:
257
loose spec sorts

opns
freely generated not

constr 0 : not
constr Succ : nat > not
Pred : nat -> nat
vars
n: no
axioms Pred(Succ(n)) = n
endspec
in which Pred is "intended" to be the predecessor function. This polymorphic specification is a strictly adequate specification of the "classical"
algebra in which the value Prerf(O) is left pending. More precisely, the
abstract data type defined contains non-isomorphic algebras differing from
each other only by the value of Pred(0).
11
Initial specifications are atomic specifications in the sense of section 9.

They differ from loose specifications in that they always define monomorphic abstract data types. Furthermore, initial specifications make use of
equational logic or conditional equational logic. While sections 11.1 to 11.7
treat the case of equational logic, section 11.8 briefly considers the case of
conditional equational logic.
11.1
Initial specifications in equational logic
Definition 11.1 (Initial specifications). Let EL be the equational logic

of section 6.2 and let T(, $) denote the quotient term algebra of Definition
7.5.
(i) (Abstract syntax.) An initial specification in equational logic is a pair
sp = (, $) where S is a signature and $ C EL(E) a set of equations.
(ii) (Semantics.) The meaning M(sp) of an equational specification sp =
(, 4>) is the monomorphic abstract data type
M(sp) = {Ae Alg(E) | A ~ T(E, *) }.
The interest of this definition stems from the following fundamental theorem of equational logic:
Theorem 11.2. Let S be a signature and $ C () a set of equations.
ThenT(,<f>) Morf s ($).
The proof of this theorem is essentially based on the Theorems 3.10 and
3.11.
Together with Theorems 7.6 and 2.14, this leads to the following important result:
Corollary 11.3. Let sp = (,$) be an initial specification. Each algebra
of M(sp) is initial in
258
Prom the properties of algebras and, in particular, of quotient term

algebras one easily deduces the following fact:
Fact 11.4. Let sp = (,$) be an initial specification.
(i) Each algebra of M (sp) is generated.
(ii) For each algebra A 6 Morfs($) there exists a unique homomorphism
h : T(S, $) > A defined by h([t]) = A(i), t Ts, viz. the initial
homomorphism (see Definition 7.5).
(iii) For each algebra B M(sp) there exists a unique and surjective
homomorphism h : T(S) > B defined by h(i) =
A concrete syntax for initial specifications is chosen to be identical with
that of section 10.1 but with the keywords initial and eqns instead of
loose and axioms.
11.2
Examples
Example 11.5.
(i) A trivial initial specification is:
initial spec sorts not
opns 0 : - not
Succ : nat > nat
_ + _ : nat x nat > nat
vars m,n:nat
eqns n + 0 = n
n + Succ(m) = Succ(n + m)
endspec
One may prove that the specification is an adequate specification
of the "classical" algebra. Note, in particular, that T(,$)(nat)
consists of the equivalence classes [0], [5cc(0)],[5cc(5cc(0))], etc.
Note also that, for instance,
[0] = [0 + 0] = [0 + 0 + 0] = . . .
[SMcc(O)] = [SMCc(O) + 0] = [0 + Scc(0)]
= [Succ(O) + 0 + 0] = . . . .
(ii) The following example is the classical example of an initial specification. Its glamour stems from the fact that there is no equivalent
loose specification with free constructors that is equally "abstract" .
initial spec sorts nat,, set
opns 0 : -> nat
Succ : nat > nat
0 : -> set
Insert : set x nat > set
vars m, n: nat,s: set
eqns Insert(Insert(s,n),n) = Insert (s, n)
259
Insert(Insert(s,n),m) = Insert(Insert(s,m),n)
endspec
Informally, the first equation identifies terms in which the same "element" occurs several times; the second equation identifies terms in
which the same "elements" occur in different order.
The following example illustrates the problems resulting from the fact
that initial specifications cannot define polymorphic abstract data types.
Example 11.6. Consider the initial specification deduced from the loose
specification of Example 10.10 by deleting the keywords freely generated
and constr and by replacing loose and axioms by initial and eqns.
This specification is not an adequate specification of the "classical" algebra
because T(S,<l>)(na) now contains additional carriers such as [Pred(O)],
[Pred(Pred(0))} and [Succ(Pred(Q))].
Correcting non-adequate initial specifications is non-trivial and errorprone, as the following example illustrates.
Example 11.7. To correct the non-adequate specification of Example 11.6
the following solutions may be envisaged.
One may add the equation Pred(O) = Swccr'(0) for some fixed n > 0,
and thus use [5wc<rn' (0)] as a default value. Of course, this solution is not
acceptable: the choice of a concrete value of n results in a loss of abstraction
and the dual role played by [5wcc'"'(0)] harms the transparency.
Another solution consists in adding to the specification a constant
Error: -> nat and the equations:
Fred(O)
Pred(Error)
Succ(Error)
= Error,
= Error,
= Error.
(11.1)
(11.2)
(11-3)
This solution leads to an additional carrier, viz. [Error].

A more elegant "solution" consists in adding the equation
Succ(Pred(n)) = n. Actually, it still fails to eliminate superfluous carriers,
viz.
[Pred(O)], [Pred(Pred(G))},....
A combination of the last two solutions that consists in adding the corresponding four equations has a dramatic result: the carrier set is reduced
to a singleton because [Error] = [0] = [SWc(O)] = ... as one can easily
check.
For more examples of initial specifications the reader is referred to the
abundant literature on the subject (e.g. [Ehrig and Mahr, 1985]).
260
11.3
Properties
The following property of equational logic directly follows from Theorem

3.8.
Theorem 11.8. Let E be a signature, A, B Ti-algebras and
h : A > B a homomorphism. Furthermore, lett = u be a ground equation
and VX.v = w an equation of EL(E) .
(i) If A\=t- u, then B\=t = u.
(ii) If h is surjective and A \= VX.v w, then B \= VX.v = w.
(iii) If h is injective and B |= VX.v = w, then A \= VX.v = w.
This leads to the following important property of initial specifications.
Note that T(, $) may be viewed as a representative of the abstract data
type defined by the initial specification (S,J>).
Theorem 11.9. Let (,$) be an initial specification. Let t = u be a
ground equation and VX.v = w an arbitrary equation of (). Then:
(i) T(, $)\=t = u if and only if $ I- t = u;
(ii) T(E, $) |= t = u if and only if A |= t = u for each T,-algebra A from
(iii) T(S, $) f= VX.v -w if and only if $ (=/nd VX.v = w;
(iv) r(S, $) |= VX.v w if and only if A^= VX.v = w for each E-algebra
A from Indz($) (i-e. for each generated 'S-algebra from
Informally, the theorem states that T(S, $) possesses exactly those properties that are common to all generated models (and that are expressible
in equational logic).
11.4
Expressive power of initial specifications
By their very definition initial specifications can only define monomorphic

abstract data types consisting of generated algebras. Conversely, any such
abstract data type can be defined by an initial specification, the equation
set of which consists of a possibly infinite number of ground equations.
Remember that the notions of adequacy and strict adequacy coincide for
specifications defining a monomorphic abstract data type.
Theorem 11.10. Let A be a generated 'S-algebra. The initial specification
(E, { t = u #L(E) | t, u TS, A(t) = A(u) }) is an adequate specification
of A.
In practice one is especially interested in specifications with a finite set
of equations.
Theorem 11.11. There are generated algebras for which there exists an
adequate initial specification with a finite set of equations but no adequate
initial specification with a finite set of ground equations.
261
An example of such an algebra is the S-algebra A with = ({not},

{0: -> nat, Succ: nat -4 nat, Double : nat -> not}) and A(nat) = NO , A(Q)
and A(Succ) "classical", A(Double)(n) = 2 * n. Clearly, the initial specification with:
4> = (Double(G) = 0, Double(Succ(n)) = Succ(Succ(Double(n)))}
is an adequate specification of A. The basic idea of the proof that a finite
number of ground equations does not suffice, is that one needs recursion to
express "doubling" with the help of the successor function.
Theorem 11.12. There are generated algebras for which there exists no
adequate initial specification with a finite set of equations.
An example is the E-algebra A with:
S = ({nat}, {0: > nat, Succ: nat > nat, Square : nat nat})
with A(nat), A(0), A(Succ) as usual and A(Square)(n) = n*n. The basic
idea of the proof is to show that one needs nested recursion to express
squaring with the help of the successor function (in the absence of an
"auxiliary" function such as addition).
The following theorem shows that the use of such "auxiliary" functions
suffices to finitely specify any generated "computable" algebra. The notation ... | E is that of Definition 5.6.
Theorem 11.13. Let A be a generated ^-algebra, the functions of which
are computable. Let C be the monomorphic abstract data type containing
A. Then there exists an initial specification sp = (',<!>') with S C ',
*' C (') and $' finite such that C = (M(ap) \ E).
The idea of the proof is to simulate a Turing machine by an initial specification (cf. [Bergstra and Tucker, 1983]).
11.5
Proofs
Properties of initial specifications may be proved along the lines discussed

in section 9. In addition, one may make use of the specific properties of
these specifications and apply one of the following four principles of proof.
The first principle is based on the fact that the algebra T(, $)
is initial in Modz($). Hence, to prove for a given S-algebra A that
A ~ T(, $), it is sufficient to prove that A is a model of $ and that the
initial homomorphism of A (viz. h : T(, $) > A defined by h([t]) = A(t),
t 6 TE) is bijective. Similarly, to prove that the initial specifications (, 4>)
and (E, *) are equivalent, it suffices to prove that $ |= * and that the
initial homomorphism h : T(, $) > T(, *) is injective.
A second principle is based on the fact that T(E, $) is generated and
on the following property of equational logic.
Theorem 11.14. Let E be a signature, VX.t = u EL(E) an equation and A a generated 'E-algebra. Then A \= VX.t = u if and only if
262
A\=to- = ua for all ground substitutions a : X TE .

Informally, the theorem states that a variable may be replaced by an arbitrary ground term. Hence, to prove T(, $) (= VX.t = u one proves
T(, $) |= ta = ua for all ground substitutions a : X > TE
or, according to Theorem 11.9(i), $ (= ta ua for all ground substitutions
a : X > T. This may be proved by induction on the structure of the
ground terms that are substituted for the variables, i.e. on the structure of
the value cr(x), x 6 X .
Example 11.15. Consider the specification of Example 11.5(i). To prove
that T(S, $) |= V{n}.0 + n = n, it is sufficient to prove:
(i) $ |= 0 + 0 = 0;
(ii) if $ (= 0 + t = t for some t IE, then $ (= 0 + Swcc() = Succ(t);
(iii) i f $ | = 0 + u = w and $ h 0 + u = w for some u,v Ts, then
$ (= 0 + (u + l>) = M + V.
Actually, step (iii) of the proof may be shown to be superfluous. In

fact, one may show that for each ground term t e TH there exists n > 0
such that $ (= t = Succ^n\0). Informally, this means that 0 and Succ are
constructors of the sort nat.
A third principle of proof consists in replacing the algebra T(, 4>) by
an isomorphic but "simpler" algebra. It is based on the following theorem
which is a direct consequence of Theorem 4.6.
Theorem 11.16. Let (S,$) be an initial specification with S = (5,0).
Let C be a generated H-algebra with C(s) C TsiS for each s 6 S. If
(i) C \= $, and if, moreover,
(ii) $ f= C(t) = t for all ground terms t T%,
thenC ~T(,$).
An algebra C satisfying the conditions of the above theorem is called a
characteristic term algebra for the initial specification (E,$). The proof
technique now consists in finding a characteristic term algebra C for the
given specification and replacing the study of T(S, $) by that of C.
Example 11.17. Consider again the specification of Example 11.5 (i). Define the S-algebra C by:
C(0) = 0,
C(Succ)(Succ(n\Q)) =
C-(+)(5cc ( " ) (0),5'wcc (m) (0)) = Succ(n+m)(0).
The reader may check that C satisfies conditions (i) and (ii) of Theorem
11.16. Hence, to prove T(S, $) |= V{n}.0 + n = m it is sufficient to prove
C \= V{n}.0 + n = n, i.e.
263
C(+)(C(Q),at(ri)) = a(n) for all assignments a : {n} > C

or, equivalently, C'(+)(0,5ttcc(n)(0)) = Scc(n)(0) for all n > 0.
Note that C indirectly proves that 0 and Succ are constructors of the
sort not (see the remark in Example 11.15).
The fourth principle of proof consists in the use of term rewriting systems, to which we now turn.
11.6
Term rewriting systems and proofs
Term rewriting systems are particular reduction systems. Both types of

systems are extensively discussed in [Klop, 1992; Avenhaus, 1995]. In order
to fix the notation the main definitions are briefly recalled.
First the notions related to reduction systems are defined.
Definition 11.18 (Reduction system).
(i) A reduction system is a pair (R, ->) where jR is a set and ">" a
relation on R.
(ii) A reduction sequence of a reduction system (R, ) is a possibly infinite sequence r\,..., r / t , . . . of elements of R such that FJ - r,+1
for each i > 1; one then writes r\ ->* r^ for any k>l.
(iii) An equivalence sequence is defined similarly but with r, r+i or
n+i -> Ti for each i > I; one writes r\ ~ r^ for any k > 1.
Definition 11.19 (Noetherian, confluent, locally confluent).
(i) A reduction system is Noetherian if it possesses no infinite reduction
sequence,
(ii) A reduction system (jR, >) is locally confluent if for all r, s, t R the
following holds: if r -> s and r -* t then there exists u R with
s >* w and t >* u.
(iii) The notion of a confluent reduction system is defined as in (ii) but
with r t* s and r >* t instead of r s and r > t, respectively.
Definition 11.20 (Normal form). Let (R, ->) be a reduction system
and r & R. A normal form of r is an element s R such that r * s and
there exists no i .R with s -t t.
Theorem 11.21 (Newman's lemma). A Noetherian and locally confluent reduction system is confluent.
Theorem 11.22. Let (R, ->) be a Noetherian and confluent reduction system.
(i) Each element of R has exactly one normal form.
(ii) Let r,s R. Then r ~ s if and only if r and s have the same normal
form.
The following definition associates a reduction system with each initial
specification.
264
Definition 11.23 (Term rewriting system). The term rewriting system of an initial specification (E, $) is the reduction system (T^, >) with
" ->" inductively defined by:
(i) ta > ucr for each equation VX.t = u $ and each ground substitution a : X > Ts;
(ii) if i -> u, then v[t/y] - w[u/y] for all terms w e ?E({}) containing at
least one occurrence of the variable y.
Note that an initial specification in which an equation VX.t = u is
replaced by VX.u = t leads to a different relation "-*" but to the same
relation "~".
The following definition and theorem constitute the basis of a criterion
guaranteeing that a term rewriting system is Noetherian:
Definition 11.24 (Rewrite ordering, reduction ordering). Let be
a signature with Tg)g ^ 0 for each sort s from . Furthermore, let X be a

set of variables for .
An irreflexive partial order ">" on T(X) is called a rewrite ordering
on TE(X) if fr a^ terms t,u TE(X) :
(i) i > u implies fcr > ucr for all substitutions a : X > ^(-f ) >
(ii) t > u implies v[t/y] > v[u/y] for all terms v 6 ?s(xu{y}) where j/ is a
variable for S, y X, which occurs at least once in v.
A rewrite ordering is called a reduction ordering if there exists no infinite
sequence
< h < *2 < ti,
ti TZ(X) for all i > 1.
Theorem 11.25. Le (E, $) 6e an initial specification and X a set of variables for S containing the variables occurring in $. // there exists a reduction ordering < on T%(x), such that u < t for any equation
VY.t = u e $, /en #je term rewriting system of (,$) is Noetherian.
The main theorem of term rewriting states that the equivalence relation
"~" coincides with the validity of ground equations in the initial algebra:
Theorem 11.26. Let (,$) be an initial specification and (Ts,->) its
term rewriting system. For all ground terms t, u TS it is the case that
t ~ u if and only if T(E, $) |= t = u.
Note that the theorem does not require that the term rewriting system is
Noetherian and/or confluent.
The previous theorem is the basis of the fourth principle of proof mentioned in section 11.5. Suppose one has to prove T(E, $) |= VX.t = u.
It is sufficient to show that for all ground substitutions a : X > T^
it is the case that T(,<J>) |= ta = ua (according to Theorem 11.14) or,
equivalently, that ta ~ ua (according to Theorem 11.26),
265
Example 11.27. Consider the specification of Example 11.5(i).

(i) To prove that T(E, $) \= Vn.n + Succ(Succ(0)) = Succ(Succ(Q)) + n
one proves that t+Succ(Succ(0)) ~ Succ(Succ(t)) + Q for an arbitrary
*TE:
t + Succ(Succ(G)) -> Succ(t + Succ(0))
- Succ(Succ(t) + 0)
-> Succ(Succ(t))
<- Succ(Succ(t)) + 0.
(ii) To prove that T(E, $) (= V{n}.0 + n = n one proves that 0 +1 ~ t for
an arbitrary i 6 IE- This may be done by induction on t (cf. Example
11.15).
Clearly, a term rewriting system has similarities with a calculus for
equational logic. As an advantage over the calculus it leads to an efficient
proof procedure in the following particular but "frequent" case. When the
term rewriting system of an initial specification (S, $) is Noetherian and
confluent, the proof of T(E, $) |= VX.t = u may be replaced by a proof of
the following property: for all substitutions a : X Tg the ground terms
to and ua have the same normal form (see Theorem 11.22). The calculation
of the normal form of a ground term is a straightforward procedure that
allows an efficient implementation. Hence, the (main parts of the) proof of
T(, $) |= VX.t = u may be carried out automatically.
Example 11.28. Consider again Example 11.27(1). One easily proves:
t + Succ(Succ(<0)) ->* Succ(Succ(t)),
Succ(Succ(t)) + 0 ->* Succ(Succ(t)).
Hence t + Succ(Succ(0)) and Succ(Succ(t)) + Q have the same normal form,
viz. the normal form of Succ(Succ(t)).
Reducing proofs to the calculation of normal forms is possible only if
the term rewriting system of the specification is Noetherian and confluent.
Several criteria have been developed that guarantee each of these properties; they are based on Theorem 11.25 and Theorem 11.21, respectively.
The Knuth-Bendix algorithm constitutes a particular implementation of
these criteria: it tries to transform an initial specification sp = (S, $), the
term rewriting system of which is Noetherian, into an initial specification
sp1 = (E,<h) such that M(sp1) = M.(sp) and that, moreover, the term
rewriting system of sp1 is both confluent and Noetherian. For more details
the reader may consult the relevant literature (e.g. [Klop, 1992]).
11.7
Rapid prototyping
Rapid prototyping consists in the evaluation of ground terms. When the

term rewriting system of an initial specification is Noetherian and confluent,
266
rapid prototyping may be reduced to the calculation of normal forms as

will now be shown.
Definition 11.29. Let (E, <J>) be an initial specification, the term rewriting
system of which is Noetherian and confluent. One associates with this
specification a E-algebra C defined by:
C(s) = { t TE>S | Ha a normal form },
for each sort s of E;
C(ui) = the normal form of the term n,
for each operation u> = (n : > s) of E;
C (w) (ti,... , t k ) the normal form of the term n(ti, .. .,**),
for each operation
(jj = (n: si x . . . x Sfc - s) of E.
Theorem 11.30. Let (S,*) and C be as in Definition 11.29. Then C
is a characteristic term algebra of the initial specification (E, $). Hence
Informally, the theorem states that the algebra C of Definition 11.29 may
be viewed as a representative of the abstract data type defined by the initial
specification (S, 4>). This justifies why the evaluation of ground terms in
the algebra C may be defined as rapid prototyping. As this evaluation
consists in the calculation of the normal form of these ground terms, it
may be performed automatically by the term rewriting tools mentioned in
section 11.6.
Example 11.31. Consider the specification of Example 11.5(i). Rapid
prototyping of the ground term Succ(Succ(0)) + Succ(Q) yields the ground
term Succ(Succ(Succ(0))).
11.8
Initial specifications in conditional equational

logic
The main definitions and theorems of sections 11.1 to 11.7 may be generalized in a straightforward way for conditional equational logic. In particular,
Theorem 11.2 holds for conditional equational logic as well.
The use of conditional equational logic often simplifies the design of initial specifications because it allows the expression of implications between
equalities instead of equalities only. On the other hand it may be more
difficult to grasp the structure of the initial algebra T(E, $) and, in particular, of its carriers; moreover, term rewriting systems and their tools are
more complex (see, for example, [Klop, 1992; Padawitz, 1988]).
11.9
Comments
It is tempting to try to generalize initial specifications for logics other

than equational and conditional equational logic. The following example
illustrates the limits of such a generalization.
267
Example 11.32. Let be a signature with a single sort and four constants, viz. a, 5, c, d. Let $ be a set consisting of the single formula (of
predicate logic):
(-.a = 6 A c = d) V (a = b A -ic = d).
Then Mod-s($) has no initial algebra. In fact, by Theorem 3.8 an initial
algebra A has to satisfy both A(a) / A(b) and A(c) ^ A(d). Hence, it
cannot be a model of $.
12
While loose specifications and initial specifications have a model-theoretic

semantics, constructive specifications have an operational semantics.
Hence, constructive specifications allow rapid prototyping by their very
definition.
The literature proposes several notions of constructive specifications,
some of which lack a precise definition. The following general notion encompasses most of them. For more clarity its definition is given in three
steps.
Definition 12.1 (Constructive specification: abstract syntax). A
constructive specification is a triple sp = (,4>, fic) where S = (S,fl) is a

signature, $ C EL(%) a set of equations and J7C C fi a set of operations
called constructors. It is required that the following three constraints are
satisfied. In these constraints X is a set of variables for E, Ec = (S, fl c )
and Var(t) denotes the set of variables occurring in a term t.
(i) Each equation of $ is of the form n(vt , . . . , V k ) t with
(n: Si x ... x at -> s) n H c , k > 0,
*>i TSc(x),,. for all i, 1 < i < k, and t T^X),sMoreover, it must be the case that Var(t) C Var(n(vi,... , r^)).
Finally, no variable may occur more than once in n(i,... ,ut).
(ii) For each ground term n(w\,..., Wk) of IE with
(n: si x ... x Sk - s) ft - ftc, k > 0,
u>i Tzc,si for each i, 1 T^c such that
Wi = Via for all i, 1 < i < k.
(iii) There exists a reduction ordering "<" such that
t < n(v\,..., Vk) for each equation H ( V I , . . . , Vk) = t $.
Informally, constraints (i) and (ii) make $ look like a (generalized version of
a) recursive function definition in the theory of computability. Constraint
268
(iii) makes sure that the calculation of the value of a ground term terminates
(see Definition 12.3).
The concrete syntax for constructive specifications is chosen to be similar to that of an initial specification but with constructive instead of initial and with constr preceding
B each constructor in the list- of -operations.
Example 12.2.
constructive spec
sorts nat
opns constr 0 : nat
constr Succ : nat ) nat
- + . : nat x nat nat
vars m, n: nat
eqns m + 0 = 0
m + Succ(n) = Succ(m + n)
endspec
The reader having difficulties checking that constraints (ii) and (iii) of
Definition 12.1 are satisfied may wait for the remarks preceding Example
12.6.
Definition 12.3 (Constructive specification: semantics). Let sp =
(,$,n c ) be a constructive specification with S = (5, fl). Put Sc =
(5, flc). The meaning M.(sp) of sp is the monomorphic abstract data type
M(sp) = { A 6 Alg(E) \ A ~ C } where C is the E-algebra defined by:
(i) C(s) = T EcjS for each sort s 5;
(ii) C(uj) = n for each constant u> = (n: > s) fic;
(iii) C(u)(wi,...,Wk) = n(wi,...,Wk)
for each u = (n:si x . . . x Sk -> s) (7C, k > 1, and all tUj Tsc<Si,
(iv)
C(w)(wi,...,wk)
for each w = (n:si x . . . xs^ - s) fi n c , k > 0, and all Wi 7s c>Si ,
1 TSC is the univocally defined substitution
for which vna Wi, 1 < i < k, guaranteed by constraint (ii) of
Definition 12.1.
The semantics M (sp) is constructive in that the specification sp constitutes an explicit definition of the algebra C and, more importantly, because
the value C(t) of an arbitrary ground term t IE may be effectively computed in finite time as expressed by the following theorem:
Theorem 12.4. Let sp = (S,$,fi c ) and C be as in Definition 12.3. For
any ground term t 6 TS the computation of the value C(t) is finite and
yields a unique result.
269
A precise definition of the notion of a computation of the value C(t)

and a proof of the theorem may be found in [Loeckx et al., 1996]. Clearly,
the proof of finiteness is founded on constraint (iii) of Definition 12.1. A
computation resembles term rewriting with the algebra C behaving as a
characteristic term algebra.
While the semantics of loose specifications is based on model theory and
that of initial specification on term algebras and quotients, the semantics of
constructive specifications is operational. The following theorem shows a
relation between these three semantics. As constructive specifications may
be viewed as programs, the theorem also shows that the difference between
specifications and programs is not sharp.
Theorem 12.5. Let sp = (E,$,n c ) be a constructive specification with
E = (5, fi). Call spL the loose specification with free constructors (S, $, S,
fic) and spj the initial specification (,$). Then M(sp) = M(spL) =
M(sPl).
Of course, due to the constraints of Definition 12.1 constructive specifications are in some sense less abstract than initial specifications. Similarly, loose specification with free constructors allow, for instance, no "abstract" specification of sets (see Examples ll.S.(ii) and Example 13.11).
They are less expressive than loose specifications becausesimilarly to initial specificationsthey can only define monomorphic abstract data types.
Nevertheless, in concrete "practical" examples the difference between initial
and constructive specifications is often purely notational as is illustrated by
Examples 11.5(i) and 12.2. A similar remark holds for loose specifications
with free constructors where the abstract data type defined is monomorphic
(cf. Example 10.9).
The design of a constructive specification faces the problem of checking
constraints (i) to (iii) of Definition 12.1. Actually, checking constraint (i)
is trivial. Constraint (ii) is verified when the left-hand sides of the equations for any operation of fl Oc constitute a "complete set of constructor
patterns". A precise definition of this notion, which is based on the "unfolding" of variables, may, for instance, be found in [Loeckx et al., 1996].
Complete sets of constructor patterns of the operation "+" of Example
12.2 are, for instance:
{n + m},
{n + 0, n + Succ(m)},
{0 + m, Succ(n) + m},
{0 + 0, Succ(n) + 0,0 + Swcc(m), Succ(ri) + Swcc(m)},
{n + Q,n + Succ(0),n + Succ(Succ(m))}.
Finally, a sufficient condition for constraint (iii) is the following: the operations of fZ fic may be written as w i , . . . , wj, I > 0, such that for each
equation n(v\,..., Vk) t of $, u>i (n : s\ x ... x Sk > s):
270
for each subterm n(ti,...,tk) of t, each ti is a subterm of Uj,

1 < i < A;; moreover, there exists j, 1 < j < fc, such that tj is a
proper subterm of Wj .
The specification of Example 12.2 satisfies these conditions. A more elaborate example is the following:
Example 12.6. The example consists of the constructive specification of
Example 12.2 with the additional sort bool, the additional constructors
True : > bool, False : -> bool, the additional operations
_ < _: nat x nat > nat,
Even : nat > bool
and the additional equations
0 < n = True,
Succ(m) < 0 = False,
Succ(m) < Succ(n) = m < n,
Even(Q) = True,
Even(Succ(0)) = False,
Even(Succ(Succ(m))) = Even(m).
More details on constructive specifications and on the checking of their
constraints as well as a generalization for conditional equational logic may
be found in [Loeckx et al., 1996; Loeckx, 1997].
13
As already mentioned in section 9, a specification language allows "large"

specifications to be constructed out of "small" ones. The basic building
blocks in this construction are the specifications obtained by specificationin-the-small, i.e. the atomic specifications designed along the principles
presented in sections 10 to 12. The present section is concerned with the
principles of specification languages without modularization and parameterization; these concepts will be investigated in section 14.
Several more or less tentative specification languages have been proposed in the literature: CLEAR [Burstall and Goguen, 1980], ASL [Wirsing, 1986], ACT ONE [Classen et al, 1993; Classen, 1989], PLUSS [Bidoit,
1989; Bidoit, 1991], Larch [Guttag et al, 1985; Guttag and Horning, 1993],
OBJ 3 [Goguen and Winkler, 1988], OBSCURE [Lehmann and Loeckx,
1993], and Spectrum [Broy et al., 1993]. A more detailed overview may
be found in [Wirsing, 1995; Sannella and Wirsing, 1999]. A very general
language, called CASL, is presently being developed by an international
Working Group (see, for instance, [protectSannella, 1999; Mosses, 1999]);
the release of the final version of this language scheduled for the end of
271
the year 2000. In this section and in section 14 a very simple specification
language is described that encompasses the main features of these different
languages.
13.1
A simple specification language
The specification language introduced below is a very elementary one and

is called SL. Two additional constructs will be added in section 13.2. The
specification language is general in that it fixes neither the nature of the
atomic specifications nor the logic.
According to its abstract syntax, the language is defined as a set of
"specifications". With each specification, say sp, is associated a signature
S(sp).
Definition 13.1 (Abstract syntax of the specification language
SL). The set of specifications sp of the specification language SL and their
signatures S(sp) are defined inductively:
(i) any atomic specification of sections 10 to 12, say at, is a specification;
S(at) is defined to be the signature of this atomic specification;
(ii) (union) if spi and sp2 are specifications, then
(iii)
(iv)
(v)
(vi)
is a specification with S(spl + sp2) = S(spl)

(renaming) if sp is a specification and // : <S(sp) > ' a renaming,
then
(rename sp by n)
is a specification with <S((rename sp by //)) = fj,(S(sp));
(forgetting) if sp is a specification, S a set of sorts and fl a set of
operations such that (5, 0) C S(sp) and S(sp) (S, f2) is a signature,
then
(sp forget (5, fl))
is a specification with S(sp forget (5,17)) = S(sp) (5, fi);
(extension) if sp is a specification, S a set of sorts and ft a set of
operations such that S(sp) U (5, H) is a signature, then
(extend sp by (5, ft))
is a specification with <S(extend sp by (S, ft)) = S(sp) U (5, H));
(modelling) if sp is a specification and 4> C L(S(sp)) for some logic
L, then
(sp model $)
is a specification with S(sp model $) = S(sp);
(vii) (restriction) if sp is a specification with S(sp) = (5,0), if 5C C 5
and if Qc C fj is a set of operations with target sorts in Sc, then
(sp generated in Sc by Qc)
272

and
(sp freely generated in Sc by flc)

are specifications with
<S(sp generated in Sc by H c )
= S(sp freely generated in Sc by ttc) = S(sp).

It is easy to show that S(sp) is a signature for any specification sp.
Additional syntactical conditions may even guarantee that S(sp) is strongly
typed (cf. Definition 3.2). It is understood that parentheses may be deleted
if no ambiguity arises.
Again, in the examples the abstract syntax is replaced by a concrete
one. In this concrete syntax a pair (S, ft) consisting of a set of sorts and a
set of operations is again written as
sorts
opns
list-of-sorts
list-of-operations
and a set $ of formulas as

vars
list-of-variables
axioms list-of-formulas
Finally, a renaming ^ : S > E' is written
sorts si,...,8k opns u > \ , . . . , u j i
as sorts s(,..., s'k opns LJ{ ,..., u\
with S i , . . . , s/c and s(,..., s'k sorts of S and E' respectively, k > 0, and
with ui,...,u>i and u > [ , . . . ,u[ operations of E and ' respectively, I > 0.
The renaming p, = (us, A*fi) defined by this concrete syntax is
, ,. _ J s'i if s = Si for some i, 1 < i'. < k,
\ s otherwise,
j'j
if u = (jjj for some j, I < j < I,

if u = (n: Si x ... x sk > s) ^ ujj
for all j, 1 < j < /.
Note that the concrete syntax has to satisfy several "context conditions"
lest /z fails to be a renaming. For instance, the sorts s{,..., s'k have to be
pair wise different.
The constructs of the specification language are interpreted as operations on classes of algebras. Alternative semantics descriptions will be
briefly described in section 13.8.
Definition 13.2 (Semantics of the specification language SL). The
meaning M. (sp) of a specification sp of the language SL is defined inductively and follows the structure and notation of Definition 13.1:
273
(i) the meaning M(at) of an atomic specification at is the abstract data

type defined by this atomic specification according to sections 10 to
12;
(ii) M(sp! + sp2)
= {Ae Alg(S(sPl + sp2)) | (A \ S(sPl}) 6 M(sPl),
(A\S(sp2))eM(sp2)};
(ui) X(rename sp by /z) = {A . Alg(p,(S(sp))) \ (A \ n) 6 M ( s p ) } ;
(iv) M(sp forget (5,0)) = (M(sp)) \ (S(sp) - (5,0));
(v) Ai(extend sp by (5,0))
= { A e Alg(S(sp) U (5,0)) | (A \ S(sp)} M(sp) };
(vi) M(sp model $) = M(sp) n Mods(sp)($)\
(vii) M(sp generated in 5C by Oc) =
{ A 6 .M(sp) | ^4 is generated in Sc by Oc }
.M(sp freely generated in 5C by O c ) =
{ A M(sp) I A is freely generated in 5C by Oc }.
Informally, the construct "+" builds a persistent extension of M(spl) and
M(sp2) (see Definition 5.10(ii)); note that, if S(spl) and S(sp2) are not
disjoint, only those algebras of .M(spi) and M(sp2), the common parts of
which "coincide", contribute to the result. The construct rename merely
performs a renaming of sorts and operations because /j. is bijective. The
construct forget drops sorts and operations. The construct extend adds
"loose" sorts and operations. The construct model filters out the algebras
that are not models of $; a similar remark holds for generated and freely
generated.
It is easy to show that M(sp) is an abstract data type of signature
S(sp) for any specification sp.
Prom a user's point of view the construct "+" allows specifications to be
put together. The construct rename allows more appropriate names to be
introduced or name collisions to be avoided during a subsequent application
of the construct "+". The construct forget allows deletion of sorts and
operations that are no longer needed. The construct extend together with
the constructs model, generated and freely generated allows sorts and
operations to be added and the model class to be restricted, respectively.
A non-trivial example of a specification is far too lengthy to be presented
here. Moreover, the specification language SL is too elementary to allow
elegant descriptions. Hence, the goal of the following example is merely to
illustrate the concepts introduced.
Example 13.3. The atomic specifications used within the following specification are loose ones with free constructors:
((extend (loose spec sorts freely generated bool
opns constr True : -4 bool
constr False: -> bool
274
endspec
+
loose spec sorts freely generated nat
opns constr 0: > nat
constr Succ: nat > nat
endspec)
by opns _ < - : nat x nat - bool)
model vars
m,n:nat
axioms 0 < n = True
Succ(m) < 0 = False
Succ(m) < Succ(n) = m < n)
13.2
Two further language constructs
The semantics of the constructs extend and model of the specification

language introduced above has a loose flavour that is illustrated by the
following fact. An atomic loose specification (S, $) has the same semantics
as the specification:
(extend e by S) model $
where e stands for a specification defining the abstract data type for the
empty signature. The present section introduces two additional similar
constructs that have an initial rather than loose flavour.
It is necessary first to introduce two notions that may be viewed as a
generalization of the notion of an initial algebra and of a quotient term
algebra, respectively. Their definition is somewhat technical and may be
difficult to understand at first reading. A more detailed treatment of the
subject may be found in textbooks such as [Loeckx et al., 1996].
Definition 13.4 (Free extension). Let E, E' be signatures with E C S ' .
Let A be a E-algebra and C' a class of S'-algebras.
(i) A homomorphic extension of A for (E',C') is a pair (B',g) where
B' C' and where g : A > B' \ E is a E-homomorphism.
(ii) A free extension of A for (E',C') is a homomorphic extension (E',q)
of A for (S',C') such that for each homomorphic extension (B',g) of
A for (S',C') there exists exactly one E'-homomorphism
h' : E' > B'
with g = (h11 E) o q.
(iii) If C' = Mods- ($') where $' C L(E') is a set of formulas for some
logic L, one speaks of a homomorphic extension and a free extension
of A for (',*')
If the homomorphism q of a free extension (E',q) is known, it is common
practice to identify the algebra E' with (E',q) and to speak of the free
extension E'.
275
E'
ft1 IE
h'
B'
Fig. 2. Illustration of Definition 13.4

Informally, a homomorphic extension is an algebra of C' that is related to
A by a homomorphism. Prom a free extension both components B1 and
g of an extension (B',g) may be "reached" by a unique homomorphism
h'. The definition is illustrated by Figure 2. The use of this graphical
representation may be helpful in understanding proofs.
Clearly, the notion of a free extension for (E',C') coincides with the
notion of an initial algebra of C', when the signature E is empty.
Definition 13.5 (Quotient term extension). Let = (S, fi), E' =
(5', fi') be signatures with C E'. Let A be a E-algebra and $' C (')
a set of equations. Write
0.4 = { ca : > s \ a <E A(s), s 6 5 } where each ca : > s is a "new"
constant;
EC = (s, n u oo, E; = (5', n' u oo;

Ac for the Ec-algebra identical with A but with, additionally,
Ac(ca ' -* s) = a for each new constant ca : - s of fi^;
& = $' U ThÂc) with
ThGEL(Ac) = {(t = u) ThEi(Ac) \ t,u TSc }
(i.e. Th^Âc) consists of the ground equations of ThsL^c))The quotient term extension of the E-algebra A for (E', <') is the S'-algebra
A(E', *') defined as
Informally, the quotient term extension ^4(E', $') is similar to the quotient
term algebra T(E', $') but possesses in addition all "equational properties"
of ^4. This results from the addition of the ground equations of the equational theory of A to $'. This, in its turn, required the introduction of the
constants ca allowing "access" to each carrier of A.
The following corollary constitutes a generalization of Theorem 11.2.
Corollary 13.6. Let E, E' be signatures with E C E'. Let A be a algebra and let $' C EL(H'). The quotient term extension A(E',$') is a
276
model of $'.
Example 13.7. Let and A be as in Example 4.9. Let 6,61,62: el and
/: list be variables and
$ = {Add(e,Add(e,l)) = Add(e,l),
Add(e1,Add(e-2,l)) = Add(e2,Add(ei,l))}.
Consider the quotient term extension A(, $) of A for (, $). Then
A(,$) ~ with (e/) = ^(ei), B(/ist) is the set of all finite sets of
elements from B(el), B([]) is the empty set and B(Add)(e, s) = sU{e} for
all e 6 B(el) and s B(list).
The following theorem shows that all free extensions coincide with the
quotient term extension up to isomorphism. It constitutes a generalization
of Corollary 11.3.
Theorem 13.8. Let , S' be signatures with C ', let A be a ^-algebra
and let $' C EL(S'). Let A(Z',&) be the quotient term algebra of A for
(',$') and q : A A(E',$') | its associated homomorphism.
(i) E' ~ A(', $') for any free extension (E', r) of A for (', $').
(J IfE' ~ A(',$') according to the isomorphism i' : A(',$') > E',
then (E1, (V \ ) o q) is a free extension of A for (', $').
By the way, the preceding theorem allows a free extension (E',r) to
be identified with the algebra E': according to part (ii) of the theorem
the homomorphism r is uniquely determined by E1 (cf. the remark at the
end of Definition 13.4). Moreover, part (i) of the theorem allows the free
extension E' of A for (', $') to be identified with the algebra -A(', $')
In building a free extension of an algebra A the carrier sets may be
modified by a factorizationas illustrated in Example 13.7. The following
property expresses the fact that the carrier sets remain unchangedup to
isomorphism.
Definition 13.9 (Persistent free extension). Let , ' be signatures
with C ', let A be a -algebra and let $' C ('). Also let E1 be a
free extension of A for (', $') and i' : A(E', $') > E' the corresponding
isomorphism. Call q : A > A(',$') the homomorphism associated
with the quotient term algebra j4(',$'). The free extension E' is called
persistent when the homomorphism
(i1 | ) o q : A -> E' \
is an isomorphism.
Finally, it is possible to introduce the "initial counterparts" of the language constructs extend and model.
Definition 13.10 (Two further constructs of the specification language SL). The abstract syntax of the specification language of Definition
13.1 is augmented by two cases:
277
(viii) if sp is a specification, S a set of sorts and ft a set of operations such

that S(sp) U (5, ft) is a signature, then
(freely extend sp by (S, ft))
is a specification with
S(freely extend sp by (5, ft)) = S(sp) U (5, ft);
(ix) if sp is a specification and $ C EL(S(sp)) a set of equations then
(sp quotient $)
is a specification with
S(sp quotient $) = S(sp).
The semantics of Definition 13.2 is accordingly augmented by the cases:
(viii) M(freely extend sp by (5, ft))
= { ' 6 Alg(Z') | E' is a free extension of A for (S', 0),
AeM(sp) }
where S' = S(sp) U (5, ft);
(ix) M.(sp quotient $)
= { E 4fy() | E is a free extension of A for (S, $),
where S =
Informally, in contrast with the construct extend, the construct freely
extend replaces each algebra of M(sp) by its free extensions rather than
by all possible extensions. Similarly, while model removes the algebras
that fail to be a model, quotient presses all algebras into a mould by
factorization. Hence, when no algebras of sp happen to be a model of 4>,
(sp model $) is the empty class of algebras while (sp quotient $) consists
of algebras with carrier sets consisting of a singleton. More generally, in
contrast with the constructs of the specification language, freely extend
and quotient may modify the algebras to which they are applied: whenever the free extension is not persistent, freely extend adds carriers and
quotient identifies carriers by factorization.
Note that an initial (atomic) specification (E, ) has the same semantics
as the specification:
(freely extend e by (S,ft)) quotient $
where e stands for the specification defining the abstract data type for the
empty signature.
The following examples illustrate that the construct quotient may also
be used to overcome a deficiency of loose specifications with free constructors and of constructive specifications. As already indicated, these specifications fail to lead to an "elegant" or "abstract" description of abstract
data types, the carrier sets of which cannot be represented in a "natural
278
way" by a term language. The classical example of such a data type is

"set" (cf. Example 11.5(ii)).
Example 13.11. Informally, the construct quotient makes sets out of
lists; the construct rename introduces more appropriate names:
rename ((loose spec sorts el, freely generated list
opns constr [ ] : ) list
constr Add: el x list - list
endspec)
quotient (vars 6,61,62: el, I: list
eqnsAdd(e,Add(e,l)) = Add(e,l)
Add(ei,Add(e2,l)) = Add(e2,Add(el,l)}))
by sorts list
opns [ ]: list
Add: el x list -> list

as
sorts set
opns 0 : set
Add: el x set - set
13.3
Adding an environment
While a specification language such as the one described above allows specifications to be "structured", a non-trivial specification is a long piece
of text. The idea is to cut this text into "small" specifications and to
give them names according to a technique that is classical in programming. To this end it is necessary to add an "environment" mapping
names into "environment-dependent specifications"henceforth called "especifications". A specification then consists of an e-specification together
with an environment.
While this idea is simple, the corresponding definition is somewhat
subtle. In fact, as the notions of an "environment" and of an "e-specification"
are interrelated, their inductive definition has to be simultaneous.
The definition implicitly makes use of a set of names not further defined.
Definition 13.12 (Environment, abstract syntax of e-speciflcations).
The notions of an environment, of an e-specification, of the signature of an
e-specification in an environment and of the relation "is an e-specification
for the environment" are defined by simultaneous induction. Note that an
environment is defined to be a partial function:
(i) an atomic specification, say at, is an e-specification for the everywhere undefined environment; the signature S(at)(env) of this especification in the environment env is the signature of the atomic
specification at;
279
(ii) if esp1 and esp2 are e-specifications for the environment env, then
(espl + esp2)
is an e-specification for the environment env; the signature of this
e-specification in the environment env is
S(espl + esp2)(env) = S(espl)(env)
(JS(esp2)(env);
(iii) to (ix): as (iii) to (ix) of Definition 13.1 and (the first part of) Definition 13.10 but with:
"e-specification for the environment env" instead of "specification" ;
"S(.. .)(env)" instead of "(...)" where "..." stands for an
(e-)specification;
(x) if env is an environment and n a name such that env(n) is defined,
then n is an e-specification for the environment env; the signature of
the e-specification n in the environment env is
S(n)(env) = S(env (n)) (env};
(xi) the everywhere undefined function is an environment;
(xii) if env is an environment, n a name such that env(ri) is undefined
and esp an e-specification for the environment env, then env[esp/n]
is an environment (where env[esp/n] is identical with env except for
(env[esp/n])(n) = esp);
(xiii) an e-specification for an environment env is also an e-specification for
an environment env1, whenever env C env'.
Informally, an e-specification according to this definition is a specification
according to Definition 13.1, it being understood that a name is also an
e-specification. If esp is an e-specification for the environment env, then
env(n) is defined for each name n occurring in esp. Finally, an environment
env contains no "recursive calls" in the sense that there exists no sequence
HI ,..., rik of names, fc > 1, such that:
env(ni) contains an occurrence of rij + i, 1 < i < k 1;
env(rik) contains an occurrence of n\.
The following definition fixes the meaning of an e-specification in an
environment.
Definition 13.13 (Semantics of e-specifications). Let esp be an e-
-specification for the environment env. The meaning M.(esp)(env) of esp

in env is defined inductively according to cases (i) to (x) of Definition 13.12:
(i) M(at)(env) is the abstract data type defined by the atomic specification at;
(ii) M(esp1 + espz)(env)
= {A 6 Alg(S(esp1 + esp%)(env)) \
280
(A | S(esp1)(env)) e M(espl)(env),
(A j S(esp2)(env)) M(esp2)(env) };
(iii) to (ix): similar to (ii) and in accordance with Definition 13.2 and (the
second part of) Definition 13.10;
(x) Ai(n)(env) = M (env (n)) (env).
It is now possible to define a specification language with an environment.
This specification language is called e-SL; syntactically it consists of a set
of pairs called "specifications" .
Definition 13.14 (The specification language e-SL).
(i) (Abstract syntax.) A specification of the specification language e-SL
is a pair (env, esp) where esp is an e-specification for the environment
env. Its signature is
S((env, esp)) S(esp)(env).
(ii) (Semantics.) The meaning of a specification (env, esp) of the language e-SL is the abstract data type
M((env, esp)) = M(esp)(env).
Again, it is possible to introduce a concrete syntax. One then writes
decl; esp
instead of (env, esp). In this notation decl stands for a string called a "declaration". The set of all declarations decl and the environments (decl)
they describe are defined inductively:
(i) the empty string e is a declaration; it describes the environment
(e) = the everywhere undefined function;
(ii) if decl is a declaration, if esp is an e-specification for the environment
(decl) and if n is a name for which (decl)(ri) is undefined, then
decl; n is esp
is a declaration; it describes the environment
(decl;n is esp) = ((decl))[esp/n\.
Example 13.15. The specification of Example 13.3 may now be written
in a more readable way:
BOOL is loose spec sorts freely generated bool
opns constr True : -> bool
constr False : > bool
endspec;
NAT is loose spec sorts freely generated nat
opns constr 0 : nat
constr Succ : nat nat
endspec;
extend (BOOL + NAT)
281
by opns _ < _ : nat x nat ) nat

model vars
m, n: nat
axioms
0 < n = True
Succ(m) < 0 = False
Succ(m) < Succ(n) = m <n
13.4
Flattening
Flattening consists in "translating" a specification into an atomic specification with the same meaning. The reason for our interest in flattening
will become clear in sections 13.5 and 13.6.
In the process of flattening, constructs such as rename and forget lead
to some minor problems of a syntactical nature. The other constructs of the
specification language SL lead to semantical problems, some of which are
undecidable. The following comments illustrate some of these problems.
For more simplicity they refer to the specification language SL of sections
13.1 and 13.2.
Fact 13.16.
(i) Let spt = (Si,$!), sp-2 = (2,^2) be loose specifications (in the
sense of Definition 10.1). Then Ai(spl + sp2) = M(sp), where sp is
the loose specification ( S i U 2 , $ i U $ 2 ) (ii) Let sp = (,$) be a loose specification in a logic L. Let S be
a set of sorts and (7 a set of operations such that U (5, fi) is
a signature; let \P C ,( U (S, Q)) be a set of formulas. Then
^(extend sp by (S, fi) model $) = M(sp') where sp' is the loose
specification ( U (S, ft), * U #).
This fact does not hold for initial specifications, loose specifications with
(free) constructors or constructive specifications.
Fact 13.17. Let sp = (,$) be an initial specification. Let S and fi be
such that U (S, H) is a signature and let * C EL(, U (5, fi)). Then
.M(freely extend sp by (5,0) quotient <) = M(sp')
where sp1 is the initial specification (E U (5, fi), $ U *).
Again, the fact does not hold for loose specifications or constructive specifications.
As flattening has been studied in some detail for initial specifications,
additional properties for this particular case can be found in the literature
(see, for example, [Ehrig and Mahr, 1985]). A similar approach to deriving so-called "normal forms" of structured specifications can be found in
[Wirsing, 1993].
282
13.5
Properties and proofs
A first family of properties refers to the constructs of the specification

language. Typical properties one may want to prove are:
M(spl + sp2) is a persistent extension of M(spi), i = 1,2 (in the
sense of Definition 5.10);
.M(extend sp by (5, fi) model $) is a persistent extension of M(sp);
each algebra of M(freely extend sp by (S, fi) quotient $) is a
persistent free extension of an algebra of M(sp) (in the sense of Definition 13.9).
While these properties are undecidable in the general case, the latter one
has been studied to some extent in the literature on initial specifications
(see, for example, [Ehrig and Mahr, 1985]).
A further family of properties refers to the abstract data type defined
by a specification (cf. section 9). By flattening the specification the proof
of such a property is reduced to a proof for an atomic specification. Alternatively, it is possible to develop a calculus for the specification language
that reduces the property of a specification to properties of the atomic
specifications contained by it. In this way the proof is again reduced to
proofs for atomic specifications. An example of such a calculus is given in
[Wirsing, 1993; Bidoit et a/., 1999].
13.6
Rapid prototyping
There are two methods that allow the rapid prototyping of a specification.
The first method is based on "compilation" and consists in first flattening the specification into an atomic specification that allows rapid prototyping.
The second method is based on "interpretation" and makes use of a
program that "interprets" the different constructs. This method is particularly simple when the atomic specifications contained by the specification
are constructive (see e.g. [Loeckx and Zeyer, 1995]).
13.7
Further language constructs
The specification languages SL or e-SL may be extended in two ways.

First, it is possible to introduce additional constructs by defining them
as "macros". While these constructs do not increase the expressive power
of the language, they may be very useful by simplifying the notation.
Second, it is possible to introduce additional language constructs. An
example is the construct of "amalgamated union" which constitutes a generalization of the construct "union" (i.e. "+") and which will now be briefly
described. Informally, the amalgamated union avoids name clashes through
automatic renaming and thus reduces the number of algebras disregarded
by "+".
283
Definition 13.18 (Amalgamated union: abstract syntax).

(i) (Abstract syntax.) If spl and sp2 are specifications and if 5 is a set
of sorts and J) a set of operations with (5, 17) C S(spi) C\S(sp2), then
(sPi +(s,fi) sPz)
is a specification with S(spl +(s,n) sp2) A*i(S(sPi)) U M2(<S(P 2 ));
in this definition Hi and /*2 are the surjective signature morphisms
univocally defined as follows:
/, f*\ - / s if s S or s
PiW - j s> otherwise
for all sorts s 6 S(sp1),
s otherwise
for all sorts s e S(sp2),
n:m(s1) x ... x
if w 6 (7 or u & S(sp2),
n':/ii(si) x ... x fj,i(sk) t/j,i(s) otherwise
for all operations w = (n: si x . . . x sfc -> s) e 5(5;?!), fc > 0,
^(w) defined similarly,
where s', s", . .., n', ... are "new", pairwise different sorts and operation names.
(ii) (Semantics.) M(sp1 +(s,n) SP2)
and
By the way, as "+s,n" may be defined as a macro with the help of

"rename" and "+" , it does not increase the expressiveness of the language.
13.8
Alternative semantics description
The semantics of the specification language was defined above as a function M mapping specifications into abstract data types. This method for
describing the semantics is called model- oriented. There exist other description methods, two of which will be briefly discussed. Each of these
methods naturally leads to a slightly different semantics of some of the
language constructs.
According to the specification- oriented (also called presentation-oriented)
description method the semantics of a specification language is a function
AT mapping specifications into atomic specifications defining the same abstract data type. Assume that Af maps specifications into atomic loose
specifications or, alternatively, into atomic initial specifications. Two examples of the semantics of the language constructs are:
Af(at)
at for any atomic specification at;
284
with E!, 2 , *i, $2 defined by ./V(spi) = (i,*i) and.W(sp 2 ) = ( 2 ,$ 2 ).

An advantage of this description method is that flattening is explicit. A
drawback is that the nature of the atomic specifications has to be fixed and,
more importantly, the semantics of some constructs may be less transparent.
According to the theory-oriented description method the semantics is a
function T mapping specifications into theories. Two examples are:
T(at) = $* for the atomic specification at = (, $);
T(*PI + sp2) = (T(sPl) U T(sp2))*.
A more detailed description of these alternative semantics classically
makes use of some additional notions. The following definition is intended
to help the reader in consulting the relevant literature.
Definition 13.19 (Theory morphism, specification morphism, hierarchical specification). Let L be a logic, // : > ' a signature
morphism and $ C L(E), $' C (')
(i) The signature morphism fj, is called a theory morphism and one writes
p, : $* <J>'* if 4>' is a /^-extension of $ (cf. Definition 7.25).
(ii) The signature morphism /z is called a specification morphism and one
writes fj, : (, $) > (', $') if // : $* $'* is a theory morphism.
(iii) The pair ((,<!>), (E',$')) is called a hierarchical specification if the
signature morphism n is an inclusion and fj, : (E, $) > (E', $') is a
specification morphism.
14
The specification languages discussed above have two shortcomings. First,

they are concerned with algebras and thus implicitly suggest a bottom-up
design of specifications. A more general design would require the possibility
of handling incomplete specifications, say "specification pieces". Next, the
languages do not support reusability. This would require the possibility of
providing "specification pieces" with parameters.
Sections 14.1 to 14.3 introduce a notion of "specification piece", henceforth called "module specification" . A facility for parameterization is proposed in section 14.4.
14.1
Modularized abstract data types
Informally, modularized abstract data types are the objects to be specified

by the module specifications to be introduced in sections 14.2 and 14.3.
Definition 14.1 (Module signature). A module signature is a pair
(Si, Se) of signatures; j and Se are called the import signature and export
signature, respectively. A sort or operation from the signature Ej n Se is
called inherited.
285
A graphical representation of the module signature (E,, E e ) with

,r},{ui,u2}), Ee = ({s},{wi,w3}) is:
The dotted lines characterize the inherited sorts and operations.

Definition 14.2 (Modularized abstract data type).
(i) A modularized abstract data type for the module signature (Ej,E e ),
or (S,, E e )-modwJe for short, is a (total) function
F :
such that the class F(A) is an abstract data type for each A
Alg(i)i in this definition Clas9(e) denotes the "collection" of all
classes of Ee-algebras.
(ii) A (Sj,e)-module F is called persistent if
for each A e Alg(Si):
for each B
It is called consistent if F(^4) ^ 0 for each A
(iii) A (Sj, Ee)-module F is called monomorphic if F(A) is monomorphic
for each A Alg(Ei).
Informally, persistency expresses the fact that inherited sorts and operations have the "same" meaning in A and F(A); consistency expresses the
fact that the mapping F is "effective" .
Clearly, an abstract data type (in the sense of Definition 2.15) may be
viewed as a module with an empty import signature.
14.2
Atomic module specifications
The different atomic specifications of sections 10 to 12 are now generalized

for module specifications. By way of restriction, only module signatures
(Ej, E e ) with Sj C Ee are considered. This restriction is irrelevant because
286
the constructs forget and export rename of the specification language

of section 14.3 will allow modules with S, Se to be obtained.
First, the case of loose specifications is treated (cf. Definition 10.1).
Definition 14.3 (Loose module specification). Let L be a logic.
(i) (Abstract syntax.) A loose module specification in L is a pair msp =
((S,,E e ),$) where (j, e ) is a module signature with Sj C Ee and
where $ C L(E e ) is a set of formulas.
(ii) (Semantics.) The meaning of the loose module specification msp
((;, e ), $) is the module M(msp) defined by
M(msp)(A) = {B& Algê) B \= $ and (B \ ,) ~ A}
for each A 6 Alg(Tn).
Clearly, the meaning of a loose module specification is persistent but not
necessarily consistent.
A possible concrete syntax is like that for loose specifications of section
10.1 but with the keyword import preceding each sort and operation of
the import signature and with mspec instead of spec.
Example 14.4. The following example is similar to Example 10.2:
loose mspec sorts
list, import bool, import el
opns
import True: -> bool
import False : > bool
[ ]: -4 list
Add: el x list > list
- . - : list x list > list
Isprefix: list x list -> list
vars
l,m,n: list,e: el
axioms [ ]./ = /
Add(e, l).m Add(e,l.m)
(Isprefix(l,m) True) = (3n.(m = l.n))
endmspec
Hence, S; = ({bool, el}, {True, False}) and Se = ^t\j({list}, {[ ], Add,...}).
Informally, the module specification specifies lists. The abstract data types
bool and el are to be defined "elsewhere". Clearly, the abstract data type
el is intended to be a parameter.
Loose module specifications with constructors and/or free constructors
may be defined similarly.
Next, the case of initial specifications is treated (cf. section 11.1).
Definition 14.5 (Initial module specification).
(i) (Abstract syntax.) An initial module specification in equational logic

is a pair msp = ((Sj, =),$) where (Sj,S e ) is a module signature
with EJ C Ee and where $ C EL(T,e) is a set of equations.
287
(ii) (Semantics.) The meaning of the initial module specification msp =

((j, e ),$) is the module M(msp) defined by
M(msp)(A)
{BÂlg(T,e)\
B is a free extension of A
for(E e ,*)}
for each A Alg(Ei) (cf. Definition 13.4).
Clearly, the meaning of an initial module specification is consistent; it is
persistent only if for each A Alg(Y,i) the free extension of A for (S e ,$)
is persistent (cf. Definition 13.4).
Constructive module specifications may be defined similarly. Their
meaning is persistent and consistent.
By the way, loose module specifications may be simulated by normal
specifications in the following sense. If msp = ((Ej,E e ),$), { C e , is
a loose module specification, consider the loose specification sp = (E e , <).
Then
M(sp) = {M(map)(A) \ At Alg^}}.
In other words, a loose module specification differs from a loose specification
only by the fact that the sorts and operations to be specified "elsewhere",
i.e. those of $, are explicitly marked by the keyword import. Note that
this remark does not hold for initial or constructive module specifications.
14.3
A modularized specification language
An elementary modularized specification language, called MSL, is presented. Like the specification language SL presented in sections 13.1 and
13.2, it is not designed for practical use but merely tries to capture the
main features of the modularized specification languages presented in the
literature.
Again, the following definition associates with each module specification msp a module signature S(msp). The goal of the different "context
conditions" contained in the definition is essentially to avoid name clashes
between the export and import signatures and thus preserve the property
of persistency.
Definition 14.6 (Abstract syntax of the modularized specification
language MSL). The set of module specifications msp of the language
MSL and their module signatures S(msp) are defined inductively:
(i)
any atomic module specification atm is a module specification;
S(atm) is the module signature of this atomic module specification;
(ii)
if mspl and msp2 are module specifications with <S(mspj) (Sit, i e ),
S(msp2) = ( 2 i,2e) and if
each sort and each operation of H\e fl S2i is inherited in
each sort and each operation of E 2e n SH is inherited in
288
\[^
e U S2e
ji
Se
1l
m^ P2
/i
Ei.
msj,
77k!Oo
yl
'1,
i1
E
mt'Pi
S2i
I î
^'
EH US? .
(a) Illustration of Wispj + msp^
VI.
(b) Illustration of msp2
Fig. 3. Illustration of the syntax of the constructs "+" and "o" of the
modularized specification language MSL.
S(msp2),
then
(msp1
is a module specification with S(mspl + msp2) = (E^ U 2*, Sie U
S2e) (cf- Figure 3(a));
(iii)
if mspi and msp2 are module signatures with t^mspj) = (j,E),

S(msp2) = (E,E e ), then
is a module specification with S(msp2msp1 ) = (j, E e ) (cf. Figure
(iv)
if msp is a module specification with

// : Se ^ E' is a renaming such that
or operation so with î(so) ^ so, then
= (Ei,S e ), if
Si for each sort
(rename msp by /j.)

is a module specification with <S (rename msp by /x) = (Ej, /i(E e ));
(v)-(x) the constructs forget, extend, model, generated, freely generated, freely extend and quotient are defined similarly to (iv)
(cf. Definition 13.1(iv) to (vii) and Definition IS.lO(viii) to (ix)).
289
Definition 14.7 (Semantics of MSL). The semantics M(msp) of a

module specification msp is a module (in the sense of Definition 14.2) and
is defined inductively according to Definition 14.6:
(i)
(ii)
the semantics M(atm) of an atomic module specification aim is

the module defined by this atomic module specification (see section
14.2);
if 5(mspj) = (ij, Si e ) and <S(msp2) = ( 2i , 2e ), then
M(mspl + msp2)(A)
=
(iii)
{ B Alg(Zle U S2e) | (B \ le ) M(msPl)(A \ E),

(B|2e)eM(msp2)(.4|2i)}
for all A Alg(Zu U 2i );

if 5(msp!) = (,) and 5(msp2) = (, e ) then
./M(msp2 o msp1)(A) =
(iv)
(^J
.M(msp2)(.B)
for all A e Alg(Zi);

if S(msp) = (Ej,S e ), then
(rename msp by
for all A e
(v)-(x) similar to (iv) (cf. Definition 13.2(iv) to (vii) and Definition 13.10(viii)
to (ix)).
The reader may easily check that these different definitions are consistent.
The different language constructs, except for freely extend and quotient, may be shown to preserve persistency (cf. the remark following Definition 13.10). The constructs also preserve consistency except possibly
+, model, generated and freely generated; the construct + preserves
consistency, when applied to persistent specifications.
As announced above, the constructs rename and forget may lead to
module specifications, the import signature of which is not a subsignature
of the export signature.
An environment may be added in a way similar to that of section 13.3.
Example 14.8. Let msp denote the atomic module specification of Example 14.4. An example of a module specification with environment is:
LIST is msp;
BOOL is loose mspec sorts freely generated bool
opns constr True : > bool
constr False : ^ bool
endmspec;
LIST o BOOL
290
The import signature of this module specification is empty. Hence, it may

be viewed as a specification with signature
({bool, el, list}, {True, False, [ ], Add,...})
defining lists of "elements".
Further comments on the modularized specification language may be
found in section 14.5.
14.4
A parameterized specification language
The parameter mechanism introduced in this section is a very elementary

one. It allows the simulation of most of the parameter mechanisms that
are described in the literature (see section 14.6).
According to this parameter mechanism, a parameter is a distinguished
sort or operation of the import signature of a module specification. In the
module specification of Example 14.4 the imported sort el is predestined as
a parameter in contrast with the imported sort bool. The reason is that the
sort el is concerned with reusability while bool is concerned with modular
design. More precisely, the intended meaning of bool is fixed while the
meaning of el is intentionally left pending. In fact, it makes sense to use
the module specification with different meanings for el, for instance natural
numbers, strings or lists of lists of natural numbers, but it is not sensible
to use the module with a meaning for bool other than the intended one.
By the way, the difference between imported sorts or operations that are
parameters and those that are not is similar to that between parameters
and global variables in the procedure body of an imperative language.
As a result, imported sorts and operations that are parameters and
those that are not do not differ in their semantics but merely differ in their
intended use. Providing a module specification language with a parameter
mechanism may therefore be reduced to the introduction of two additional
language constructs called import rename and import model, respectively. The first of these constructs allows parameter passing by renaming
the (imported sorts and operations that constitute the) formal parameters
into their actual values. In the case of Example 14.4 it allows one to
rename the sort el into, for instance, nat or string. The second construct
allows one to put semantic constraints on the parameters. For instance, a
module specification of "ordered lists" that is parameterized in the sort of
its elements requires that the carriers of this sort satisfy the axioms of a
partial orderas will be illustrated in Example 14.13.
The following two definitions introduce a parameterized specification
language called PSL. This language is identical with the module specification language MSL except for the two additional language constructs mentioned above.
The definition of the construct import rename is slightly more complex than the above comments may suggest. While the construct introduces
291
"new" names for the sorts and operations of the import signature, it generally modifies the export signature too. In fact, the inherited sorts and
operations in the export signature have to be renamed accordingly. The
same holds for the inherited sorts occurring in the arities of the exported
operations. For this reason the signature morphism is defined as a signature
morphism fj,: Ej U Se E' rather than // : EJ > E'.
Definition 14.9 (Abstract syntax of the parameterized specification language PSL). The set of parameterized specifications psp of the
language PSL and their module signatures S(psp) are defined inductively:
(i)-(x) as Definition 14.6(i) to (x) but with "parameterized specification"
instead of "module specification";
(xi)
if psp is a parameterized specification with S(psp) = (Ej,S e ) and
if n : Ej U Ee t E' is a surjective signature morphism satisfying
the following four conditions:
(a) for each sort s from E e \Ej, n(s) = s,
(b) for each operation u> from E e \j, /x(w) and w have the same
operation name,
(c) for any two different sorts or operations so\e and so-ze from
S e , n(soie) n(so?,e) implies that both so\e and soê are
inherited,
(d) for any sort or operation so, from Ej and soe from S e ,
l_t(soi) = n(soe) implies that soe is inherited,
then
(import rename psp by /x)
is a parameterized specification with
^(import rename psp by p.) = (/i(Sj),/x(S e ));
(xii) if psp is a parameterized specification with S(psp) = (Sj, e ) and
if $ C L(Ej) is a set of formulas for some logic L, then
(psp import model *)
is a parameterized specification with
S(psp import model $) = S(psp).
Informally, conditions (xi)(a) and (xi)(b) express the fact that /j, constitutes a renaming of the import signature. More precisely, condition (xi) (a)
expresses the fact that n renames sorts from Se only if they are inherited.
Condition (xi)(b) expresses the same property for operations or, at least,
for their names; the condition does not extend to their arities: if a noninherited operation u from Se contains imported sorts in its arity, w and
n(w) may differ from each other in their arities. Conditions (xi)(c) and
(xi)(d) avoid "name clashes". More precisely, condition (xi)(c) expresses
292
the fact that p. is injective on the non-inherited sorts and operations from
Se. Condition (xi)(d) expresses the fact that p, may identify a sort or operation from , and a sort or operation from Se only if the latter is inherited.
Note that the signature morphism n is not necessarily bijective and hence
may fail to constitute a renaming in the sense of Definition 5.1(ii). This is
sensible because it must be possible that two different formal parameters
get the same actual value (see Example 14.11).
In the concrete syntax one uses pspec and endpspec instead of mspec
and endrnspec.
Definition 14.10 (Semantics of PSL). The meaning M(psp) of a parameterized specification psp is a module (in the sense of Definition 14.2)
and is inductively defined according to Definition 14.9:
(i) to (x) as in Definition 14.7 but with "parameterized specification"
instead of "module specification";
(xi) ifS(psp) = (Si.Se), then
M (import rename psp by n}(A)
= { B 6 Alg((Ee)) | (B | (/z|EJ) M(psp)(A \ (/i| Ej )) }
for each A 6 Alg(fj,(Si));
(xii) if S(psp) = (Ef,E e ), then
...
.
.
,
/ M(psp)(A)
W/n
M(psp
import model1 A$)(/!)
= <
v
(0
for each A E. Alg(i).
ifA\=$,
,,
otherwise
The meaning of the construct import rename is as expected. The effect

of the construct import model is to "eliminate" the imported algebras
that fail to satisfy $.
The construct import rename preserves persistency and, when applied
to persistent specifications, consistency. The construct import model
preserves persistency but not necessarily consistency.
Again, the addition of an environment presents no problem.
Example 14.11. A "declaration" of a parameterized specification is
PAIR is loose pspec sorts freely generated pair,
import eli, import el?
opns constr [_ , _ ]: el\ x el2 -* pair
First :pair > el\
Second : pair -> el2
vars
e\: eli, e2: el-2
axioms Fz'rsi([e1;e2]) = ei
Second([ei,e2]) = e2
endpspec
An instantiation of this parameterized specification is
293
import rename PAIR by sorts e l i , eli as sorts nat, not

The instantiation specifies pairs of natural numbers or, more precisely, of
carriers of sort not. Its module signature (,, S e ) is as expected:
i = ({nat},),
T,e = ({nat,pair}, {[_]: nat x nat -> pair, First -.pair -> na,
Second :pair > nat}).
The example illustrates that import renaming must not be injective.
The notation for an instantiation is clumsy and requires repetition of
the formal parameters. By storing the formal parameters in the environment one may adopt a "sugared" notation similar to that of programming
languages: the formal and actual parameters are written between brackets
after the name of the parameterized specification. This notation has the
additional advantage that it explicitly distinguishes between parameters
and imported sorts and operations that are not parameters.
Example 14.12. The parameterized specification of Example 14.11 may
now be written:
PAIR (sorts eli, el2) is
loose pspec sorts freely generated pair,
import eli, import e/2
opns [_ , _ ] : . . .
endpspec
Similarly, the instantiation is written:
PAIR (sorts nat, nat)
The following example illustrates the use of import model for expressing parameter constraints.
Example 14.13. The following parameterized specification defines ordered lists. In it the construct import model makes sure that the relation
"C" is a partial order.
ORDERED-LISTS (sorts el, opns _ C _ : el x el -> boot) is
((loose pspec sorts freely generated list,
import bool, import el
opns import True: > bool
import False : -4 bool
import _ C _: el x el t bool
constr [ ]: -> list
constr Add : el x list - list
Is-ordered : list bool
vars
e,e\,e^: el, I: list
axioms Is-ordered([ ]) = True
294

Is-ordered(Add(e, [ ])) = True
(d C 62) = True D
Is- ordered ( Add (ei, Add (e^, I))) =
Is-ordered(Add(e<2,l))
(e\ C 62) = Fafae D
endpspec)
import model
vars
6,61,62,63: d
axioms (e C e) = TVwe
(ei C e 2 ) = Trwe A (e2 C e3) = True D
(ei C 63) = True
(ei C e 2 ) = True A (e2 C ei) = True D
ei = e 2 )
Now let
NAT is (loose pspec sorts
freely generated boot,

freely generated nat
opns constr True : > bool
constr False : > 6ooZ
constr 0 : > nat
constr SWcc : nat > na
_ < _ : nat x nai > bool
vars
m, n: nai
axioms (0 < n) = TVue
(5wcc(m) < 0) = Fafee
(Succ(m) < Succ(ri)) = (m < n)
endpspec)
Then
ORDERED-LISTS (sorts not, opns <:natx nat -> 600?) o
is a specification of ordered lists of natural numbers. Of course, this specification makes sense only if the module it defines is consistent (in the sense
of Definition 14.2). Hence, it is necessary to prove that "<" satisfies the
axioms of "C".
By the way, if the reader is still irritated by the clumsy notation he
should remember that the specification languages presented are not intended for "practical" use.
14.5
Comments
The remarks on flattening, properties and proofs, rapid prototyping and

further constructs of sections 13.4 to 13.5 carry over to the specification
languages MSL and PSL. By way of a restriction rapid prototyping is not
possible as long as the meaning of the imported sorts and operations is not
fixed.
14.6
295
Alternative parameter mechanisms
The literature contains a large number of proposals for modularized and

parameterized specification languages and, in particular, for parameter
mechanisms (see, for example, [Ehrig and Mahr, 1985; Ehrig and Mahr,
1990; Ehrich et al., 1989; Burstall and Goguen, 1980; Wirsing, 1986; Broy
et al., 1993; Lehmann and Loeckx, 1993]). Most of them differ from the
languages presented here by being less "elementary". The interface, for
instance, generally consists of signatures or even specifications rather than
single sorts and operations. Two parameter mechanisms are now roughly
sketched.
In the X-calculus approach a parameter consists of a complete specification. More precisely, a parameterized specification is of the form
XX:par.sp
(14.1)
where par and sp are specifications of a specification language with environmentsuch as the specification language PSL (with an environment)and
where X is a name. It is understood that X may occur in the specification
sp. Informally, the notation "A": par" indicates that actual parameters have
to be of "type" par, i.e. have to belong to the abstract data type defined
by par. Somewhat more precisely, (14.1) is equivalent to the following
parameterized specification of PSL:
the environment is extended by the declaration
X is ...
where ... stands for the loose atomic module specification ((S(par),
S(par)), Th(M(par))); informally, this module specification leaves
the signature <S(por) unchanged but adds the formulas of the theory
of the abstract data type defined by par;
sp is turned into a parameterized specification of PSL by defining the
sorts and operations of S(par) as imported sorts and operations or,
more precisely, as parameters.
Alternatively, one may define ... to stand for the loose atomic module
specification ((S(par),S(par)),) and add Th(M(par)) to the parameterized specification obtained from sp with the help of the construct import
model.
The following approach is called the pushout approach because the
parameter passing mechanism is defined as a pushout in an appropriate
category. The approach was first described in [Ehrich and Lohberger,
1979]. It makes use of the notion of a specification morphism (introduced
in Definition 13.19(ii)). To simplify the description of the approach it is
assumed that all specifications are atomic ones or, alternatively, have been
turned into atomic ones by the meaning function J\f of section 13.8. A
parameterized specification is now a specification morphism
296
par
'r
7T
''
sp(par)
\
-^ <?r> /
Fig. 4. The specification sp(act) is the pushout object of the specification

morphisms K and /z.
TT : par '-^ sp(par)
that is an inclusion. The specification par = (E p0 rj3> P ar) constitutes the
formal parameter; the specification sp(par) = ( sp ( pa r)>$s P ( P ar)) constitutes the parameterized specification proper. The notation sp(par) is intended to suggest that par is "part of" sp(par) according to the inclusion ir.
Note that par C sp ( par ) and $*paT C $* , ar j because TT is a specification
morphism. Parameter passing is defined as a specification morphism
: par
act
where act = (Soctâct) is the specification constituting the actual

parameter. Note again that (/i($par))* C $*c< because p. is a specification
morphism; this forces the actual parameter act to "respect" the requirements 4>par imposed on par. Finally, the effect of parameter passing is a
specification sp(act) that is characterized as the pushout object of TT and
fi in the category of specifications and specification morphisms (see Figure
4). This pushout object is unique up to isomorphism and its existence is
granted in the usual category of specifications and specification morphisms.
Roughly speaking, the pushout of TT and fi constitutes the "minimal completion" to a commutative square. It yields the specification morphism
p! : sp(par) > sp(act) describing the relationship between the specifications before and after replacing par by act, and the specification morphism
TT' : act <> sp(act) describing the embedding of the actual parameter into
the resulting specification.
The semantic counterpart of the pushout construction is given by the
amalgamation lemma ([Ehrig and Mahr, 1985], p. 217). The class
M(sp(act)) consists of the sp(act)-algebras C for which (C | TT') = A and
(C | //) = B with A e M(act), B e M(sp(par)) and (A | fj.) = (B | TT).
Informally, (A\ fji) = (B \ ?r) requires that the parameter components of A
and B coincide; C is the algebra B with the par component of B replaced
by A. A similar property holds for the sp(acj)-homomorphisms.
It is not difficult to simulate the pushout approach in the specification
297
language PSL when the parameter passing /j, is surjective. The renaming
effect of parameter passing may then be simulated by the import rename
construct together with the (surjective) signature morphism
A*
Essentially, this signature morphism performs the renaming of the import

signature Epar into E OC ( and of the inherited sorts and operations in the
export signature sp ( por ). The condition that the different morphisms are
specification morphisms may be taken care of by the construct import
model as in the case of the (simulation of the) A-approach. When the
parameter passing \i is not surjective the sorts and operations of SaC(
M(Epar) nave to t>e added to the result of the import rename construct as
inherited sorts and operations. This may require a preliminary renaming
to avoid "name clashes" . Clearly, one of the advantages of the pushout
approach with respect to its simulation in PSL is that all renamings are
performed implicitly.
15
Further topics
The present section discusses topics the treatment of which has not (yet)
reached the level of maturity of the topics treated above. The reader interested in more details is referred to the bibliographic notes of section
15.7.
15.1
Behavioural abstraction
It is a fundamental principle of specification not to distinguish between

"similar" algebras. Clearly, isomorphic algebras are "similar" as they possess, for instance, the same theory. For this reason abstract data types
were defined as algebra classes closed under isomorphism. The interest in
monomorphic abstract data types exhibited throughout this chapter may
suggest that, conversely, "similar" algebras are necessarily isomorphic. The
following example shows that in some situations it may be sensible to use
a notion of "similarity" that is more general than that of isomorphism.
Example 15.1. Let = (S, fi) be a signature with S = {bool,nat,set}
and H = {0 : nat,Succ:nat > nat, 0 : set, Add: nat x set > set,
. . : nat x set -> bool}. Let A and B denote the "classical" algebras of
respectively sets and lists of natural numbers. More precisely:
A(bool) = B(bool), A(nat) = B(nat), A(0) = 5(0), A(Succ) =
B(Succ) are classical;
A(Q) is the empty set, 5(0) is the empty list;
A(Add) adds a number to a set, B(Add) adds a number to the front
of a list;
checks whether a number is in a set and similarly for -B(e).
298
Clearly, A and B are not isomorphic and even fail to have the same
theory. For instance, putting
t = Add(0, 0), u = Add(0, Add(0: 0)),
one has A(t) = A(u), but B(t) ^ B(u).
On the other hand the algebras A and B behave "similarly" with respect
to the operation "e". More precisely, it is easy to show that A(t) = B(t) for
all ground terms t Tsôoi of sort bool. Informally, this property ensues
from the fact that membership depends neither on the order of insertion nor
on the number of times an element has been inserted. Hence the algebras
A and B are "similar" whenever one restricts attention to the membership
problem or, put another way, to the effect of set on the "outside world" of
bool.
This notion is now defined formally.

Definition 15.2 (Behavioural equivalence). Let = (S, J7) be a signature and So C S a set of sorts called observable sorts. Two S-algebras
A and B are said to be behaviourally equivalent on SQ, if
for each sort s 5o,
for all ground terms t, u TE<S,
One then writes A s0 B.
Example 15.3. Let A and B be the algebras of Example 15.1. Let C similarly be the "classical" algebra of multisets (i.e. "sets" in which elements
may occur more than once). Then A f^{booi} B ~{&0oJ} C.
The following corollary states that behavioural equivalence generalizes
isomorphism.
Corollary 15.4. Let E = (5, ft) be a signature, SQ C S be a set of sorts
and A and B be 'Z-algebras.
(i) IfA~B, then A wSo B.
(ii) If A 5 B and both A and B are generated algebras, then A ~ B.
Definition 15.5 (Behavioural abstraction). Let S = (5, fi) be a signature, So C S & set of sorts and C C Alg(^) an abstract data type. The
behavioural abstraction of C with respect to SQ is the class of E-algebras
Behav(C, S0) = { A E Alg(S) \ A wSo B for some B e C }.
By Corollary 15.4 a behavioural abstraction is again an abstract data
type. The following theorem states that a behavioural abstraction of a
monomorphic abstract data type contains final algebras (Definition
299
Theorem 15.6. Let S = (5,0) be a signature, So C 5 a set of sorts

and C C Alg(S) a monomorphic abstract data type. Then Behav(C,Sg)
contains final algebras.
Example 15.7. Let A, B, C be as in Example 15.3. Put C =
{ D Alg(S) \D~A}. Then A, B and C all belong to Behav(C, {bool}).
It is possible to prove that A is final in C.
Theorem 15.6 allows one to introduce one more specification method.
One should remember that final algebras are unique up to isomorphism
(Theorem 2.14(ii)).
Definition 15.8 (Final specification).
(i) (Abstract syntax.) A final (or behavioural) specification is a triple
sp = (, 4>, SQ) where (, $) is an initial specification with = (5, fi)
and where 5o C 5.
(ii) (Semantics.)
The meaning .M(sp) of a final specification
sp = (, $, 5o) consists of the class of final algebras of Behav(C, So)
where C is the (monomorphic abstract data type that constitutes the)
meaning of the initial specification (,$).
Example 15.9. Let A be the algebra of sets and B the algebra of lists of
Example 15.1. If (, 3>) is an initial specification for B, the final specification (, $, {boot}) is a specification for A. Informally, this means that the
effect of behavioural abstraction is the same as that of the equations in an
initial specification
Add(n,Add(n,s)) = Add(n,s)
Add(n, Add(m, s)) = Add(m,Add(n,s))
distinguishing sets from lists.
15.2 Implementation
Informally, an implementation consists in the design of an efficient program
for a given specification. This design includes, in particular, the transformation of a possibly loose non-constructive specification into a constructive
one. It generally also includes a change of data types.
The implementation of data types by other more "concrete" ones is
briefly discussed in the present section. To abstract from specification
details, the notions are defined on data types rather than on specifications.
Example 15.10. A classical example of an implementation is that of
stacks by arrays and integers. Informally, the contents of a stack of depth
n are stored in the elements A[l],..., A[n] of an array A; the integer has
the value n and thus "points" to the topmost stack element. The operation Push is implemented by writing the new element into A[n + 1] and by
adding one to the integer. The operation Pop is implemented simply by
subtracting one from the integer.
300
Clearly, an implementation of stacks by arrays and integers is "sensible" : the abstract data types array and integer are more "concrete" than
the abstract data type stack because they are available in any imperative
programming language and thus are "nearer" to a program.
The example above illustrates three features of an implementation:
(i) a data type is in general implemented by several data types rather
than by a single one; in the example stack is implemented by array
and integer;
(ii) there does not necessarily exist a one-to-one relation between a data
type and its implementation; in the example arrays differing only by
the elements beyond the element pointed to by the integer represent
the same stack;
(iii) the implementing data types may get values that do not represent
values of the implemented data type; in the example an integer may,
for instance, have a negative value.
At first glance one may think that the notion of behavioural equivalence introduced in section 15.1 may capture the notion of implementation.
Actually, this does not work because of feature (iii) above.
The following definition is intended to capture features (ii) and (iii).
Definition 15.11 (Realization). Let A and B be S-algebras for some
signature E. The algebra B is said to realize A if A is isomorphic to a
quotient of a subalgebra of B.
Informally, the definition accounts for feature (iii) by means of the subalgebra and for feature (ii) by means of the quotient.
The next definition is intended to capture feature (i). The specifications
used in it are from a specification language such as SL.
Definition 15.12 (Construction term). Let Bi,...,Bm be algebras
for signatures E 1 ; . . . , E m , m > 1. Let spl,..., spm be strictly adequate
specifications of Bi,...,Bm (cf. Definition 9.1). A construction term of
BI, ..., Bm is a monomorphic specification sp that:
contains (occurrences of) the specifications spl,...,spm instead of
(occurrences of) atomic specifications;
uses only the constructs "+", rename and forget.
Informally, sp is obtained by "putting together" sp1,..., spm.
Finally, it is possible to introduce the notion of an implementation of
an algebra by other algebras.
Definition 15.13 (Implementation). Let A,Bi,...,Bm, m > 1, be
algebras and let sp be a construction term of BI, ..., Bm. The specification
sp is said to constitute an implementation of A by the basis BI ,..., Bm if
each algebra of the abstract data type M(sp) defined by sp realizes A.
301
The condition "sp realizes A" in this definition constitutes the correctness
criterion of the implementation. The investigation of this criterion is one
of the topics in the study of implementations.
The notion of implementation introduced above is for algebras. A generalization of this notion for abstract data types and modularized abstract
data types is straightforward. This generalization naturally leads to a notion of implementation for specifications and parameterized specifications.
An interesting question is whether the realization "is implemented by"
is transitive. Another question is whether the relation is compatible with
the constructs of a specification language.
15.3
Ordered sorts
It is common in mathematics that some data types are "subtypes" of others.

For example, non-zero natural numbers constitute a subtype of natural
numbers which in turn constitute a subtype of integers. These subtypes
"inherit" functions from their supertypes. More precisely, if / : A > B is
a function, if C C A and if B C D, then the function g : C D defined
by 9(c) = f ( c ) fr all c e C is said to be obtained by inheritance.
These notions are now defined formally.
Definition 15.14 (Order-sorted signature). An order-sorted signature
is a triple E = (S, ft, <) such that the following conditions hold true:
(i) (S, ft) is a signature in the sense of Definition 2.1;
(ii) < is a (reflexive) partial order on S;
(iii) whenever H:SI x ... x Sk -* s 6 fl, k > 0, s[,..., s'k, s' S,
s
'i < s i j > s fc < Sfc, s < s', then n: s[ x ... x s'k > s' n too.
Note that an order-sorted signature in general fails to be strongly typed
(see Definition 3.2).
Example 15.15. An example of an order-sorted signature is the triple
S = (S, fl, <) with
5
n
=
=
{nat, int, bool},

{0:->nai,
Succ: nat > nat,
Succ : int > int,
Pred: int -> int,
Root: nat -4 nat,
True : -4 bool, False : -y bool,
Eq: int x int -y bool } U f l c ,
< = {(nat, int)} Li {(nat, nat), (int, int), (bool, bool)}
where, according to Definition 15.14(iii),
302

nc
{ 0: -> int,
Succ: nat > int,
Pred: nat -4 int,
Root: nat > int,
Eq: nat x int > bool,
Eq: int x nat > bool,
Eq: nat x nat > bool }.
Definition 15.16 (Order-sorted algebra). Let E = (S, Q, <) be an

order-sorted signature. An order-sorted algebra for S, or ^-algebra, is an
(5, fi)-algebra (in the sense of Definition 2.3) with the following conditions
holding true:
(i) (Subtype condition.) A(SI) C Afa) for any si,S2 S with si < s 2 .
(ii) (Inheritance condition.) whenever <jj = (n: i x ... x Sk > s) ft and
w' = (n: s[ x . . . x s'k -> s') ft with sj < si,..., s'k < Sk, s < s',
k>0, then
A(u')(ai ,...,ak) = A(ui)(ai,. ..,ak)
for all ai 6 A(s'1), ...,ake A(s'k).
Example 15.17. Referring to Example 15.15, a E-algebra is the "classical" algebra given by the natural numbers and the integersboth equipped
with the number zero as well as the successor, predecessor, square root and
equality functionsand the truth valuesequipped with the values true
and false.
Homomorphisms and terms may be defined in the usual way. As the
signature is in general not strongly typed, a term may have different sorts.
It should also be noted that some terms are no longer correctly typed
that one would consider intuitively so. The term Root (Pred (Succ(Q))), for
example, is not correctly typed, because the subterm Pred(Succ(0)) only
has the sort int. This is unintuitive because in the "classical" algebra the
evaluation of this "term" isintuitively speakingunproblematic.
Logic may be defined in the usual way. By way of an important result,
the initiality results of section 11 remain valid. Moreover, the notion of
term rewriting in the same section may be easily generalized for ordered
sorts while keeping the main properties.
An example of application of ordered sorts is given in section 15.4.
15.4
Exceptions
Informally, an exception is a situation in which a computation cannot be

pursued. Classical examples of exceptions are division by zero, popping an
empty stack, computing the predecessor of zero in N 0 , etc. Imperative programming languages handle exceptions as "emergency exits" by means of
a jump statement. The treatment of exceptions in functional programming
303
languages is less trivial. Hence it is not surprising that there is no simple

solution to the exception problem in algebraic specification.
There exist essentially four different solutions to the exception problem
in algebraic specifications: a logical solution, a partial algebra solution, an
error solution and an order-sorted solution.
In the logical solution the treatment of an exception is left pending by
the use of loose specifications. Such a specification, for instance, axiomatically fixes the value of the predecessor function only for non-zero arguments
(Example 10.10).
In the partial algebra solution a function with exceptions is modelled
as a partial function. Popping the empty stack, for instance, leads to the
undefined value.
In the error solution the partial algebra solution is simulated by total
algebras. To this end an extra carrier is added to each carrier set: it is
called Error and represents the undefined value. This approach leads to
specifications with additional formulas fixing the function values in case
one or more arguments are Error as illustrated by equations (11.2) and
(11.3) in Example 11.7. If one adopts the strictness convention, a function
value is Error whenever one of the arguments is Error and the corresponding formulas need not appear in the description of the specification. Of
course, these formulas may not be ignored in proofs or in rapid prototyping. Unfortunately, there exist operations that are not compatible with the
strictness convention. An example of such an operation is if-then-els e-fi:
if True then ... else Error fi
should yield ... as a value, not Error. By way of a conclusion, the error
solution leads to essentially larger sets of formulas that harm the transparency of specifications and make proofs more elaborate.
The order-sorted solution uses order-sorted algebras. The following
example illustrates the idea.
Example 15.18. Let = (S, ft,<) be the order-sorted signature with
S = {el, stack, nestack} (where nestack stands for "non-empty stack"),
with
fi = {Emptystack : > stack,
Push : stack x el -> nestack,
Pop : nestack stack} U fJc
and with "<" defined by nestack < stack. As in Example 15.15, fic accounts for Definition 15.14(iii); in the present case
fic = {Push: nestack x el -> nestack}.
An order-sorted E-algebra A is defined by:
A(stack) = the set of all stacks with elements from A(el),
A(nestack) = A(stack) {the empty stack},
A(Emptystack) = the empty stack,
304

A(Push), A(Pop): as expected.
The main difference with the "classical" (partial) algebra of stacks is that
A(Pop) is now a total function, its domain being A(nestack) rather than
A(stack).
A precise treatment of the order-sorted solution is outside the scope of
this overview. Let it suffice to note that a sort SQK is added for each
"concerned" sort s. This sort is "safe" in that it does not lead to errors.
In the above example nestack stands for stack OK
15.5
Dynamic data types
Data types are "static" structures consisting of sets and functions. Pieces
of software, however, nearly always contain "dynamic" parts consisting of
processes operating on data. As long as these processes are algorithms,
they can conveniently be described in a functional style that is compatible with algebraic data type specification, i.e. the algorithms are specified
as functions within data types. However, algebraic specification as described in this chapter reaches its limits when the processes are reactive,
i.e. when they havepossibly elaborateinteraction structures with the
environment, and when they are concurrent, i.e. when several processes act
independently and autonomously.
Dynamic data types constitute an extension of "static" data types that
is intended to overcome these limits. Several approaches have been proposed in the literature. The ones most widely discussed so far are based
on the idea that concurrent processes are simply data. Basically, these
approaches introduce an imperative flavour into the functional style of abstract data type specification by introducing sorts for process datasuch
as states and actionsand process operationssuch as state transitions.
On the semantic level some of these approaches use infinitary extensions of
algebrassuch as continuous algebras or projection spacesand a form of
behavioural semantics.
In order to get the flavour of the dynamic data type approach, the basic
concepts of one of the earliest and most elaborate approaches in this area,
viz. SMoLCS [Astesiano and Reggio, 1987], are briefly outlined.
Definition 15.19 (Dynamic signature). A dynamic signature is a triple
(E,S 0 ,n) where:
S = (5, (7) is a signature in the sense of Definition 2.1,
S0 C 5 is a set of sorts called dynamic sorts,
II is a set of transition predicates of the form
n:si x ... x Sfc
where n is a transition name and $1,..., Sk 6 S, k > 1.

It is required that for each dynamic sort d S0:
305
(i) there is a sort l-d 6 S S0 called the label sort of d;

(ii) there is a predicate _ -4 _ : dx l-dx d S II.
Example
tended to
language:
S
So
fi
15.20. The following dynamic signature ((5, n),5 0 ,II) is inmodel state variables of sort s of an imperative programming
= { s,Var[s}}, 1- Var[s] ,
= { Var[S}} ,
= {[]:-+ Vbr[s],
[ _ ] : s -4 Var[s],
:=_: s -> 1 - Vor[s] },
= { . -^ . : Var[s]xl - Var[s]x Var[s] }.
Informally, the sort s stands for the values to be assigned, the sort Var[s]
stands for the variables containing values of sort s and the sort 1 Vor[s]
stands for labels identifying transitions, i.e. "actions" on variables. For
instance, [_L] stands for a variable with undefined contents and [a] stands
for a variable with contents a. Similarly,
:= a
stands for the action of assigning the value a to a variable. Finally, II
is used to denote the possible transitions representing the assignments of
values to variables.
The signature is used in Examples 15.21 and 15.22.
A precise definition of the notion of a dynamic algebra is beyond the
scope of this overview. Informally, a dynamic algebra for the dynamic
signature (S,5 0 ,II) consists of:
a S-algebra (in the sense of Definition 2.3), say A;
for each element of II, say n : s i X . . .xsk, a subset of A ( S I ) X . . .xA(sk).
In such an algebra the triples of the subset defined by "_ -^ _" constitute
the possible transitions.
Example 15.21. A possible dynamic algebra for the dynamic signature
of Example 15.20 is defined as follows:
the E-algebra A is as indicated in the comments on Example 15.20;
the meaning of II is defined to be:
{[JL] ^ [a] | a e A ( s ) } u { [ a ] ^4 [b] \a,b&A(s)}.
The triples of (the meaning of) II represent the possible transitions; each
transition consists in the action of assigning a value to a variable.
Note that in the example the actions of the transition predicate are deterministic. This need not be so in general.
Abstract dynamic data types and dynamic specifications are defined as
usual.
306
Dynamic algebras may model transition systems of various dynamic

sorts. The question remains how dynamic algebras reflecting the isolated
and cooperative behaviour of these systems may be specified. In the case of
isolated behaviour, specification up to behavioural equivalence is practical
and feasible. In the case of cooperative, i.e. concurrent, behaviour, configurations consisting of multisets of local states are introduced, together with
global information on the configuration. Global transitions are specified by
splitting the specification into several steps; at each step some partial moves
are defined using the partial moves at the previous step; at the first step,
the partial moves are defined by using the transitions of the components.
Contrasting with the approaches to dynamic data types discussed above
there exist approaches in which processes are represented as algebras rather
than as data. These approaches offer the possibility of providing states
with an algebraic structure that can be specified along the lines described
in this book. A transition structure on top of the algebras allows one to
move from one state algebra to another. More precisely, a transition allows
one to remove or add carriers, or to redefine (the functions that constitute)
the meaning of the operations.
15.6
Objects
Since the advent of SMALLTALK [Kay and Goldberg, 1976; Kay, 1993],
the underlying paradigm of object-orientation has become quite successful,
as illustrated by the numerous object-oriented programming languages,
database systems, and software development methods. In this paradigm,
software systems are considered to be dynamic collections of autonomous
objects that interact with each other. Autonomy means that each object
encapsulates all features needed to act as an independent computing agent:
individual attributes (data), methods (operations), behaviour (process) and
communication facilities. Moreover, each object has a unique identity that
is immutable throughout its lifetime. Coincidentally, object-orientation
comes with an elaborate system of types and classes, facilitating structuring
and reuse of software.
Object specification combines ideas from algebraic data type specification, conceptual data modelling, behaviour modelling, specification of
reactive systems, and concurrency theory. The basic concepts are now illustrated by means of an example, using an ad-hoc notation in algebraic
specification style.
Example 15.22. The following specification introduces an object class
Var[s] of state variables of sort s (cf. Examples 15.20 and 15.21):
object class Var[s];
uses s, nat;
attributes value:s;
actions create; :=s; delete;
307
axioms var v,w: s;

create = > ( - > > create A >:=v A > delete) Udelete
delete => > create A ->t>:=v A -i> delete
Q:=V => value=D U (0:=w V delete)
end.
A variable x of class Var[s] has an attribute x.value denoting its current
value. It has actions x. create for creation, x: =s for assigning values of
sort s (i.e. an action x:=v for every value v of sort s), and a;.delete for
deletion.
In the class axioms, the predicate a is used for expressing the fact
that action a has just occurred, and >a for expressing the fact that action
a is enabled, i.e. that it may occur at the current state. The temporal
operator (pUip means that, from the current moment on, (p will be true all
the time until \j) becomes true for the next time. The latter must happen
some time, and (p need not be true any more when this happens.
The axioms express the fact that:
after creation, all actions except creation are enabled until deletion;
after deletion, all actions except creation are disabled;
after assignment, the value assigned is kept until the next assignment
is made, or until the variable is deleted.
Enabling creation after deletion gives the possibility of reusing variables.
More generally, an object type is a set of object instances. It is characterized by a data type of object identities along with an object class
describing the prototypical behaviour shared by all instances of the object type. A specification may be defined along the lines described in the
previous chapters of this book in the following way.
As usual, a signature is a pair S = (S, 0) where S is a set of sorts and
n is a set of operations. Data and objects are distinguished by assuming
that the set S of sorts consists of two disjoint subsets SD of data sorts and
So of object sorts.
Interpretation of a signature is given in a E-algebra A. The intended
interpretation of a data sort d e SD in the algebra A is a set A(d) of
data elements that constitutes the carrier set of sort d. The intended
interpretation of an object sort s 6 So in A is a pair A(s) = A(s)ld .A(s)bv
where A(s)'d is a set of identities and A(s)bv is the behaviour of objects of
sort s. In other words, A(s) represents a set of object instances i.A(s)bv,
each one given by an object identity i e A(s)td, and each one having the
same behaviour A(s)bv. The operations are interpreted as usual.
In analogy to data types, one may define an object type as the set
A(s) of object instances of sort s So within a S-algebra A, together
with the operations of fi defined on A(s). Hence, an object type is like
a data type but with object instances taking the place of data elements.
308
The essential difference is that an object instance has a dynamic behaviour

whereas a data element has a static behaviour. Formally, all instances of an
object type have the same behaviour. It is possible, however, that different
parts of this behaviour are relevant for different objects of the type, thus
introducing some heterogeneity.
Object-orientation comes with a rich structure of object relationships
and constructions: inheritance, generalization, aggregation and interaction.
A theoretical basis for their study is given by object type morphisms preserving structure and behaviour of object types: there is a map that relates
the identity sets, and a behaviour morphism between related behaviours.
A crucial point in object specification is how to specify behaviours and
their morphisms, i.e. behaviour preserving maps. In order to describe sequential and concurrent behaviour, many logics and models of concurrency
can be adopted and integrated. One choice is to use temporal logic and its
extensions for specification, and event structures for interpretation. But
other choices are possible, based, for instance, on predicate logic and labelled transition systems (cf. section 15.5).
Another crucial point is how to specify interaction between objects.
Basically, this can be done by constraining the cooperative behaviour of
components within an aggregated object, using the specification logic at
hand.
15.7
Bibliographic notes
Sections 15.1 to 15.4 are short accounts of corresponding chapters in [Ehrich

et al., 1989] where more details can be found. A survey and annotated
bibliography of the state of the art is in [?].
Behavioural abstraction is also treated in [Reichel, 1987; Bidoit and
Hennicker, 1996; Bidoit and Hennicker, 1998]. A first concept of implementation was published in [Ehrich, 1978]. A survey of implementation
and behavioural equivalence may be found in [Orejas et al., 1993].
In [Goguen and Meseguer, 1992; Goguen and Diaconescu, 1993] an alternative approach to order-sorting and exception handling is provided. A
further approach to using order-sorting in algebraic specification is given in
[Mosses, 1993]; this paper also contains an overview and comparison with
related approaches. An approach to exception handling with explicit error
values is pursued in [Gogolla et al, 1984]. Exception handling using partial
algebras is treated in [Reichel, 1987].
Dynamic data type approaches have been described in, for instance,
[Astesiano and Reggio, 1987; Kaplan, 1989; Ehrig et al., 1990]. A standardized specification language and method developed on these grounds is
given in [ISO-LOTOS, 1989]. A survey of algebraic specification of concurrency with an emphasis on dynamic data types is given in [Astesiano
and Reggio, 1993]; this paper also contains a rich collection of references
to the literature. The states-as-algebras approach to dynamic data types
309
is pursued in [Dauchy and Gaudel, 1994; Zucca, 1999; Ehrig et al, 1995].
A recent overview of the topic may be found in [Astesiano et al., 1999a].
Object specification as outlined here is based on work by the second
author of this chapter and others [Sernadas et al., 1987; Ehrich and Sernadas, 1995; Ehrich, 1999; Ehrich and Hartel, 1996] and on the TROLL
language project [Hartmann et al., 1995; Jungclaus et al., 1996; Hartel et
al., 1997]. Other noteworthy object specification approaches related to algebraic specification are FOOPS [Goguen and Meseguer, 1987; Goguen and
Socorro, 1995] and MAUDE [Meseguer, 1993]: FOOPS is based on the specification language OBJ3 [Goguen and Winkler, 1988]; MAUDE is based on
rewriting logic that is a uniform model of concurrency [Meseguer, 1992].
16
16.1
The categorical approach

Categories
Many authors use categories to introduce and discuss the topics treated in
this chapter (e.g. [Ehrig and Mahr, 1985; Ehrig and Mahr, 1990; Sannella
and Tarlecki, 2001]). By its very abstractness category theory can lead
to more general results and avoid repeating similar proofs. On the other
hand the approach may be difficult to understand for a reader who is not
familiar with category theory.
The first clue in this approach is the fact that any class of algebras together with their homomorphisms constitutes a category. A monomorphic
module (in the sense of Definition 14.2(iii)) may then be viewed as a functor on such categories. Several notions introduced and properties proved in
the present chapter may be viewed as notions and properties from category
theory. For instance, the notions of an initial algebra and of a reduct correspond to the categorical notions of an initial object andat least in the
case of an inclusionof a forgetful functor. As another example, the notion
of a free extension is related to the categorical notion of a free functor.
Another interesting category is constituted by the atomic specifications
together with their specification morphisms (see Definition 13.19(ii)). It
allows one to define the amalgamated union (Definition 13.18) and the
parameter passing mechanism as pushouts (see section 14.6).
The reader interested in category theory and its application to the specification of abstract data types may consult [Sannella and Tarlecki, 2001].
16.2
Institutions
An institution constitutes a generalization of the notion of (algebra) logic

introduced in Definition 6.1. For instance, signatures together with their
signature morphisms are merely supposed to form a category instead of
being the concrete objects in Definitions 2.1 and 5.1. While most of the
properties of section 7 still hold, institutions allow a large variety of signatures (including, for instance, order-sorted signatures and higher-order
310
signatures), of models (including, for instance, error-algebras and partial

algebras) and of logics (including temporal logics).
Definition 16.1 (Institution). Let SET be the category of sets and
CAT the category of all categories. An institution is a 4-tuple (SIG, Sen,
Mod, (=) where:
(i) SIG is a category; the objects of SIG are called signatures, and its
morphisms signature morphisms;
(ii) Sen : SIG > SET is a functor; for any signature S of SIG, the elements of the set Sen(S) are called (Z)- formulas (or: (E)-sentences);
(iii) Mod : SIG > CATOJ> is a functor where CATop is the opposite
category of CAT; for any signature of SIG, the objects of the
category Mod(S) are called E-models;
(iv) |= = (|=E)E6SiG is a family of relations denned for each signature
of SIG where (=E C |Mod()| x Sen(S) and where |Mod(E)|
denotes the class of objects of the category Mod(E).
It is required that the following condition is satisfied:
For any signature morphism /j, : E ' of SIG, any formula ip of
Sen(E) and any model M' of Mod(S'),
Mod(fj.)(M') ^vV&M'
The reader interested in more details may consult [Goguen and Burstall,
1992; Sannella and Tarlecki, 2001].
References
[Abrial, 1996] J. R. Abrial. The B-book: Assigning Programs to Meaning.
Cambridge University Press, 1996.
[Andrews and Ince, 1991] D. Andrews and D. Ince. Practical Formal Methods with VDM. McGraw-Hill, 1991.
[Astesiano et al, 1999a] E. Astesiano, M. Broy and G. Reggio. Altebraic
specification of concurrent systesm. In E. Astesiano, H.-J. Kreowski and
B. Krieg-Briickner, editors, Algebraic Foundations of Systems Specification, pages 467-520. Springer- Verlag, 1999.
[Astesiano et al, 1999b] E. Astesiano, H.-J. Kreowski and B. KriegBriickner, editors, Algebraic Foundations of Systems Specification,
Springer- Verlag, 1999.
[Astesiano and Reggio, 1987] E. Astesiano and G. Reggio. An outline of
the SMoLCS methodology. In M. V. Zilli, editor, Proc. Advanced School
on Mathematical Models for the Semantics of Parallelism, Lecture Notes
in Computer Science 280, pages 81-113. Springer- Verlag, 1987.
[Astesiano and Reggio, 1993] E. Astesiano and G. Reggio. Algebraic specification of concurrency. In M. Bidoit and C. Choppy, editors, Recent
311
Trends in Data Type Specification, Lecture Notes in Computer Science

655, pages 1-39. Springer-Verlag, 1993.
[Avenhaus, 1995] J. Avenhaus. Reduktionssysteme. Springer-Verlag, 1995.
[Barstow, 1983] D. Barstow, editor. The Programming Language Ada. Reference Manual. Lecture Notes in Computer Science 155, Springer-Verlag,
1983.
[Bergstra and Tucker, 1983] J.A. Bergstra and J.V. Tucker. Initial and
final algebra semantics: two characterization theorems. SIAM Journal
of Computation, 12(2):366-387, 1983.
[Bibel, 1993] Wolfgang Bibel. Deduction: Automated Logic. Academic
Press, 1993.
[Bidoit, 1989] M. Bidoit. PLUSS, un langage pour le developpement de
specifications algebriques modulaires. These d'etat, Universite ParisSud, Orsay, 1989.
[Bidoit, 1991] M. Bidoit. Development of modular specifications by stepwise refinement using the PLUSS specification language. Rapport de
Recherche LIENS-91-9, Ecole Normale Superieure, 1991.
[Bidoit and Hennicker, 1995a] M. Bidoit and R. Hennicker. Behavioural
theories. In E. Astesiano, G. Reggio, and A. Tarlecki, editors, Recent
Trends in Data Type Specification, Lecture notes in Computer Science
[Bidoit and Hennicker, 1996] M. Bidoit and R. Hennicker. Behavioural'
theories and the proof of behavioural properties. Theoretical Computer
Science, 165(1): 3-55, 1996.
[Bidoit and Hennicker, 1998] M. Bidoit and R. Hennicker. Modular correctness proofs of behavioural implementations. Acta Inforamtica,
35(11):951-1005, 1998.
[Bidoit et al., 1999] M. Bidoit, M. Cengarle, R. Hennicker. Proof systems
for structured specifications and their refinements. In E. Astesiano, H.J. Kreowski and B. Krieg-Briickner, editors, Algebraic Foundations of
Systems Specification. Springer-Verlag, 1999.
[Broy et al, 1993] M. Broy, C. Facchi, R. Grosu, R. Hettler, H. Hettler,
H. Hussmann, D. Nazareth, F. Regensburger, O. Slotosch, and K. St01en.
The requirement and design specification language SPECTRUM: an informal introduction (Version 1.0). Technical report, Technische Universitat Miinchen, 1993.
[Burstall and Goguen, 1980] R. M. Burstall and J.A. Goguen. The semantics of CLEAR, a specification language. In E. Bjorner, editor, Proc. Advanced Course on Abstract Software Specifications, Lecture Notes in
Computer Science 86, pages 292-332. Springer-Verlag, 1980.
[Cerioli et al., 1997]
M. Cerioli, M. Gogolla, H. Kirchner, B. Krieg-Briickner, Z. Qian,
312
and M. Wolf, editors. Algebraic System Specification and Development:

Survey and Annotated Bibliography (Second Edition), Shaker-Verlag,
Aachen, 1997.
[Classen, 1989] I. Classen. I. Classen. Revised ACT ONE: Categorical cnstructions for an algebraic specification language. In H. Ehrig, H. Herrlich, H.-J. Kreowski and G. Preuss, editors, Categorical Mthods in Computer Science, Lecture Notes in Computer Science 393, pages 435-465.
[Classen et al., 1993] I. Classen, H. Ehrig, and D. Wolz. Algebraic Specification Techniques and Tools for Software Development: The ACT Approach. World Scientific Publishing Co., 1993.
[Dauchy and Gaudel, 1994] P. Dauchy and M.-C. Gaudel. Algebraic specifications with implicit state. Technical report, Universite Paris-Sud,
1994.
[Ebbinghaus et al., 1984] H.-D. Ebbinghaus, J. Flum, and W. Thomas.
Mathematical Logic. Springer-Verlag, 1984.
[Ehrich, 1978] H.-D. Ehrich. Extensions and implementations of abstract
data type specifications. In J. Winkowski, editor, Mathematical Foundations of Computer Science, Lecture Notes in Computer Science 64, pages
155-164. Springer-Verlag, 1978.
[Ehrich, 1999] H.-D. Ehrich. Object specification. In E. Astesiano, H.J. Kreowski and B. Krieg-Briickner, editors, Algebraic Foundations of
System Specification, pages 435-465. Springer-Verlag, 1999. To appear.
[Ehrich and Hartel, 1996] H.-D. Ehrich and P. Hartel. Temporal specification of information systems. In A. Pnueli and H. Lin, editors, Logic
and Software Engineering. Proceedings of the International Workshop in
Honor of C. S. Tang, Beijing, pages 43-71. World Scientific, 1996.
[Ehrich and Lohberger, 1979] H.-D. Ehrich and V.G. Lohberger. Constructing specifications of abstract data types by replacements. In
V. Glaus, H. Ehrig, and G. Rozenberg, editors, Proc. Colloq. on Graph
Grammars, Lecture Notes in Computer Science 73, pages 180-191.
[Ehrich and Sernadas, 1995] H.-D. Ehrich and A. Sernadas. Local specification of distributed families of sequential objects. In E. Astesiano,
G. Reggio, and A. Tarlecki, editors, Recent Trends in Data Type Specification, Lecture Notes in Computer Science 906, pages 219-235. SpringerVerlag, 1995.
[Ehrich et al., 1989] H.-D. Ehrich, M. Gogolla, and U. Lipeck. Algebraische
Spezifikation abstrakter Datentypen. Teubner-Verlag, 1989.
[Ehrig and Mahr, 1985] H. Ehrig and B. Mahr. Fundamentals of Algebraic
Specification 1. Equations and Initial Semantics. Springer-Verlag, 1985.
313
Specification 2. Module Specifications and Constraints. Springer-Verlag,

1990.
[Ehrig et al., 1990] H. Ehrig, F. Parisi-Presicce, P. Boehm, C. Rieckhoff,
C. Dimitrovici, and M. Grosse-Rhode. Combining data type and recursive process specifications using projection algebras. Theoretical Computer Science, 71:347-380, 1990.
[Ehrig et al, 1995] H. Ehrig, M. Lowe, and F. Orejas. Dynamic abstract
data types based on algebraic graph transformations. In E. Astesiano,
G. Reggio, and A. Tarlecki, editors, Recent Trends in Data Type Specification, Lecture Notes in Computer Science 906, pages 236-254. SpringerVerlag, 1995.
[Gogolla et al., 1984] M. Gogolla, K. Drosten, U.W. Lipeck, and H.-D.
Ehrich. Algebraic and operational semantics of specifications allowing
exceptions and errors. Theoretical Computer Science, 34:289-313, 1984.
[Goguen and Burstall, 1992] J.A. Goguen and R.M. Burstall. Institutions:
Abstract model theory for specification and programming. Journal of
the Association for Computing Machinery, 39(1):95-146, 1992.
[Goguen and Diaconescu, 1993] J.A. Goguen and R. Diaconescu. A short
Oxford survey of order sorted algebra. In G. Rozenberg and A. Salomaa,
editors, Current Trends in Theoretical Computer Science. Essays and
Tutorials, pages 209-222. World Scientific Series in Computer Science 40,
World Scientific,1993.
[Goguen and Meseguer, 1987] J.A. Goguen and J. Meseguer. Unifying
functional, object oriented and relational programming with logical semantics. In B. Shriver and P. Wegner, editors, Research Directions in
Object-Oriented Programming, pages 417-477. MIT Press, 1987.
[Goguen and Meseguer, 1992] J.A. Goguen and J. Meseguer. Ordersorted algebra I: equational deduction for multiple inheritance, overloading, exceptions and partial operations. Theoretical Computer Science,
105(2):217-273, 1992.
[Goguen and Socorro, 1995] J.A. Goguen and A. Socorro. Module composition and system design for the object paradigm. Journal of Object
Oriented Programming, 7(14), 1995.
[Goguen and Winkler, 1988] J.A. Goguen and T. Winkler. Introducing
OBJ3. Research report SRI-CSL-88-9, SRI International, 1988.
[Guttag and Horning, 1993] J.V. Guttag and J.J. Horning. Larch: Languages and Tools for Formal Specification. Springer-Verlag, 1993.
[Guttag et al., 1985] J. Guttag, J. Horning, and J. Wing. Larch in five easy
pieces. Internal report SRC TR# 5, Digital Equipment Corporation,
1985.
[Hartel et al., 1997] P. Hartel, G. Denker, M. Kowsari, M. Krone and H.-D.
Ehrich. Information systems modelling with TROLLFormal methods
at work. Information Systems, 22(2-3):79-99, 1997.
314
[Hartmann et al., 1995] T. Hartmann, G. Saake, R. Jungclaus, P. Hartel, and J. Kusch. Revised Version of the Modelling Language TROLL
(Version 2.0). Informatik-Bericht 94-03, Technische Universitat Braunschweig, 1995.
[ISO-LOTOS, 1989] ISO-LOTOS. A formal description technique based
on the temporal ordering of observational behaviour. Technical report
IS 8807. International Standards Organization, 1989.
[Jungclaus et al, 1996] R. Jungclaus, G. Saake, T. Hartmann, and C. Sernadas. TROLLa language for object-oriented specification of information systems. ACM Transactions on Information Systems, 14(2): 175211, 1996.
[Kaplan, 1989] S. Kaplan. Algebraic specification of concurrent systems.
Theoretical Computer Science, 69(1):69-115, 1989.
[Kay, 1993] A. Kay. The early history of Smalltalk. ACM SIGPLAN Notices, pages 69-96, March 1993.
[Kay and Goldberg, 1976] A. Kay and A. Goldberg. Smalltalk-72 Instruction manual. Technical report, Xerox PARC, March 1976.
[Klop, 1992] J.W. Klop. Term rewriting systems. In S. Abramsky, D.M.
Gabbay, and T.S.E. Maibaum, editors, Handbook of Logic in Computer
Science. Volume 2. Background: Computational Structures, pages 2-117.
Clarendon Press, 1992.
[Lehmann and Loeckx, 1993] T. Lehmann and J. Loeckx. OBSCURE,
a specification language for abstract data types. Acta Informatica,
30(4):303-350, 1993.
[Loeckx, 1997] J. Loeckx. Hierarchical constructive specifications and their
termination. Internal note, Computer Science Department, University
of Saarbrucken, 1997.
[Loeckx and Sieber, 1987] J. Loeckx and K. Sieber. The Foundations of
Program Verification. Wiley/Teubner, 1987.
[Loeckx and Zeyer, 1995] J. Loeckx and J. Zeyer. Experiences with a specification environment. In M. Broy and S. Jahnichen, editors, KORSO:
Methods, Languages and Tools for the Construction of Correct Software,
Lecture Notes in Computer Science 655,, pages 255-268. Springer LNCS
1009, 1995.
[Loeckx et al., 1996] J. Loeckx, H.-D. Ehrich, and M. Wolf. Specification
of Abstract Data Types. Wiley/Teubner, 1996.
[Meseguer, 1992] J. Meseguer. Conditional rewriting as a unified model of
concurrency. Theoretical Computer Science, 96(1):73-156, 1992.
[Meseguer, 1993] J. Meseguer. A logical theory of concurrent objects and
its realization in the Maude language. In G. Agha, P. Wegener, and
A. Yonezawa, editors, Research Directions in Object-Oriented Programming, pages 314-390. MIT Press, 1993.
315
[Mosses, 1993] P.D. Mosses. The use of sorts in algebraic specifications. In

M. Bidoit and C. Choppy, editors, Recent Trends in Data Type Specification, Lecture Notes in Computer Science 655, pages 66-92. Springer
LNCS 655, 1993.
[Mosses, 1999] P. Mosses. CASL. A guided tour of its design. In J. Fiadeiro, editor, Recent Trends in Algebraic Development Techniques, Lecture Notes in Computer Science 1589. Springer-Verlag, 1999.
[Orejas et al, 1993] F. Orejas, M. Navarro, and A. Sanchez. Implementation and behavioural equivalence: a survey. In M. Bidoit and C. Choppy,
editors, Recent Trends in Data Type Specification, Lecture Notes in Computer Science 655, pages 93-125. Springer-Verlag, 1993.
[Padawitz, 1988] P. Padawitz.
Computing in Horn Clause Theories.
[Paulson, 1991] L.C. Paulson. ML for the Working Programmer. Cambridge University Press, 1991.
[Raise Development Group, 1995] The Raise Development Group. The
Raise Development Method. BCS Practitioners Series. Prentice Hall International, 1995.
[Reichel, 1987] H. Reichel. Initial Computability, Algebraic Specifications
and Partial Algebras. Oxford University Press, 1987.
[Ryan and Sadler, 1992] M. Ryan and M. Sadler. Valuation systems and
consequence relations. In S. Abramsky, D.M. Gabbay, and T.S.E.
Maibaum, editors, Handbook of Logic in Computer Science. Volume 1.
Background: Computational Structures, pages 1-78. Clarendon Press,
1992.
[protectSannella, 1999] D. Sannella. CoFI WG 29432. - Interim Report 1
October 1998 - 30 September 1999. Internal paper, Computer Science
Department, University of Edinburgh, 1999.
[Sannella and Tarlecki, 2001] D. Sannella and A. Tarlecki. Foundations of
Algebraic Specifications and Formal Program Development. Cambridge
University Press, 2001. Scheduled to appear in 2001.
[Sannella and Wirsing, 1999] D. Sannella and M. Wirsing. Specification
languages. In E. Astesiano, H.-J. Kreowski, and B. Krieg-Briickner,
editors, Algebraic Foundations of Systems Specifications, pages 243-272.
[Sernadas et al., 1987] A. Sernadas, C. Sernadas, and H.-D. Ehrich.
Object-oriented specification of databases: an algebraic approach. In
P.M. Stoecker and W. Kent, editors, Proc. 13th Int. Conf. on Very Large
Data Bases, pages 107-116. VLDB Endowment Press, 1987.
[Spivey, 1989] J.M. Spivey. The Z Notation. Prentice Hall, 1989.
[Tucker and Meinke, 1992] J.V. Tucker and K. Meinke. Universal algebra.
In S. Abramsky, D.M. Gabbay, and T.S.E. Maibaum, editors, Hand-
316
book of Logic in Computer Science. Volume 1, pages 189-411. Clarendon

Press, 1992.
[Wirsing, 1986] M. Wirsing. Structured algebraic specifications: a kernel
language. Theoretical Computer Science, 42(2): 123-250, 1986.
[Wirsing, 1993] M. Wirsing. Structured specifications: syntax, semantics
and proof calculus. In F.L. Bauer, W. Brauer, and H. Schwichtenberg,
editors, Logic and Algebra of Specification, pages 411-442. SpringerVerlag, 1993.
[Wirsing, 1995] M. Wirsing.
Algebraic specification languages: an
overview. In E. Astesiano, G. Reggio, and A. Tarlecki, editors, Recent
Trends in Data Type Specification, Lecture Notes in Computer Science
[Woodman and Heal, 1993] M. Woodman and B. Heal. Introduction to
VDM. McGraw-Hill, 1993.
[Zucca, 1999] E. Zucca. From static to dynamic data types: an institution
transformation. Theoretical Computer Science, 216:109-157, 1999.
Computable functions and

semicomputable sets on many-sorted
algebras
J. V. Tucker and J. I. Zucker
Contents
1
Introduction
1.1 Computing in algebras
1.2 Examples of computable and non-computable functions .
1.4 Historical notes on computable functions on algebras . .
1.5 Objectives and structure of the chapter
1.6 Prerequisites
2.1 Signatures
2.2 Terms and subalgebras
2.3 Homomorphisms, isomorphisms and abstract data types
2.4 Adding Booleans: Standard signatures and algebras . . .
2.5 Adding counters: TV-standard signatures and algebras . .
2.6 Adding the unspecified value ui; algebras A" of signature
Eu
2.7 Adding arrays: Algebras A*_of signature IT*
2.8 Adding streams: Algebras A of signature
3.1 Syntax of While(E)
3.2 States
3.3 Semantics of terms
3.4 Algebraic operational semantics
3.5 Semantics of statements for While(Yi)
3.6 Semantics of procedures
3.7 Homomorphism invariance theorems
3.8 Locality of computation
3.9 The language WhileProc("S)
3.10 Relative While computability
3.11 .For() computability
3.12 WhileN and ForN computability
319
322
325
329
335
340
343
344
344
349
350
351
353
355
356
359
360
361
363
363
364
366
368
371
372
374
375
376
377
318

3.13 While* and For* computability
3.14 Remainder set of a statement; snapshots
3.15 */ conservativity for terms
Representations of semantic functions; universality
4.1 Godel numbering of syntax
4.2 Representation of states
4.3 Representation of term evaluation
4.4 Representation of the computation step function
4.5 Representation of statement evaluation
4.6 Representation of procedure evaluation
4.7 Computability of semantic representing functions;
term evaluation property
4.8 Universal WhileN procedure for While
4.9 Universal WhileN procedure for While*
4.10 Snapshot representing function and sequence
4.11 Order of a tuple of elements
4.12 Locally finite algebras
4.13 Representing functions for specific terms or programs . .
Notions of semicomputability
5.1 While semicomputability
5.2 Merging two procedures: Closure theorems
5.3 Projective While semicomputability: semicomputability
with search
5.4 WhileN semicomputability
5.5 Projective WhileN semicomputability
5.6 Solvability of the halting problem
5.7 While* semicomputability
5.9 Homomorphism invariance for semicomputable sets . . .
5.10 The computation tree of a While statement
5.11 Engeler's lemma
5.12 Engeler's lemma for While* semicomputability
5.13 S* definability: Input/output and halting formulae . . .
5.14 The projective equivalence theorem
5.15 Halting sets of While procedures with random
assignments
Examples of semicomputable sets of real and
complex numbers
6.1 Computability on E and C
6.2 The algebra of reals; a set which is projectively While
semicomputable but not While* semicomputable . . . .
6.3 The ordered algebra of reals; sets of reals which are While
semicomputable but not While* computable
6.4 A set which is projectively While* semicomputable but
not projectively WhileN semicomputable
378
380
383
387
388
389
389
390
392
393
394
397
401
402
404
405
406
407
408
409
413
414
416
416
420
421
422
423
425
429
431
434
435
438
439
441
443
445
Computable functions on algebras

6.5
Dynamical systems and chaotic systems on E;

sets which are WhileN semicomputable but not While*
computable
6.6 Dynamical systems and Julia sets on C;
sets which are WhileN semicomputable but not While*
computable
Computation on topological partial algebras
7.1 The problem
7.2 Partial algebras and While computation
7.3 Topological partial algebras
7.4 Discussion: Two models of computation on the reals . . .
7.5 Continuity of computable functions
7.6 Topological characterisation of computable sets in compact algebras
7.7 Metric partial algebra
7.8 Connected domains: computability and explicit
definability
7.9 Approximable computability
7.10 Abstract versus concrete models for computing on the real
numbers
A survey of models of computability
8.1 Computability by function schemes
8.2 Machine models
8.3 High-level programming constructs; program
schemes
8.4 Axiomatic methods
8.5 Equational definability
8.6 Inductive definitions and fixed-point methods
8.7 Set recursion
8.8 A generalised Church-Turing thesis for computability . .
8.9 A Church-Turing thesis for specification
8.10 Some other applications
319
447
449
451
452
453
455
458
460
464
465
465
470
475
479
479
484
488
490
490
492
493
493
496
500
Introduction
The theory of the computable functions is a mathematical theory of total

and partial functions of the form
/ : N -> N,
and sets of the form
SCW1
that can be defined by means of algorithms on the set
320
of natural numbers. The theory establishes what can and cannot be computed in an explicit way using finitely many simple operations on numbers.
The set of naturals and a selection of these simple operations together form
an algebra. A mathematical objective of the theory is to develop, analyse
and compare a variety of models of computation and formal systems for
defining functions over a range of algebras of natural numbers.
Computability theory on N is of importance in science because it establishes the scope and limits of digital computation. The numbers are
realised as concrete symbolic objects and the operations on the numbers
can be carried out explicitly, in finitely many concrete symbolic steps. More
generally, the numbers can be used to represent or code any form of discrete
data. However, the question arises:
Can we develop theories of functions that can be defined by
means of algorithms on other sets of data?
The obvious examples of numerical data are the integer, rational, real and
complex numbers; and associated with these numbers there are data such
as matrices, polynomials, power series and various types of functions. In
addition, there are geometric objects that are represented using the real and
complex numbers, including algebraic curves and manifolds. Examples of
syntactic data are finite and infinite strings, terms, formulae, trees and
graphs. For each set of data there are many choices for a collection of
operations from which to build algorithms.
How specific to the set of data and chosen operations are these
computability theories? What properties do the computability
theories over different sets of data have in common?
The theory of the computable functions on N is stable, rich and useful;
will the theory of computable functions on the sets of real and complex
numbers, and the other data sets also be so?
The theory of computable functions on arbitrary many-sorted algebras
will answer these questions. It generalises the theory of functions computable on algebras of natural numbers to a theory of functions computable
on any algebra made from any family of sets and operations. The notion
of 'computable' here presupposes an algorithm that computes the function
in finitely many steps, where a step is an application of a basic operation
of the algebra. Since the data are arbitrary, the algorithm's computations
are at the same level of abstraction as the data and basic operations of
the algebra. For example, this means that computations over the field E
of real numbers are exact rather than approximate. Thus, the algorithms
and computations on algebras are intimately connected to their algebraic
properties; in particular, the computability theory is invariant under isomorphisms.
Already we can see that, in the general case, there is likely to be a
ramification of computability notions. For example, in the case of computable functions on the set E of real numbers it is also natural to consider
321
computability in terms of computing approximations to the values of a

function. The use of approximations recognises the fact that data like
the real numbers are infinite objects and can, or must, be algorithmically
approximated. This is the approach of computable analysis. We wll present
two approaches to computation on the reals: 'algebraic' and 'topological'.
In our algebraic approach we are looking for what can be computed exactly,
knowing only what the operations reveal about the reals. The operations
may have been chosen to reveal properties that are specific to the reals,
of course. In the topological approach we are looking for what can be
computed with essentially infinite data on the basis of a finite amount of
information. Actually, this is again, at bottom, an algebraic approach, for
the performance of approximate computations.
In this chapter our objective is to show the following:
1. There is a general theory of computable functions on an arbitrary algebra that possesses generalisations of many of the important results
in computability theory on natural numbers.
2. The theory provides technical concepts and results that improve our
understanding of the foundations of classical computability and definability theory on N.
3. The theory has a wide range of applications in mathematics and
computer science.
4. The theory can be developed using many models of computation that
are equivalent in that they define the same class of computable functions.
5. The theory possesses a generalisation of the Church-Turing thesis for
functions and sets computed by algorithms on any abstract algebraic
structure.
6. The theory generalises other less general but still abstract and algebraic, theories of finite computation, including effective algebra and
computable analysis.
Computability theories on particular and general classes of algebras address central concerns in mathematics and computer science. Some, such
as effective algebra, have a long history and several subfields with deep
results, such as the theory of computable rings and fields and the word
problem for groups. However, abstract computability theories of the kind
we will develop have a short and less eventful history: starting in the late
1950s, with theoretical work on flowcharts, many approaches have been presented that vary in their generality and objectives; indeed, there has been
a remarkable amount of reinventing of ideas and results, sometimes with
new motivations, such as obtaining results on: the structure of flowcharts;
the power of programming constructs; the design of program correctness
logics; the development of axiomatic foundations for generalised recursion
theories based on ordinals and higher types; and the study of algorithmic
aspects of ring and field theory, and of dynamical system theory.
322
In this section we will introduce in a very informal way the model of

computation we will use (in section 1.1) and pose some questions about
examples of computable functions (in section 1.2). Then, in section 1.3, we
will outline the relationship between our model and other models of computation, especially effective algebra and computable analysis. In section
1.4 the history of the theory of computable functions on abstract algebras
is sketched. In sections 1.5 and 1.6 the structure of the chapter and its
prerequisites are discussed in more detail.
The chapter is closely linked scientifically with the chapters in this
Handbook on universal algebra (Volume I), computability (Volume I), and
effective algebra (Volume IV); it also connects with other subjects (e.g.,
topology (Volume I) and those on semantics (Volumes III and IV)). Further
information on prerequisites is given in section 1.6.
1.1
Computing in algebras
Let us begin with a basic question:

Let S be a non-empty set of data and let f : Sn > S be a total
or partial function. How do we compute f ?
The methods we have in mind start with postulating an algebra A containing the set 5. The algebra may consist of a finite family of non-empty
sets
Ai , . . . , Ak
called the carriers of the algebra, one of which is the set S and another is
the set B of Booleans. The algebra is also equipped with a finite family
Cl , . . . , Cp
of elements of the sets, called constants, and a finite family
of functions on the sets called operations; these functions are of the form
F : ASl x ...x ASn - As
and can be total or partial. Among the operations are some standard
functions on the Booleans. Such an algebra is called a standard manysorted algebra; we say it is standard because it contains the Booleans and
their special operations. An algebra is often written
(Ai,... ,Ak, ci,... ,cp,Fi,... ,Fq).
A set of names for the data set, constants and operations (and their
arities) of the algebra A is called a signature.
323
For most of the time we will use many-sorted algebras with finitely
many constants and total operations, but we will need the case of partial
operations to discuss the relationship between our computable functions
and continuous functions on topological algebras such as algebras of real
numbers, and algebras with infinite data streams.
The problem is to develop and classify models of computation that
describe ways of constructing new functions on the set 5 from the basic
operations of the algebra A. In particular, each model of computation M is
a method or technique which we use to define the notion that the function
/ on the carriers of A is computable from the operations on A by means
of method M ; and we collect all such functions into the set
M-Comp(A)
of functions X-computable over the algebra A.
There are many useful choices for a model of computation M with
which to develop a computability theory we list several in a survey in
section 8. In this chapter we focus on a theory for computing with a simple
imperative model, namely the While programming language.
In this programming language, basic computations on an algebra A are
performed by concurrent assignment statements of the form
where xi, . : . , xra are program variables and t\ , . . . ,tn are terms or expressions built from variables and the operation symbols from the signature of
the algebra A; and x^ and ti correspond in their types (1 < i < n).
The control and sequencing of the basic computations are performed by
three constucts that form new programs from given programs Si, S^ and
S, and Boolean test b:
(i) the sequential composition construct
(ii) the conditional branching construct

if b then Si else 52 fi
(Hi) the iteration construct
while b do S od.
The set of all programs so constructed over the signature E is denoted
While().
The operational semantics of a While program is a function that,
given an initial state, enumerates every state of a resulting computation.
The input/output (i/o) semantics of a while program is a function that
324
transforms initial states to final states, if they exist. To compute a function

on A by means of a While program we formulate a simple class of function
procedures based on While programs; a function procedure P has the form
P = proc in a out b aux c begin 5 end
where a, b, c are lists of input, output and auxiliary variables, respectively,
and 5 is a While program, satisfying some simple conditions. The semantics of a procedure P is a function [P]"4 on A whose input and output
types are determined by the types of the lists of input and output variables
a and b.
A function / is While computable on algebra A if there is a While
function procedure that computes it, i.e., {P]A = /. All While computable functions on A are collected in the set While(A).
A set is defined to be While computable, or decidable, if its characteristic function is While computable. It is While semicomputable, or
semidecidable, if it is the domain of a partial While computable function;
in other words, if it is the halting set of a While program.
A crucial property of an abstract model of computation is that it is
designed to apply to any algebra or class of algebras. Two important
consequences are the following.
Firstly, it is easy to explore uniform computation where programs generate computations over a class of implementations or representations of
data types in a uniform way. For example, think of a While program that
is intended to implement Euclid's algorithm to calculate greatest common
divisors in a way that is uniform over a class of algebras. By such a 'class'
we could mean, for example, any of the following: (i) the class of all Euclidean domains, (ii) the isomorphism class of all (ideal, infinite) implementations of the ring of integers, (Hi) the class of (actual, finite) machine
implementations of the integers.
Secondly, it is easy to employ certain forms of type constructions. Since
we can compute on any algebra (possessing the Booleans) using the programming model, we can augment an algebra A to form a new algebra A',
by adding new types and operations, and apply the programming model
to A'. Adding new data sets and operations is a key activity in theory and
practice. In particular, three modest expansions of an algebra A that have
significant practical effects and (as we shall show) interesting mathematical
theories are:
(a) adding the set N of natural numbers and its standard operations to
A to make a new algebra AN;
(b) adding finite sequences, and appropriate operations, to A to make an
algebra A*.
(c) adding infinite streams, and appropriate operations, to A to make an
algebra A.
325
We apply the model of computation to form new classes of computable

functions, namely:
While(AN),
While(A*)
and
WhUe(A).
By this means it is trivial to add constructs like counters, finite arrays and
infinite data streams to the theory of computation, though it is not trivial
to chart the consequences.
In summary, what mechanisms are available for computing in an algebra? The methods of computation are merely:
(i) basic operations of the algebra; and
(n) sequencing, branching and iterating the operations.
Is equality computable? Do we have available unlimited data storage?
Can we search the algebra for data?
We will see that for any many-sorted algebra A with the Booleans, by
adding the naturals, we can add
(Hi) any algorithmic construction on a numerical data representation;
and, by adding A*, we can add
(iv) local search through all elements of the subalgebra generated by given
input data;
(v) unlimited storage for data in computations.
To obtain equality we have to postulate it as a basic operation of the
algebra.
We will study these models of computation. The most important turns
out to be the programming language While*, which consists of While
programs with the naturals and finite arrays, and is defined simply by
While" (A) = While(A').
This is the fundamental model of imperative programming that yields a
full generalisation, to an arbitrary many-sorted algebra A, of the theory of
computable functions on the set N of natural numbers, and for which the
generalised Church-Turing thesis for computation on A will be formulated
and justified.
1.2
Examples of computable and non-computable functions
First, let us look at the raw material of our theory, namely problems concerning computing functions and sets on specific algebraic structures. We
will give a list of questions about computing with While programs on
different algebras and invite the reader to speculate on their answers; it is
not essential that the reader understand or recognise all the concepts in
the examples. The idea is to prepare the reader for the role of algebraic
structures in the theory of computable functions and sets, and arouse his
or her curiosity.
326
Let B be the set of Booleans and let N, Z, Q, R and C be the sets of

natural, integer, rational, real and complex numbers, respectively.
1. Are the sets of functions While computable over the following algebras the same as those computable over (N; 0, n + 1)?
(N; 0, n + 1, n + m, n m, n = m)
(N; 0, n + 1, n + m, n m, nm, n m)
(N; 0, 1, n + m, n m, n = m)
(N; 0, n + m, n m, n = m)
(N; 0, n + m, n = m)
(N; 0, n m, n m)
2. Consider each of the following functions:
f(n)
/(n)
f(n)
3.
4.
5.
6.
7.
= 4
=n
=n+1
f(n,m)
n + m
f(n,m)
= n m
In each case is / W7iz/e(N; 0, n 1)?
Let B be the set of Booleans and / : B* - B. Is / eW7Je(B;tt,f,
and, not)?
Let A be a finite set and / : A -> A. Is / 6 While(A; c\,... , cp, FI,
... ,Fq) for any choice of constants c, and operations Fj on Af
Consider the algebra
(B,N,[N ->B]; tt,ff, and, not,0, n + l,eval)
of Booleans expanded by adding the set N of naturals with zero and
successor, and the set [N -> B] of infinite sequences, or streams, of
Booleans, with the evaluation map eval:[N > B] x N B defined
by eval(6, n) = b(n). Are the following functions While computable
over this algebra:
shift: [N - B] x N -> B defined by shift(a,n) = o(n + 1);
Shift: [N -> B] -> [N -> B] defined by Shift(a)(n) = o(n + 1)?
Which of the following sets of Boolean streams are
(i) While computable, and
(n) While semicomputable, over the stream algebra in question 5?
{ a | for some n, a(n) =tt}
{ a I for all n, a(n) =tt)
{ a | for infinitely many n, a(n) = tt}
{ a | a(0) = tt, ... , a(n) =tt} for some fixed n
Consider each of the following functions:
f(x) = 4
f ( x ) = floor(^)
f ( x ) = x/2 f ( x ) = 1*
f(x) = TT
f(x) = sin(x)
f(x) = x
f(x) = cos(a;)
f(x) = x5
f(x) = tan(x)
/(x) = v/x /(x) = ex
327
In each case, is / While computable over (E;0, l,x + y,x,

x-y,x'1)
8. Are cos(a;) and tan(x) While computable over (E;0, l,a; + |/, x,
x-y,x~l,sin(x})'?
9. Let / : E2 -> E be the step function
f(^r)
10.
11.
12.
13.
/Oifa;<7= { , ., ^
I 1 if x > r.
Is / While computable over (E; 0, 1, x + y, -x, x y, x""1)?

Which of the following subsets of E are
(a) While computable, and
(6) While semicomputable, over the field of real numbers?
(z) The rational subfield Q of the field of reals
(ii) The subfield Q(>/2) of the field of reals generated by Q and \/2
(Hi) The subfield Q(y^ | p prime) of the field of reals generated by
Q and the set {^/p \ p prime}
(iv) The subfield Q(r) of the field of reals generated by Q and a
non-computable real number r
(v) The subfield AR of the field of reals containing precisely the real
algebraic numbers
Is the subalgebra A of (E; 0, 1, x + y, x, x y, a;"1, ex) generated
by Q While semidecidable?
Is there a While program over (E; 0, 1, x + y, -x, x y, a;"1, \/x)
that computes all the real roots of all quadratic equations with real
coefficients?
Consider the polynomial
p(X) = a0 + aiX + a 2 X 2 + ... + anXn
(a 0 ,... , an E).
(a) Is the set {x 6 M | p(x) = 0} of roots of p While decidable over

(E; 0, 1, x + y, -x, x-y, x~l, o 0 ,... ,a n )?
(ft) For each n find operations to add to the algebra (E; 0, 1, x +
y, x, x y, x"1) to calculate the n roots of the polynomial as functions of the coefficients.
14. Consider the algebra (E, B; 0, 1, x + y, x, x y, x~l, x = y) which
adds equality =: E2 - B to the field of reals. What new functions
/ : E* -> E can be computed?
15. Consider the algebra (E, B; 0, 1, x + y, x, x-y, x~*, x = y, x < y)
which adds ordering <: E2 -* B to the field of reals. What new
functions / : E* > E can be computed?
16. Is every cyclic subgroup (t) of the circle group S1 While decidable?
328
17. If / : E -> E is While computable on (E; 0, 1, x+y, -x, x-y, x~l),

is / continuous?
18. Can any continuous function / : E E be approximated (in some
suitable metric) by a function While computable over (E; 0, 1, a; +
2/, -x, a;-?/, a;"1)?
19. What is the relationship, for functions on E, between computability
in the sense of computable analysis, and While computability on
(E; 0, I , x + y, -x, x - y , or1)?
20. Is there an algebra A(E) containing E, for which
Jtec(R) =
While(A(R)),
where JZec(fi) is the set of functions computable on E in the sense

of recursive or computable analysis?
21. Consider the many-sorted algebra
(E, N, [N - E]; OR, 1R, x + y, -x, 0 N , n + 1, eval)
that is an expansion of the additive Abelian group of reals, made
by adding the naturals with zero and successor, infinite sequences or
streams of real numbers, and the evaluation map eval : [N > E] x N >
E defined by eval(o,n) = a(n). Are the following functions While
computable on this algebra:
add: [N -> M]2 x N -> E defined by add(a,b,n) = a(n) + b(n);
Add: [N - M]2 -> [N -> E] defined by Add(a, b)(n) = a(n) + b(n)l
22. Are complex conjugation z and modulus \z\ of a complex number
z While computable over the following algebras?
(i) (C; 0, 1, x + y, -x, x y, x~l)
(ii) (C; 0, l,i,x + y, -x, x y, 2T1)
23. Is the set {i} While decidable over either of the fields listed in
question 22?
24. Consider the function f ( x ) = 4x(l x) on the reals. Is the orbit of
/, defined by
orb(f,x)
= (fn(x)
| n e N, 0 < x < 1}
While computable over the field of real numbers?

25. Are the fractal subsets of C, such as the Mandelbrot and Julia sets,
While decidable over the field of complex numbers?
26. Are the following subsets of C either While decidable, or While
semidecidable, over the algebra (C, B; 0, 1, i, z\, x+y, x, x-y, a;"1,
= )?
(i) The set {i}
(ii) The set of all roots of unity
(Hi) The set of all algebraic complex numbers
329
27. Consider the rings TL\X\,... ,Xn] of all polynomials in n indeterminates over the integers. Is the ideal membership relation
q (pi,... ,p m )
(in q,pi,... ,pm) While decidable over this ring?
28. Consider the rings F[Xi,... ,Xn] of all polynomials in n indeterminates over a field F. Is the ideal membership relation While
decidable over this ring?
29. Consider the algebra T(S, X) of all terms over signature in the
finite set X of indeterminates. Let Ax be the set of assignments to
X in an algebra A. Define the term evaluation function
T: TE(E, X) x Ax - A
by TE(t,a) = t(a). Is TE While computable over the algebra

formed by simply combining the algebras T(,X) and A!
30. (a) Are all first-order definable subsets of natural numbers While
computable with respect to the following algebras?
(i) (N; 0, n + 1, n + m, n m)
(M) (N; 0,n + l,n + m)
(in) (N; 0, n + 1)
(6) Are the While semicomputable sets precisely the Ei-definable
sets with respect to these algebras?
31. Is any set of complex numbers that is first-order definable over the
field of complex numbers While decidable over this field? Is any set
of real numbers that is first-order definable over the ordered field of
real numbers While decidable over this field?

In computer science, many-sorted algebras are used to provide a general
theory of data and, indeed, of whole computing systems. They have been
employed to
specify and analyse many new forms of data types;
classify data representations;
characterise which data types are implementable;
model systems;
analyse the modularisation of computing systems;
formalise the correctness of systems; and
reason about systems.
A many-sorted algebra models a concrete representation of a data type or
system; such representations are compared by homomorphisms, axiomatised by equations and conditional equations, and prototyped by term rewriting methods. There is a considerable theoretical and practical literature
330
available which may be accessed through survey works such as Meseguer

and Goguen [1985], Wirsing [1991], Wechler [1992] and Meinke and Tucker
[1992].
The theory of computable functions and sets on many-sorted algebras
is intended to provide an abstract theory of computing to complement this
abstract algebraic theory of data. With this in mind we ask the question:
How is the theory of While computable functions and sets on
many-sorted algebras related to other theories of computability
on such algebras?
We have mentioned earlier that there are many models of computation
that can be applied to an arbitrary algebra and that turn out to define the
same class of functions and sets as the While language; these equivalent
models belong to the computability theory and are the subject of section
8. Here we will discuss an important approach to analysing computability
on algebras called effective algebra. Effective algebra is concerned with
what algebras are computable, or effective, and what functions and sets
on these algebras are computable, or effective. The subject is explained in
Stoltenberg-Hansen and Tucker [1995; 1999a].
A starting point for the discussion is the theory of the computable
functions on the set N = {0,1,2,...} of natural numbers. According to
the Church-Turing thesis, the class Comp(N) of computable function on
N, defined by any one of a number of models of computation, is precisely the
class of functions definable by means of algorithms on the natural numbers.
As we have noted, the algorithms are often over some algebraic structure
on N. In fact, seen from the algebraic theory of data, the algebras used
form a class of concrete representations of the natural numbers that is
parameterised by both the choice of operations and the precise nature of
the number representations (e.g., binary, decimal and roman). The extent
to which the theory of computable functions on N varies over the class of
these algebras of numbers is an important question, but one that is not
often asked. We expect there to be very little variation in practice (but
compare questions 1 and 2 of section 1.2).
In general terms, a computability theory consists of
(a) a class of algebraic or relational structures to define data and operations; and
(b) a class of methods, which we call a model of computation, to define
algorithms and computations on the data using the operations.
A generalised computability theory is one which can be applied
to a structure containing the set N of natural numbers to define the set
C7omp(N) of computable functions on Comp(H). An abstract computability theory is a computability theory in which the theory is invariant up to
isomorphism (in some appropriate sense).
To develop an abstract generalised computability theory for any algebra
A, and classify the computable functions and sets on A, one can proceed
331
in either of the following two directions. One can apply computability theory on N to algebras using maps from sets of natural numbers to algebras
called numberings. The long-established theories of decision problems in
semigroups, groups, rings and fields, etc. are examples of this approach.
Furthermore, the theory of computable functions Comp(R) on the set
E of real numbers in computable analysis uses computability theory on
Comp(N) to formalise how real number data and functions are approximated effectively. Theories based on these approaches are parts of what
we here call effective algebra.
Alternatively, one can generalise the computability theory on N to accommodate abstract structures; the theory of computable functions on
many-sorted algebras developed in this chapter is an example, of course,
and more will be said about equivalent models of computation in section
8. However, there are examples of generalised computation theories that
are strictly stronger, such as ordinal recursion theory, set recursion theory, higher type recursion theory and domain theory. Typically these
four generalised computability theories allow infinite computations to return outputs. To appreciate the diversity of some of these theories it
is necessary to examine closely their original motivations; seen from our
simple finitistic algebraic point of view, generalised recursion theories have
a surprisingly untidy historical development.
Let us focus on the first direction. Effective algebra is a theory that
provides answers for questions such as:
When is an algebra A computable? What functions on A are
computable? What sets on A are decidable or, at least, semidecidable?
It attempts to establish the scope and limits of computation by means of
algorithms for any set of data, by applying the theory of computation on N
to universal algebras containing the set of data using numberings. Thus, it
classifies what data can be represented algorithmically, and what sets and
functions can be defined by algorithms, in the same terms as those of the
Church-Turing thesis for algorithms on N. Assuming such a thesis, we may
then use the theory of the recursive functions on N to give precise answers
to the above questions about algebras, and to the question:
What sets of data and functions on those data can be implemented on a computer in principle?
The numberings capture the scope and limits of digital data representation and, thus, effective algebra is a general theory of the digital view of
computation. More specifically, in effective algebra we can investigate the
consequences of the fact that
1. an algebra is computable;
2. an algebra is effective in some weaker senses; and
332
3. a topological algebra can be approximated by a computable or effective algebra.

Among the weaker senses are the concepts of semicomputable, cosemicomputable and, most generally, effective algebras. For an algebra to be effective it must be countable, so that its elements may be enumerated. For an
algebra to be effectively approximable it must have a topological structure,
so that its elements may be approximated; the bulk of interesting topological algebras are uncountable. A full account of these concepts is given in
Stoltenberg-Hansen and Tucker [1995]. At the heart of the theory of effective algebra is the notion of a computable algebra: a computable algebra is
an algebra that can be faithfully represented using the natural numbers in
a recursive way. Here is the definition for a single-sorted algebra:
Definition 1.1. An algebra A = (A; c\ , . . . , cp, F\ , . . . , Fq) is computable
if: (?) the data of A can be computably enumerated there exists a recursive subset J7a C N and a surjection
a: na - N
called a numbering, that lists or enumerates, possibly with repetitions,
all the elements of A; (ii) the operations of A are computable in the
enumerationfor each operation Fj : An^ > A of A there exists a recursive function
that tracks the f, in the set $la of numbers, in the sense that for all
Xi, . . . , X n j
& ' 'a
(Hi) the equivalence of numerical representations of data in A is decidable

the equivalence relation =a defined by
= a(x-2)
s recursve.
An equivalent formulation, in the algebraic theory of data, is that A is
computable if it is the image of a recursive algebra Ha of numbers under a
homomorphism a : J7Q ) A whose kernel =a is decidable. (This simple
algebraic characterisation leads to new methods of generalising computability theories: see Stoltenberg-Hansen and Tucker [1995]).
What mechanisms are available for computing in a computable algebra?
Via the enumeration, the methods include:
(i) basic operations of the algebra;
(ii) sequencing, branching and iterating the operations;

(Hi)
(iv)
(v)
(vi)
333
any algorithmic construction on the numerical data representation;

global search through all elements of the algebra;
unlimited storage for data in computations;
the equality relation on the algebra via the congruence.
Conditions (i) and (ii) are shared with our While programming model
and, indeed, are necessary for an algebraic theory: recall section 1.1. There
are also a number of features that extend the methods of our While model,
including conditions (Hi) and, more dramatically, (iv). Using the properties
of the numbers that represent the data we can perform global searches
through the data sets (by means of an ordering on the code set), and
store data dynamically without limitations on data storage (by means of a
pairing on the code set). Note that condition (vi) is a denning feature of
computable algebras and can be relaxed (as in the case of semicomputable
or effective algebras, for instance).
Note that an algebra A is computable if there exists some computable
numbering a for A. The computability of functions and sets over A may
depend on the numbering a; thus, to be more precise, we should say that
A, its functions and subsets etc. are a-computable. Let us define the computable subsets and functions for such an algebra.
Definition 1.2 (Sets and maps). Let A be an algebra of signature S,
computable under the numbering a : Oa A.
(1) A set 5 = Ak is a-decidable, a-semidecidable or a-cosemidecidable if
the corresponding set
a~l(S) =
{(x1,...,xk)eflc,k\(a(xi),...,a(xk)S}
of numbers is recursive, recursively enumerable (r.e.) or co-recursively

enumerable (co-r.e.) respectively.
(2) A function </> : A -4 A is an a-computable map if there exists a
recursive function / : $la > HQ such that for all x f l a , f ( a ( x ) ) =
a(f(x)); or, equivalently, / commutes the following diagram:
a]
1-
\ o_
Let Compa(A) be the set of all a-computable maps on A.

For any computable algebra, there are many computable numberings,
some of which may have desirable properties; for example, it is the case
that every computable algebra has a bijective numbering with code set N.
334
Let C(A) be the set of all computable numberings of the algebra A. The
choice of a numbering a C(A) suggests that the effectiveness of a subset
or function on A may depend on a. To illustrate, let S C A and consider
the following questions:
Is S decidable for all computable numberings of A; or decidable for some, and undecidable in others; or undecidable for all
computable numberings of A?
Another question concerns the invariance of computable maps.
// A is computable under two numberings a and /? then what
is the relation between the sets Compa(A) and Compg(A)?
What is
Compa(A)t
Consider our abstract model based on While programs. We have noted
that
While(N; 0, n + 1) = Comp(N).
The question then arises for our algebras:
What is the relationship between While(A) and Compa(A)
for an arbitrary computable representation a ?
We can prove that if A is computable then
While(A) C
P|
Compa(A).
(1.1)
aC(A)
(In fact this inclusion holds for much weaker hypotheses on A.) The converse inclusion does not hold in general. To see why, consider the algebra
(N; 0, n - 1),
and the use of a While program to compute a function / : N > N. It

turns out that for any x\ , . . . , xn N,
f(xi,...,xn)
< max(z1 , . . . , xn)
because assignments can only reduce the value of the inputs. It follows
that
While(N; 0, n - 1) C
p|
Compa(N; 0, n - 1)
(1.2)
aec(A)
because in any numbering the successor function S(o:) = x + 1 can be
computed.
335
More difficult to answer is the question: When is

While(A) =
p|
Compa(A)l
OtC(A)
Some results in this direction are known.

Inequality (1-2) is not a weakness of the abstract theory. Rather it is
an indication of the fact that the abstract models provide a more sensitive
analysis of finite computations. For example, the abstract theory reveals
the special properties of the algebras of numbers that give computability
theory on N its special characteristics: the theory of Compa(A) is the
same as the theory of While* (A) when A is an algebra finitely generated
by constants.
1.4
Historical notes on computable functions on algebras
The generalisation of the theory of computable functions to abstract algebras has a complicated history. On the one hand the connections between
computation and algebra are intimate and ancient: algebra grew from problems in computation. However, the fact that it is now necessary to explain
how computation theory can be connected or applied to algebra is an aberration, and is the result of interesting intellectual and social mutations in
the past. It is a significant task to understand the history of generalisations of computability theory, with questions for research by historians of
mathematics, logic and computing, as well as sociologists of science.
The story that underlies this work involves the development of algebra; the development of computability theory; interactions between computability theory and algebra; and applications to computing. Some of the
connections between computation theory and algebra have been provided
in other Handbook chapters: for notes on the histories of
effective algebra, see Stoltenberg-Hansen and Tucker [1995];
computable rings and fields, see Stoltenberg-Hansen and Tucker [l999a];
algebraic methods in computer science, see Meinke and Tucker [1992].
In the following notes we discuss the nature of generalisations and point
out the earliest work on abstract computability theory. Section 8 is devoted
to a fairly detailed survey of the literature.
We first list some common-sense reasons for generalising computability
theory. A common view is to say that the purpose of a generalisation of
computability theory is one or more of the following:
(i) to say something new and useful about the original theory;
(it) to provide new methods of use in computer science and mathematics;
(Hi) to illuminate and increase our understanding of the nature of computation.
336
As will be seen, the theory of computable functions on many-sorted algebras

is certainly able to meet the goals (i)-(iii). For a discussion of these and
other reasons for generalising computability theory, see Kreisel [1971].
Broadly speaking, it is often the case that a new mathematical generalisation of an old theory focuses on a few basic technical ideas, results or
problems in the old theory and makes them primary objects of study in the
new theory. If the generalised theory is technically satisfying then a substantial subject can be built on foundations consisting of little more than
some modest technical motivations. Recent history records many attempts
at generalisations of computability theory that have different, narrower,
technical aims than those of the original theory. Indeed, in some cases, if
the generalisation can be applied to analyse computation on algebras then
its aims need not be particularly useful or meaningful.
Generalised computability theories bear witness to the fact that computability theory has several concepts, results and problems that can bear
the weighty load of a satisfying generalisation. For instance, on generalising finiteness, and allowing infinite computations, theoretical differences
can be found that allow models of computation to cleverly meet goal (i),
but not (if) or (in).
Computability theory can also support a good axiomatic framework in
which deep results can be proved, and generalised computability theories
are models. For example, the axiomatic notion of computation theory
developed by by Moschovakis and Fenstad elegantly captures basic results
and advanced degree theory: see Stoltenberg-Hansen [1979] and Fenstad
[1980].
There is usually a good market for general frameworks in theoretical
subjects because there is more space in which to seek ideas and show results. Generality is attractive: there are many new technical concepts and
the original theory can underwrite their value. Generalisations are developed, gain an audience and reputation, and, like so many other technical
discoveries, await an application. Applications can arise in more exotic or
commonplace areas than their creators expected. In the case of generalising computability theory, some theories have useful applications (e.g. in set
theory), and some languish in the museum of possible models of axiomatic
theories of computation.
Abstract computability theory developed rather slowly, and owes much
to the development of programming languages.
A starting point is the notion of the flowchart. The idea was first seen
in examples of programs for the ENIAC from 1946, published in Goldstine
and von Neumann [1947]. Flowcharts were adapted and used extensively
in practical work. For example, standards were provided by the American Standards Association (see American Standards Association [1963]
and Chaplin [1970]).
To define mathematically the informal idea of a flowchart required
a number of papers on flow diagrams, graph schemata and other mod-
337
els; some commonly remembered papers are: lanov [i960], Peter [1958],
Voorhes [1958], Asser [1961], Corn [*196l] and Kaluzhnin [1961]. By the
time of the celebrated Bohm and Jacopini [1966] paper on the construction
of normal forms for flowcharts, the subject of flowcharts was well established.
In some of these papers the underlying data need not be the natural
numbers, strings or bits. In particular, in Kaluzhnin [1961] flowcharts are
modelled using finite connected directed graphs. These have vertices either
with one edge to which are assigned an operation, for computation, or two
exit edges to which are assigned a discriminator, for tests. The graph
has one vertex with no incoming edge, for input, and one vertex with no
outgoing edge, for output. To interpret a so-called graph scheme, a set of
functions is used for the operations, and a set of properties is used for the
discriminators.
Kaluzhnin's work was used in various studies, such as Bigot's early work,
and in Thiele [1966], a major study of programming, in which flow diagrams
are presented that are not necessarily connected graphs. The semantics of
flow diagrams is denned here formally, in terms of the functions
El&(n) = object or data after the nth step in flow diagram A
starting at state ,
Kl&^(n) = edge in flow diagram A traversed after the n-th step
starting at state .
using simultaneous recursions. Thiele's work influenced the formal development of operational semantics as found in the Vienna Definition Language:
see Lauer [1967; 1968] and Lucas et al. [1968]. The important point is
that predicate calculus with function symbols and equality is extended by
adding expressions that correspond with flow diagrams to make an algorithmic language involving graphs.
Thus, in the period 1946-66, some of the basic topics of a theory of computation over any set of data had been recognised, including: equivalence of
flowcharts; substitution of flowcharts into other flowcharts; transformations
and normal forms for flow charts; and logics for reasoning about flowcharts.
Flowcharts were not the only abstract model of computation to be developed.
Against the background of early work on the principles of programming
by A. A. Lyapunov and theoretical work by lanov and others in the former Soviet Union, Ershov [1958] considered computation with any set of
operations on any set of data. In Ershov [i960; 1962] the concept of operator algorithms is developed. These are imperative commands made from
expressions over a set of operations; the algorithms allow self-modification.
The model was used in early work on compilation in the former Soviet
Union. See Ershov and Shura-Bura [1980] for information on early programming.
Of particular interest is McCarthy [1963], which reviewed the requirements and content of a general mathematical theory of computation. It
338
emphasises the idea that classes of functions can be defined on' arbitrary
sets of data. Starting with a (finite) collection F of base functions on some
collection of sets, we can define a class C{F} of functions computable in
terms of F. The mechanism used is that of recursion equations with an
informal operational meaning based on term substitution. An abstract
computability theory is an aimnot 'merely' a model of programming
structure etc.and McCarthy writes (p. 63):
Our characterisation of C{F} as the set of functions computable
in terms of the base functions in F cannot be independently
verified in general since there is no other concept with which it
can be compared. However it is not hard to show that all partial
recursive functions in the sense of Church and Kleene are in
C{zero, succ}.
This, of course, falls short of a generalised Church-Turing thesis. The
paper also mentions functionals and the construction of new sets of data
from old, including a product, union and function space construction for
two sets, and recursive definition of strings. McCarthy's paper is eloquent,
perceptive and an early milestone in the mathematical development of the
subject.
E. Engeler's innovative work on the subject of abstract computability
begins in Engeler [1967]. This contains a mathematically clear account of
program schemes whose operations and tests are taken from a first-order
language over a single-sorted signature. The programs are lists of labelled
conditional and operational instructions of the form
k :
k:
if 4> then goto p else goto q

do ip then goto p
where k, p and q are natural numbers acting as labels for instructions, <f> is
a formula of the language and ijj is an assignment of one of the forms
x:=c,
x:=y
or
x:=f (y x ,... ,yk)
where x, y , . . . are variables, and c and f are any constant and operation
of the signature. Interpretations are given by means of a notion of state,
mapping program variables to data in a model. A basic result proved here
is this:
To each program TT one can associate a formula <f> that is a
countable disjunction of open formulae such that for all models,
TT terminates on all inputs from A
<=> A |= <j>.
Results involving the definability of the halting sets of programs in terms

of computable fragments of infinitary languages will be proved in section
5 and applied in section 6, where we refer to them as versions of Engeler's
lemma.
339
In Engeler [I968a] two new models of computation are given: one is

based on a new form of Kleene ^-recursion, the other on a deductive system. The functions computable by the programs and these two models
are shown to be equivalent. Engeler's development of the subject in the
period 1966-76 addresses original and yet basic questions including the
computability of geometrical constructs, exact and approximate computation, and a Galois theory for specifications and programs: see Engeler
[1993].
The study of program schemes and their interpretation on abstract
structures grew in the early 1970s, along with the theoretical computer science community. Problems concerning program equivalence, decidability
and the expressive power of constructs were studied and formed a subject called program schematology (see, for example, Greibach [1975]). The
problem of finding decidable properties, and especially finding decidable
equivalence results, is work directly influenced by lanov [i960]. The subject of program schemes, and the promise of decidability results on abstract
structures, was addressed in the unpublished Luckham and Park [1964], and
early undecidability results appeared in Luckham et al. [1970]. Program
schematology was part of the response to the need to develop a comprehensive theory of programming languages, joining early work on programming
language semantics, program verification and data abstraction also characteristic of the period. We will look at the subject again in section 8.
The next milestone is that of Friedman [l971a]. Friedman's paper
has received a fine exegesis in Shepherdson [1985] which we recommend.
Against a backcloth of growing interest in the generalisations of computability theory by mathematical logicians, and inspired by the work of
Moschovakis on computation, Friedman considered the mathematical question (in Shepherdson's words):
What becomes of the concepts and results of elementary recursion theory if, instead of considering only computations on natural numbers, we consider computations on data objects from
any relational structure?
In this he gave four models of computation for an algebra A. The first two
were based on register machines, the programs for which were called finite
algorithmic procedures (or faps). The third was a generalisation of Turing
machines. The fourth was a model based a set of r.e. lists of conditional
formulae of the form
Riik...tcRtkt -* ti
for i = 1,2,..., where the fly are tests and the ti is a term, called
effective definitional schemes. In section 8 we will discuss these models
again.
All four models compute the partial recursive functions on the natural
numbers. Freidman organised some 22 basic theorems of computability
theory on the natural numbers N into six groups which were defined by
340
the properties of a structure A that are sufficient to prove the theorems on

A. Also noteworthy are results which showed some of these models are not
equivalent in the abstract setting.
Friedman's paper is technically intense, with several good ideas and
results. Looking back at the literature, one wonders why such an indispensable paper had not appeared before.
The theory of computation on natural numbers and strings began in
mathematical logic, motivated by questions in the foundations of mathematics. However, the theory of computation on arbitrary algebraic and relational structures began and was sustained in computer science, motivated
by the need to model programming language constructs. Mathematical
logic plays two roles: firstly, it provides knowledge of abstract structures,
formal languages and their semantics; and secondly, it provides a deep
theory of computation on natural numbers.
Both the complicated history of algebra and computability theory mentioned earlier (and sketched in the historical notes of other Handbook chapters), and the development of abstract computability since the 1950s, have
much to offer those interested in the historical development of mathematical
theories. In the matter of the development of abstract computability these
brief notes, coupled with our survey in section 8, suggest some questions a
historical analysis might answer. Why have there been many independent
attempts at making models of computation but relatively few attempts
to show equivalencies, or undertake sustained programmes of theoretical
development and applications? Why have there been so many demonstrations of an ability to ignore earlier work and to reinvent ideas and results?
Why was the development of the theory so slow and messy? Why was
computability theory on the natural numbers not generalised to rings and
fields, or even relational structures, before the Second World War? Why
did the subject not find a home in mathematical logic?
It is clear that computer science played an essential role in creating the
theory of computable functions on abstract algebras. One is reminded of
McCarthy's [1963] commonly quoted words:
It is reasonable to hope that the relationship between computation and mathematical logic will be as fruitful in the next century
as that between analysis and physics in the last. The development of this relationship demands a concern for both applications and for mathematical elegance.
It also demands patience.
1.5
Objectives and structure of the chapter
Computability theory over algebras can be developed in many directions

and can be used in many applications. In this short introduction we have
chosen to emphasise computation on general many-sorted algebras.
We see algebra as providing a general theory of data that is theoretically
satisfying and practically useful. Therefore, theories of what is computable
341
over algebras are fundamental for a general theory of data.

In section 2 we define the basic algebraic notions we will need: algebras with Booleans and naturals, relative homomorphisms, terms and their
evaluation, abstract data types, etc. In particular, we look at expanding
an algebra A, by adding new types such as finite sequences to make a new
algebra A* that models arrays, and adding infinite sequences to make a
new algebra A that models infinite streams of data.
In section 3 we begin the study of computing on algebras with While
programs. For a satisfactory theory, the algebras are required to include
the Booleans and standard Boolean operations. Such algebras are called
standard algebras. The semantics of While programs on A is given by a
new technique called algebraic operational semantics (AOS). This involves
axioinatising a function CompA that defines the state CompA (S, o~, t) at
time t in the computation by program 5 starting in intial state a. From
this we obtain a state transformer semantics in which a program 5, applied
to a state o~, may give rise to a final state [S']"4^).
Simple but important properties of computations are examined. First,
the invariance of computations under homomorphisms and isomorphisms:
if algebras A and B are isomorphic, then the semantical interpretations
of any While program S on A and B are isomorphic. This result has
many consequences; for example, it comfirms that executing a While program on equivalent implementations of a data type results in equivalent
computations.
The second property is that each computation by a While program
S takes place in the subalgebra of A generated by the input. This is a
key to understanding the nature of abstract computation: in any algebra
computations are local to the input in this sense and, for instance, searches
are at best local.
Next, in section 4, we consider the universality of computation by
While programs. Let A be an algebra with Booleans and naturals. We
can code the While programs
So , S\ , 82,
by the natural numbers in A and ask if there exists a universal While

program to compute the function Univ"4 on A such that
We prove that the universal function is While computable on A if, and

only if, the term evaluation function is While computable on A.
The evaluation of terms is not always computable. However, it is
While computable in several commonly used algebras such as: semigroups, groups, rings, fields, lattices, Boolean algebras; this because such
algebras have computationally efficient normal forms for their terms. For
any algebra A, the algebra A" of finite sequences from A has the property
342
that term evaluation is always While computable on it; hence, the model
of While* programs is universal.
In section 5 we turn our attention to sets. We begin with a study of
computable and semicomputable sets. We prove Post's theorem in the
present setting. We also study the ideas of projections of computable and
semicomputable sets. It turns out that the classes of computable and semicomputable sets are not closed under projection. The notion of projection is
very important since it distinguishes clearly between forms of specification
and computation. Furthermore, it focuses our attention to the difference
between local search and global search in computation.
Projections also lead us to consider the relationship between While
programming and certain non-deterministic constructs on data. These include: search procedures; initialisation mechanisms; and random assignments.
Next, with each While program is associated a computation tree. With
this technique, we prove that every semicomputable set is definable by an
effective infinite disjunction of Boolean terms over the signature.
In section 6 we illustrate the core of the theory with a study of its
application to computing sets of real and complex numbers over various
many sorted algebras. We include some pleasing examples from dynamical
systems.
In section 7 we return to the special properties and problems of computation of the reals. More generally, we study computation on topological
algebras. A key consideration is the property that if a function is computable then it is continuous. To guarantee a good selection of applications
we use partial functions, which raises interesting topological issues. This
study of programming over topological algebras contains new material.
We also contrast exact versus approximate computation on the reals.
The following fact was observed in Shepherdson [1976]. Let / be a function
on the reals. Then / is computable in the sense of computable analysis if,
and only if, there is a function g which is While computable over the
algebra (E, B, N; 0, 1, x + y, x.y, x,...) such that
\f(x)-g(n,x)\<2-n
for all n N and x 6 K. We extend and adapt this result to topological
algebras.
In section 8 we survey other models of computation and see their relation with While programs. We consider briefly: /^-recursive functions;
register machines; flowcharts; axiomatic methods; set recursion; and equational definability. A generalised Church-Turing thesis is discussed.
There are many subjects that we have omitted from the discussion, for
example: the delicate classification of the power of constucts, including
types; computations with streams; program verification; connections with
proof theory; connections with model theory; degree theory; and generalised complexity theory. There will be good work by many authors that
343
we have neglected to mention, from ignorance or forgetfulness. We will

be pleased to receive reminders, information and suggestions. Abstract
computability theory is a subject that offers its students considerable theoretical scope, many areas of application, and scientific longevity. We hope
this chapter provides a first introduction that is satisfying, stimulating and
pleasurable.
We thank Jan Bergstra (Amsterdam), Martin Davis (NYU and Berkeley), Jens Erik Fenstad (Oslo), Dag Norman (Oslo), Viggo StoltenbergHansen (Uppsala) and Karen Stephenson (Swansea) for useful discussions
on aspects of this work. We thank Peter Lauer (McMaster) and Ithel Jones
(Swansea) for discussions and information on the history of programming
language semantics. We also thank our colleagues and students in Swansea
and McMaster for their helpful responses to the material in courses and
seminars, especially Jeff Koster, Matthew Poole, Dafydd Rees, Kristian
Stewart, Anton Wilder and Ian Woodhouse.
Special thanks are due to Sol Feferman, who presented some of the
material of this chapter at a graduate course in computation theory at
Stanford University in spring 1999, and provided us with valuable feedback.
We are particularly grateful to Jane Spurr for her excellent and essential
work in producing the final version of the chapter.
The second author is grateful for funding by a grant from the Natural
Science and Engineering Research Council of Canada.
1.6
Prerequisites
First, we assume the reader is familiar with the theory of the recursive
functions on the natural numbers. It is treated in many books such as
Rogers [1967], Mal'cev [1973], Cutland [1980] and Machtey and Young
[1978]. An introduction to the subject is contained in this Handbook (see
Phillips [1992]) and other handbooks (e.g. Enderton [1977]).
Secondly, we assume the reader is familiar with the basics of universal
algebra. Some mathematical text-books are: Burris and Sankappanavar
[1981] and McKenzie et al. [1987]. An introduction to the subject with the
needs of computer science in mind is contained in this Handbook (see Meinke
and Tucker [1992]) and in Wechler [1992]. The application of universal
algebra to the specification of data types is treated in Ehrig and Mahr
[1985], Meseguer and Goguen [1985] and Wirsing [1991]. The theory of
computable and other effective algebras is covered by Stoltenberg-Hansen
and Tucker [1995].
Thirdly, we will need some topology. This is covered in many books,
such as Dugundji [1966] and Kelley [1955] and in a chapter in this Handbook
(see Smyth [1992]).
Finally, we note that the subject connects with other subjects, including
term rewriting (see, for example, Klop [1992]) and domain theory (see, for
example, Stoltenberg-Hansen et al. [1994]).
344
In this section we define some basic algebraic concepts, establish notations

and introduce three constructions of many-sorted algebras. We will use
many-sorted algebras equipped with Booleans, which we call standard algebras. Sometimes we use algebras with the natural numbers as well, which
we call N-standard algebras. All our algebras have total operations, except
in section 7, where we compute on topological partial algebras.
We are particularly interested in the effects on computations of adding
and removing operations in algebras. To keep track of these changes, we
use expansions and reducts of algebras, and relative homomorphisms.
The constructions of new algebras from old involve adding (i) unspecified elements, (ii) finite arrays, and (Hi) infinite streams.
2.1
Signatures
Definition 2.1 (Many-sorted signatures). A signature E (for a manysorted algebra) is a pair consisting of (1) a finite set Sort(S) of sorts,
and (2) a finite set Fnc(E) of (primitive or basic) function symbols, each
symbol F having a type si x ... x sm -t s, where m > 0 is the arity of F,
and 81,... ,sm Sort(E) are the domain sorts and s Sort(S) is the
range sort; in such a case we write
F : Si x ... x sm - s.
The case ra = 0 corresponds to constant symbols; we then write F : > s
or just F : s.
Our signatures do not explicitly include relation symbols; relations will
be interpreted as Boolean-valued functions.
Definition 2.2 (Product types over E). A product type over E,
or Yi-product type, is a symbol of the form s\ x . . . x sm (m > 0),
where si,... ,sm are sorts of E, called its component sorts. We define
ProdType(E) to be the set of S-product types, with elements u,v,w,
If u = Si x ... x sm, we put lgth(u) = m, the length of u. When
lgth(u) = 1, we identify u with its component sort. When lgth(u) = 0, u
is the empty product type.
For a E-product type u and E-sort s, let Func(Y,)u^.s denote the set
of all S-function symbols of type u > s.
Definition 2.3 (E-algebras). A ^-algebra A has, for each sort s of E,
a non-empty set As, called the carrier of sort s, and for each E-function
symbol F : si x ... x sm - s, a function FA : ASl x x ASm -> As.
For a E-product type u s\ x ... x sm, we write
Au =df ASl x ... x A8m.
Thus x Au if, and only if, x (x\,... ,xm), where Xi 6 ASi for i =
1,... ,m. So each E-function symbol F : u > s has an interpretation
345
FA : Au - As. If u is empty, i.e., F is a constant symbol, then FA is an

element of As.
We will sometimes use the same notation for a function symbol F and
its interpretation FA. The meaning will be clear from the context.
For most of this chapter, we make the following assumption.
Assumption 2.4 (Totality). The algebras A are total, i.e., FA is total
for each S-function symbol F.
Later (in section 7) we will drop this assumption, in our study of partial
algebras.
We will sometimes write H(A) to denote the signature of an algebra A.
We will also consider classes K of S-algebras. In particular, Alg(E)
denotes the class of all E-algebras.
We will use the following perspicuous notation for signatures E:
signature
sorts
s,
(s Sort(E))
F : si x ... x sm -+ s,
(F eFwnc(E))
functions
end
and for E-structures A:

algebra
carriers
As,
(s Sort(E))
functions
FA : ASl x . . . x ASm - As,
end
Examples 2.5. (a) The algebra of naturals A/o = (N; 0, succ) has a signature containing the sort nat and the function symbols 0: -nat and
succ:nat-nat. We can display this signature thus:
346

signature
sorts
functions
nat
0: nat,
S:nat-nat
end
In practice, we can display the algebra thus:

algebra
carriers
functions
A/o
N
0:
S:
end
from which the signature can be inferred. Below, we will often display the
algebra instead of the signature.
(b) The ring of reals Tô = (K; 0,1, +,-, x) has a carrier ffi of sort real, and
can be displayed as follows:
algebra
carriers
functions
72
R
0,1: _1_ s, .
-r, X .
- :R
end
(c) The algebra Co of complex numbers has two sorts, complex and real, and
hence two carriers, C and HL It includes the algebra 72.Q, and therefore has
all the operations on ]R listed in (b), as well as operations on C, as follows:
algebra
import
carriers
functions
C0
Ti0
C
0, l,i : - C,
+, x : C2 - C,
- : C -> C,
re,im: C -> R,
TT : R2 -> C
end
where TT is the inverse of re and im.

(d) A group has the form

algebra
carriers
functions
347
G
1 : - G,
* : G2 -> G,
inv: G - G
end
where the carrier G has sort grp.

The concepts of reduct and expansion will be important in our work.
Definition 2.6 (Reducts and expansions). Let and ' be signatures.
(a) We write C ' to mean Sor<()C Sort(')and Ftmc()C
Func(S')(6) Suppose C '. Let A and A' be algebras with signatures and
' respectively.
(i) The 'E-reduct A'\- of A' is the algebra of signature , consisting
of the carriers of A' named by the sorts of and equipped with
the functions of A' named by the function symbols of .
(ii) A' is a ''-expansion of A if, and only if, A is the -reduct of A'.
Example 2.7. The algebra Co (see Example 2.5(c)) is an expansion
to E(Cb).
Definition 2.8 (Function types). We collect some definitions and notation. Let A be a -algebra.
(a) A function type over , or -function type, is a symbol of the form
u -> v, with domain type u and range type v, where u and v are
-product types.
(&) For any -function type u -> v, a function of type u -+ v over A is a
function
f :AU -> Av.
(2.1)
If v = si x . . . x sn then the component functions of / are /i , . . . , /n,

where
/> : ^ -> ^
(2-2)
for j = 1, . . . , n, and for all a; Au,

f ( x ) ~ (/!(*),..-,/(*)).
(2.3)
(We will explain the '~' in (c) below.) Conversely, given n functions
fj as in (2.2), all with the same domain type u, and with range types
(or sorts) si, . . . , sn respectively, we can form their vectorisation as
a function / satisfying (2.1) and (2.3).
348
We will investigate computable vector-valued functions (2.1) over A.

(c) Although all the primitive functions of S are total, the computable
functions on the S-algebra may very well be partial, as we will see.
We use the following notation: if / : Au -> As and x Au, then f(x)^
('/(#) diverges') means that x ^ dom(f); f ( x ) ] , (lf(x) converges')
means that x & dom(f); and f ( x ) y ('f(x) converges to y') means
that x dom(f) and f ( x ) = y.
We also make the following convention for convergence of vectorvalued functions: in the notation of (2.1) and (2.2), for any x 6 Au,
we say that f ( x ) if, and only if, fj(x) for every component function
fj o f / , in which case f ( x ) = ( f i ( x ) , . . . , f n ( x ) ) . Otherwise (i.e., if
fj(x) t for any j with 1 < j < n), we say that f ( x ) j. (That is the
meaning of the symbol '~' in (2.3) above.)
Definition 2.9 (Relations; projections of relations). We collect some
more definitions and notation.
(a) A relation on A of type u is a subset of Au. We write R : u if R is a
relation of type u.
Let R be a relation on A of type u = si x . . . x sm.
(b) The characteristic function of R is the function \n ' Au ~+ which
takes the values tt on R and ff off R.
(c) The complement of R in A is the relation
Rc = AU\R = {a Au a R},
also of type u.
(<f) (Projections.) To explain this notion, we begin with an example.
Suppose R : u where u = si x s% x 53 x 54 x 85. Now let v = s\ x s^ x 83
and w = 84 x s5. Then the projection of R on v (or on Av), or
the Au'-projection of R, is the relation 5 : v defined by existentially
quantifying over Aw:
S(xi,x2,x3) <=> 3z 4 ,x 5 Aw : R(x1,... ,x5).
More generally (with R : u where u = si x . . . x s m ) let i be any

list of numbers ii,... ,ir such that 1 < i\ < ... < ir < m, and
~t
~~*
~?
let j = ji,... ,jm-r >list {!,... ,m} \ i. Then u i denotes the
restriction of u to i, that is, the product type s,j x ... x Sirr; and
-^
-+
.-*
-+
pro.7'[M| i ](-R) is the projection of R on i (or on ^4U| * ) , or the Au*3 projection of R, that is, the relation 5 : u i defined by existentially
quantifying over Au\J':
-+
,... ,xm).
2.2
349
Terms and subalgebras
Definition 2.10 (Closed terms over E). We define the class T(E) of
closed terms over E, denoted t, t', ti,..., and for each E-sort s, the class
T(S)gof closed terms of sort s. These are generated inductively by the
rule: if F Func(E) u _ >g and ti 6 T(E)Si for i = 1,... ,m, where
u = si x ... x s m , then F(ti,... , *m) T(E) g .
Note that the implicit base case of this inductive definition is that of
m = 0, which yields: for all constants c : > s , c ( ) T(E)S. In this case we
write c instead of c(). Hence if contains no constants, T() is empty.
Definition 2.11 (Valuation of closed terms). For A Alg() and t
T(S)S, we define the valuation tA As o f t in A by structural induction
on t:
F(ti,...,tm)A = FA((tl)A,...
,(tm)A).
In particular, for m 0, i.e., for a constant c : -4 s,

CA = CA.
We want a situation where T(E) is non-empty, and, in fact, T()s is

non-empty for each s Sort(E). We therefore proceed as follows.
Definition 2.12. The signature E is said to be:
(a) non-void at sort s if T(E) S ^ 0;
(6) non-void if it is non-void at all S-sorts.
Assumption 2.13 (Instantiation). E is non-void.
Throughout this paper we will make this assumption, except where
explicitly stated: see, for example, Remark 2.31(e). It simplifies the theory
of many-sorted algebras (see Meinke and Tucker [1992]).
Definition 2.14 (Default terms; default values).
(a) For each sort s, we pick a closed term of sort s. (There is at least one,
by the instantiation assumption.) We call this the default term of sort
s, written 6s. Further, for each product type u = si x ... x sm of S,
the default (term) tuple of type u, written Su, is the tuple of default
terms (SSl,... ,6s).
(b) Given a S-algebra A, for any sort s, the default value) of sort s in A
is the valuation <5ê Aa of the default term, d s ; and for any product
type u = s\ x ... x sm, the default (value) tuple of type u in A is the
tuple of default values 6U A = (6%,... , 8'j") (E Au.
Definition 2.15 (Generated subalgebras). Let X C Uesoft() ^Then (X)'4 is the (,-)subalgebra of A generated by X, i.e., the smallest
subalgebra of A which contains X, and (X)^ is the carrier of (X)'4 of sort
350
s. (See Meinke and Tucker [1992, 3-2.6 ff] for definitions.) Also for a
product type u = si x ... x sm,
(X)AU = < J f x . . . x <*)..

Similarly, for a tuple a Au, (a)A is the (T,-) subalgebra of A generated by
a, etc.
Remark 2.16.
(a) Using the terminology of sections 3.1-3.3, we can characterise (for all
E-sorts s and S-product types u) the sets (X)A and (X)^ by
(X)A={[t]A(r \ t e Terms (S) and for all x var(t),a(x) X}
(X)A={[t]A(T I t TermTupu(S) and for all x var(t),a(x) X.}
(6) The smallest subalgebra of A is its closed term subalgebra, given by
(9)A = {tA \t e T(E)}.

(c) The instantiation assumption implies that for any X and every sort
s, (X)A 0.
Definition 2.17 (Minimal carriers; minimal algebra).
Let A be a S-algebra, and s a S-sort.
(a) ^4 is minimal at s (or the carrier As is mimimal in A) if As ={0)^,
i.e., As is generated by the closed S-terms of sort s.
(b) A is minimal if it is minimal at every E-sort.
Example 2.18. To take examples from later:
(a) Every N-standard algebra (section 2.5) is minimal at sorts bool and
nat.
(b) The ring of reals 7o (Example 2.5) (or its standardisation (section
2.4) or ./V-standardisation (section 2.5)) is not minimal at sort real.
2.3
Homomorphisms, isomorphisms and abstract data

types
Given a signature E, the notions of 'S-homomorphism as well as E-epzmorphism (surjective), T,-monomorphism (injective), 'E-isomorphism (bijective) and E-automorphism are defined as usual (see [Meinke and Tucker,
1992, 3.4]). We need a more sophisticated notion, that of relative homomorphism.
Definition 2.19 (Relative homomorphism and isomorphism). Let
E and E' be signatures with C E'. Let A and B be two standard E'algebras such that
351
(a) A Y,'-homomorphism relative to S from A to B, or a E'/E-/iomom0rp/iism </>: A -> B, is a Sort(E')-indexed family of mappings
< = {< : As - Bs | s Sort(E'))
which is a S'-homomorphism from A to B, such that for all s
Sort(S), <f>, is the identity on As.
(b) A E'/E-isomorphism from ^4 to B is a E'/E-homomorphism which is
also a S'-isomorphism from A to B.
(c) A and B are E'/S-Momorptac, written A E-/E B, if there is a S'/Eisomorphism from A to B.
Definition 2.20 (Abstract data types). An abstract data type of signature E (S-adt) is defined to be a class K of E-algebras closed under
!Z-isomorphism. Examples of S-adt's are:
(a) the class Mod(S,T) of all models of a first-order E-theory T;
(b) the isomorphism class of a particular E-algebra.
2.4
Adding Booleans: Standard signatures and algebras
An very important signature for our purposes is the signature of Booleans:

signature
sorts
functions
bool
true, false: -bool,
and, or: bool2 ->bool
not: bool->bool
end
The algebra B of Booleans, with signature E(/B), has the carrier B =

{tt, ff} of sort bool, and, as constants and functions, the standard interpretations of the function and constant symbols of E(B). Thus, for example,
true 6 = tt and false6 = ff.
Of particular interest to us are those signatures and algebras which
contain S(B) and B.
Definition 2.21 (Standard signatures and algebras).
(a) A signature E is a standard signature if
(i) S(B) C E, and
(zz) the function symbols of E include a discriminator
if s : bool x s2 > s
for all sorts s of S other than bool, and an equality operator
352

eqs : s2 > bool
for certain sorts s.

(b) Given a standard signature S, a E-algebra A is a standard algebra if
(z) it is an expansion of B, and
(M) the discriminators and equality operators have their standard
interpretation in A; i.e., for 6 e B and x,y As,
ifs(b,x,y)
if b = f,
and eqs is interpreted as the identity on each equality sort s.

Let EqSort(T,)CSort() denote the set of equality sorts of S, and let
StdAlg(Y>) denote the class of standard E-algebras.
Remark 2.22.
(a) Strictly speaking, the definition of standardness of a signature E or
algebra depends on the choice of the set EqSort(%) of equality sorts
of E. However, our terminology and notation will not make this
dependence explicit.
(b) The exact choice of the set of propositional connectives in B is not
crucial; any complete set would do.
(c) Excluding the sort bool from the sorts of the discriminator is not
significant; we can easily define ifbooi from the other Boolean operators. Also, eqb0oi can easily be defined. (Exercise.)
(d) Any many-sorted signature E can be standardised to a signature EB
by adjoining the sort bool together with the standard Boolean operations; and, correspondingly, any algebra A can be standardised
to an algebra AB by adjoining the algebra B and the discriminator
and equality operators. Note that both A and B are reducts of this
standardisation AB. (See the examples below.)
(e) If A and B are two standard E-algebras, then any S-homorphism
from A to B is actually a E/E(#)-homomorphism, i.e., it fixes the
reduct B.
Examples 2.23.
(a) The simplest standard algebra is the algebra B of the Booleans.
(b) The standard algebra of naturals JV is formed by standardising the
algebra .A/o of Example 2.5(a), with nat as an equality sort, and,
further, adjoining the order relation1 lessnat on N:
x
The reason for adjoining lessnat will be clear later: in the proof of Theorem 3.63
(*/ conservativity for terms), we need it for the translation of E*-terms to S^-terms.

algebra
import
functions
353
A/b.B
if Mt : B x N2 -) N,
on
locc
-T^P
L TO,
end
(c) The standard algebra 71 of reals is formed similarly by standardising

the ring HQ of Example 2.5(6), with real as an equality sort:
algebra
U
import
"R-0,13
functions if real :B x
eqreai:
end
(d) We will also be interested (in section 5) in the expansion 7?,< of "R,
formed by adjoining the order relation on the reals lessreai: M2 B,
thus:
algebra
import
functions
K<
H
lessreai:IR2
end
(e) The standard algebra C of complex numbers C is formed similarly

by standardising the algebra Co of Example 2.5(c), with equality on
both E and C.
(/) Again, we will consider the expansion C < of C formed by adjoining
(g) The standard group Q is formed similarly by standardising the group
Go, with equality on G.
Throughout this chapter, we will assume the following, unless otherwise
stated.
Assumption 2.24 (Standardness). The signature and the S-algebra
A are standard.
2.5
Adding counters: N-standard signatures and algebras
Definition 2.25.
(a) A standard signature E is called N-standard if it includes (as well
as bool) the numerical sort nat, as well as function symbols for the
standard operations of zero, successor and order on the naturals:
0:
S:
lessn
-> nat
nat -* nat
bool
nar
354
as well as the discriminator if nat and the equality operator eqnat on

nat.
(6) The corresponding E-algebra A is N-standard if the carrier A nat is the
set of natural numbers N = {0,1,2,...}, and the standard operations
(listed above) have their standard interpretations on N.
Definition 2.26.
(a) The N-standardisation S^ of a standard signature S is formed by
adjoining the sort nat and the operations 0,5, eq na t, lessnat and if nat .
(b) The N-standardisation AN of a standard S-algebra A is the T,Nalgebra formed by adjoining the carrier N together with certain standard operations to A, thus:
algebra
import
carriers
functions
AN
A
N
0 : -> N
S:N-N
if nat :B x N2
eqnat,lessnat:f
end
(c) The N-standardisation ~KN of a class K of E-algebras is (the closure
with respect to E^/E-isomorphism of) the class {AN | A K}.
Examples 2.27.
(a) The simplest ./V-standard algebra is the algebra M of Example 2.23(6).
(6) We can ./V-standardise the real and complex rings Ti and C, and the
group Q of Examples 2.23, to form the algebras HN, CN and QN,
respectively.
Remark 2.28.
(a) For any standard A, both A and N are H-reducts of the ^-standardisation AN (cf. Remark 2.22(d)).
(b) If A and B are two TV-standard E-algebras, then any E-homorphism
from A to B is actually a E/S(^V)-homomorphism, i.e., it fixes the
reduct N (cf. Remark 2.22(e)).
(c) A E-homomorphism (or E-isomorphism) between two standard Ealgebras A and B can be extended to a S-homomorphism (or Eisomorphism) between AN and BN. (Exercise.)
(d) If A is already JV-standard, then AN will contain a second copy of N,
with (only) the standard operations on it. Further, AN can be effectively coded within A, using a standard coding of I^2 in N. (Check.)
(e) In particular, (^4^)^ can be effectively coded within AN.
We will occasionally make use of a notion stricter than ./V-standardness.
355
Definition 2.29 (Strict W-standardness).

(a) An N-standard signature S is said to be strictly N-standard if its
only function symbols with range sort nat are '0', 'S' and 'if nat '.
(b) An AT-standard algebra is strictly N-standard if its signature is.
Note that the TV-standardisation of any algebra is strictly ,/V-standard.
2.6
Adding the unspecified value ui; algebras A" of signature Eu
In this subsection, we need not assume that and A are standard. For each
sort s of let ui be a new object, representing an 'unspecified value', and let
A* = As U {uis}. For each function symbol F of S of type si x . . . x sm ->
s, extend its interpretation FA on A to a function
FA>" : A"Sl x ... x ASm > Aus
by strictness i.e. the value is denned as ui whenever any argument is ui.
Then the algebra A u , with signature Su, contains:
(i) the original carriers A3 of sort s, and functions FA on them;
(ii) the new carriers A" of sort su, and functions F A>U on them;
(Hi) a constant unspecss : su to denote uis as a distinguished element of
A"; and
(TO) an embedding function \s : s - su to denote the embedding of As
into A", and the inverse function js : su - s, mapping ui s to the
default term 5s for each sort s.
Further, if A is a standard algebra, we assume Au also includes:
(v) a Boolean-valued function Unspecss : su - bool, the characteristic
function of ui;
(vi) the discriminator on A* for each sort s; and
(vii) the equality operator on A" for each equality sort s.
Thus, if A is standard, A is constructed from A as follows:
algebra
import
carriers
functions
A"
A
A"
ui, : -> A1
r ' : ^*-ai X ... X AS
i . A
\. A**
>s "-, ^ flg
}s : Al -> As
Unspec s : A" - B
if su : B x (.A")2 -> A*
eqsu : (A")2 - B
end
(s S)
(s e s),
-> -A
(F : si x . . . x sm -> s in E),
(s 6 S),
(s e S),
(s e 5),
(s e S),
(s e Se)
356
where S=Sort(E)and Se = Jg,Sor<(E)(and the superscript A has been

dropped from the new function symbols).
Also, K" is (the closure with respect to Su/E-isomorphism of) the class
{A* | A e K}.
Remark 2.30.
(a) The algebra Au is a ^-expansion of A. If S has r sorts, then Eu has
2r sorts.
(b) If A is standard, then so is Au.
(c) Suppose A (and hence A") is standard. Then A" can be effectively
coded within A. Each element y of Aus is represented by the pair
(b, js(y)) B x As, where b = tt if y ^ ui s and 6 = ff otherwise.
This induces, in an obvious way, a coding of the operations on A"
by operations on A. (The coding is described in [Tucker and Zucker,
1988] for a slightly different definition of Auhowever, it is clear how
to modify that for the present context.)
(d) (Two- and three-valued Boolean operations.) Suppose again that A
is standard. Then Au contains the carrier Bu = {tt, f, ui} as well
as B, with associated extensions of the original standard Boolean
operations, leading to a weak three-valued logic (see [Kleene, 1952;
Tucker and Zucker, 1988]). Further, there are two equality operations
on A" for each equality sort s:
(i) the extension by strictness of eqf to a three-valued function
eq^'u : Aus x Aus -> Bu
which has the value uibooi if either argument is uis; (ii) the standard
(two-valued) equality on A",
eqf : A" x A". ^ B,
which we will usually denote by '=' in infix.

(e) Some of the functions in Au are not strict, namely the (interpretations
of) the discriminator if, the function Unspecs and the two-valued
equality operator equ (see (d)(ii) above).
(/) A E-homomorphism (or S-isomorphism) between two standard Ealgebras A and B can be extended to a E-homomorphism (or isomorphism) between A" and Bu. (Exercise.)
2.7
Adding arrays: Algebras A* of signature S*
Given a standard signature S, and standard E-algebra A, we extend E and

expand A in three stages:
(1) Construct Eu and Au, as in section 2.6.
(2) N-standardise these to form UTJV and A"'N, as in section 2.5.
(3) Define, for each sort s of S, the carrier A*s to be the set of pairs
357
a* = (,/)
where a : N - AJ, / N and, for all n > I,

a(ri) = ui s .
So / is a witness to the "finiteness" of a, or an 'effective upper bound' for

a*. The elements of A*s have "starred sort" s*, and can be considered as
finite sequences or arrays. The resulting algebras A* have signature *,
which extends S u>Ar by including, for each sort s of S, the new starred sorts
s* (in addition to s u ), and also the following new function symbols:
(i) the null array Null s of type s*, where
Null? = (An -in., 0)A*t;
(if) the application operator Ap g of type s* x nat > s" , where
Ap?((a,0,n)=a(n);
(Hi) the Updates operator of type s* x nat x su ->*, where for (a,/)
A*,n e N and x Aus, Update^((a,l),n,x) is the array (0,1) A*
such that for all k e N,
a(fe)
x
uis
if k<l,k^n
if k<l,k = n
otherwise;
(w) the Lgths operator, of type s* -> nat, where
(w) the Newlengths operator of type s* x nat -> s*, where Newlength^1
((a, Z),m) is the array (/3,m) such that for all fc,
Ufc)
I ui s
if k<m
if K > m;
(uz) the discriminator on A* for each sort s; and

(UM) the equality operator on A* for each equality sort s.
The justification for (vii) is that if a sort s has 'computable' equality,
then clearly so has the sort s*, since it amounts to testing equality of finitely
many pairs of objects of sort s, up to a computable length.
For a* A; and n e N, we write a*[n] for j^(Ap^(a*,n)). Thus a*[n]
is the element of As 'corresponding to' Ap(a*,n) 6 A".
358
To depict this construction of A* from a standard A: suppose we have

constructed Au as in section 2.6, and then ^-standardised it to AU'N as in
section 2.5. We now proceed as follows:
algebra
import
carriers
functions
A'
AU,N
A:
Nulls : -> A*s
Aps : A; x N -> A".
Updates : A*s x N x A", -> A*s
Lgths : A; -> N
Newlengths : yl* x N -> A*
if,. : B x (A*) 2 - .4*
eqs, : (A;)2 -+ 1
(aS)
(aS)
(a 5 )
(aS)
(aeS)
(a 5)
(aeS)
(* Se)
end
where again S = Sort(S)and Se = EqSort()(and the superscript has

been dropped from the new function symbols).
Also, K* is (the closure with respect to S*/E-isomorphism of) the class
{A* | A e K}.
Remark 2.31.
(a) The algebra A* is a E*- expansion of A", and (hence) of A. If S has
r sorts, then S* has 3r + 1 sorts, namely s, su and s* for each sort s
of S, and also nat.
(6) S* and A* are W-standard.
(c) (Internal versions of A* and E*.) Suppose A is ./V-standard. Then
AN has a second copy of N, and, according to our definition above,
A* is constructed on AN using this second copy of N. Let A*' (of
sort *') be an alternative version of A" constructed on A, using
the 'original' copy of N. Then A* and A*' can be effectively coded in
each other. (Check; cf. Remark 2.28(d).) We call A*' and *' internal
versions of ^4* and S*, respectively.
(d) We may also need to speak of finite sequences of starred sorts. However, we do not have to introduce an algebra (A*)* of 'doubly starred'
carrier sets containing 'two-dimensional arrays'; such an algebra can
be effectively coded in A*, since we can effectively code a finite sequence of starred objects of a given sort as a single starred object
of the same sort, thanks to the explicit Lgth operation. More precisely, a sequence X Q , . . . , x*k_l of elements of A* (for some sort s) can
be coded as a pair (y*,n*) A*s x N*, where Lgth(n*) = k, and, for
0<j<k, n*\j] = Lgth(xp, and Lgth(j/*) = n*[0] + . . .+n*[fc-l], and
for 1 < j < k and 0<i< n*\j], y*[n*[Q] + . . . + n*\j - 1] + i] = xj[i].
(e) A E-homomorphism (or S-isomorphism) between two standard Ealgebras A and B can be extended to a E-homomorphism (or Eisomorphism) between A* and B*. (Exercise; cf. Remarks 2.28(c)
359
and 2.30(/).)
(/) The reason for introducing starred sorts is the lack of effective coding
of finite sequences within abstract algebras in general.
(g) Starred sorts have significance in programming languages, since
starred variables can be used to model arrays, and (hence) finite but
unbounded memory.
2.8
Adding streams: Algebras A of signature E
Let, again, be a standard signature, and A a standard E-algebra. We

define an extension of and a corresponding expansion of A, alternative
to * and A*.
First we ./V-standardise and A, to form w and AN .
Then we choose a set S C Sort(S) of pre-stream sorts. We then extend
N
T, to a stream signature relative to S: in the following way.
(a) With each s S , we associate a new stream sort s, also written nat >
s. Then SoH(S)=,Sort()US, where S =df {s \ s S}.
(b) Func (E )consists of Fwnc(E), together with the evaluation function
evals : (nat -> s) x nat -> s,
for each s e S.
Now we can expand AN to a S -stream algebra As by adding for each
pre-stream sort s:
(i) the carrier for nat > s, which is the set
of all streams on A, i.e. functions : N -> A;

(ii) the interpretation of evals on A as the function eval^ : [N -> As] x N
As which evaluates a stream at an index, i.e.,
eval? (,) = ();
(Hi) the discriminator on As, for all s S.
The algebra As is the f/u//,) stream algebra over A with respect to S.
This construction of As from a standard A is depicted by:
algebra
import
carriers
functions
As
AN
[N
evalf : [N -Ag] x N -> As
iff : B x ([N ->A g ]) 2 -4 [N
end
where now S is the set of stream sorts.
360
_
c
Also, Ks is (the closure with respect to S /E-isomorphism of) the class
{A | A K}.
Remark 2.32.
_
'S
(a) The algebra As is a E -expansion of A. If S has r sorts, then S

has r + k + 1 sorts, where k is the cardinality of S.
(b) E and As are TV-standard.

(c) Because we have taken As to be the set of all streams on As, we call
As the full stream algebra (with respect to S). Note that if yls_has
cardinality greater than 1 for some s S, then As, and hence A, is
uncountable.
(d) A E-homomorphism (or S-isomorphism) between two standard Ealgebras A and B can be extended to a E-homomorphism (or Sisomorphism) between A and B. (Exercise; cf. Remarks 2.28(c),
2.30(/) and 2.31(e).)
(e) Note that the instantiation assumption does not hold (in general) on
stream algebras.
In this section, we begin to study the computation of functions and relations on algebras by means of imperative programming models. We start
by defining a simple programming language While = While(E), whose
programs are constructed from concurrent assignments, sequential composition, the conditional and the 'while' construct, and may be interpreted on
any many-sorted S-algebra; this takes up sections 3.1-3.6. We will define
in detail the abstract syntax and semantics of this language, and methods
by which its programs can compute functions and relations. In sections
3.7 and 3.8 we prove some algebraic properties of computation on algebras,
with regard to homomomorphisms and locality.
In sections 3.9-3.13, we will add to the basic language a number of
new constructs, namely 'for', procedure calls and arrays, and extend our
model of computation accordingly. In section 3.14 we study the concept
of a sequence of 'snapshots' of a computation, which will be useful later
in investigating the solvability of the halting problem in certain (locally
finite) algebras.
We conclude (section 3.15) with a useful syntactic conservativity theorem for S*-terms over S-terms.
We illustrate the theory with several examples of computations on the
algebras of real and complex numbers.
Throughout section 3, we assume (following Convention 1.4.3) that
E is a standard signature,and A is a standard 'S-algebra.
3.1
361
Syntax of W7ule(E)
We begin with the syntax of the language Whiie(S). First, for each S-sort
s, there are (program) variables a s ,b s ,... , x s , y * . . . of sort s.
We define four syntactic classes: variables, terms, statements and procedures.
(a) Var = Var(S) is the class of S-variables, and Vars is the class of
variables of sort s.
For u = Si x ... x sm, we write x : u to mean that x is a u-tuple of
distinct variables, i.e., a tuple of distinct variables of sorts i , . . . , sm,
respectively.
Further, we write VarTup= VarTup(S)for the class of all tuples
of distinct S-variables, and VarTupu for the class of all u-tuples of
distinct S-variables.
(b) Term = Term(S) is the class of S-terms t,..., and for each S-sort
s, Terms is the class of terms of sort s. These are generated by the
following rules.
(i) A variable x of sort s is in Term$.
(M) If F Ftmc(S)u_>.s and ti TermSi for i = 1,... ,m where
u = si x ... x sm, then F(ti,... ,tm) Terms.
Note again that S-constants are construed as 0-ary functions, and so
enter the definition of Term(S) via clause (ii), with m = 0.
The class Term(S) can also be written (in more customary notation)
as T(S,Var), i.e., the set of terms over S using the set Var of
variables (clause (i) in the definition). Analogously, the set T(S) of
closed terms over S (2.10) can be written as T(S,0).
We write type(t) = s or t: s to indicate that t 6 Terms.
Further, we write TerTn.Tp=TermTup(S)for the class of all tuples of S-terms, and, for u = sj x ... x sm, TermTupu for the class
of u-tuples of terms, i.e.,
TermTupu =# TermSl x ... x Term Sm.
We write type(t) = u or t: u to indicate that t is a u-tuple of terms,
i.e.,, a tuple of terms of sorts s i , . . . , sm.
For the sort bool, we have the class of Boolean terms or Booleans
?ooJ(S) =df Termed) denoted either tboo[... (as above) or b,
This class is given (according to the above definition of Terms) by:
b
::=
xbool|F(*)|eqs(f,^)| true | false

| not(6)| and (61;62)| or(6!,62)| if(Mi,&2)
where F is a S-function symbol of type u -4 bool (other than one of

the standard Boolean operations, which are listed explicitly) and s is
an equality sort.
(c) Stmt = Simt(S) is the class of statements 5,
The atomic statements are 'skip' and the concurrent assignment x := t where for some
product type u, x : u and t : u.
362

Statements are then generated by the rules
S ::= skip|x := t\ Si;S2|if b then Si else S2 fi|while b do S od
(d) Proc = Proc(S) is the class of procedures P, Q,

the form
These have
P = proc D begin S end
where D is the variable declaration and S is the body. Here D has

the form
D = in a out b aux c
where a, b and c are lists of input variables, output variables and

auxiliary (or local) variables, respectively. Further, we stipulate:
* a, b and c each consist of distinct variables, and they are pairwise
disjoint;
* every variable occurring in the body S must be declared in D
(among a, b or c);
* the input variables a must not occur on the Ihs of assignments
inS;
* (initialisation condition:) S has the form Sinit;S', where Smit
is a concurrent assignment which initialises all the output and
auxiliary variables, i.e., assigns to each of them the default term
(section 2.12) of the same sort.
Each variable occurring in the declaration of a procedure binds all
free occurrences of that variable in the body.
If a : u and b : v, then P is said to have type u > v, written
P : u v. Its input type is u.
We write Procu-+v= Proc(S)u_>t; for the class of S-procedures of
type u * v.
Notation 3.1.
(a) We will often drop the sort superscript or subscript s.

(b) We will use E,E',Ei,... to denote syntactic expressions of any of
the three classes Term, Stmt and Proc.
(c) For any such expression E, we define var(E) to be the set of variables
occurring in E.
(d) We use '=' to denote syntactic identity between two expressions.
Remark 3.2 (Structural induction; induction on complexity). We
will often prove assertions about, or define constructs on, expressions E of

a particular syntactic class (such as Term, Stmt or Proc) by structural
induction (or recursion) on E, following the inductive definition of that
class.
Alternatively, we may give such proofs or definitions by course-of-values
induction (or recursion) on compl(E), the structural complexity of E'. One
363
suitable definition of this is the length of the maximum branch of the

parse tree of E. Thus, for example, for a program term t = F(ti ,..., tm),
compl(t) = max.i(compl(ti) + 1). Another possible definition of
compl(E), which would in fact be satisfactory for our purposes, is simply
the length of as a string of symbols.
Sections 3.2-3.6 will be devoted to the semantics of While.
3.2
States
For each standard E-algebra A, a state on A is a family (as\ s & Sort(Z))

of functions
as : Vars -> At.
(3.1)
Let State (A) be the set of states on A, with elements CT, ---- Note that
State(A.) is the product of the state spaces States(A) for all s e Sort(S),
where each StateS(A) is the set of all functions as in (3.1).
We use the following notation. For x 6 Vars, we often writeCT(X)for
<T S (X). Also, for a tuple x = (xi,... ,x m ), we writeCT[X]for (CT(XI),. .. ,<r(x m )).
Now we define the variant of a state. Let a be a state over A, x = (xi , . . . ,
x n ) : u and a = (01, . . . , an) G Au (for n > 1). We define cr{x/a} to be the
state over A formed from a by replacing its value at x, by a* for i = 1, ... , n.
That is, for all variables y:
We can now give the semantics of each of the three syntactic classes:
Term, Stmt and Proc, relative to any A StdAlg(T,). For an expression E in each of these classes, we will define a semantic function |]A.
These three semantic functions are defined in sections 3.3, 3.4-3.5 and 3.6,
respectively.
3.3
Semantics of terms
For t Terms, we define the function

where [^(tf) is the value of t in A at state a.
The definition is by structural induction on t:
\x\Aa
cr(x)
Note that this definition of \t\Aa extends that of t^ for t T(E)

(Definition 2.11). Also the second clause incorporates the cases that (a) F
is a constant; (b) F is a standard Boolean operation, e.g. the discriminator:
364
if [6^(7 = tt
For a tuple of terms t = (t, . . . , tm), we use the notation
\t\Ao =dj ([*i]V...,[*m] y MDefinition 3.3. For any M C Vars, and states <TI and 0^2, fi ~ 0^2 (rel M)
means u\ \ M = a^\ M, i.e., Va; M(cri(x) = (72(2;)).
Lemma 3.4 (Functionality lemma for terms). For any term t and
states a \ and a 2, if &i K &2 (rel var(t)), then [tlAcri = |<J a^.
Proof. By structural induction on t.
3.4
Algebraic operational semantics
In this subsection we will describe a general method for defining the meaning of a statement 5, in a wide class of imperative programming languages,
as a partial state transformation, i.e., a partial function
[SIA : State(A)^- State(A).
We define this via a computation step function
CompA: StmtxState(A)xN->
State(A)L){*}
where '*' is a new symbol or object. The idea is that

CompA(S,o~,n) is the nth step, or the state at the nth time
cycle, in the computation of S on A, starting in state a .
The symbol '*' indicates that the computation is over. Thus
if for any n, CompA(S,a,n) = *, then for all m > n
CompA(S,a,m) = *.
If we put an = CompA(S, a, n), then the sequence of states
<7 =
O~Q, < 7 i , (72,
- . , CTn,
. . .
is called the computation sequence generated by S at <r, written CompSeqA

(S, a). It is either infinite, or terminates in a final state cr/, where CompA
(S, a,l + l) = *.
We will use an algebraic method in which CompA is defined equationally. In section 3.5 we will apply this general method to the present
programming language While(E). In later sections we will apply it to
other languages.
365
Assume, firstly, that (for the language under consideration) there is

a class AtStC Stmt of atomic statements for which we have a meaning
function
fl S \>A : State(A) -> State(A),
for S AtSt, and secondly, that we have two functions
First
RestA
: Stmt -) AtSt
: Stmt x State(A)-^ Stmt,
where, for a statement S and state <r,

First(S) is an atomic statement which gives the first step in
the execution of S (in any state), and ReatA(S,a) is a statement which gives the rest of the execution in state a.
For the languages under consideration here, First(S), unlike RestA(S, a),
will be independent of A and a.
In each language we can define these three functions (\ , First and
RestA).
First we define the 'one-step computation of S at <r'
CompA: Stmt x State(A)-+ State (A)
by
CompA(S,a)
= QFirst(S) \,Aa.
The definition of CompA(S,a,n) now follows by a simple recursion

('tail recursion') on n:
*
if n > 0 and S is atomic
CompA(RestA(S, a), CompA(S, <r),n)
otherwise.
(3.2)
Note that for n = 1, this yields

CompA(S,o-,l)
= CompA(S,a).
We call this approach algebraic operational semantics, first used in Tucker

and Zucker [1988], and developed and applied in Stephenson [1996].
From this semantics we can easily derive the i/o semantics as follows.
First we define the length of a computation of a statement S, starting in
state a, as the function
CompLengthA : Stmt x State(A) -> N U {00}
where
366

least ns.t.
CompLengthA(S,cr)
= {
oo
Then, putting / = CompLengthA(S,a)

we define
\S\A(<r) ~
CompA(S, a, n + 1) = *
if such an n exists
otherwise.
and noting that 0 < / < oo,
If
i ?o o
otherwise.
Remark 3.5 (Tail recursion). Consider the recursive definition (3.2) of

CompA. In the 'recursive call' (the second expression on the right-hand
side of the second equation), notice that (1) CompA is on the 'outside',
and (2) the parameter changes (from a to CompA(S,a,n)). Such a definitional scheme is said to be tail recursive. Because of (2), these equations
(as they stand) do not form a definition by primitive recursion. However,
at least in the classical case, where all the arguments and values range
over N, it can be shown that such a scheme can be reduced to a primitive
recursive definition. (See, for example, Goodstein [1964, 6.1], where this
is called 'recursion with parameter substitution', or Peter [1967, 7], where
a more general scheme, not satisfying (1) only, is considered.)
An alternative, primitive recursive, definition of CompA is given below
in section 3.14.
3.5
Semantics of statements for While(J^)
We now apply the above theory to the language W/iiJe(S). Here there are
two atomic statements: skip and concurrent assignment. We define ^ S tyA
for these:
d skipper
{ x:= t $A(r
= CT
= <r{x/[tjM-
Next we define First and RestA. The definitions of First(S) and

RestA(S, a) proceed by structural induction on S.
Case 1. S is atomic.
First (S)
RestA(S,a]
= S
= skip.
Case 2. S= Si; 82 (the interesting case!).

First(S) = First(Si)
^2 A
Rest (Si,cr);S2
Case 3. S = if b then Si else 52 fi.
if Sl is atomic
otherwise.
First (S)
367
= skip
Case 4- S = while 6 do So od.

First (S)
A
Rest
.ficSl
(S*)
10,17]
= skip
S
i^
S i 1 skip
if
tt
./ ^
r t i 4A = -
if \b\ a = f.
This completes the definition of First and RestA . Note (in cases 3
and 4) that the Boolean test in an 'if or 'while' statement 5 is assumed to
take up one time cycle; this is modelled by taking First(S) = skip.
The following shows that the i/o semantics, derived from our algebraic
operational semantics, satisfies the usual desirable properties.
Theorem 3.6.
(a) For S atomic, [S]A = QSfyA, i.e.,
^ skip \Aa
r 2
= a
[S2]A([Si]Aa).
if [b]A<T = f.
(d)
A
if [blAa = tt
Proof. Exercise. Hint: For part (6), prove the following lemma. Formulate and prove analogous lemmas for parts (a), (c) and (d).
I
Lemma 3.7. CompA(Si; 52, a, n)
CompA(Si,<r,n)
CompA(S2,a',n-n0)
if Vfc < nCompA(Si,a, k + 1) ^ *

if 3fc < nCompA(Si,a, k + 1) = *
where n0 is the least such fc, and
a1 = CompA(Si,a,no).
368
Remark 3.8.
(a) The four suitably formulated lemmas needed to prove parts (a)-(d) of
Theorem 3.6 (of which Lemma 3.7 is an example for part (&)) provide
an alternative definition of CompA(S,(r,n), which does not make
use of First or RestA. This definition is by structural induction on
5, with a secondary induction on n.
(b) The meaning function [S J (i.e., our i/o semantics) was derived from
our operational semantics, i.e., the CompA function. We could also
give a denotational i/o semantics for While statements. Theorem
3.6 would then provide (one direction of) a proof of the equivalence
of the two semantics (as in de Bakker [1980]).
(c) The semantics given here is simpler than that given in Tucker and
Zucker [1988] where the states have an 'error value' almost everywhere
(for uninitialised variables), and there is an 'error state' corresponding to an aborted computation. While such an 'error semantics' is
superior (we feel) to the one given here, the semantics given here is
simpler, and adequate for our purposes.
For the semantics of procedures, we need the following. Let M C Vars,
and a, a' State(A).
Lemma 3.9. Suppose var(S) C M. If a\ a-i (rel M), then for all
n > 0,
CampA(S,ai,n) w CompA(S,a2,n) (rel M).
Proof. By induction on n. Use the functionality lemma (3.4) for terms.
Lemma 3.10 (Functionality lemma for statements). Suppose var(S)
C M. // a\ w <72 (rel M), then either
ft) [S}Ao'i 4- ff'\ and [S]Aff2 4- ""2 (say)> where a[ m cr2 (rel M), or
(ii) \S\Aoi | and [S\Aff2 tProof. From Lemma 3.9.
3.6
Semantics of procedures
Now if
P = proc in a out b aux c begin 5 end

is a procedure of type u > v, then its meaning is a function
defined as follows. For a Au, let a be any state on A such that <r[a] = a.
Then
\p\A(n\ ~ / ff 'M * [s]^*' (s&y)
11 ( )
~ t
if[5]^t-
369
For [P}A to be well defined, we need the fact that the procedure P is
functional, as follows.
Lemma 3.11 (Functionality lemma for procedures). Suppose
P = proc in a out b aux c begin S end.
If a\ ?a <72 (rel a), then either
(i) [5]Acri 4- a\ and [S]A<rz 4- ^2 (say), where a{ (72 (rel b)
(ii) [S]AtTi t and [S]â2 t-
or
Proof. Suppose <TI w 172 (rel a). We can put S=Sinu;S', where 5jnit
consists of an initialisation of b and c to closed terms (see section 3.1).
Then, putting
[$n]A<7i = <//
and
{Sinit\A^ = cr2',
it is easy to see that

a'/WCTg (rela,b,c).
The result then follows from the functionality lemma 3.10 for statements
(with 5', a" and er2 in place of S, <r\ and a 2 , respectively).
I
Remark 3.12.
(a) Functionality of procedures amounts to saying that there are no side
effects from the output variables or auxiliary variables.
(b) The initialisation condition (section 3.1) is a sufficient (but not necessary) syntactic condition for functionality of procedures. A more
general syntactic condition ensuring functionality was given in Jervis
[1988]. A semantic approach to functionality was taken in Tucker and
Zucker [1988, 4.3.2].
We can now define:
Definition 3.13 (While computable functions).
(a) A function / on A is computable on A by a While procedure P if
/ = [P]A. It is While computable on A if it is computable on A by
some While procedure.
(b) A family / =(/A \ A 6 K) of functions is While computable uniformly over K if there is a While procedure P such that for all
A 6 K, fA = IP}A.
(c) While(A) is the class of functions While computable on A.
We will often write PA for \P\A.
Example 3.14.
(a) Recall the standard algebra M of naturals (Example 2.23(6)). The
functions While computable on N of type nat fc > nat are precisely
the partial recursive functions over N (Kleene [1952]). This follows
370

from the equivalence of partial recursiveness and While computability on the naturals (see, for example, McNaughton [1982]), or from
the results in section 8. Hence
every partial recursive function over N is While computable on every N -standard algebra.
(b) In the ./V-standardised group QN (Example 2.27(6)), the partial function ord: G - N, defined by
,. .
I least n s.t. yqn = 1,
ord(g) ~ <
11
if such an n exists
otherwise,
which gives the order of group elements, is While computable, since

the 'constructive least number operator' is (see section 8). Alternatively, we can give directly a While procedure in the signature
proc in g:grp
out n:nat
aux prod:grp
begin
prod:=g;
{temporary product}
n:=l;
while not(prod=l)
do prod:=prod* g;
n:=succ(n)
od
end
We emphasise that this order function is defined uniformly over all Nstandardised groups (of the given signature E(^ Ar )).
The following proposition will be useful.
Proposition 3.15 (Closure of While computability under composition). The class of While computable functions on A is closed under
composition. In other words, given (partial) functions f : Au -t A" and
g : A" t Aw (for any ^-product types u,v,w), if f and g are While
computable on A, then so is the composed function g o / : Au -> Aw .
Proof. Exercise. (Construct the appropriate While procedure for the
composed function.)
I
Remark 3.16. Similarly, we have closure under composition for the related notions of computability still to be considered in this section, namely
WhileN, While*, For, ForN and For* computability, and the relativised versions of these. The results for For computability (etc.) can be
derived from its equivalence with PR computability (etc.) (cf. section 8).
3.7
371
Homomorphism invariance theorems
We will investigate how our semantics of While programs interacts with

homomorphisms between standard S-algebras.
Let A and B be two standard E-algebras. Let (j> = {< \s Sort(S,)}
be a S-homomorphism from A to B.
For a 6 A,, we will write (j>(a) for 0(a); and for a tuple a =
(ai, . . . ,am) 6 Au, we will write 4>(a) for (<^(oi), . . . ,<(a m )).
Lemma 3.17.
(a) </>t>ooi is the identity on B.
(6,) 0g is injective on all equality sorts s.
Proof. Exercise.
Definition 3.18. The mapping </ induces a mapping

4> : State(A) U {*} -> State(B) U {*}
i.e., if a = (as \s Sort(E)>, then ^(tr) = <r; = (<r; |s Sor(E)>,

where for all s Sort(S)and x Var s , (Tj(x) = (s(0-s(x)). Further, we
stipulate
&*) = *.
Now we state some homomorphism invariance theorems.
Theorem 3.19 (Homomorphism invariance for terms). For t e
Terms
Theorem 3.20 (Homomorphism invariance for atomic statements).
For 5 6 AtSt,
4U S \Ao) = 4 S \iB4>(a).
Proof. The case where 5 = skip is trivial. The case where S is an assignment follows from Theorem 3.19.
I
Corollary 3.21 (Homomorphism invariance for the Compi predicate).
S,<r)) = Compf (S,fa)).
Theorem 3.22 (Homomorphism invariance for the Comp predicate).
4>(CtrmpA(S,a,n)) = CompB(S,4>(o-),n).
372
Proof. By induction on n. For the base case n = 1, use Corollary 3.21. I

Theorem 3.23 (Homomorphism invariance for statements). Either
(i) \SlAo- J, a' and IS1]5^) 4. a" (say), where 4>(a') = a", or
(ii) {S\Aa t and lS}Bj>(<r) |Proof. Prom Theorem 3.22.
Theorem 3.24 (Homomorphism invariance for procedures). For a

procedure P : u > v and a Au ,
PB(4>(a)).
(a)) ~
Proof. Prom Theorem 3.23.
3.8
Locality of computation
We will investigate how the semantics of While programs relates to the

subalgebra generated by the input. (Recall Definition 2.15.)
We want to prove the locality theorem: for any While computable
function / on A of type u -> u, and any a Au,
if /(a) J, then /(a) C (a)A.
This will follow immediately from Theorem 3.30 below.
Lemma 3.25. For a term t : s with var(t) C x,
lt\Aa e
(a(x})A.
(Recall the definition of cr[x] in section 3.2.)

Lemma 3.26. For an atomic statement S with var(S) C x : u,
Proof. There are two cases to consider. If S is an assignment, the result

follows from Lemma 3.25. If 5 = skip, then it is trivial.
I
Lemma 3.27. I f v a r ( S ) C x : u, then
CompA(S,a)[x]
C (<T[X])A.
Proof. From Lemma 3.26.
I
A
Lemma 3.28. I f v a r ( S ) C x and Comp (S,cr,n) ^ *, then
373
Comp^S, a, n)[x] C (O-[X})A.

Proof. By induction on n (with 5 and a varying). For the base cases
(n = 1), use Lemma 3.27. For the induction step, use the facts that
var(RestA(S,o-)) C var(S) and that
X C (Y)A => (X)A C (Y)A.

The details are left as an exercise.
I
Theorem 3.29 (Locality for statements). // var(S) C x : u and
lS]A(o-) J, then
[S]V)M e Mx]tf.
Proof. From Lemma 3.28.

I
Theorem 3.30 (Locality for procedures). For a procedure P : u -* v
and a Au such that PA(a) \,,
PA(a) e (a)A.
Proof. Suppose
P = proc in a out b aux c begin Sinu', S1 end
where Sinu consists of an initialisation of b and c to closed terms (see

section 3.1). Put x = a,b,c, and suppose
a[a]=a,
[Sintt]Aa = a" and
[S']Aa"ol.
Then
(a)A = (<,[*])*
= (a"(x})A,
(3.3)
since Sinu consists (only) of the initialisation of b and c to the closed terms,
the values of which lie in every E-subalgebra of A. Also, by the syntax of
procedures (section 3.1(c)), var(Sinu', S1) C x. Hence by Theorem 3.29,
applied to S' and a",
PA(a) =df <r'[b] C a'[x] C (a"[x])^.
(3.4)
The result follows from (3.3) and (3.4).
Certain useful additions to, or modifications of, the While language

defined in section 3.1, with corresponding notions of computability, will be
defined in sections 3.9-3.13.
374
3.9
The language WhileProc(T?)
In the language While(Yi), we use procedures not in the construction of

statements, but only as a convenient device for defining functions (section
3.6). We can, however, define a language WhileProcCS) which extends
While(S) by the adjunction of a new kind of atomic statement, the procedure call
(3.5)
x := P(t),
where P is a procedure of type u -> v (say), t is a tuple of terms of type u

(the actual parameters) and x : v.
The semantics of While is then extended by adding the following clause
to the semantics of atomic statements (section 3.4):
v
._
) | a (say)
Note that the function

d ^ : AiS* -> (5<a<e(A) -> State (4))
is now partial (compare section 3.4).
However, it is easy to 'eliminate' all such procedure calls from a program
statement, i.e., to effectively transform WhileProc statements to While
statements with the same semantics, as follows. For any procedure call
(3.5), suppose
P = proc in a out b aux c begin 5 end.
(3-6)
Then replace (3.5) by the statement

S(a,b,c/*,x,z),
(3.7)
where z is a tuple of distinct 'fresh' variables of the same type as c, and

(...) denotes the simultaneous substitution of t,x,z for a,b,c.
Note that the result of this substitution (3.7) is a syntactically correct
statement, by the stipulation (section 3.1) that the input variables a not
occur on the left-hand side of assignments in 5.
Remark 3.31.
(a) According to our syntax, in the procedure call (3.5) above, 'P' is not
just a name for a procedure but the procedure itself, i.e., the complete
text (3.6)! In practice, it is of course much more convenient and
customary to 'declare' the procedure before its call, introducing
an identifier for it, and then calling the procedure by means of this
identifier.
375
In any case, our syntax prevents recursive procedure calls. The situation with recursive procedures would be quite different from that
described above they cannot be eliminated so simply (de Bakker
[1980]).
(6) Another way of incorporating procedure calls into statements is by
expanding the definition of terms, as was done in Tucker and Zucker
[1994]. The problem with that approach here is that it would complicate the semantics by leading to partially defined terms. In Tucker
and Zucker [1994] this problem does not occur, since the procedures,
being in the For language rather than While, produce total functions.
3.10
Relative While computability
Let g = (gA \ A K) be a family of (partial) functions
We define the programming language While(g) which extends the language While by including a special function symbol g of type u v. We
can think of g as an 'oracle' for gAThe atomic statements of While(g) include the oracle call
z:=g()
where t : u and x : v. The semantics of this is given by
x :=
|<r{x/a} if gA([t]Aa)a (say)

It
if <M(WM t
Similarly, for a tuple of (families of) functions g\,... ,gn, we can define
the programming language While(gi,... ,gn) with oracles gi,... ,g n for
<7i > j 9n, or (by abuse of notation) the programming language While(g\,
-,&)
In this way we can define the notion of While(g\,--., gn) computability, or While computability relative to g\,... ,gn, or While computability
in gi,... , gn, of a function on A.
Similarly, we can define the notion of relative While semicomputability
of a relation on A.
We can also define the notion of uniform relative While computability
(or semicomputability) over a class K.
Lemma 3.32 (Transitivity of relative computability). /// is While
computable in g\,... , gm, hi,... ,hn, and g\,... , gm are While computable in hi,... , hn, then f is While computable in hi,... , hn.
Proof. Suppose that gi is computable by a While(hi,... ,h n ) procedure Pj for t = 1,... ,m. Now, given a While(gi,... ,g m ,hi,... ,h n )
376
J. V. Tucker and 3. I. Zucker
procedure P for /, replace each oracle call x := g t ( t ) in the body of P

by the procedure call x := Pj(t). This results in a WhUe(h\,... ,h n )
procedure actually, a WhileProcfoi,... ,h n ) procedure (section 3.9)
which also computes /.
I
Note that this result holds over a given algebra A, or uniformly over a
class K of E-algebras.
3.11
.For(E) computability
We consider briefly another programming language, For = For(E), which

also plays a role in this paper.
Assume now that E is an N-standard signature, and A an N-standard
algebra. The syntax for For is like that for While, except that Simt(E)
is denned by replacing the loop statement while b do 5 od by
for t do S od,
(3.8)
where t : nat, with the informal semantics: execute S k times, where t

evaluates to k. More formally: first we define the notation Sk (k > 0) to
mean the fc-fold iterate of S, i.e.,
cfc _ I S;... ; 5 (k times) if k > 0
[skip
if jfc = 0.
We now define the semantics of For by modifying the definitions (section
3.5) of the functions First and RestA, replacing case 4 with:
Case 4'. S ~ f o r t do 50 od.
First(S)
RestA(S,a)
= skip
= (S0)k
where k = \t\Aa.
Note that t is evaluated (to k) once, upon initial entry into the loop,
which is then executed exactly k times (even if the value of t changes in
the course of the execution). Thus \S\A is always total, and functions
computable by For procedures are always total.
We define For(A) to be the class of functions For computable on A.
As in section 3.10, we can define the notion of relative For(E) computability, and prove a transitivity lemma for this, analogous to Lemma
3.32.
Example 3.33. The functions For computable on M of type nat* -nat
are precisely the primitive recursive functions over N.
This follows from the equivalence of primitive recursiveness and For
computability on the naturals (proved in Meyer and Ritchie [1967]; see,
Davis and Weyuker [1983], for example) or from section 8. Hence
377
every primitive recursive function over N is For computable on

every N-standard algebra.
(Compare Example 3.14(a).)
Proposition 3.34.
(a) .For(E) computability implies While(S) computability. More precisely, there is an effective translation S > S' of For(E) statements to While(E) statements, and (correspondingly) a translation P -> P' of For(S) procedures to While(S) procedures which
is semantics preserving, i.e., for all For(E) procedures P and Nstandard ^-algebras A, [P}A = [P'1A.
(b) More generally, relative For() computability implies relative
Whtic(S) computability.
Proof. Simple exercise.
3.12
While" and For^ computability
Consider now the While and For programming languages over T,N.
Definition 3.35.
(a) A WhileN(H) procedure is a While(E) procedure in which the input
and output variables have sorts in E. (However the auxiliary variables
may have sort nat.)
(6) ProcN() is the class of While1* (E) procedures.
Definition 3.36 (WhileN computable functions).
(a) A function / on A is computable on A by a WhileN procedure P if
/ = PA. It is WhileN computable on A if it is computable on A by
some WhileN procedure.
(b) A family / = (/A \ A K) of functions is WhileN computable uniformly over K if there is a WhileN procedure P such that for all
A K, fA = PA(c) WhileN(A) is the class of functions WhileN computable on A.
The class of ForJV(E) procedures, and ForN(S) computability, are
defined analogously.
Remark 3.37.
(a) If A is ^-standard (so that For computability is defined on A), then
AN has two copies of N, which we can call N and N', of sort nat
and nat', respectively (each with 0, S and < operations). To avoid
technical problems, we assume then that in the for command ((3.8) in
section 3.11), the term t can have sort nat or nat'. This assumption
helps us prove certain desirable results, for example:
(i) There are For(AN) computable bijections, in both directions,
between the two copies of N.
378
(ii) For computability implies ForN computability (the seemingly

trivial direction '<=' of Proposition 3.38).
(b) ForN computability implies WhileN computability (cf. Proposition
3.34).
(c) Relativised versions of WhileN and ForN computability can be denned as with While computability (section 3.10), and corresponding
transitivity lemmas (cf. Lemma 3.32) proved. Also, relative ForN
computability implies relative WhileN computability.
Proposition 3.38. // A is N-standard, then WhileN (or ForN) computability coincides with While (or For) computability on A.
Proof. For the direction lWhileN (or ForN) computability => While
(or For) computability', we can use the coding of AN in A (see Remark
2.28(d)), or, more simply, represent the computation over AN by computation over A, by 'identifying' the two carriers N* and N with each other, or
(equivalently) 'identifying' the two sorts nat' and nat, renaming variables
of these sorts suitably to avoid conflicts. (See also Remark 3.37(a).)
3.13
While* and For* computability
Recall the algebra A* of arrays over A, with signature E* (section 2.7).

Consider now the While and For programming languages over *.
Definition 3.39.
(a) A sort of E* is called simple, augmented or starred according as it has
the form s, su or s* (respectively), for some s Sort(E).
(b) A variable is called simple, augmented or starred according as its sort
is simple, augmented or starred.
Note that every sort of S* is simple, augmented, starred or nat.
Definition 3.40.
(a) A While*(E) procedure is a While(Y*) procedure in which the input and output variables are simple. (However the auxiliary variables
may be augmented or starred or nat.)
(b) Proc*= Proc*(S) is the class of While*(S) procedures.
(c) Proc*u^v = Proc*()_ is the class of While*(E) procedures of
type u > v, for any S-product types u and v.
Remark 3.41. We can assume that the auxiliary variables of a While*
procedure are either simple or starred or nat, since a procedure with augmented variables as auxiliary variables can be replaced by one with simple
variables, by the device of coding A" in A (see Remark 2.30(c)).
Definition 3.42 (While* computable functions).
(a) A function / on A is computable on A by a While* procedure P if
/ = PA. It is While* computable on A if it is computable on A by
some While* procedure.
379
(6) A family / =(/A \ A K) of functions is While* computable uniformly over K if there is a While* procedure P such that for all
4 6 K , fA=PA(c) While* (A) is the class of functions While* computable on A.
The class of For*(E) procedures, and For*(S) computability, are defined analogously.
Remark 3.43.
(a) While* computability will be the basis for a generalised ChurchTuring thesis, as we will see in section 8.8.
(b) For*(Ti) computability implies While* () computability (cf. Proposition 3.34).
(c) Relativised versions of While* and For* computability can be defined as with While computability (section 3.10) and corresponding
transitivity lemmas (cf. Lemma 3.32) proved. Also, relative For*
computability implies relative While* computability.
(d) In M, WhileN and While* computability are equivalent to While
computability, which in turn is equivalent to partial recursiveness
over N (Example 3.14(o)). Similarly, in JV, For, ForN and For*
computability are all equivalent to primitive recursiveness (Example
3.33).
Theorem 3.44 (Locality of computation for While* procedures).
For a While* procedure P : u > v and a G Au such that PA(a) 4-,
PA() 6 (a)A.
Proof. This follows from the corresponding Theorem 3.30 for While computability, applied to A*, together with E*/E conservativity of subalgebra
generation (to be proved below, in Corollary 3.65).
I
The following observation will be needed later.
Proposition 3.45. On A*, While* (or For*) computability coincides
with While (or For) computability.
This follows from the effective coding of (A*)* in A* (Remark 2.31(d)).
Remark 3.46 (Internal versions of While* and For* computability). If A is ./V-standard, we can consider 'internal versions' of While*
and For* computability, based on the 'internal version' of A*, which uses
the copy of N already in A instead of a 'new' copy (see Remark 2.31(c)).
We can show that these versions provide the same models of computation
as our standard ('external') versions.
Proposition 3.47. Suppose A is N-standard. Let While*' and For*'
computability on A be the 'internal versions' of While* and For* (respectively) computability on A (see previous remark). Then While*' and
380
For*' computability coincide with While* and For* (respectively) computability on A.

Proof. Exercise. (Cf. Proposition 3.38.)
3.14
Remainder set of a statement; snapshots
We now return to the operational semantics of section 3.4. The concepts

developed here will be useful in investigating the solvability of the halting
problem for certain algebras (Section 5.6). First we define the remainder
set RemSet(S) of a statement S, which is (roughly) the set of all possible
iterations of the RestA operation on S at any state.
Definition 3.48. The remainder set RemSet(S) of S is defined by structural induction on S:
Case 1. S is atomic.
RemSet(S) - {S}.
Case 2. S = Si;S2.
RemSet(S) = {S[;S2 \ S[ Re-ruSet^)}
(jRemSet(S2).
Case 3. S = if b then Si else S2 fi.

RemSet(S) = {S} \JRemSet(Si) U RemSet(S2).
Case 4- S = while b do SQ od.
RemSet(S) = {S} U {S'0; S | SQ RemSet(S0)}.

Example 3.49. Consider a statement of the form
S s oj; while 6 do 02; 03; 04 od;05
where the o, are atomic statements (using ad hoc notation) and 6 is a
Boolean test. Then RemSet(S) consists of the following:
S,
while 6 do 02503504 od;o5,
02503504; while b do 02503504 od;o5,
03504; while b do 02503504 od;as,
04; while b do 02;03; 04 od; 05,
a5.
The next proposition says that RemSet(S) contains S, and is closed
under the 'Rest' operation (for any state).
381
Proposition 3.50.
(a) S&RemSet(S).
(b) S' 6 RemSet(S) == RestA(S',a) RemSet(S) for any state
a.
Proof. By structural induction on S.
I
Proposition 3.51. RemSet(S) is finite.
Proof. Structural induction on S.
I
Definition 3.52. The statement remainder function
RemA : Stmtx5ta*e(A)xN ->Stmt
is the function such that RemA(S, cr,n) is the statement (the 'remainder
of 5') about to be executed at step n of the computation of 5 on A,
starting in state cr (or skip when the computation is over). This is defined
by recursion on n (tail recursion again):
RemA(S,tr,Q) = S
RemA(S,(T,n+l) = {
skip
if n > 0 and S is atomic
RemA(RestA(S,a),CompA(S,o-),n)
otherwise.
Note the similarity with the tail recursive definition of CompA (section
3.4). Note also that for n = 1, this yields
RemA (S, a,l) = RestA(S,a).
The two functions Comp and Hem also satisfy the following pair of
relationships, which (together with suitable base cases n = 0) could be
taken as a (re-) definition of them by simultaneous primitive recursion:
Proposition 3.53.
(a) CompA(S,a,n + l) = Compf (RemA(S,o-,n),CompA(S,o-,n))
(b) RemA(S,a,n + 1) = ReatA(RemA(S,a,n),CompA(S,a,n))
provided CompA(S,a,n) ^ *.
Proof. Exercise.
I
A
Proposition 3.54. For all n, Rem (S,a,n) RemSet(S)\j{sk\p}.
Proof. Induction on n. Use Proposition 3.50.
I
A
If we put Sn =Rem (S,a,n), then the sequence of statements 5 =
So, S\, 5-2, is called the remainder sequence generated by S at <r, written
RemSeqA(S,a).
382
Corollary 3.55. For fixed S and a, the range of RemSeqA(S,a) is

finite.
Proof. Prom Propositions 3.51 and 3.54.
Now we introduce the notion of a 'snapshot'.

Definition 3.56.
(a) A snapshot is an element (a,S) of (State(A)D{*})x
(b) The snapshot function
Stmt.
SnapA : Stmt x State(A) x N -) (State(A)U{*}) x Stmt

is denned by
SnapA(S,a,n) = ( CompA (S,a,n), RemA (5,<r,n)).

If we put SnapA(S,a,n) = (<r n ,5 n ), so that an =
and 5n = RemA(S, cr,n), then the sequence
(ff,S)
= (a0,S0),(ffi,Si),
CompA(S,ff,n)
(<7 2 ,S 2 ), ...
is called the snapshot sequence generated by S at a, written SnapSeqA(S, <r).

It is either infinite, or terminates in a 'final snapshot' (<r n ,5 n ), where
CompA(S, ff,n + 1) = * and RemA(S,a, n) skip.
Its importance lies in the following:
Proposition 3.57. If the snapshot sequence generated by S at a repeats a
value at some point, then it is periodic from that point on. In other words,
if for some m,n with m^n
SnapA(S,a,m)
= SnapA (S,a,n) ^ (*,skip)
i.e., ffm = an ^ * and Sm = Sn, then for all k > 0

SnapA(S, a,rn + k) = SnapA(S,a,n + k) ^ (*,skip).
Proof. Exercise.
Corollary 3.58. If the snapshot sequence generated by S at cr repeats a

value, then it is infinite.
Remark 3.59.
(a) The snapshot function will be used later, in considering the solvability
of the halting problem for locally finite algebras (section 5.5).
(6) The snapshot function is adapted from Davis and Weyuker [1983] (or
Davis et al. [1994]). There a 'snapshot' or 'instantaneous description'
383
of a program P is defined as a pair (i, a) consisting of an instruction

number (or line number) i of P, and the state a. The reliance on
instruction numbers is possible here because programs consist of sequences of elementary instructions, including the conditional jump.
However, in the context of our While programming language, the
specification of an instantaneous description by a simple 'instruction
number' is impossible; we need the more complex notion of a particular 'remainder' of the given program (or statement) .
3.15
*/ conservativity for terms
We conclude this section with a very useful syntactic conservativity theorem (Theorem 3.63) which says that every *-term with sort in is
effectively semantically equivalent to a S-term. This theorem will be used
in sections 4 (universality for While* computations: Corollary 4.15) and
5 (strengthening Engeler's lemma: Theorem 5.58).
First we review and extend our notation for certain syntactic classes of
terms.
Notation 3.60.
(a) Terma = Terma() is the class of E-terms t with var(t) C a, and

Term^s = Term aiS () is the class of such terms of sort s.
(b) Further, we define:
Term = Terma(*)
Termf = Term a ( N )
and similarly,
Terma s = Terma)S(S*) for any sort s, etc.
(c) For any ' D E, we write Terma(S'/E) for the class of E'-terms
of sort in S (but possibly with subterms of sort in S' \ S), and
Terma,8 ('/) for the class of such terms of sort s (in S).
We will show that for all s S'ort(S), every term in Term)S (i.e.,
*-term of sort s) is effectively equivalent to a term in Terma>s (i.e., a
E-term of sort s). We will do this in three stages:
(1) Define an effective transformation of *-terms (of sort in EU]7V) to
E^-terms.
(2) Define an effective transformation of Su'N-terms (of sort in S N ) to
Ew-terms.
(3) Define an effective transformation of E^-terms (of sort in S) to Sterms.
Here, in all cases, the program variables of the terms are among a.
In preparation for this, we must define the notion of the maximum value
of a term in Term nat. This is the maximum possible numerical value that
such a term could have, under any assignment to the variables a.
384
Definition 3.61. For t e Term* nat , its maximum value maxval(t) 6 N

is defined by induction on the complexity of t (which we can take as the
length of t as a string of symbols: cf. Remark 3.2). There are four cases:
(a)
(b)
(c)
(d)
t=0 : maxval(t) = 0.
t=St0 : maxval(t) = maxval(t0) + 1.
t=\f(b,ti,t2) : maxval(t) = max(maxval(ti), maxval(t^)).
<=Lgths(r), where r is of starred sort. There are four subcases, according to the form of r:
(i)
(ii)
r = Null : maxval(t) = 0.
r = Update(r 0 ,ii,i2) : maxval(t) =maxval(Lgth(ro)).
(Hi)
r = Newlength(ro,ii) : maxval(t) =maxval(ti).
(iv)
r = if(6,ri,r 2 ) : maxval(t) max.(maxval(Lgth(ri)),
Remark 3.62.
(a) This definition, which is used in stage 1 of the syntactic transformation described in Theorem 3.63 below, uses the assumption that the
variables of t all have sorts in E. If, for example, t (or a subterm of t)
was a variable of sort nat, or was of the form Lgth(z*) for a variable
z* of starred sort, we could not define maxval(t).
(b) Suppose (i) E is strictly TV-standard (and so includes the sort nat),
and (ii) the sorts of a do not include nat. Then, with Terra* s =
Terma)s(S*) with the 'internal' version of S* (using this sort nat
instead of a 'new' sort, cf. Remark 2.31(c)), we can still give an appropriate definition of maxval(t) for t Terra* nat . (Check.)
Theorem 3.63 (E*/S conservativity for terms). Let a be an (arbitary but fixed) tuple of'S-variables. For all s 6 Sort(E), every term in
Terra*;S is effectively semantically equivalent to a term in Terma,s.
Proof. This construction (or transformation) of terms proceeds in three
stages:
Stage 1: from E*-terms (of sort in E""^) to Eu'Ar-terms;
Stage 2: from Eu"/v-terms (of sort in E^) to E^-terms;
Stage 3: from E^-terms (of sort in E) to S-terms.
In all cases, the program variables of the terms are among a.
Stage 1: From Terraa(E*/Su'JV) to Terraa(Eu'Ar). This amounts to
removing subterms of starred sort from a term of unstarred sort.
385
First notice that if a term of unstarred sort contains a subterm of starred

sort, then it must contain a (maximal) subterm r of starred sort in one of
the three contexts:
r = r',
Ap(r,),
Lgth(r).
We will show how to eliminate each of these three contexts in turn.

Step a. Transform all contexts of the form r\ = TI fa of starred sort) to
M
Lgth(n) = Lgth(r2) A
where M =maxwai(Lgth(ri)), and k is the numeral for fc (that is, '0'
preceded by 'S' fc times).
Now all (maximal) occurrences of a subterm r of starred sort are in a
context of the form either Ap(r, t) or Lgth(r).
Step b. Transform all contexts of the form Ap(r, t), by structural induction
on r. There are four cases, according to the form of r:
(i)
(ii)
(Hi)
(iv)
r = Null:
Ap(r, t) i>
r = Update(r 0 ,to,i):
Ap(r,*) i>
r = Newlength(r 0 , to):
Ap(r, t) i>
r = if(6,ri,r 2 ):
Ap(r.t) >
unspec.
M(t = tQ < Lgth(ro), ti, Ap(r 0 ,t)).
if(t < Jo, Ap(r 0 ,<), unspec).
if(6, Ap(n,), Ap(r 2 ,*)).
Note the use of the 'if operator in cases (ii) and (in). Hence the inclusion
of 'if in the definition of standard algebra (section 2.4). Note also the use
of '<' in cases (ii) and (Hi). Hence the inclusion of '<' in the definition of
the standard algebra Af (Example 2.23(6)) and TV-standardisations (section
2.5).
Step c. Transform all contexts of the form Lgth(r), by structural induction
on r. Again there are four cases, according to the form of r:
(i)
(ii)
(in)
(iv)
r = Null:
Lgth(r) -^ 0.
r = Update(r 0 ,*o,*i) :
Lgth(r) i> Lgth(ro).
r = Newlength(ro,to):
Lgth(r) ^ t0.
r = \f(b,ri,r2):
Lgth(r) >>
if(ft,Lgth(n), Lgth(r 2 )).
386
By these three steps, we transform a starred term (i.e., a term of

Terma(S*)), into an unstarred term (i.e., a term of Term a (S u>Ar )), as
desired, completing stage 1.
Stage 2: From Terma(Su'Ar/EAr) to Term*(SN). Let i be a term of
E u>Ar , with sort in T,N. We note the two following assertions:
(1) A maximal subterm ru of t of augmented sort su must occur in one
of the following contexts:
() MO,
(6) Unspec8(ru),
(c) r u = r'u or r'u = r u (for s an equality sort).
(2) Any term r" Term a (E u ' Ar ) of sort su is semantically equivalent
to a term having one of the following forms:
(i) i,(r), where r & Term(N),
(M) unspec s .
Assertion (1) is proved by a simple inspection of the possibilities, and (2)
is proved by structural induction on r". (Details are left to the reader.)
Stage 2 is completed by considering all combinations of cases (a), (b)
and (c) in (1) with cases (i) and (ii) in (2), and (writing '~' for semantic
equivalence over S u>;v ) noting that
(a) JaOsM) - r,
j s (unspec s ) ~ 6s (cf. section 2.6),
(b) Unspecs(is(r)) ~ false,
Unspecs(unspecs)) ^ true,
(c) (i.(r) = i.(r')) * (r = r'),
(is(r) = unspecs) ~ false,
(unspecs = is(r)) ~ false,
(unspecs =unspecs) ~ true.
Stage 3: From Terma(SAr/E) to Terma(S). Let t be a term of ZN, with
sort in S. We note the two following assertions:
(1) A maximal subterm r of t of sort nat must occur in one of the contexts
r < r',
r' < r,
r = r',
r' = r
for some subterm r' of sort nat.

(2) Any term r 6 Terma(SjV) of sort nat is semantically equivalent to a
numeral n.
Again, assertion (1) is proved by a simple inspection of the possibilities,
and (2) is proved by structural induction on r. (Details are left to the
reader.)
387
Stage 3, and hence the proof of the lemma, is completed by noting that
all four cases listed in (1) are then equivalent to m < n or fh = n, and
hence (depending on m and n) to either true or false.
I
Remark 3.64.
(a) The transformation of terms given by the conservativity theorem is
primitive recursive in Godel numbers.
(6) Suppose (i) is strictly AT-standard (and so includes a sort nat),
and (ii) the sorts of a do not include nat. Then, with Term* s =
Term a>s (*) with the 'internal' version of S* (as in Remark 3.62(6)),
the conservativity theorem still holds. (Check.)
Recall Definition 2.15 on generated subalgebras. .
Corollary 3.65 (*/ conservativity of subalgebra generation).
Let X C Usesort(s) -^*- Then for any S-sort s,
(X)f*
= (Xtf.
We can apply this to strengthen Theorem 3.30:

Theorem 3.66 (Locality for While, WhileN or While* computable functions). Let f be a (partial) function on A of type u -> v, let
a Au, and suppose f ( a ) \~ If f is While, WhileN or While* computable, then
/ e ( ) -
Representations of semantic functions; universality
In this section we examine whether or not the While programming language is a so-called universal model of computation. This means answering
questions of the form:
Let A be a -algebra. Does there exist a universal While program Uprog While(H) that can simulate and perform the
computations of all programs in Whife(S) on all inputs from
A? Is there a universal While procedure Uproc G Proc() that
can compute all the While computable functions on A?
These questions have a number of precise and delicate formulations which
involve representing faithfully the syntax and semantics of While computations using functions on A.
To this end we need the techniques of Godel numbering, symbolic computations on terms, and state localisation. Specifically, for Godel numbering to be possible, we need the sort nat, and so we will investigate the
possibility of representing the syntax of a standard S-algebra A (not in
388
A itself, but) in its ./V-standardisation AN, or (failing that) in the array

algebra A*. Among a number of results, we will show that
for any given Yi-algebra A, there is a universal While procedure over A if, and only if, there is a While program for
term evaluation over A.
In consequence, because term evaluation is always While computable on
A*, we have that
for any 'S-algebra A, there is a universal While program and
universal While procedure over A* .
Thus, for any algebra A our While* model of computation is universal. In particular, we can enumerate the While* computable functions
(f>o, <j>i, <t>2, of any type u -> v on A, and evaluate them by a universal
function /_+ : N x Au -4 Av defined by
which is While* computable, uniformly in the types u, v.

If the E-algebra A has a While program to compute term evaluation,
then
While* (A) = WhileN(A).
We consider also the uniformity of universal programs and procedures over
a class K. of algebras. Many familiar classes of algebras, such as groups,
rings and fields, have While programs to compute term evaluation uniformly over these classes.
4.1
Godel numbering of syntax
We assume given a family of numerical codings, or Godel numberings, of the

classes of syntactic expressions of and *, i.e., a family gn of effective
mappings from expressions E to natural numbers rE~( = gn(E), which
satisfy certain basic properties:
rE~* increases strictly with compl(E), and in particular, the code of
an expression is larger than those of its subexpressions.
sets of codes of the various syntactic classes, and of their respective
subclasses, such as {ri~1 | t e Term}, {rr | t Terms}, {rSn
| 5 6 Stmt}, {r5"1 | S is an assignment}, etc. are primitive recursive;
We can go primitive recursively from codes of expressions to codes
of their immediate subexpressions, and vice versa; thus, for example,
r
5i"1 and rS^~< are primitive recursive in rSi;S^'>, and conversely,
r
Si; S?'1 is primitive recursive in rSin and r52n.
In short, we can primitive recursively simulate all operations involved in
processing the syntax of the programming language. This means that the
389
syntactic classes form a computable (in fact, primitive recursive) algebra,

in the sense of Definition 1.1. We will use the notation
r
Termn =% { T 1 1 6 Term},
etc., for sets of Godel numbers of syntactic expressions.

We will be interested in the representation of various semantic functions
on syntactic classes such as Term(S), Stmt() and Proc(E) by functions on A or A* , and in the computability of the latter. These semantic
functions have states as arguments, so we must first define a representation
of states.
4.2
Representation of states
Let x be a w-tuple of program variables. A state cr on A is represented

(relative to x) by a tuple of elements a Au if <r[x] = a. (Recall the
definition of a[x] in section 3.2.)
The state representing function
Rep?: State(A) -> Au
is defined by
Rep* (a) = a[x].
The modified state representing function
Rep*.: State(A)U{*} -> 1 x Au
is defined by
(tt, a[x])
where 6^ is the default tuple of type u in A (section 2.14).
4.3
Representation of term evaluation
Let x be a u-tuple of variables. Let Term* = Term z (E) be the class

of all S-terms with variables among x only, and for all sorts s of E, let
TermItS = TermItS(S) be the class of such terms of sort s. Similarly, we
write TermTup-f for the class of all term tuples with variables among x
only, and TermTup*^ for the class of all u-tuples of such terms.
The term evaluation function on A relative to x
: Term^x State (A)
defined by
is represented by the function
~1 xAu
390
defined by
r, a) =
where a is any state on A such that <r[x] = a. (This is well defined, by

Lemma 3.4.) In other words, the following diagram commutes:
TerraI)S x State (A)
(gn,RepA)
Term^s~l x A"
te
Strictly speaking, if gn is not surjective on N, then teAs is not uniquely

specified by the above definition, or by the diagram. However, we may
assume that for n not a Godel number (of the required sort), teAs(n, a)
takes the default value of sort s (2.12). Similar remarks apply to the other
representing functions given below.
Further, for a product type v, we will define a evaluating function for
tuples of terms
teAv:
Av
similarly, by
, a) -
[t]A<r.
We will be interested in the computability of these term evaluation

representing functions.
4.4
Representation of the computation step function
Let AtSt* be the class of atomic statements with variables among x only.
The atomic statement evaluation function on A relative to x,
AEA: AtSt^x State(A) -> State(A),
defined by
Au
aeA: r
defined by
aeA( r5^, a) where a is any state on A such that <r[x] = a. (Again, this is well defined,
by Lemma 3.14.) In other words, the following diagram commutes:
AtSt x xState(A)
(gn,RepA)
AEA
391
1 State(A)
Rep*
aeA
Next, let Stmtf be the class of statements with variables among x only,
and define
RestA=df RestA\ (StmtxxState(A)).
Then First and Rest* are represented by the functions
r
Stmtn ->.
which are defined so as to make the following diagrams commute:
Stmt
jPirst
gn\
>
AtSt
\gn
first
Resti
gn
r
StmtI"1
Note that first is a function from N to N, and (unlike restf and most
of the other representing functions here) does not depend on ^4 or x.
Next, the computation step function (relative to x)
Comp2= CompA\(StmtIxState(A.)xN}:
Stmt x xState(A)xN -> State (A) U {*}
392

camp?:
Stmt^xAu x N -> 1 x Au
which is denned so as to make the following diagram commute:

CompA
>
State(A)\j{*}
(gn,RepAidw)
RepA
StmtI~lxAu x N
>
B x Au
comp
We put
compA(rS^,a,n)
= (notoverA(rS~*,a,n),
state^^S'*,a,n))
with the two 'component functions'

notoverA:
sfate^1:
r
r
Stmt^xAu x N -> 1
StmtI'1xylu x N -> A"
where notoverA(rS~],a, n) tests whether the computation of rSn at a is

over by step n, and state^^S"*, a, n) gives the value of the state (representative) at step n.
4.5
Representation of statement evaluation
Let Stmt^ be the class of While statements with variables among x only.
The statement evaluation function on A relative to x,
SEA: Strut** State(A) -> State(A),
defined by
SEA(S,a)
= fS]V
is represented by the (partial) function

seA: rStmt^xAu - Au,
defined by
where a is any state on A such that cr[x] = a. (This is also well defined, by
the functionality lemma for statements, 3.10.) In other words, the following
diagram commutes.
StmtIxState(A)
SEf
393
> Stote(A)
Rep?
SxA"
>
Au
We will also be interested in the computability of se^
4.6
Representation of procedure evaluation
We will want a representation of the class Procu_>w of all While procedures of type u > i>, in order to construct a universal procedure for that
type. This turns out to be a rather subtle matter, since it requires a coding for arbitrary tuples of auxiliary variables. We therefore postpone such
a representation to section 4.8, and meanwhile consider a local version, for
the subclass of Procu^v of procedures with auxiliary variables of a given
fixed type, which is good enough for our present purpose (Lemma 4.2 and
Theorem 4.3).
So let a,b,c be pairwise disjoint lists of variables, with types a : u, b : v
and c : w. Let Froca,b,c be the class of While procedures of type u -> v,
with declaration in a out b aux c. The procedure evaluation function on A
relative to a,b,c
defined by
PE^c(P,a) = PA(a)
P<b,c: rProc*,b,^xAu - A"
defined by
P<b,c(rP^, a) = PA(a).
In other words, the following diagram commutes:
394

a ,b,c
X Au
x Au
We will also be interested in the computability of peb c.
4.7
Computability of semantic representing functions;

term evaluation property
By examining the definitions of the various semantic functions in Section

3, we can infer the relative computability of the corresponding representing
functions, as follows.
Lemma 4.1. The function first: N > N is primitive recursive, and
hence While computable on AN , for any standard 'E-algebra A.
Lemma 4.2. Let x be a tuple of program variables and A a standard Ealgebra.
(a) ae and rest are While computable in ( te^s\ s Sort(S)) on
AN.
(b) compA, and its two component functions notover^ and state^,
are While computable in ae^ and rest^ on AN .
(c) se^ is While computable in comp^ on AN .
(d) peb c is While computable in se on AN , where x=a,b,c.
(e) tes is While computable in pe^ on AN , where y is a variable
of sort s, not in x.
The above relative While computability results all hold uniformly for A
Proof. Note first that if a semantic function is defined from others by
structural recursion on a syntactic class of expressions, then a representing
function for the former is definable from representing functions for the latter
by course of values recursion on the set of Godel numbers of expressions of
this class, which forms a primitive recursive subset of N.
We can then prove parts (a)-(d) by examining the definitions of the
semantic functions, and applying Lemma 4.1 and (relativised versions of)
the following facts:
(1) If a function / on ^4^ is defined by primitive recursion or tail recursion on nat from functions g, h, . . . on AN , then / is For(g, h,...)
computable on AN. (Used in (a) and (b).)
395
(2) Course of values recursion on nat with range sort nat is reducible to
primitive recursion on nat. (Used in (a).)
(3) The constructive least number operator, used in part (c) (cf. the
definition of CompLength in section 3.4), is While computable
onAN.
References for facts (1) and (3) are given later (Theorem 8.5). Fact
(2) can be proved by an analogue of a classical technique for computability
on M which can be found in Peter [1967] or Kleene [1952].
We complete the cycle of relative computability by proving (e) as follows: given a term t e Terrors, consider the procedure
P = proc in x out y begin y:=t end.
r
Then since P~" is primitive recursive in rt~[ and teâ(rt~>,a) =

Pex,y,(>(r^>~1') (an(i since For computability implies While computability), the result follows from (1).
Theorem 4.3. The following

StdAlg(-).
are equivalent, uniformly
for A
(i) For all x and s, the term evaluation representing function te^s is
While computable on AN.
(ii) For all x, the atomic statement evaluation representing function ae,
and the representing function rest^, are While computable on AN.
(Hi) For all x, the computation step representing function comp, and its
two component functions notover^ and state^, are While computable on AN.
(iv) For allx., the statement evaluation representing function se^ is While
computable on AN.
(v) For all a,b,c, the procedure evaluation representing function pe^b c
is While computable on AN.
Proof. From the transitivity lemma for relative computability (3.32) and
Lemma 4.2.
Definition 4.4 (Term evaluation).

(a) The algebra A has the term evaluation property (TEP) if for all x
and s, the term evaluation representing function te^s (or, equivalently, any of the other sets of semantic representing functions listed
in Theorem 4.3) is While computable on AN.
(b) The class K has the uniform TEP if the term evaluation representing
function is uniformly While computable on KN.
Examples 4.5.
(a) Many well-known varieties (i.e., equationally axiomatisable classes of
algebras) have (uniform versions of) the TEP. Examples are: semigroups, groups, and associative rings with or without unity. This
396
follows from the effective normalisability of the terms of these varieties. In the case of rings, this means an effective transformation of
arbitrary terms to polynomials. Consequently, the unordered and
ordered algebras of real and complex numbers (R.,'R<,C and C < , defined in Example 2.23), which we will study in section 6, have the
TEP. (See Tucker [1980, 5].)
(b) An (artificial) example of an algebra without the TEP is given in
Moldestad et al. [I980b].
Proposition 4.6. The term evaluation representing function on A* is
For (and hence While) computable on A* , uniformly for A .StdAlg(Y,).
Hence the class StdAlg(*) has the uniform TEP.
Proof. (Outline.) The function te ^* is definable by course of values recursion (cf. Remark 8.6) on Godel numbers of E*-terms, uniformly for
A StdAlg(E). It is therefore uniformly For computable on A*, by Theorem 8. 7(a).
I
Corollary 4.7.
(a) The term evaluation representing function on A is For* (and hence
While*) computable on AN , uniformly for A StdAlg(E).
(b) The other semantic representing functions listed in Theorems 4.3 are
While* computable on AN , uniformly for A (EStdAlg().
Remark 4.8. Suppose and A are ,/V-standard. Then the semantic representing functions listed above (such as te^s) can all be defined over A
instead of AN . In that case, Lemma 4.2, Theorem 4.3, Definitions 4.4 and
Corollary 4.7 can all be restated, replacing 'AN\ 'S^' and 'KN' by 'A', ''
and 'K', respectively. Similar remarks apply to the definitions and results
in Sections 4.8-4.12.
Recall the definitions of generated subalgebras, and minimal carriers
and algebras (Definitions 2.15 and 2.17 and Remark 2.16).
Corollary 4.9 (Effective local enumerability) .
(a) Given any ^-product type u and H-sort s, there is a For* computable
uniform enumeration of the carrier set of sort s of the subalgebra (a)A
generated by a & Au , i.e., a total mapping
enums: Au x N -> As
which is For* computable on AN , such that for each a A" , the
mapping
(where x : u) is surjective.
(b) If A has the TEP, then enums is also While computable on AN .
397
Proof. Define enum^ s simply from the appropriate term evaluation representing function:
p (a, n) = te^s(n,a).
Corollary 4.10 (Effective global enumerability).
(a) If A is minimal at s, then there is a For* computable enumeration
of the carrier As, i.e., a surjective total mapping
enumf:
N - As,
N
which is For* computable on A .

(b) If in addition A has the TEP, then enumf
table on AN .
is also While compu-
Proof.. From Corollary 4.9, using the empty list of generators.
4.8
Universal WhileN procedure for While
It is important to note that the procedure representing function pe^b c of

section 4.6 is not universal for Proc(,)u^.v (where a : u and b : v) . It is only
'universal' for While procedures of type u - v with auxiliary variables of
type type(c). In this subsection we will construct a universal procedure
UniVy J)(rP~1, a) for all P Procu-+vand a Au. This incorporates not
the auxiliary variables of P themselves, but representations of their values
as (Godel numbers of) terms in the input variables a. These can then all
be coded by a single number variable.
We will, assuming the TEP for A, construct a universal procedure for
ProCu-+v on A. For this we need another representation of the computation step function which differs in two ways from comp^ in section 4.4:
(1) it is denned relative to a tuple a of program variables ('input variables'), which does not necessarily include all the variables in S;
(2) it has as output not a tuple of values in A, but a tuple of terms in
the input variables or rather, the Godel number of such a tuple of
terms.
More precisely, given a product type u = s\ x . . . x sm and a u-tuple
of variables a : u, we define
compu*. rVarTup~l x rStmt~* x Au x N -> B x rTermTup~l
as follows: for any product type w extending u, i.e., w = si x . . . x sp for
some p > m, and for any x : w extending a (i.e., x=a, x Sm+1 , . . . , x Sp ),
and for any 5 Stmtx , o, 6 Au and n N,
where
398
(i) bn =notover2(rS~>, (a, 6 A ) , n), and

() tne TermTupl!W and te*w(Vt(a,8A))
n),
where 5^ is the default tuple of type sm+i x . . . x sp. This use of default
values follows from the initialisation condition for output and auxiliary
variables in procedures (section 3.1(d)). (This is also what lies behind the
functionality lemma 3.11 for procedures.)
(If p is not a Godel number of a tuple of variables x which extends a,
or if q is not a Godel number of a statement 5 with var(S)C x, then
we define compu(p,q,a,n) 0 (say). This case is decidable primitive
recursively in p and q. Similarly for the other functions defined below.)
The function compu^ has the two 'component functions'
notoverUx
stateu*
:
:
VarTupxr Strut1 xAu x N - B

VarTupxrStmt~(xAu x N -> rTermTup~l
where, for x extending a and s Sttnt*,

(rxn,r5"l,a,n)
(rx~(,rS^,a,n)
=
=
bn
tn~l.
Compare these functions with comp^ and its components notover^ and
(section 4.4). Note that for any x extending a and S
notover^(rS'1, (a, 6 A), n)
state? (rS^, (a, 8A), n)
=
=
notoveru(ryi~',rS~*, a,n) = bn
Think of compu^ and its component functions as uniform (in x) versions

of cornp^ and its component functions. Only the 'input variables' a are
specified.
We need a syntactic operation on terms and variables.
Definition 4.11. For any term or term tuple t and variable tuple a,
subex(t, a) is the result of substituting the default terms 8s for all variables
xs in t except for the variables in a.
Remark 4.12.
(a) For all t 6 TermTup, subex(t,a) e TermTup*.

(b) subex is primitive recursive in Godel numbers.
(c) Suppose t : w and var(t) C x = a, z where a : u. Then for a Au,
where S A is the default tuple of type type(z). This follows from the 'substitution Lemma' in logic; see, for example, Sperschneider and Antoniou
[1991].
Lemma 4.13. The function compu^, and its component functions
notoveru^ and stateu*, are While computable in (te^s \ s
Sort(Z)} on AN , uniformly for A &StdAlg(E).
399
Proof. (Outline.) We essentially redo parts (a) and (b) of Lemma 4.2,
using uniform (in x) versions of aeA and restA, i.e., we define (1) the
function
aeuA:
VarTup~>xrAtSt~l
TermTup~(
where for any x : w and S AtSt*, we have

aeu /t ( r x~ 1 , r S~ 1 ) !~TermTupI,w~l, such that for any x Aw,
(r^rS^), x) = aeA(rS
and (2) the function
restuA:
VarTup~(xrStmt~>xAu
->
where for any x : w extending a : u, 5 AtSto and a Au,

restuA(r^,rS^,a)
= rest? (''S'1, (a, 6 A)).
We can then show that

(i) aeuA is primitive recursive;
(ii) compuA is While computable in restuA on A; and
(Hi) restuA is While computable in (teAs \ s 6 5or<(S)).
Combining these three facts gives the result.
Note, in (Hi), that the term evaluation functions teAs are used to
evaluate Boolean tests in the course of defining restuA. The one tricky
point is this: how do we evaluate, using teAt3, a (Godel number of) a term
t TermIiS, which contains variables in x other than a? (This is the issue
of 'uniformity in x'.) The answer is that by Remark 4.12(c) the evaluation
of t is given by es(rsu6ea;(t,a)~1, a).
Theorem 4.14 (Universality characterisation theorem for

While(E) computations). The following are equivalent, uniformly for
(i) A has the TEP.

(ii) For all ^-product types u,v, there is a While(N) procedure
Univ U ) U : rProcu_yt,~1 x u -> v
which is universal for Procu->v on A, in the sense that for all P

Procu.^v and a Au ,
UnivjyPâ) ~ PA(a).
Proof.
(i) => (ii): Assume A has the TEP. We give an informal description
of the algorithm represented by the procedure Univ U)t; . With input
(rP"1, a), where P eProcu->vand a Au, suppose
400

P = proc in a out b aux c begin S end
where a : u and b : v. Putting x=a,b,c, evaluate notoveru*
(rx~l,r5~l, a, n) for n = 0, 1, 2, . . . , until you find the (least) n for
which the computation of S at a terminates (if at all), i.e.,, the least
n = HQ such that
notoverUx(rx^,rS~],a, n0 + 1) = ff.
Note that notoveru^ is While computable by Lemma 4.13 and
assumption. Now let us put
stateu^(rx~l,rS~l,a, n0) = rt, t', t"'1,
where the term tuples t, t' and t" represent the current values of a, b
and c, respectively. This is also While computable by Lemma 4.13
and assumption. Finally, the output is
(cf. Remark 4.12(c)). By assumption and Remark 4.12(6), this is

While computable in rt'~l and a, and hence in rP~l and a.
() => (j): Note that for any a,b,c,
where a : u and b : v. Hence pe^b,c ig While(N) computable if
is. The result follows from Theorem 4.3.
I
Corollary 4.15 (Universality for ^4*). For all ^-product types u,v,
there is a While* (EN ) procedure
Univ* )1( : natxu
which is universal for Proc*u_+v, in the sense that for all P
A e StdAlg(S) and a Au,
rPV) ^ PA(a).
Proof. StdAlg(,*) has the uniform TEP, by Proposition 4.6.
Remark 4.16.
(a) For all u, v, the construction of Univ u , v (direction (i) => (ii) in the
proof of Theorem 4.14) is uniform over S in the following sense.
There is a relative While(N) procedure Uu<v : nat x u -> v containing oracle procedure calls (he \ s Sort(S)) (section 3.12) with
hs : natxu > s, such that for any A StdAlgCS,), if hs is interpreted
as tes on A (where a : u), then Uu<v is universal for Procu-+v on
A. (We ignore the question of whether tes is computable on A.)
(b) The use of term evaluation occurs at two points in the construction
of Univ Wjt , (direction ()=>()): (1) in the evaluation of Boolean
tests in the construction of the sequence
401
coTnjm^(rxn,rSn, a, 0), compu^(rx~l,rS~1, a, 1), ... ;

(4.1)
and (2) in the evaluation of the output variables t' (see proof of Theorem 4.14). We can separate, and postpone, both these applications
of term evaluation by modifying the construction of the universal
procedure as follows.
Step 1: Construct from S, not a computation sequence as in (4.1) but
rather a computation tree (section 5.10), specifically comptree(rx~l,
r
S~l,n) (where x = a, b, c), which is the Godel number of the first
n levels of the computation tree from S Stmtx labelled by wtuples of terms in TermTupz<w. Note that comptree:^ - N is
primitive recursive.
Step 2: Select a path in this tree by evaluating Boolean tests (using te^bool
together with the subex operation) until you come (if at all) to a
leaf. Evaluate the terms representing the output variables at this leaf
(again using teB with the subex operation).
4.9
Universal WhileN procedure for While*
We can strengthen the universal characterisation theorem for While computations (4.14) using the */ conservativity thorem (3.63).
Theorem 4.17. (Universality characterisation theorem for While*
computations) The following are equivalent, uniformly for A
(i) A has the TEP.

(ii) For all ^-product types u,v, there is a While(iN) procedure
Univ U)t ,: natxu > v
which is universal for Proc*u^v on A, in the sense that for all P

Proc*u^v and a 6 Au,
'.a) ~ PA(a).
Proof.
(i) => (H): Modify the proof of Theorem 4.14, following the algorithm
of Remark 4.16(6). Construct a computation tree as in 'step 1. Then,
in step 2 (term evaluation), replace all Boolean terms (in selecting a
path) and the output terms (at the leaf) by the corresponding Sterms given by Theorem 3.63, and apply tes (for s S'ort(E)) to
these. Since this transformation of terms is primitive recursive in
402
Godel numbers (Remark 3.64(o)), the whole algorithm can be formalised as a While(SN) procedure.
(M) => (j): This follows trivially from Theorem 4.14.
I
Corollary 4.18. The following are equivalent, uniformly for A StdAlg(E).
(i) A has the TEP.

(ii) While* (A) = WhileN(A).
4.10
Snapshot representing function and sequence
Next we consider the statement remainder and snapshot functions (section 3.14) which will be useful in our investigation of the halting problem
(section 5.6). Let x : u.
The statement remainder function (relative to x)
RemA= RemA\(StmtxxState(A)xN)
Stmt%xState(A)x^ ->
(cf. Definition 3.52) is represented by the function

remA: rStmt^xAu x N -> r
which is denned so as to make the following diagram commute:
RemA
StmtzxState(A)xN
>
Stmt*
Stmt^xAu x N
(Again, this is well defined, by Lemma 3.10.)

The snapshot function (relative to x)
Snap*=
SnapAl(StmtIxState(A)xN):
StmtIxState(A)xN -> (Stote(A)U{*})xStmtx
(cf. Definition 3.56) is represented by the function

snapA:
Stmt^xAu x N -> (B x Au)xrStmtI~l
which can be defined simply as

snapA(rS~l,a,n)
=
=
(compA(rS~l,a,n), remA(rS~l,a,n))
((notoverA(rS~i,a, n), stateA (rS'1 ,a, n)),
403
or (equivalently) so as to make the following diagram commute:

SnapA
> (State(A) U
(gn,RepA ,idN)
(RepAt,gn)
Fix x : u, s 6 Stmtf and a A". Put & = notoverA(rS~t,a, n), an

( r 5~ l ,a,n) and rSn~1 = rem^l(r5"1, a,n). Then the sequences
(tt,a)
(&o,ao)> (&i,ai), (62,02),
are called, respectively, the computation representing sequence, the remainder representing sequence and the snapshot representing sequence generated by S (or rSn) at a (with respect to x), denoted respectively by
compseq(rS~(,a), reraseg^(rS~1,a) and snapseq^(rS^,a). (Compare
the sequences CompSeqA(S,a), RemSeqA(S,a) and SnapSeqA(S,o~)
introduced in section 3.)
The sequences compseqf (r S~* ,a) and snapseqA(rS~*,a) are said to
be non-terminating, if, for all n, notoverA(rS^,a,n) = tt, i.e., for no n is
These representing sequences satisfy analogues of the results listed in
section 3.14; for example:
Proposition 4.19. // snapseqA f~ ^5n ,a) repeats a value at some point,
then it is periodic from that point on, and hence non-terminating. In other
words, if for some m,n with m^n
then, for all k > 0,

snapA(rS-l,a, m + k) = snapA(rS^,an + k) ? ((ff,^),skip)
(Cf. Proposition 3.57 and Corollary 3.58.)
With the function anapA , we can extend the list of relative computability results (Lemma 4.2), and add a clause to Theorem 4.3:
Lemma 4.20. (Cf. Lemma 4-%-) The function snapA, and its two component functions compA and remf, are While computable in (teAs \
s SoH()) on AN, uniformly for A
404
Theorem 4.21. (Cf. Theorem 4-3.)

formly for A StdAlg(Z):
The following are equivalent, uni-
(i) For all x and s, the term evaluation representing function teg is
While computable on AN .
(ii) For all x, the snapshot representing function snap^ , and its two
component functions camp* andrem^, are While computable on
AN.
Proof. As for Theorem 4.3.
A uniform (in x) version of snap* will be used in section 5.6 in our

investigation of the 'solvability of the halting problem'.
4.11
Order of a tuple of elements
Let u be a E-product type, s a E-sort and A a S-algebra. The order

function of type u,s on A is the function
ords: Au -> N
where, for all x 6 A",
i.e., the cardinality of the carrier of sort s of the subalgebra of A generated
by x. (It is undefined when the cardinality is infinite.)
Note that this is a generalisation of the order operation for single elements of groups (Example 3.14(6)).
Note that for a tuple x Au, the subalgebra (x)f can be generated in
stages as finite sets:
<*>i!o C (xfa C (x)^ C...
where (x)*n is defined by induction on n, simultaneously for all S-sorts s
(cf. Meinke and Tucker [1992, 3.12.15ff.] for the single-sorted case), and
Also (x)f is finite if, and only if, there exists n such that
<*>> = +i
(4-2)
in which case
Ws,n
(x/s,n+l
\x)s,n+2
= (X)
Lemma 4.22. For any tuple of variables x : u, there is a primitive

recursive function

SubAlgStageû,s:
405
N -> N
such that SubAlgStagex,u,s(n) is the Godel number of a list (rti~*...

r
fc n ~ 1 ) of Godel numbers of the set of terms generated by stage n, i.e.,
Example 4.23. Suppose s is an equality sort.

(a) The order function ord^ s is While computable in te^s (where x :
u) on AN, uniformly for A StdAlg().
(b) Hence if A has the TEP, then ords is While computable on AN .
Proof. The algorithm to compute ord^ s is (briefly) as follows. Suppose
given an input x e Au. With the help of the functions SubAlgStageI<UtS
and tefs and the equality operator on As, test for n = 0, 1, 2, . . . whether
(4.2) holds. If and when such an n is found, determine card((x)^n), again
using the equality operator on Aa (this time to determine repetitions in the
list (x)*n).
4.12
Locally finite algebras
Definition 4.24. An algebra A is locally finite if every finitely generated

subalgebra of A is finite, i.e., if for every finite X C Usesortffi) ^ an<^
every sort s, (X)^1 is finite.
Note that A is locally finite if, and only if, ords (section 4.11) is total
for all u and s.
Example 4.25. Consider the algebra
AC = (N-; 0,pred)
where N~ is just (a copy of) N, and 'pred' is the predecessor operation on
this: pred(n + 1) = n and pred(O) = 0. We write 'N~ ' to distinguish this
carrier from the 'standard' naturals N, which we can adjoin to form the
./V-standardised algebra. We also write the sort of N~~ as nat~ . Let
M- = (N-,B; 0,pred,eqnat-, ... )
be the standardised version of jV^~ (with nat~ an equality sort). Then both
.A/^ and jV~ are locally finite; in fact for any k\ , . . . , km e N~ ,
where fc = max(fci,... ,fc m ). (Check.) Hence
Theorem 4.26. Suppose A is locally

s Strut* and a Au:
finite.
Then for any x : u,
406
(a) snapseq^(rS~l,a) has finite range.

(b) snapseq^ (rS~l,a) (or, equivalently, compseq(rS~l,a)) is non-terminating <=> snapseqf(rS'l,a) repeats a value (other than ((f, 6^)
Proof.
(a) Consider a typical element of the snapshot representing sequence generated by 5 at a:

(an,rSn^)
(4.3)
where an = comp^(rS~t,a,n) and rSn = rem(rS~l,a, n) for some

n. By Lemma 3.28, an must be in (a)^, which is finite by
assumption. Also, by Proposition 3.54, 5n must be in RemSet(S)\J
{skip}, which is finite, by Proposition 3.51. Hence the pair (4.3) must
be in the product set (a)^ x rRemSet(S)~*, which is also finite.
(b) The direction '=>' follows from (a). The direction '=' follows
from Corollary 3.58 or (equivalently) Proposition 4.19.
I
Local finiteness will be used later, in considering 'solvability of the halting problem' (Section 5.6).
4.13 Representing functions for specific terms or programs

The representing functions that we considered in sections 4.3-4.6 and 4.10
have as arguments (typically)
(i) Godel numbers of terms, statements or procedures, and
(ii) representations of states.
Computability of all these functions is equivalent to the TEP (Theorems
4.3 and 4.21).
Another form of representation which will be useful is to use (i) the
term, statement, etc. as a parameter, not an argument, and just have (ii)
the state representation as an argument.
More precisely, we define (for x : u, t Term XjS , s G Stmtx, a : u,
b : v and P Proc^tC) the functions
Au -+
Au
->
A xN
Au x N -> B x Au
(4.4)
remAs
snapAs
:
:
407
Au x N Au x N - (I x .4") x
seAs
such that
t<. = tc^rr.o),
A r
1
compAs(a,n)
comp ( S~ ,a, n),
and similarly for the other functions listed in (4.4). We then have:
Theorem 4.27.
(a) The functions teAsj and aeAs are While computable on A. The
functions reatAs, notoverAs, 8tateAs, compAs, remAs and
snapAs are While computable on AN . The functions seAs and
peAb c P are WhileN computable on A.
(b) Suppose A is N-standard. Then all the functions listed in (4-4) are
While computable on A.
Proof. For (a): computability of teAs<t is proved by structural induction
on t Termx. To prove computability of rests on AN , put 5 = So; Si,
where So does not have the form S';S" (and ';Si' may be empty), and
rewrite the definition of RestA in section 3.5 as an explicit definition by
cases, according to the different forms of So- For computability of comp^s
on AN , show that the family of functions (comp^ s, \S' RemSet(S))
is definable by simultaneous primitive recursion. (Compare the definition
of CompA in section 3.4.) Use the fact that this family is finite, by Proposition 3.51.
Part (6)followsimmediately from (a).
Notions of semicomputability
We want to generalise the notion of recursive enumerability to many-sorted

algebras. There turn out to be many non-equivalent ways to do this.
The primary idea is that a set is While semicomputable if, and only
if, it is the domain or halting set of a While procedure; and similarly for
WhileN and While" semicomputability. There are many useful applications of these concepts, and they satisfy closure properties and Post's
theorem:
A set is computable if, and only if, it and its complement are
semicomputable.
408
The second idea of importance is that of a projection of a semicomputable set. In computability theory on the set N of natural numbers, the
class of semicomputable sets is closed under taking projections, but this is
not true in the general case of algebras, even with While* computability.
(A reason is the restricted form of computable local search available in
our models of computation.) Protective semicomputability is strictly more
powerful (and less algorithmic) than semicomputability.
In this section we will study the two notions of semicomputability and
projective semicomputability in some detail. We will consider the invariance of the properties under homomorphisms. We will prove equivalences,
such as
projective While* semicomputability = projective For* computability.
In the course of the section, we also consider extensions of the While
language by non-deterministic constructs, including allowing:
(i) arbitrary initialisations of some auxiliary variables in programs;
(if) random assignments in programs.
We prove that in these non-deterministic languages, semicomputability is
equivalent to the corresponding notion of projective semicomputability. We
also show an equivalence between projective semicomputability and
(Hi) definability in a weak second-order language.
We characterise the semicomputable sets as the sets definable by some
effective countable disjunction
\/bk
k=0
of Boolean-valued terms. This result was first observed by E. Engeler.

There are a number of attractive applications, e.g. in classifying the semicomputable sets over rings and fields, where Boolean terms can be replaced
by polynomial identities; we consider this topic in section 6.
These concepts and results are developed for computations with the
three languages based on the While, WhileN and While* constructs;
and their uniformity over classes of algebras is discussed.
We assume throughout this section that E is a standard signature, and
A a standard E-algebra.
5.1
While semicomputability
Definition 5.1. The halting set of a procedure P : u -+ v on A is the

relation
HaltA(P) =df {a e Au \ PA(a) 4.}.
Now let J? be a relation on A.
409
Definition 5.2.
(a) R is While computable on A if its characteristic function is.
(b) R is While semicomputable on A if it is the halting set on A of some
While procedure.
(c) A family R =(RA \ A K) of relations is W^hi/e semicomputable
uniformly over K if there is a W^/iiJe procedure P such that for all
A K, .RA is the halting set of P on A.
It follows from the definition that R is While semicomputable on A
if, and only if, R is the domain of a While computable (partial) function
on A.
Remark 5.3. As far as defining relations by procedures is concerned, we
can ignore output variables. More precisely, if R =HaltA(P), then we may
assume that P has no output variables, since otherwise we can remove all
output variables from P simply by reclassifying them as auxiliary variables.
We will call any procedure without output variables a relational procedure.
Definition 5.4 (Relative While semicomputability). Given a tuple
<?i, 19n of functions on A, a relation R on A is While semicomputable
ingi,... , gn if it is the halting set on A of a While(gi,... , gn) procedure,
or (equivalently) the domain of a function While computable in g\,... ,gn
(cf. section 3.10).
Example 5.5.
(a) On the naturals J\f (Example 2.23(6)), the While semicomputable
sets are precisely the recursively enumerable sets, and the While
computable sets are precisely the recursive sets.
(b) Consider the standard algebra K of reals (Example 2.23(c)). The set
of naturals (as a subset of M) is While semicomputable on Ti, being
the halting set of the following procedure:
is-nat
proc in x: real
begin while not x= 0
do x := x-1 od
end
(c) Similarly, the set of integers is While semicomputable on 7. (Exercise.)

(d) However, the sets of naturals and integers are While computable on
Tl< (section 2.23(d)). (Exercise.)
(e) The set of rationals is While semicomputable on K. (Exercise. Hint:
Prove this first for KN.)
5.2
Merging two procedures: Closure theorems
In order to prove certain important results for While semicomputable sets,

namely (a) closure under finite unions, and (b) Post's theorem, we need to
develop an operation of merging two procedures, i.e., interleaving their
410
steps to form a new procedure. In the context of TV-standard structures,

and assuming the TEP, this is a simple construction (as in the classical case
over N). In general, however, the merge construction is quite non-trivial,
as we shall now see.
Lemma 5.6. Given two relational While(T,) procedures PI and PI, of
input type u, we can construct a While(E) procedure
Q = mg(Pi,P2) : u -> bool,
the merge of PI and P2 , with Boolean output values (written '1 ' and '2 ' for
clarity) such that for all A StdAlg(E) and a A":
or
QA(a) \r 1
PA(a) |,
Proof. We may assume without loss of generality that

PI
P2
=
=
proc in x aux z\ begin Si end

proc in x aux z2 begin 8-2 end
where x : u and ziDz2 = 0. We can construct a procedure

Q = proc in x aux zi,z2, . . . out which begin S end
where S=mg(Si,Sz), the 'merge' of Si and 52, and 'which' is a Boolean
variable with values written as '!' and '2'. The operation m</(Si,S 2 ) is
actually defined for all pairs Si,S2 such that var(Si)nuar(S 2 )C x, and
none of the x occur on the Ihs of any assignment in Si or S2. It has the
semantic property that for all A, a:
or
and if [ra<7(Si,S2)lAcr ^ a' then
a' (which) = 1 = {Si\a\. and [mg(Si, S2)]Aa [Si]Aff (rel worSi),
(/(which) = 2 =* [5 2 JaJ.and [mg(Si,S^)]Aa w [S2]A(r (rel varS2).
The definition of mg(Si,Sz) is by course of values recursion on the sum
of compl(Si) and compl(S2)- Details are left as a (challenging) exercise. (Hint: The tricky case is when both Si and S2 have the form
Sj=while hi do S? od; S< (i = 1, 2), where ';S-' may be empty).
I
Remark 5.7. The construction of mg(Pi , P2) for A is much simpler if we
can assume that (i) A is N-standard, and (ii) A has the TEP. In that case,
by Theorem 4.3, the computation step representing function compA is
While computable on A. Using this, we can construct a While procedure
which interleaves the computation steps of Si and S2, tests at each step
411
whether either computation has halted, and (accordingly) gives an output

of 1 or 2.
Theorem 5.8 (Closure of While semicomputability under union
and intersection). The union and intersection of two While semicomputable relations of the same type are again While semicomputable. Moreover, this result is uniformly effective over StdAlg(E), in the sense that
given two While procedures PI and P2 of the same input type u, there are
two other procedures Piu2 and Pm2 of input type u, effectively constructible
from P\ and PI, such that on any standard ^-algebra A,
(a)
HaltA(Piu2) = HaltA(Pi)U HaltA(P2);
(b)
HaltA(Pln2) = HaltA(Pl)r\ HaltA(P2).
Proof. Suppose again without loss of generality that
PI
P2
=
=
proc in x aux z\ begin Si end

proc in x aux z2 begin S2 end
where z\ n z2 = 0.
(a) Piu2 can be defined as Tn.g(Pi,P2), as in Lemma 5.6. (We ignore its
output here.)
(b) Pm2 can be defined, more simply, as in the classical case:
Pm2 = proc in x aux zi, z2 begin Si; 82 end.
If R is a relation on A of type u, we write the complement of A as
Rc
=df
AU\R.
Theorem 5.9 (Post's theorem for While semicomputability). For

any relation R on A
R is While computable
<=
R and Rc are While semicomputable.
Moreover, this equivalence is uniformly effective over StdAlg(), i.e.,

(considering the reverse direction) given any procedures PI and P2 of the
same input type u, there is a procedure P$ : u > bool, effectively constructible from PI and P2, such that on any standard Y,-algebra A, if the
halting sets of PI and P2 are RA and RCA respectively, then P3 computes
the characteristic function of RA .
Proof.
(=0
This follows, as in the classical case, by modifying a procedure

which computes the characteristic function of R into two procedures
which have R and Rc respectively as halting sets.
(=) Again, we can just take P3 = mg(Pi,P 2 ), as in Lemma 5-6.
Another useful closure result, applicable to ./V-standard structures, is:

Theorem 5.10 (Closure of While semicomputability under N-projections). Suppose A is N-standard. If R C A uxnat is While semicomputable on A, then so is its ^-projection {x Au \ 3n N/t(x,n)}.
412
Proof. From a procedure P which halts on R, we can effectively construct

another procedure which halts on the required projection. Briefly, for input
x, we search by dovetailing for a number n such that P halts on (x,ri). In
other words, the algorithm proceeds in stages (1,2, . . . ), given by the
iterations of a 'while' loop. At stage n, test whether P halts in at most n
steps, with input (x, k), for some k < n. This can be done by computing
notover^s(x,k) for all k < n (see section 4.13). The algorithm halts if
and when we get an output f.
I
Note that if A has the TEP, we could just as well use the computation
step representing function comp in the above proof instead of comps.
(Cf. Remark 5.7.)
We can generalise Theorem 5.10 to the case of an As-projection for any
minimal carrier Aa (recall Definition 2.17), provided A has the TEP:
Corollary 5.11 (Closure of While semicomputability under projections off minimal carriers). Suppose A is N-standard and has the
TEP. Let As be a minimal carrier of A. If R C Au*s is While semicomputable on A, then so is its projection {x e Au \ 3y As R(x,y)}.
Proof. Recall that by Corollary 4.10, there is a total While computable
enumeration of As,
enurn^: N -> As.
u
So for all x A ,
3y e AsR(x,y)
=> 3nR(x,enum(n))
$=> 3nR'(x,n)
where (as is easily seen) the relation

R'(x,n) =df
R(x,enumf(n))
is While semicomputable. The result follows from Theorem 5.10.
Note that there are relativised versions (cf. Definition 5.4) of all the
results of this subsection so far.
Discussion 5.12 (Minimality and search). Corollary 5.11 is a manysorted version of (part of) Theorem 2.4 of [Friedman, 1971a], cited in
[Shepherdson, 1985]. The minimality condition (a version of Friedman's
Condition III) means that search in As is computable (or, more strictly,
semicomputable) provided A has the TEP. Thus in minimal algebras, many
of the results of classical recursion theory carry over, e.g.,
the domains of semicomputable sets are closed under projection (as
above);
a semicomputable relation has a computable selection function;
a function with semicomputable graph is computable.
(Cf.Theorem 2.4 of Friedman [I971a].) If, in addition, there is computable
equality at the appropriate sorts, other results of classical recursion theory
carry over, e.g.,
413
the range of a computable function is semicomputable.

(Cf. Theorem 2.6 of Friedman [I971a].)
5.3
Projective While semicomputability: semicomputability with search
We introduce and compare two new notions of semicomputability: (1)

projective While semicomputability and (2) While semicomputability
with search. First, for (1):
Definition 5.13.
(a) R is protectively While computable on A if, and only if, R is a projection of a While computable relation on A (see Definition 2.9(d)).
(b) R is projective While semicomputable on A if, and only if, R is a
projection of a While semicomputable relation on A.
The notions of uniform projective While computability and semicomputability over K of a family of relations, are denned analogously (cf. Definition 5.2(c)).
Note that projective While semicomputability is, in general, weaker
than While semicomputability. Example 6.15 will show this, using Engeler's lemma.
We do, however, have closure of semicomputability in the case of Nprojections, i.e., existential quantification over N, as we saw in Theorem
5.10. Further, we have from Corollary 5.11:
Proposition 5.14. Suppose A is N-standard and minimal and has the
TEP. Then on A
projective While semicomputability =
While semicomputability.
Now, for (2), we introduce a new feature: definability with the possibility of arbitrary initialisation of search variables. For this, we define a
new type of procedure.
Definition 5.15. A search procedure has the form
Psrch = proc in a out b aux c srch d begin S end,
(5.1)
with search variables d as well as input, output and auxiliary variables, and
with the stipulations (compare section 3.1(d)):
a, b, c and d each consist of distinct variables, and they are pairwise
disjoint;
every variable in S is included among a, b, c or d;
the input and search variables a,d can occur only on the right-hand
side of an assignment in 5;
(initialisation condition): S has the form Smit'iS', where Sina
consists of an initialisation of the output and auxiliary variables, but
not of the search variables d.
414
Again, we may assume in (5.1) that PSrch has no output variables, i.e.,
that b is empty. (See Remark 5.3.)
Definition 5.16. The halting set of a search procedure as in (5.1) on A
(assuming a : u and d : w) is the set
HaltA(Psrch)
=df {a e Au\ for some a with a [a] = a, [5]<r |}.
In other words, it is the set of tuples a Au such that when a is initialised to a, then for some (non-deterministic) initialisation of d, S halts.
Note that this reduces to Definition 5.1 when Psrch has no search variables.
Now let J? be a relation on A.
Definition 5.17. R is While semicomputable with search on A if R is
the halting set on A of some While search procedure.
Again, the notion of uniform While semicomputability with search over
K of a family of relations, is defined analogously.
Now we compare the two notions introduced above.
Theorem 5.18.
(a) R is While semicomputable with search on A *=> R is protectively

While semicomputable on A.
(b) This equivalence is uniform over StdAlg(E), in the sense that there
are effective transformations Psrch >-* P and P i-> Psrch between
search procedures Psrch and ordinary procedures P, such that for all
A StdAlg(T,), HaltA(Psrch) is a projection of HaltAP.
Proof. The equivalence follows easily from the definitions. Suppose R is
the halting set on A by a search procedure Psrch with input variables a : u
and search variables d : w. Let P be the procedure formed from Psrch
simply by relabelling d as additional input variables. (So the input type of
P is ux w.) Then R is the projection onto Au of the halting set of P. The
opposite direction is just as easy.
I
5.4
WhileN semicomputability
Let R be a relation on A.
Definition 5.19.
(a) R is WhileN computable on A if its characteristic function is (section
3.12).
(b) R is WhileN semicomputable on A if it is the halting set of some
WhileN procedure P on AN.
Again, we may assume that P has no output variables. (See Remark
5.3.)
From Proposition 3.38 we have:
415
Proposition 5.20. If A is N -standard, then WhileN semicomputability

on A coincides with While semicomputability on A.
Theorem 5.21 (Closure of WhileN semicomputability under union
and intersection). The union and intersection of two WhileN semicomputable relations of the same input type are again WhileN semicomputable, uniformly over StdAlg(S).
Proof. Prom Theorem 5.8, applied to AN .
Theorem 5.22 (Post's theorem for While

For any relation R on A
semicomputability).
R is WhileN computable =*>

R and Rc are WhileN semicomputable,
uniformly for A
StdAlg(E).
Proof. From Theorem 5.9, applied to AN .
Note that if A has the TEP, then the construction of a 'merged' WhileN
procedure mg(P\,P2) from two WhileN procedures PI and P%, used in
the above two theorems, is much simpler than the construction given in
Lemma 5.6 (cf. Remark 5.7).
Also Theorem 5.10 and Corollary 5.11 can respectively be restated for
WhileN semicomputability:
Theorem 5.23 (Closure of WhileN semicomputability under Mprojections) . Suppose R C yl uxnat ; where u ProdType(E), and R
is While semicomputable on AN , Then its ^-projection {x | 3n
N/?(a;,n)} is WhileN semicomputable on A.
Corollary 5.24 (Closure of WhileN semicomputability under projections off minimal carriers). Suppose A has the TEP. Let As be a
minimal carrier of A. If R C Au*s is WhileN semicomputable on A, then
so is its projection {x Au \ 3j/ ^4S R(x,y)}.
Example 5.25.
(a) (WhileN semicomputability of the subalgebra relation.) For a standard signature E, equality sort s, product type u and standard Salgebra A, the subalgebra relation
(where (x)f is the carrier of sort s of the subalgebra of A generated by
x 6 Au) is While semicomputable (on AN) in the term evaluation
representing function tes, where x : u (section 4.3). To show this,
we note that
(cf. Remark 2.16) and apply (a relativised version of) Theorem 5.23.
Hence if A has the TEP, this relation is WhileN semicomputable on
A.
416
(b) On the standard group Q (Examaple 2.23(#)) the set {g 6 G \

3n(gn = 1)} of elements of finite order is WhileN semicomputable,
being the domain of the order function on QN, which is While computable on QN (Example 3.14(6)). In fact, this set is even While
semicomputable on Q. (Exercise.)
(c) More generally, for any S-product type u and E-equality sort s, the
set
(x e Au \(x)f
is finite}
is While semicomputable in tes. This follows from the fact that

it is the domain of the function ord^ s, which is While computable
in te?s on AN (Example 4.23). Hence if A has the TEP, then this
set is WhileN semicomputable on A.
5.5
Projective WhileN semicomputability
Definition 5.26.
(a) R is protectively WhileN computable on A if, and only if, R is a
projection of a While(EN) computable relation on AN.
(b) R is protectively WhileN semicomputable on A if R is a projection
of a While(N) semicomputable relation on AN.
Proposition 5.14 can be restated for WhileN semicomputability:
Proposition 5.27. Suppose A is a minimal and has the TEP. Then on A
projective WhileN semicomputability =
WhileN semicomputability.
Definition 5.28. R is WhileN semicomputable with search on A if J? is

the halting set of a While(2,N) search procedure on AN.
Note that the While(N) search procedure in this definition has
simple input variables. However, the auxiliary, search and output variables
may be simple or nat.
Again, the following equivalence follows easily from the definitions. (Cf.
Theorem 5.18.)
Theorem 5.29.
(a) R is WhileN semicomputable with search on A 4=> R is projectively WhileN semicomputable on A.

(b) This equivalence is uniform over StdAlg(Y,).
5.6
Solvability of the halting problem
The classical question of the solvability of the halting problem ([Davis,

1958]; implicit in [Turing, 1936]) applies to the algebra of naturals A/o
(Example 2.5(a)) or its standardised version M (Example 2.23(6)). We
417
want to generalise this question to any standard signature E and standard

E-algebra A. We will find that the problem can only be formulated in
./V-standard algebras.
Definition 5.30. Suppose E C S ' , where S is standard and E' is Nstandard, and suppose A is a standard S-algebra and A' is a E'-expansion
of A. Then we say the halting problem (HP) for While(E) computation
on A is While(Y,')-solvable on A', or the HP for While(A) is solvable in
While(A'), if for every S-product type u there is a WhtJe(E') procedure
HaltTestn: natxw -4 bool,
such that HaltTest^ is total, and for every While(E) procedure P of input
type u, and all a Au,
, a) =
'
[f
otherwise.
The procedure HaltTestu in the above definition is called a universal

halting test for type u on While(A).
Proposition 5.31. // the HP for While(A) is solvable in While(A'),

then every While(E) semicomputable set in A is While(') computable
in A'.
The two typical situations are:

() S' = XN and A' = AN;
(ii) S is ./V-standard, '= S and A' = A.
Example 5.32. For the algebra N (Example 2.23(6)), the HP is not solvable in While(N). This is a version of the classical result of [Kleene,
1952].
Theorem 5.34 makes use of the concept of local finiteness (section
4.12). In preparation for it, we define uniform (in x) representations of
the statement remainder function and the snapshot function (cf. section
4.10). Namely, given a product type u = sj x . . . x sm and a w-tuple of
variables a : u (which we think of as input variables) , we define
remu^:
snapu*:
VarTup^xrStmt~(xAu x N -^rStmt~l
l r
u
VarTup~
x Stmt~nl xA
x N ->
r
r
(Bx TermTpa ) x Stmt~l
as follows: for any product type w extending u, i.e.,

w = Si x . . . x sp for some p > m, for any x : w extending a (i.e.,
x = a, x Sm+1 , . . . , x 8)p ), and for any S 6 Stmtj, a Au and n N,
where 5,4 is the default value of type s m +i x . . . x sp, and
418

snapu(rx.~l,rS~l, a, n)
= (compu(rx~l, r5~", a, n),

rermt^(rx~1,rS~', a, "))
=
((bn,V),rSn^
(5.2)
where
bn
notoveru^(rx.~l, I~S~1, a, n)
Sn'] =
Lemma 5.33. The function snapu^, and its components compu^ and
remu, are While computable in (te^s \ s 6 5ort(S)) onAN, uniformly
forAeStdAig().
Proof. Similar to Lemma 4.20.
Theorem 5.34. Suppose

(1) has equality at all sorts,
(2) A has the TEP, and
(3) A is locally finite.
Then the HP for While(A) is solvable in While(AN).
Proof. Given a E-product type u = si x . . . x sm, we will give an informal
description of an algorithm over ^4^ for a universal halting test for type
u on While(A). (Compare the construction of the universal procedure in
section 4.8.)
With input ( r P n , a), where P has input type u, and a 6 Au, suppose
P =. proc in a out b aux c begin S end
where a : u. Put x = a, b, c. Then for n = 0, 1, 2, ...
snapu?(V,rS^,a, n) = ((bn,rtn^,rSn^)
as in (5.2) above. Now put
%n =tew(rtn~l,a) = state^ (r 3^,0, 6A), n).
By Lemma 5.33 and assumption (2), snapu^ is While computable on
AN . In other words, its three components bn, r t n n and rSn~l (as functions
of n) are While computable on AN . Hence by assumption (2) again, the
components of the w-tuple xn are While computable on AN (as functions
of n).
Now for n 0, 1, 2, . . . , evaluate the w-tuple xn, and compare it (componentwise) to xm for all TO < n (which is possible by assumption (1)),
until either
(a) bn = f, which means that the computation of 5 (and hence of P at
a) terminates; or
419
(b) for some distinct m and n, bm = bn = tt, xm = xn and rSrn~l =

r
Sn~>, which means that the computation of 5 never terminates, by
Proposition 3.34.
Exactly one of these two cases must happen, by Theorem 4.26 and assumption (3). In case (a) halt with output tt, and in case (b) halt with output
f
I
Note that Assumption (1) can be weakened to:
(1') Equality on As is WhileN computable, for all E-sorts s.
Also, for all M, the above construction of HaltTestu is uniform over E
in the following sense: t'here is a relative While(,N) procedure Hu :
nat x u -4 bool containing oracle procedure calls (gs \ s Sort(E)) and
(ha | s Sort(S)) with gs : s1 -> bool and hs : nat x u -> s, such that
for any A StdAlg(E), if A is locally finite, then, interpreting gs and /is
as eq^1 and te^s respectively on A (where x : u), Hu is a universal halting
test for type u on A. (Cf. Remark 4.16(a).)
Corollary 5.35. Suppose
(1) E has equality at all sorts,
(T) A has the TEP,
(3) A is locally finite, and
(4) A is N-standard.
Then the HP for While(A) is solvable in While(A).
Example 5.36 (A set which is WhileN but not While semicomputable). The above theory allows us to produce an example to distinguish
between While and WhileN semicomputability. Let A be the algebra
JV~ (Example 4.25). We present an outline of the argument. Check each
of the following points in turn.
(i) In AN there is a computable bijection (n H-> n) from N~ to N.
(U) Hence the WhileN computable subsets of N~ are precisely the
recursive sets of natural numbers (cf. Remark 3.43(d)).
(Hi) Similarly the WhileN semicomputable subsets of N~~ are precisely
the recursively enumerable sets of natural numbers (cf. Example 5.5).
(iv) Since M~ is locally finite (4.25) and has the TEP, the HP for
While(A) is solvable in While(AN). Therefore, by Proposition
5.31, every While semicomputable subset of N~ is WhileN computable, and hence recursive.
The result follows from (Hi) and (iv).
The same algebra, A/""", can be used to distinguish between While
and WhileN computable functions. (Exercise. Hint: There is a universal WhileN(Af~) procedure for all total While(N~) functions of type
nat~-nat~.)
420
5.7
While* semicomputability
Definition 5.37.
(a) R is While* computable on A if, and only if, its characteristic function is.
(b) R is While* semicomputable if, and only if, it is the halting set of
some While procedure P on A*.
Again, we may assume that P has no output variables. (See Remark
5.3.)
From Proposition 3.45 we have:
Proposition 5.38. On A*, While* semicomputability coincides with While
semicomputability.
Theorem 5.39 (Closure of While* semicomputability under union
and intersection). The union and intersection of two While* semicomputable relations of the same type are again While* semicomputable, uniformly over StdAlg(S).
Proof. From Theorem 5.8, applied to A*
Theorem 5.40 (Post's theorem for While* semicomputability).

For any relation R on A
R is While* computable
both R and Rc are While* semicomputable,
uniformly for A &StdAlg(E).
Proof. From Theorem 5.9, applied to A*.
Note that if A has the TEP, then the construction of a 'merged' WhileN
procedure mg(Pi,P-2) from two WhileN procedures PI and P2, used in
the above two theorems, is much simpler than the construction given in
Lemma 5.6 (cf. Remark 5.7).
Note that since A* has the TEP for all A StdAlg(Z), there is a
uniform construction of a 'merged' While* procedure mg(Pi,P2) from
two While* procedures PX and P2, used in the above two theorems, which
is much simpler than the construction given in Lemma 5.6 (cf. Remark
5.7).
Also Theorem 5.10 (and 5.23) and Corollary 5.11 (and 5.24) can be
restated for While* semicomputability:
Theorem 5.41. Suppose R C Au*nat, where u e ProdType(), and
R is While* semicomputable on AN. Then its ^-projection {x \ 3n
N.R(o:,n)} is While* semicomputable on A.
Corollary 5.42 (Closure of While* semicomputability under projections off minimal carriers). Let As be a minimal carrier of A, and
let uProdType().
421
(a) If R C j4 uxs is While* semicomputable on A, then so is its projection {x Au | 3y As R(x, y)}.

(b) If R C Auxs is While semicomputable on A*, then its projection
{x Au | By* 6 A* R(x,y*)} is While* semicomputable on A.
Proof. In (b) we use the fact that if As is minimal in A, then ^4* is minimal
in A*. (Exercise.)
I
Remark 5.43. Unlike the case with Corollaries 5.11 and 5.24, we do not
have to assume the TEP here, since the term evaluation representing function is always While* computable.
Example 5.44. The subalgebra relation is While* semicomputable on
A. This follows from its WhileN semicomputability in term evaluation
(Example 5.25(a)), and While* computability of the latter (Corollary
4.7.)
The semicomputability equivalence theorem, which we prove later (Theorem 5.61), states that for algebras with the TEP, While* semicomputability coincides with WhileN semicomputability.

Definition 5.45.
(a) R is projectively While* computable on A if R is a projection of a
WhileCS,*) computable relation on A*.
(b) R is projectively While* semicomputable on A if R is a projection of
a While("S*) semicomputable relation on A*.
Proposition 5.14 (or 5.27) can be restated for While* semicomputability:
Proposition 5.46. Suppose A is a minimal. Then on A
projective While* semicomputability = While* semicomputability.
Note again that the TEP does not have to be assumed here (cf. Remark
5.43). Also we are using the fact that if A is minimal then so is A*.
Definition 5.47. R is While* semicomputable with search on A if R is
the halting set of a While(E*) search procedure on A*.
Note that the W/iiZe(S*) search procedure in this definition has simple
input variables. However the auxiliary, search and output variables may be
simple, nat or starred.
Again, we have (cf. Theorems 5.18 and 5.29):
Theorem 5.48.
(a) R is While* semicomputable with search on A <=> R is projectively

While* semicomputable on A.
(b) This equivalence is uniform over StdAlg(E).
422
Example 5.49. In J\f, the various concepts we have listedWhile,

WhileN and While* semicomputability, as well as projective While,
WhileN and While* semicomputabilityall reduce to recursive enumerability over N (cf. 5.5(o)).
In general, however, projective While* semicomputability is strictly
stronger than projective While or WhileN semicomputability. In other
words, projecting along starred sorts is stronger than projecting along
simple sorts or nat. (Intuitively, this corresponds to existentially quantifying over a finite, but unbounded, sequence of elements.) An example
to show this will be given in section 6.4.
We do, however, have the following equivalence:
projective While* semicomputability =
projective For* computability.
This is the projective equivalence theorem, which will be proved in section
5.14.
Projective While* semicomputability is the model of specifiability which
will be the basis for a second generalised Church-Turing thesis (section 8.9).
5.9
Homomorphism invariance for semicomputable

sets
For a S-homomorphism cj>: A > B and a relation R : u on A, we write

=df
{<t>(x)\x&R}
which is a relation of type u on B.

Theorem 5.50 (Epimorphism invariance for halting sets). For any
'S-epimorphism 0 : A > B,
<j)[HaltA(P)\ = HaltB(P).
Proof. From Theorem 3.24.
Notice that the above result holds for a given procedure P, and any
epimorphism <f>: A -> B. In particular, taking the case B = A, we obtain:
Corollary 5.51 (Automorphism invariance for semicomputability).
(a) If R is While semicomputable on A, then for any E-automorphism
 of A, <t>[R] =R.
(b) Similarly for While* semicomputable sets.
Corollary 5.52 (Automorphism invariance for projective semicomputability) .
(a) If R is protectively While semicomputable on A, then for any Eautomorphism 4> of A, (f>[R] = R.
(b) Similarly for protectively While* semicomputable sets.
423
Example 5.53. In the algebra C~ of complex numbers (Example 2.23(e)

without the constant i, the singleton set {i} is not While semicomputable,
or even projectively While* semicomputable. This is because there is
an automorphism of C~ with itself which maps i to i. However the set
{i,i} is While semicomputable, and in fact computable, in C~, by the
procedure
proc in x:complex out b:bool
begin
b:= xxx= -1
end.
5.10
The computation tree of a While statement
We will define, for any While statement S over S, and any tuple of distinct
program variables x = x i , . . . , xn of type u = s\ x ... x sn such that
var(S) C x, the computation tree T[S, x], which is like an 'unfolded flow
chart' of 5.
The root of the tree T[S,x] is labelled 's' (for 'start'), and the leaves
are labelled 'e' (for 'end'). The internal nodes are labelled with assignment
statements and Boolean tests.
Furthermore, each edge of T[S, x] is labeled with a syntactic state, i.e., a
tuple of terms t : u, where t = ti,... , , with ti 6 TermKiSi. Intuitively,
t gives the current state, assuming execution of 5 starts in the initial state
(represented by) x.
In the course of the following definition we will make use of the restricted
tree T~[S, x], which is just T[S, x] without the 's' node.
We also use the notation T[S, t} for the tree formed from T[S, x] by
replacing all edge labels t' by t'(x./t}.
The definition is by structural induction on S.
(i) S= skip. Then T[5,x] is as in Fig. 1.
Fig. 1.
(ii) S = y := r, where y = y x , . . . , ym and r = n , . . . , rm, with each y;
in x. Then T[S,x] is as in Fig. 2, where t = ti,... ,tn is defined
by:
( .,
_ I TJ if ~x.i=jj rtor some j
I x,otherwise.
424
Fig. 2.
(m) T = Si;S2- Then T[S,x] is formed from T[Si,x] by replacing each
leaf (Fig. 3) by the tree in Fig. 4.
' t
Fig. 3.
Fig. 4.
(iv) S = if b then Si else S2 fi. Then T[S, x] is as in Fig. 5.
(u) S = while b do Si od. For the sake of this case, we temporarily adjoin
another kind of leaf to our tree formalism, labelled '!' (for 'incomplete
computation'), in addition to the e-leaf (representing an end to the
computation). Then T[S, x] is defined as the 'limit' of the sequence
of trees Tn, where TO is as in Fig. 6, and Tn+i is formed from Tn by
replacing each i-leaf (Fig. 7) by the tree in Fig. 8, where T-,~[Si,t]
is formed from 7~~[Si,i] by replacing all e-leaves in the latter by
i-leaves. Note that the Boolean test b shown in Fig. 8 is evaluated
at the 'current syntactic state't (which amounts to evaluating b(x/t)
at 'the initial state' x). Note also that the 'limiting tree' T[S, x] does
not contain any i-leaves. (Exercise.)
425
Fig. 5.
Fig. 6.
Remark 5.54.
(a) In case (i>) the sequence 7^(5, x] is defined by primitive recursion
on n. An equivalent definition by tail recursion is possible (Exercise;
compare the two definitions of CompA(S,(r,n) in sections 3.4 and
3.14; see also Remark 3.5).
(6) The construction of T[S, x] is effective in S and x. More precisely:
T[S, x] can be coded as a recursive set of numbers, with index primExample 5.55. Let S = while x > 0 d o x := x 1 od, where x is a
natural number variable. Then (in the notation of case (u)) TO, 71 and ?2
are, respectively, as shown in Figs. 9, 10 and 11, and T[S, x] is the infinite
tree shown in Fig. 12.
Notice that each tree in the sequence of approximations is obtained
from the previous tree by replacing each i-leaf by one more iteration of the
'while' loop.
5.11
Engeler's lemma
Using the computation tree for a While statement constructed in the previous subsection, we will prove an important structure theorem for While
semicomputabilty due to Engeler [l968a]. One of the consequences of this
result will be the semicomputability equivalence thorem (5.61).
426
&
Fig. 7.
Fig. 8.
For each leaf A of the computation tree T[S, x], there is a Boolean bs,x,
with variables among x, which expresses the conjunction of results of all the
successive tests, that (the current values of) the variables x must satisfy in
order for the computation to 'follow' the finite path from the root s to A.
Consider, for example, a test node in T[5, x]:
If the path goes to the right here (say), then it contributes to bg,\ the
conjunct
... A --6(x/t) A ...
Next, let (AQ, AI, A a , . . . ) be some effective enumeration of leaves of T[S, x]
(e.g., in increasing depth, and, at a given depth, from left to right). Then,
writing bs,k= bs,\k, we can express the halting formula for S as the countable disjunction
halts =df \/ bs,k
(5.3)
which expresses the conditions under which execution of S eventually halts,

if started in the initial state (represented by) x.
427
Fig. 9.
Fig. 10.
Note that although the Booleans b$,k, and (hence) the formula halts,
are constructed from a computation tree T[S, x] for some tuple x containing
var(S), their construction is independent of the choice of x.
Remark 5.56.
(a) The Booleans b$,k are effective in 5 and k. More precisely, rbs,k~* is
partial recursive in rSn and k.
(b) Further, by a standard technique of classical recursion theory, for a
fixed S, if T[S, x] has at least one leaf, then the enumeration
bs,o,bs,i,bs,z,
can be constructed (with repetitions) so that b$,k is a total function
of k, and, in fact, primitive recursive in k.
Now consider a relational procedure
P = proc in a aux c begin 5 end
428
Fig. 11.
with input variables a : u and auxiliary variables c : w. Then S = Sinit',S',
where Smu is an initialisation of the auxiliary variables c to the default
tuple Sw. The computation tree for P is defined to be
T(P)
=df
with a corresponding halting formula
halts, = V
(cf. (5.3)). Now, for k = 0, 1, . . . , let bk be the Boolean which results from
substituting Sw for c in bs',k- Note that var(bk) C a. Let ft*[a] 1
be the evaluation of bk when a Au is assigned to a. Then by (5.4), the
halting set of P (5.1) is characterised as an effective countable disjunction
a HaltA(P) <=^ \f bk[a]
(5.5)
k=Q
for all a Au. Now suppose R is a While semicomputable relation on

A. That means, by definition, that R =HaltA(P)for a suitable While
procedure P. Hence, by (5.5), we immediately derive the following theorem
429
Fig. 12.
due to Engeler [I968a]:
Theorem 5.57 (Engeler's lemma). Let R be a While semicomputable relation on a standard H-structure A. Then R can be expressed as an
effective countable disjunction of Booleans over .
Actually, we need a stronger version of Engeler's lemma, applied to
While* programs, which we will derive next.
5.12
Engeler's lemma for While* semicomputability
We will use the results of the previous subsection, applied to While*

computation, together with the */ conservativity theorem for terms
(Theorem 3.63), to prove a strengthened version of Engeler's lemma.
430
Fig. 13.
Theorem 5.58 (Engeler's lemma for While* semicomputability).

Let R be a While* semicomputable relation on a standard ^-structure A.
Then R can be expressed as an effective countable disjunction of Booleans
over E.
Proof. Suppose R has type u (over S). By assumption, R is the halting set
HaltA(P] for a While* procedure P. By (5.5) of the previous subsection,
R(a) <=> V bk[a]
(5.6)
for all a e Au, where (now) bk Term* bool, i.e., the Booleans bk, though
not of starred sort, may contain subterms of starred sort for example,
they may be equations or inequalities between terms of starred sort. As
before, bk[a] is the evaluation of 6fc when a Au is assigned to a.
Now for any Boolean 6 Term* bool , let b' be the Boolean in
Terma,booi associated with b by the conservativity theorem (3.63). Then
from (5.6), for all a 6 Au,
R(a) <= \/ bfk(a}.

k=o
(5.7)
Because the disjunction in (5.6) and the transformation b >-> b' are both
effective, the disjunction in (5.7) is also effective.
I
For the converse direction:
Lemma 5.59. Let R be a relation on a standard ^-algebra A. If R can
be expressed as an effective countable disjunction of Booleans over E, then
R is While* semicomputable.
Proof. Suppose R is expressed by an effective disjunction
oo
\/bk[a}
k=0
431
for all a 6 Au, where bk Termôt>\. Then for all a e Au,

R(a) <=> 3k (teôoi (V, a) =
tt)
(5.8)
where rb^ is (total) recursive in k. Hence, by Corollary 4.7, Remark 3.16

and Theorem 5.41, R is While* semicomputable.
I
Combining Engeler's lemma for While* semicomputability with this
lemma gives the following 'structural' characterisation of While* semicomputable relations.
Corollary 5.60. Let R be a relation on a standard Y,-algebra. Then R
can be expressed as an effective countable disjunction of Booleans over
if, and only if, R is While* semicomputable.
If, moreover, A has the TEP, then we can say more:
Theorem 5.61 (Semicomputability equivalence theorem). Suppose
that A is a standard Y,-algebra with the TEP, and that R is a relation on
A. Then the following assertions are equivalent:
(i) R is WhileN semicomputable on A;
(ii) R is While* semicomputable on A;
(Hi) R can be expressed as an effective countable disjunction of Booleans
over T,.
Proof. The step (i) =$ (ii) is trivial, and (ii) = (Hi) is just Engeler's
lemma for While*. The new step here ((in) =* (i)) follows from (5.8) and
Theorem 5.23.
I
Corollary 5.62. Suppose that A is a standard ^-algebra with the TEP,
and that R is a relation on A. Then
R is WhileN computable on A
<=$> R is While* computable on A.
Proof. From Theorem 5.61, or from Corollary 4.18.
5.13
SJ definability: Input/output and halting

formulae
For any standard signature , let Lang*= Lang(*)be the first-order

language with equality over E*.
The atomic formulae of Lang*aie equalities between pairs of terms of
the same sort, for any sort of *, i.e., sort s, su and a*, for all sorts s of E
(whether equality sorts or not), and for the sort nat.
Formulae of Lang* are formed from the atomic formulae by means of
the prepositional connectives and universal and existential quantification
over variables of any sort of S*.
We are more interested in special classes of formulae of Lang*.
432
Definition 5.63 (Classes of formulae of Lang*).

(a) A bounded quantifier has the form 'Vfc < V or '3k < f , where t : nat.
(b) An elementary formula is one with only bounded quantifiers.
(c) A EJ formula is formed by prefixing an elementary formula with
existential quantifiers only.
(d) An extended EJ formula is formed by prefixing an elementary formula with a string of existential quantifiers and bounded universal
quantifiers (in any order).
Proposition 5.64. For any extended E* formula P, there is a E* formula
Q which is equivalent to P over S, in the sense that
Proof. The construction of Q from the P is given in Tucker and Zucker
[1993]. (In that paper, the equivalence is actually shown relative to a
formal system over K with EJ induction. However, we are not concerned
with issues of provability in this chapter.)
I
Because of this result, we will use the term 'SJ' to denote (possibly)
extended EJ formulae.
Proposition 5.65. If P is an elementary formula all of whose variables
are of equality sort, then the predicate defined by P is For* computable.
Proof. By structural induction on P. Equations between variables of
equality sort, and Boolean operations, are trivially computable. Bounded
quantification uses the 'for' loop.
I
In general, formulae over the structure A* (or rather, over the signature
*) may have simple, augmented, starred or nat variables (Definition 3.39).
We are interested in formulae with the property that all free variables are
simple, since such formulae define relations on A. For such formulae, all
bound augmented variables may be replaced by bound simple variables, by
the effective coding of ^4" in A (see Remark 2.30(c)).
Theorem 5.66 (The i/o formula for a procedure). Given a
While* procedure P : u -> v
P = proc in a out b aux c* begin 5 end
(5-9)
where a : u, b : v and c* : w* , we can effectively construct a E* formula

IOp = 7Op(a, b), with free variables among a,b, called the input/output
(or i/o) formula for P, which satisfies: for all A StdAlg(i), a Au and
be Av,
A \= IOp [a, b] <=^ PA(a) \. b.
Note: The left-hand side means that A satisfies IOp at any state which
assigns a to a and b to b.
433
Proof. First we construct an elementary formula

CompMs(x,y,z*)
(where var(S)C x), as in Tucker and Zucker [1988, 2.6.11], by structural
induction on S, with the meaning: 'z* represents a computation sequence
generated by statement S, starting in a state in which all the variables
of S have values (represented by) x, and ending in a state in which these
variables have value y'. From this it is easy to construct a E* formula
Compup(&, b, z*)
with the meaning: 'z* represents a computation sequence generated by
procedure P, starting in a state in which the input variables have values
(represented by) a, and ending in a state in which the output variables have
values b'.
Finally we obtain the SJ i/o formula
IOp(a,b) =df 3z* Corapp(a, b, z*)
as required.
I
Remark 5.67 (Quantification over N sufficient). We can construct
a EJ i/o formula in which there is only existential quantification over N.
Briefly, a formula similar to Compus (in the above proof) is constructed
in which the variable z* representing the computation sequence is replaced
by a Godel number. (Cf. point (2) in section 4.8, concerning the replacement of the function comp^ by compu^.)
Remark 5.68 (Alternative construction of/Op). Let a be the p,PR*
scheme (section 8.1) which corresponds to P according to the construction
given by the proof of Theorem 8.5(d). By structural induction on a, we
construct the formula IOa(= IOp), as in Tucker et al. [1990] or Tucker
and Zucker [1993, 5] (where it is called P0).
Corollary 5.69 (The S* halting formula for a procedure). Given a
While* procedure P : u - v as in (5.9), we can construct a E| definition
for the halting formula haltp = haltp(ei) for P.
Proof. We define
haltP(a) = 3bIO P (a,b)
Alternatively, recalling (Remark 5.3) that in the context of semicomputability we may assume that P has no output variables, we can put, more simply,
haltp (a) = IOp (a).
Since IOp is EJ, so is haltp (in either case).
I
Remark 5.70 (Quantification over N sufficient). Again, by the use
of Godel numbers, we can construct a EJ halting formula in which there
is only existential quantification over N. (Cf. Remark 5.67.)
Note finally that by Corollary 5.69, since for all A eStdAlg(E) and all
a<=Au,
434

a&HaltA(P) <^=> A \= haltP(a),
it follows that
the halting set for While* procedures is SJ definable, uniformly over
StdAlg(X).
5.14
The projective equivalence theorem
Theorem 5.71. Let R be a relation on a standard S-algebra A. Then

R is protectively While* semicomputable <=>
R is projectively For* computable.
We present two proofs of this theorem. The first uses S* definability of
the halting set (and the assumption that S has equality at all sorts) while
the second uses Engeler's lemma (without any assumption about equality
sorts).
First proof. First we restate the theorem suitably.
Suppose E has an equality operator at all sorts. Let R be a relation on A.
Then the following are equivalent:
(i) R is projectively While* semicomputable;
(U) R is EJ definable;
(Hi) R is projectively For* computable.
(i)=>(ii'):
Suppose R : u, and for all a; Au,

R(x)^=*3y* AvtR!(x,y')
(5.10)
where v* is a product type of *, and RI : u x v* is While semicomputable on A*. Then RI is the halting set of a While(*) procedure
P on A*. By Corollary 5.69, RI is J definable on A", say
fl!(a:,y*)<=>.3 6 A""B<>(x,y',z"),
(5.11)
where w** is a product type of **, and RQ(. ..) is given by an elementary formula over S**. Combining (5.10) and (5.11):
R(x)^3y* Av'3z** 6 Aw"Ro(x,y*,z*f).
(5.12)
Finally, by the coding of (A*)* in A* (Remark 2.31(d)), we can

rewrite the existential quantification over (A*)* in ('5.12) ('Bz**
/I**') as existential quantification over A*, yielding a SJ definition
of R on A.
(ii):=>(m): Suppose J? is defined by the formula 3z*P(x,z*), where z*
is a tuple of starred and unstarred variables, and P is elementary.
Then R is a projection of P, which, by Proposition 5.65, is For*
computable. (Here we use the assumption about equality sorts.)
435
); Trivial (using Proposition 3.34).
Second proof. (Here we make no assumption about equality sorts.) Suppose R : u is projectively While* semicomputable on A. Then (as before)
for some product type v* of *,
R(x) <= 3y* Av" ' Rfay*)
where RI : u x v* is While semicomputable on A* .
By Engeler's lemma (Theorem 5.57) applied to A", there is an effective sequence 6fc*(x,y*) (k = 0, 1,2, . . .) of Booleans over E* such that
Ri(x,y*) is equivalent over A to the disjunction of bk*[x,y*]. Further,
by Remark 5.56(6), this sequence can be denned so that r 6fc* n is primitive
recursive in k. (Assume here that R is non-empty, otherwise the theorem
is trivial.) Then
Ri(x,V*) = for some fc, te^*,ibool(rb*;*"1,x,2/*) = tt.
Further, te^ . bool is For computable on A* (by Proposition 4.6).
Hence the function g defined on A* by
g ( k , x , y * ) =4
te. ibool W,
*,*)
is For computable on A* (by Equation 3.8 and Remark 3.16). Hence the
relation
Ro(k,x,y*) <F=*df g(k,x,y*)=\t
is For computable on A* (composing g with equality on bool), and so the
relation
R(x)
is projectively For* computable on A.
The other direction is trivial.
5.15
Halting sets of While procedures with random

assignments
We now consider the While programming language over S, extended by

the random assignment
x:=?
for variables x of every sort of E. This is an example of non-deterministic
computation.
The semantics of the While-random programming language can be
obtained by a modification of the semantics of the While language given
in section 3, by taking the meaning of a statement 5 to be a function [S]
from states to sets of states. In the case that 5 is a random assignment
x := ?, [S]Acr is the set of all states which agree with a on all variables
except x.
436
However we are only interested here in the While-random language

for defining relations, not functions, as the following definition clarifies.
Definition 5.72. Let P be a While-random procedure, with input variables a : u (and, we may assume, no output variables). The halting set of
P on A is the set of tuples a A" such that when a is initialised to a, then
for some values of the random assignments, execution of P halts.
Definition 5.73. Let R be a relation on A.
(a) R is While-random semicomputable on A if R is the halting set of a
W/iife-random procedure on A.
(6) R is While"-random semicomputable on A if R is the halting set of
a W/iiie(S*)-random procedure on A*.
Note that in (6), there could be random assignments to starred (auxiliary) variables.
Remark 5.74. Clearly, semicomputability with random assignments can
be viewed as a generalisation of the notion of semicomputability with
search, i.e., initialisation of search variables (section 5.3), since initialisation
amounts to random assignments at the beginning of the program. We may
ask how these two notions of semicomputability compare. We will show
that, at least over A*, they coincide: both are equivalent to projective
While* semicomputability.
Theorem 5.75. Let R be a relation on A. Then
R is While*-random semicomputable <=>
R is protectively While* semicomputable.
Proof. The direction (4=) follows from Remark 5.74 and Theorem 5.18.
We turn to the direction (=>). For ease of exposition, we will assume first
that R is While-random semicomputable.
We will define a computation tree 7~[S, x] for W/ii/e-random statements S with varS C x = xi,... ,x ra , extending the definition for While
statements given in Section 5.10. There is one new case:
(uz) S = Xi := ?. Then T[S,x] is as in Fig. 14.
So Xj is replaced by a new variable xj of the same sort.
Notice that for a '?'-assignment S, and for terms t = ti,... ,tn, the tree
T[S, t] is asn in Fig. 15.
where xj does not occur in x or t. The intuition here is that there is nothing
we can say about the 'new' value of Xj, so we can only represent it by a
brand new variable x'4. If this assignment is followed by another assignment
Xj := ?, we introduce another new variable x", and so on.
In this way the variables proliferate, and the tree contains (possibly)
infinitely many variables. Hence we cannot simply construct a halting
formula as an (infinite) disjunction of Booleans in a fixed finite number of
variables over E, as we did in section 5.11.
437
Fig. 14.
' t
Fig. 15.
The solution is to represent all the variables x j, xj, x",. which arise
in this way for each i ( l < j < n ) b y a single starred variable x* (with
x*[0],x*[l],x*[2],... representing X j , x ^ , x " , . . . ) . Then to each leaf A of
T[S, x] there corresponds (as in section 5.11) a Boolean b$,\, but now in
the starred variables x*=xj,... , xj^.
Again, as in section 5.11, we can define the halting formula for 5 as a
countable disjunction of Booleans:
halts =df \J
k=0
where the 6s,fc are effective, in fact primitive recursive, in S and k. Note
however that the program variables in halts are now among x*, not x.
Now suppose that the relation R : u is the halting set of a While-
438
random procedure on A,
P = proc in a aux c begin Sjn;S' end
where a : u = i x ... x sm and c : w.
As in section 5.11, let 6* be the Boolean which results from substituting
the default tuple Sw for c in bs',k- Note that war(6/t)C a, c* : u xw*.
Then for all a Au:
a 6 R <^> 3c* Aw 3k
.ibooir&*-', 0) c*) = tt
(cf. (5.8) in section 5.12) which (by Proposition 4.6) is projectively For"
computable on A, and hence projectively While* semicomputable on A.
This proves the theorem for the case that R is W/iiie-random semicomputable on A.
Assume, finally, that R is W/izZe*-random semicomputable, i.e., the
procedure for R may contain starred auxiliary variables, and there may be
random assignments to these. Now we can represent a sequence of random
assignments to a starred variable by a single doubly starred variable, or
two-dimensional array, which can then be effectively coded in A* (Remark
2.31(d)), and proceed as before.
Examples of semicomputable sets of real and

complex numbers
In this section we look at the various notions of semicomputability in the

case of algebras based on the set E of real numbers and the set C of complex
numbers. By doing so, we will find examples proving the inequivalence of
the following notions:
(i)
(ii)
(Hi)
(iv)
While computability;
While semicomputability;
projective While semicomputability;
projective While* semicomputability.
We will also find interesting examples of sets of real and complex numbers which are semicomputable but not computable. Some of these sets
belong to dynamical system theory: orbits and periodic sets of chaotic
systems turn out to be semicomputable but not computable.
Finally we will also reconsider an example of a semicomputable, noncomputable set of complex numbers described in Blum et al. [1989]. The
effective content of their work can be obtained from the general theory.
Our main tool will be Engeler's lemma.
We will concentrate on the following algebras introduced in Example
2.23: the standard algebras
439
U = (B; M; 0, 1, +, -, x,if rea i,eq re ai)

of reals, and
C = (71;C; 0, 1,,+, -, x, re, im, TT)
of complex numbers, and their expansions
K< = (K; lessreai)
and
C< = (C;lessreal)
formed by adjoining the order relation on the reals lessreai: M2 -> B (which
we will write as infix '<')- We will show that:
(a) the order relation on E is projectively While semicomputable, but
not While semicomputable, on 7; and
(6) a certain real closed subfield of M is projectively While* semicomputable, but not projectively While semicomputable, on 'R<.
6.1
Computability on R and C
Based on the general theory of computability developed so far, we can see

that each of these four algebras has a computability theory with several
standard properties (e.g., universality, section 4.9). First, we will list some
preliminary results for computability on the real and complex numbers that
will entail simplicity and elegance of computation on these structures, but
will also show that the analogy with the classical case of computation on
N often breaks down. To begin with, we have:
Proposition 6.1. For A = H,^,C or C<,
WhileN(A) = While(A).
(6.1)
This is proved essentially by simulating the algebra^, i.e., the carrier N,

with zero, successor, etc., in the carrier M, using the non-negative integers
together with 0, the operation +1, etc.
As an exercise, the reader should formulate a theorem expressing a
sufficient condition on an algebra A for (6.1) to hold, from which the above
proposition will follow as a simple corollary.
This situation should be contrasted with that in Example 5.36.
Recall Definition 4.4 and Examples 4.5:
Lemma 6.2 (TEP). The algebras 7^,7^ < ,C andC< all have the TEP.
The TEP has a profound impact on the computability theory for an
algebra. For example, from Corollary 4.18 we know that on Ti,Ti<,C and
C<:
While" computability = WhileN computability
and hence (or from the semicomputability equivalence theorem (5.61))
While* semicomputability = WhileN semicomputability
440
for these four algebras. We will give more detailed formulations of these
facts for each of these algebras shortly.
Example 6.3 (Non-computable functions). Recall Theorem 3.66 which
says that the output of a While, WhileN or While* computable function is contained in the subalgebra generated by its inputs. From this we
can derive some negative computability results for these algebras:
(a) The square root function is not While* computable on TL or 7^<.
This follows from the fact that the subset of R generated from the
empty set by the constants and operations of ~R or 'R.< is the set Z
of integers. But \/2 is not in this set. (For computability in ordered
Euclidean fields incorporating the square root operation, see Engeler
[I975a]).
(b) The mod function (z <-> |z|) is not While* computable on C or C<.
This follows from the fact that the subset of R generated from the
empty set by the constants and operations of C or C< is again Z. But
again, |1 + i\ = V2 is not in this set.
(c) The mod function would be computable in C if we adjoined the square
root function to the algebra "R, (as a reduct of C).
In the rest of this subsection, we will apply Engeler's lemma for While*
semicomputability (section 5.12) to the algebras K,K<,C and C<.
From the semicomputability equivalence theorem (5.61) (which follows
from Engeler's lemma) and from the TEP lemma (6.2), we get:
Theorem 6.4 (Semicomputability equivalences for Tl,'R,<,C,C<),
Suppose A is Tl or U<, and R C R"; or A is C or C<, and R C C".
Then the following are equivalent:
(i) R is WhileN semicomputable on A;
(ii) R is While* semicomputable on A;
(Hi) R can be expressed as an effective countable disjunction of Booleans
over A.
For applications of this theorem, we need the following normal form
lemmas for Booleans over K and 7?.<.
Lemma 6.5 (Normal form for Booleans over 7?.). A Boolean over 71,
with variables x = xi,... ,xn of sort real only, is effectively equivalent over
H. to a finite disjunction of finite conjunctions of equations and negations
of equations of the form
p(x) = 0
and
q(x) ^ 0,
where p and q are polynomials in x with coefficients in Z.

Lemma 6.6 (Normal form for Booleans over Tl<). A Boolean over
Ti<, with variables x x\,... ,xn of sort real only, is effectively equivalent over Tl< to a finite disjunction of finite conjunctions of equations and
441
inequalities of the form
p(x) = 0
and
q(x) > 0,
where p and q are polynomials in x with coefficients

The proofs of these are left as exercises.
6.2
in Z .
The algebra of reals; a set which is projectively

While semicomputable but not While* semicomputable
In this subsection we obtain results distinguishing various notions of semicomputability, using the algebra 71 of reals. In the next subsection we will
obtain other results in a similar vein, using the ordered algebra ?< of reals.
We begin with a restatement of the semicomputability equivalence thorem
(6.4) for the particular case of 71.
Theorem 6.7 (Semicomputability for 71). Suppose R C E n . Then
the following are equivalent:
(i) R is WhileN semicomputable on 71;
(ii) R is While* semicomputable on 71;
(Hi) R can be expressed as an effective countable disjunction
i(x)
(6.2)
where each bi(x) is a finite conjunction of equations and negations of equations of the form
p(x) = 0
and
q(x) 0,
(6.3)
where p and q are polynomials in x = (x\ ,..., xn) Kn , with coefficients

in 1.
Proof. From Theorem 6.4 and Lemma 6.5.
Thus we see that there is an intimate connection between computability,

polynomials and algebraic field extensions on BL
Definition 6.8 (Algebraic and transcendental points). Let us define
a point a = (ai ,..., an) 6 En to be (i) algebraic if it is the root of a polynomial in n variables with coefficients in Z; and (ii) transcendental if it is
not algebraic, or, equivalently, if for each i = 1, . . . , n, aj is transcendental
(in the usual sense) over Q(ai, . . . ,a-i).
The following corollary was stated for n = 1 in Herman and Isard [1970].
442
Corollary 6.9. IfRCW1 is While* semicomputable on "R, and contains

a transcendental point a, then R contains some open neighbourhood of a.
Proof. In the notation of (6.2): a satisfies bt(x) for some i. Then (for this
i) bi(x) cannot contain any equations (as in (6.3)) since a is transcendental,
and so it must contain negations of equations only. The result follows from
the continuity of polynomial functions.
I
An immediate consequence of this is:
Corollary 6.10 (Density/codensity condition). Any subset ofW1 which
is both dense and co-dense in W1 (or in any non-empty open subset ofW1)
cannot be While* computable on 7J.
Example 6.11. The following subsets of Mn are easily seen to be WhileN
semicomputable on 72. in fact While semicomputable (by Proposition
6.1). However, they are not While (= WhileN= While*) computable,
by the density/codensity condition:
(a) the set of points with rational coordinates;
(b) the set of points with algebraic coordinates;
(c) the set of algebraic points.
Of course, a standard example of a While semicomputable but not
While* computable set can be found in .A/*, namely any recursively enumerable, non-recursive set of naturals (Example 5.49).
Next, specialising to n = 1:
Corollary 6.12 (Countability/cofiniteness condition). If R C R is
While* semicomputable on ~R, then R is either countable or cofinite (i.e.,
the complement of a fine set) in M.
Proof. By the fundamental theorem of algebra, each polynomial equation
with coefficients in Z has at most finitely many roots in R. Hence, regarding
the disjunction in (6.2), there are two cases:
Case 1. For some i, bi(x) contains only negations of equations. Then (for
this i) bi(x) holds for all but finitely many x M. Hence R is co-finite in
R.
Case 2. For all i, bi(x) contains at least one equation. Then (for all i)
bi(x) holds for at most finitely many a; E. Hence R is countable.
I
Hence we have:
Corollary 6.13. A subset ofR which is (While or WhileNor While*)
computable on Ti it is either finite or cofinite.
Example 6.14. From Corollary 6.13 we have another example of a subset
of R which is While semicomputable but not While* computable, namely
the integers (Example 5.5(c)).
Example 6.15 (Projectively While semicomputable, not While*
semicomputable set). The order relation on K is a primitive operation
443
in 1i<, but, as we shall see, is not even semicomputable in K. Consider

first the relation
Ro(x,y)
on K. RO is clearly While computable on K, and so its projection on the
first argument,
R =ds {x | 3y(x = y2)}
i.e., the set {x \ x > 0} of all non-negative reals, is projectively While
semicomputable. Prom the countability/cofiniteness condition (6.12) however, it is not (even While*) semicomputable on Ti. From this it is easy
to see that the order relation
x < y <=> (y x) R and x ^ y
is also projectively While semicomputable, but not While" semicomputable, on 71.
6.3
The ordered algebra of reals; sets of reals which

are While semicomputable but not While* computable
In the previous subsection we saw that the order relation on R is not (even)
While* semicomputable on the algebra 7. Let us add it now to K, to
form the algebra K< , and see how this affects the computability theory.
We begin again with a restatement of the semicomputability equivalence
theorem (6.4), this time for the algebra Tl<.
Theorem 6.16 (Semicomputability for 1l<). Suppose RCW1. Then
the following are equivalent:
(i) R is WhileN semicomputable on K< ,
(ii) R is While* semicomputable on 'R,< ,
(Hi) R can be expressed as an effective countable disjunction
\fbi(x)
where each bi (x) is a finite conjunction of equations and inequalities of the
form
p(x) = 0
and
q(x) > 0,
where p and q are polynomials in x = (x\,... , xn) . E n , with coefficients
in Z.
Proof. From Theorem 6.4 and Lemma 6.5.
To proceed further, we need some definitions and lemmas about points

and sets defined by polynomials. (Background information on algebraic
geometry can be found, for example, in Shafarevich [1977] or Brocker and
444
Lander [1975, Chapter 12]. For the application below (section 6.4), we
relativise our concepts to an arbitrary subset D of E.
Definition 6.17.
(a) An interval in E (open, half-open or closed) is algebraic in D if, and

only if, its end-points are.
(b) A patch in E is a finite union of points and intervals.
(c) A D-algebraic patch in E is a finite union of points and intervals
algebraic in D.
Definition 6.18. A set in En is D-semialgebraic if, and only if, it can
be defined as a finite disjunction of finite conjunctions of equations and
inequalities of the form
p(x) = 0
and
q(x) > 0,
where p and q are polynomials in x with coefficients in 1\D\.

We will drop the '>' when it denotes the empty set.
Note that clause (Hi) of Theorem 6.16 can, by Definition 6.18, be written equivalently in the form:
(in1) R can be expressed as an effective countable union of semialgebraic
sets.
Lemma 6.19. A semialgebraic set in E" has a finite number of connected
components.
(See Becker [1986]. This will be used in section 6.6.) It follows that a
semialgebraic subset of E is a patch. However, for n = 1 we need a stronger
result:
Lemma 6.20. A subset of K is D-semialgebraic if, and only if, it is a
D-algebraic patch.
Lemma 6.21. A projection of a D-semialgebraic set in E on Em (m <
n) is again D-semialgebraic.
This follows from Tarski's quantifier-elimination theorem for real closed
fields (see, for example, Kreisel and Krivine [1971, Chapter 4]). From this
and Lemma 6.20:
Corollary 6.22. A projection of a D-semialgebraic set in E" on E is a
D-algebraic patch.
Remark 6.23. Corollaries 6.9 and 6.10 (the density/codensity condition)
hold for fa*- as well as fa, leading to the same examples (6.11) of subsets
of E" which are WhileN semicomputable, but not WhileN (= While')
computable, on fa*-. Another example is given below (6.26).
The following corollary, however, points out a contrast with fa.
Corollary 6.24. In fa<, the following three notions coincide for subsets
ofR":
445
(i) WhileN semicomputability;

(ii) While* semicomputability;
(in) protective WhileN semicomputability.
This follows from Theorem 6.16 and Lemma 6.21. (This corollary fails
in the structure Tl, since in that structure, Lemma 6.21, depending on
Tarski's quantifier-elimination theorem, does not hold.)
However, the above three notions of semicomputability differ in 7^<
from a fourth:
(iv) protective While* semicomputability,
as we will see in section 6.4. But first we need:
Corollary 6.25 (Countable connectivity condition).
(a) If R C K is While* semicomputable on 'R.<, then R consists of
countably many connected components.
(b) If R CM. is While* semicomputable on 'R.<, then either R is countable or R contains an interval.
(This is a refinement of the countability/cofiniteness condition (6.12).)
This follows from Theorem 6.16 and Lemma 6.19, since the connected subsets of K are precisely the singletons and the intervals.
Example 6.26.
(a) The Cantor set in [0,1] is not While* semicomputable on 1i<, by

the countable connectivity condition.
(b) The complement of the Cantor set in [0,1] is While semicomputable
on 7^< (Exercise), but (by (a)) it is not (even While*) computable
on H<.
Other interesting examples of semicomputable, non-computable sets are
given in sections 6.5 and 6.6.
6.4
A set which is projectively While* semicomputable but not projectively WhileN semicomputable
First we must enrich the structure 72.<. Let E = {eo,61,62,...} be a

sequence of reals such that
for all i, ei is transcendental over Q(eo,... ,6j-i).
(6.4)
We define 7t<tE to be the algebra 71*^ augmented by the set as a

separate sort E, with the embedding j : E < R in the signature, thus:
algebra
import
carriers
functions
end
n<'E
n<
E
j :E
446
We write E C M for the real algebraic closure of

It is easy to see that E is projectively While* semicomputable in Ti<'E .
(In fact, E is the projection on K of a While semicomputable relation on
K x E*.) We will now show that, on the other hand, E is not projectively
WhileN semicomputable in K<>E.
Theorem 6.27. Let F C E be projectively WhileN semicomputable in
-fc<,E Then F / E. Specifically, suppose for some While computable
function E>N :
F = {x R | (3y Er)(Bz
(6.5)
(with existential quantification over all four sorts in "R,<<B'N). Then for all
x E F, x is algebraic over some subset of E of cardinality r (= the number
of arguments of (p of sort E in (6.5),).
The rest of this subsection is a sketch of the proof.
Lemma 6.28. (In the notation of the Theorem 6.27,) F can be represented
as a countable union of the form F = (Jô fi> where
Fi = {x\ (By & Er)(3z e ITW.y,*)}
and bi is a finite conjunction of equations and inequalities of the form
p(x,y,z,)=Q
and
q(x,y,z)>Q
where p and q are polynomials in x,y,z with coefficients in Z.

Proof. Apply Engeler's lemma. Also replace existential quantification over
nat and bool by countable disjunctions.
I
Lemma 6.29. (In the notation of Lemma 6.28,) for any r-tuple e = (e^ ,
>Zir) of elements of E, put
Fi[e] =df {x | (3
Then for all e Er , Fi[e] is a (finite) set of points, all algebraic in e.

Proof. Note that Fi[e] is a projection on R of an e-semialgebraic set in
Ks+1 . Hence, by Corollary 6.22, it is an e-algebraic patch. Since by assumption
Fi[e] CFCE,
Fi[e] is countable, and hence cannot contain any (non-degenerate) interval.
The result follows from the definition of e-algebraic patch.
Since F is the union of F<[e] over all i, and all r-tuples e from E, the
theorem follows from Lemma 6.29 and the following:
447
Lemma 6.30. For all n, there exists a real which is algebraic over E but
not over any subset of E of cardinality n.
Proof. Take x = e0 + e\ + ... + en (more strictly, j(e0) + ... + j(en)).
The result follows from the construction (6.4) of E.
I
We have shown that E (although a projection on R of a While semicomputable relation on Rx E*) is not a projection of a WhileN semicomputable relation in 7?.<>B'. In fact, we can see (still using Engeler's lemma)
that E is not even a projection of a While" semicomputable relation on
E" x Em (for any n,m > 0). Thus to define E, we must project off the
starred sort E*, or (in other words) existentially quantify over a finite, but
unbounded sequence of elements of E.
6.5
Dynamical systems and chaotic systems on R; sets

which are WhileN semicomputable but not
While* computable
We will examine algorithmic aspects of certain dynamical systems. Many

physical, biological and computing systems are deterministic and share a
common mathematical form.
Consider a deterministic system (S, F) modelled by means of a set 5
of states, whose dynamical behaviour in discrete time is given by a system
function
F:TxS->S
where T = N = {0,1,2,...} and for t T and s S, F(t, s) is the state
of the system at time t given initial state s.
The orbit of F at state s is the set
Orb(F,s) = {F(t,s) | t G T } .
The set of periodic points of F is
Per(F) = {s e S | 3* T(F(M) = s)}.
In modelling a dynamical system (S,F), the computability of the F and
of sets such as the orbits and periodic points is of immediate interest and
importance.
Now suppose, more specifically, that the evolution of the system in time
is determined by a next state function
f :S-> 5
through the equations
F(0,s)
F(t + l,s)
which have the solution
= s
= f(F(t,s))
448
F(t,s)=ft(s)
for t T and s S. We call such systems iterated maps. In this case, we
write
orb(f,s)
Orb(F,s)
{ f ( s ) \t T}
per(f)
Per(F)
{s 5 | 3t > 0(F(t, a) = )}.
Theorem 6.31. Let A be an N-standard algebra (with N = T), and containing the state space S. If the next state function f is While computable
on A then so is the system function F. Furthermore, the orbits orb(f, s)
and the set of periodic points per(f) are While semicomputable on A.
Proof. By computability of primitive recursion (Theorem 8.5) and closure of semicomputability under existential quantification over N (Theorem
5.23).
I
Now we will consider the computability of some simple dynamical systems with one-dimensional state spaces. More specifically, suppose the
state space is an interval
S = I = [a,b] C R
and so the next state function and system function have the form
/:/->/
F: T x 7 - 7.
F is called an iterated map on the interval I. Dynamical systems based on
such maps have a wide range of uses and a beautiful theory. For example,
such systems will under certain circumstances exhibit 'chaos'. The following discussion is taken from Devaney [1989]. Let (I,F) be a dynamical
system based on the iterated map F.
Definition 6.32.
(o) (/, F) is sensitive to initial conditions if there exists 6 > 0 such that
for all x 6 I and any neighbourhood U of x, there exist y U and
tT such that
}F(t,x)-F(t,y)\>6.
(b) (I, F) is topologically transitive if for any open sets U\ and C/a there
exist x Ui and t T such that F(t,x) C/2Note that if J is compact then (/, F) is topologically transitive if, and
only if, Orb(F,x) is dense in / for some x I. (The direction '=' is
clear. The proof of '=>' depends on the Baire category theorem.)
449
Definition 6.33. The system (/, F) is chaotic if:

(a) it is sensitive to initial conditions;
(b) it is topologically transitive;
(c) the set Per(F) of periodic points of F is dense in /.
Consider the quadratic family of dynamical systems ( I , F ^ ) for // real,
where / = [0,1] and the next state function is
/ M (z) = nx(l-x).
For n = 4 we have:
Theorem 6.34. The system (I, F4) is chaotic. Thus, for the algebras'R
and 7l< ;
(a) for some x [0,1], tfte set Orb(F,x) is WhileN semicomputable
but not WhileN (= While*) computable;
(b) the set Per(F) is WhileN semicomputable, but not WhileN (
While*) computable.
Proof. That (/, F^) is chaotic is proved in Devaney [1989]. The semicomputability of /4 is clear. Semicomputability of Orb(F,x) and Per(F)
follows from Theorem 6.31. Further, it can be shown that Orb(F^,x) and
Per(F) are both dense and codense in /. (Exercise.) Non-computability
then follows from the density/codensity condition (see Remark 6.23).
I
6.6
Dynamical systems and Julia sets on C; sets which

are WhileN semicomputable but not While* computable
We reconsider an example from Blum et al. [1989], and show how it follows
from our general theory of Semicomputability. We work from now on in
C<. First, we must relate computability in the complex and real algebras.
We consider the algebras C and C<.
Notation 6.35. If 5 C C", we write
S =df
{{m(zi),\m(zi),...,n(zn),\m(zn))\(z1,...,zn)C1}
C M 2n .
Lemma 6.36 (Reduction lemma). Let S C Cn .
(a) S is While (or WhileN or While*) semicomputable in C if, and

only if, S is While (or WhileN or While*) semicomputable in 7.
(b) S is While (or WhileN or While*) semicomputable in C< if,
and only if, S is While (or WhileN or While*) semicomputable
in-R<.
This lemma will enable us to reduce problems of Semicomputability
in the algebras C or C< to those in the corresponding real algebras. For
example, from this lemma and Corollary 6.24 we have:
450
Corollary 6.37. InC**, the notions ofWhileN, While* and protective

WhileN semicornputability all coincide for subsets of C".
Note that the reduction lemma would not be true if we included the
mod function (z i-> |z|) in C or C*-, by Example 6.3(6).
We work from now on in C<.
Let g : C -> C be a function. For z 6 C, the orbit of g at z (as in
section 6.5) is the set
orb(g,z) = {<7 n (z)|n = 0,l,2,...}.
Let
U(g) = {z C | orb(g, z) is unbounded}

and
=iz e C | orb(g,z) is bounded}
The set F(g) is the filled Julia set of g; the boundary J(g) of F(g) is the
Julia set of g.
For any r R define
Vr(d) {-2 C | 3n(|<7n(,z)| > r)}.
Clearly, U(g) C Fr(g) for all r.
Theorem 6.38. For g(z) z2 - c, with \c\ > 4, we have U(g) is
While semicomputable but not (even While*) computable. Thus, F(g)
is not While* semicomputable.
Proof. Assume for now that |c| > 1, and choose r = 2|c|. Then for \z\ > r,
\g(z)\ = \z*-c\ > \zf-\c\
> \\z\.
Hence for all n,

/3 N n
and so
gn(z) -> oo as n -> oo.
Hence for such r, Vr(g) C U(g), and so

V(g) = Vr(g) = {zC\ 3n(\gn(z)\ > r)}.
To show that U(g) is semicomputable is routine; for example, as the
halting set of the procedure
451
proc in a: complex
aux b: complex
begin
b:=a;
while | b | 2 < 4|c|2 do b := b2 - c od

end.
(Note that although the function z (-> \z\ is not computable, the function
z )-> \z\2 = re(z)2 + im(z) 2 is.)
To conclude the proof we must show that F(g) is not While* semicomputable. Suppose it was, then (by the countable connectivity condition
and the reduction lemma) it would consist of countably many connected
components. But if we choose |c| > 4 it can be shown that F(g) is compact,
totally disconnected and perfect, i.e., homeomorphic to the Cantor set (see,
for example, Hocking and Young [1961]), and so we have a contradiction
(cf. Example 6.26(a)).
I
Computation on topological partial algebras
We have considered While computations on algebras of reals in section

6. Connections were made between notions of semicomputability and familiar rational polynomial definability; we also made some observations on
connections between projective semicomputability and field extensions of
Q-
There is thus a close relationship between computability properties, and

algebraic properties of sets of reals. (Of course many of these properties
can be reformulated for arbitrary rings and fields.)
In this section we explore the relationship between computability properties and topological properties of sets of reals. We will analyse While
computations on general topological algebras, and using these general concepts and results, we will be able to give a quick guide to the primary case
of computation on BL
The outline of this section is as follows. In section 7.1 we indicate the
basic problem: although computability implies continuity (to be proved
later), total Boolean-valued functions on R such as equality and order are
discontinuous. The solution is to work with partial functions. We therefore define partial algebras in section 7.2, and topological partial algebras
in section 7.3. In section 7.4 we compare the two approaches to computation on the reals: the algebraic model of section 6, and the stream model
which lies behind the models studied in this section. In section 7.5 we
prove that computable functions are continuous, from which it follows that
semicomputable or projectively semicomutable sets are open, and hence
computable sets are clopen (= closed and open). In section 7.6 we infer a
converse of this last statement in the case of compact algebras with open
subbases of semicomputable sets. In section 7.7 we specialise to metric
partial algebras, and in section 7.8 show the equivalence between com-
452
putability and explicit definability in the case of a connected domain. This

result is used in the study of approximate computability in section 7.9, in
which effective Weierstrass computability (generalising the classical notion
of Weierstrass approximability) is shown to be equivalent on connected
domains (under certain broad assumptions) to effective uniform While
(or While*) approximability. Finally, in section 7.10, we discuss the relationship between abstract and concrete models of computability, with
particular reference to computation on the reals.
The material of this section is based on Tucker and Zucker [1999]. Background information on topology can be found in any standard text, such
as Kelley [1955], Hocking and Young [1961], Simmons [1963] or Dugundji
[1966].
7.1
The problem
Consider again the standard algebras

n = (E, 1; 0, 1, +, -, x, if real , eqre.1,...)
and Ti<, which extends 7 with less,eai (or '<').
Not all the functions in While(K) and While^R^) are continuous.
This is obvious, because both algebras contain certain basic operations,
namely eqreai and lessreai ('=' and '<'), that are not continuous (with respect to the usual topology on E).
If A is an algebra built on E such that all its basic operations are
continuous, then is every function in While(A) continuous?
Let us immediately consider this question more generally.
Definition 7.1.
(1) A topological (total) ^,-algebra is a pair (A, T), where A is a S-algebra
and T is a family (Ta \ s e Sort(S)), where for each s Sort(E),
Ts is a topology on As, such that for each basic function symbol
F : u -t s of E, the function FA : A" -> As is continuous.
(2) A standard total topological algebra (A, T) is a total topological algebra in which A is standard, and the carrier Ab00i = B has the
discrete topology.
We will often speak of a 'topological algebra A\ without stating the
topology explicitly.
Remark 7.2. In a topological algebra, the carriers of all equality sorts
must be discrete, in order for the equality operation on them to be continuous. In particular, if A is N-standard, then the carrier Anat = N must be
discrete.
To provide motivation, we state the following theorem here. (It will be
formulated and proved later in a more general context.)
453
Theorem 7.3. Let A be a standard topological algebra.

(a) If f While(A) then f is continuous on A.
(b) If f WhileN(A) then f is continuous on A.
(c) If f While*(A) then f is continuous on A.
At first sight this gives a satisfactory answer to the above question
about continuity of While computable functions. However, a standard
total topological algebra based on E has the following problem. There can
be no non-constant basic operations of the form F : W - B such as '<'
or even '='. This is because if / : M9 -> B is continuous, then /^[tt] and
/-1[f] are disjoint open sets whose union is E g . So one must be ffi?, and
the other 0, by the connectness of M. (We investigate connectedness in
topological algebras in section 7.8.)
Hence the problem with the above theorem is the paucity of useful
applications. In fact, the only continuous equality test is on a discrete
space.
However, equality and order on E do have some properties close to
continuity. For example, given two points x and y with x < j/, there are
disjoint neighbourhoods Ux and Uy of x and y respectively such that for
all u Ux and v 6 Uy, u < v. (Similarly for inequality '/'.)
We will develop notions that allow us to express these 'continuity' properties as follows. Define partial functions
lessp : E2 -I
eqp : E2 - B
so that
tt if x < y
fifx>y
t if x = y,
and
tlf
= (
\fif
These partial functions are continuous, in the sense that the inverse images
of {tt} and {f} are always open subsets of E2.
We will exploit these observations about '<' and '=' to the full by
studying topological partial algebras. We will also prove a more general
version of Theorem 7.3 for such partial algebras (Theorem 7.12).
7.2
Partial algebras and While computation
A partial H-algebra is defined in the same way as a S-algebra (section 2.3),

except that for each F : u -> s in Func(E), the function FA : Au - As
may be partial.
454
Standard and N-standard partial S-algebras are defined analogously,

as are the standardisation and N-standardisation of partial E-algebras (cf.
sections 2.4, 2.5).
Suppose S is a standard signature, and A is a standard partial Ealgebra.
The error partial algebra A", of signature E u , is constructed as before
(cf. section 2.6). In particular, for each F eFnc(E), its interpretation
FA on A is extended by strictness to a partial function FA'U on A".
The array partial algebra A*, of signature E*, is constructed as before
(cf. section 2.7).
_
_
The stream partial algebra A, of signature S, is constructed as before
(cf. section 2.8).
The semantics of While programs on A is similar to that for total
algebras (cf. sections 3.3-3.8), except that many of the semantic functions
are now partial, namely: the term evaluation function \t]A (section 3.3),
the functions StyA, CompA, CompA, CompLengthA (section 3.4), and
(as before) the statement evaluation function [5]A (section 3.5) and procedure evaluation function PA (section 3.6). For example, the definition of
[^becomes (cf. section 3.3):
\JL}Aa
=
<r(x)
[Ffr,...,*)]^
~ F
Here the second clause is interpreted as
[F(ti,...,tm)\Aar
~
t
otherwise.
except for the case that F(. . . ) is the discriminator if (b, t\ , < 2 ), in which case
we have a 'non-strict' computation of either [tiller or [/2]"V, depending
on the value of [fe]"4^:
if [6]^
A 4- tt
]* if[b] <rf
t
if[&]A^t-
The results in sections 3.3-3.10 (functionality lemmas, homomorphism

invariance and locality theorems) still hold, with certain obvious modifications related to divergence. For example, the functionality lemma for terms
(3.4) becomes:
Lemma 7.4 (Functionality lemma for terms). For any term t and
states a\ and 0-2, if a\ <72 (rel vart), then either
(i) {t\Aal I and [t]A<72 4. and [t]A(n = [t]A<T2,
or

(ii) [t]Atn t
7.3
455
[t]A<ri t-
Topological partial algebras
Note that in, this section, by 'function' we generally mean partial function.
Definition 7.5. Given two topological spaces X and Y, a function / :
X > Y is continuous if for every open V C Y, f~l[V] df {x X \ x
dom(f) and f(x) Y} is open in X.
Definition 7.6.
(1) A topological partial ^-algebra is a partial E-algebra with topologies
on the carriers such that each of the basic functions is continuous.
(2) A standard topological partial algebra is a topological partial algebra
which is also a standard partial algebra, such that the carrier B has
the discrete topology. (Cf. Definition 7.1.)
Examples 7.7.
(a) (Real algebra.) An important standard topological partial algebra for
our purpose is the algebra
KP = (R, B; 0, 1, +, -, x,if r e a l , eqp, less,
which is formed from
by the replacement of eqreai and lessreai by
the partial operations eqp and lessp (defined in section 7.1). It becomes a topological partial algebra by giving K its usual topology, and
B the discrete topology. An open base for the standard topology on
M is given by the collection of open intervals with rational endpoints.
These intervals are all While semicomputable on Kp. (Exercise.)
(b) (Interval algebras.) Another useful class of topological partial algebras are of the form
algebra
import
carriers
functions
IP
T^P
/
'/ : 7->R,
mi
Fi : 7 -> /,
Fk
jmk _^ j
end
where I is the closed interval [0,1] (with its usual topology), i/ is the
embedding of J into K, and -Fj : Imi > I are continuous partial functions.
These are called (partial) interval algebras on I.
Example 7.8 (While computable functions on Up). We give two
examples of functions computable by While programs, using the above
Boolean-valued functions (eqp and lessp) as tests. (In both cases, the inputs are taken to be positive reals to simplify the programs, although the
456
programs could easily be modified to apply to all reals, positive and nonpositive) .
(a) The characteristic function of Z on E, isJnt : R+ -> B, where
. . , ,
f t if a; is an integer
8
is-mt(z) = < '
I f otherwise.
This is defined by the procedure
proc in x : pos-real
out b: bool
begin
b: =false;
while x>0 {if x = 0, test diverges!}

do x:=x-l
od
end
(b) The truncation function trunc : R+ Z, where

, .
I LXJ if x is not an integer
6
trunc(:r) = \
Ij
otherwise.
The procedure for this is similar:
proc in x : pos-real
out c: int
begin
c:=0;
while x > 1 {if x = 1, test diverges}

do x:=x1;
c:=c+l
od
end
Until further notice (section 7.8) let A be a standard topological partial

E-algebra.
Definition 7.9 (Expansions of topological partial algebra).
(a) The topological partial algebra A", of signature S u , is constructed

from A by giving each new carrier A" the disjoint union topology of
As and {ui}. (This makes ui an isolated point of A"s.)
(b) The topological partial algebra AN, of signature S", is constructed
from A by giving the new carrier N the discrete topology.
457
(c) The topological partial algebra A*, of signature *, is constructed

from AN as follows. Viewing the elements of each new carrier A*
as (essentially) infinite sequences of elements of A", which take the
value ui for all indices greater than Lgth(a*), we give A*s the subspace
topology of the set (A")N of all infinite sequences from A", with the
product topology over A"s. Equivalently, viewing the elements of A*s
as (essentially) arrays of elements of A" of finite length, we can give
A*s the disjoint union topology of the sets (Aus)n of arrays of length
n, for all n > 0, where each set (Aus)n is given the product topology of
its components ^4". It is easy to check that A* is indeed a topological
algebra, i.e., all the new functions of A" are continuous.
(d) The topological partial algebra A, of signature S, is constructed by
giving each new carrier As the product topology over As. Note that,
if As is compact for any sort s, then so is As, by Tychonoff's theorem
(see Remark 7.28).
Definition 7.10. A is Hausdorffif each carrier of A is Hausdorff (i.e., any
distinct pair of points can be separated by disjoint neighbourhoods.)
Proposition 7.11. If A is Hausdorff, then so are the expansions AU,AN,
A" and A.
Theorem 7.12. Let A be a standard topological partial algebra.
(c) If f & While*(A) then f is continuous on A.
The proof will be given in section 7.5. For now we observe that this
theorem implies the following.
Theorem 7.13. If R is
(a) While* semicomputable on A, or
(b) protectively While* semicomputable on A,
then R is open in A.
Proof.
(a) Suppose R is the halting set of a While* computable function / :
Au -> As. By Theorem 7.12, / is continuous. Hence R = f ~ l [ A s ]
is open.
(6) From (a) and since a projection of an open set is open. (Check.) I
Note that in the above proof, we used the fact that a projection of an
open set is open. (Check.)
Corollary 7.14. A While* computable relation on A is clopen in A.
Proof. By Post's theorems (5.40) and Theorem 7.13.
458
7.4
Discussion: Two models of computation on the

reals
The purpose of this subsection is to explain the conceptual background for

our models of computation on the reals.
There are two types of models of reals, and computations on them:
(1) The algebraic model. Here we work with a many-sorted algebra like
U = (R.N.B; 0,1,+, x , . . . ) ,
This was the approach in section 6.
(2) The stream model. A real number input or output is given as a
stream of
(i) digits (representing a decimal expansion), or
(M) rationals (representing a Cauchy sequence), or
(Hi) integers (representing a continued fraction).
This idea lies behind the partial algebras of reals Ttp and Ip studied in this
section. For convenience, we concentrate on (i). (The decimal representation may be to any base.)
Then a procedure for a computable real-valued function / : Mn -> E
has as input n streams of digits, and as output a stream of digits. Similarly a procedure for a computable relation on the reals, or Boolean-valued
function, R : M" ^ B has as input n streams of digits, and as output a
Boolean value (or bit).
In the algebraic approach, the input and output reals are just 'points'
(elements of E) given in one step. Continuity of the computable functions,
or even of the primitive functions (with respect to the usual topology on
R), is not forced on us and our models in section 6 violated it.
In the stream model, however, the reals form infinite data; at any finite
time, only a finite part has been processed (written or read). Continuity
of the computable functions (which we will prove formally in the next subsection) is then forced on us conceptually by computability requirements,
(a) For / : En - TSL to be computable, we must be able to get the
output real (= stream of digits) to any desired degree of accuracy
(= length) by inputting sufficiently long input streams. (Briefly: the
longer the inputs, the longer the output.)
(b) For R : En - B to be computable, we must be able to get an output
bit after finite (suficiently long) input streams.
We often work with the algebraic model, because of its simplicity. It is
a good source of examples to distinguish various notions of abstract computability and semicomputability (as we saw in section 6). However, the
stream model is more satisfying conceptually, conforming to our intuition
459
of reals as they occur to us, e.g., in physical measurements and calculations. So we can use the stream model as a source of insights for our
requirements or assumptions regarding the algebraic model, notably the
continuity requirement for computable functions.
Recall the problem discussed in Section 7.1 concerning the continuity
requirement for computable relations, i.e., Boolean-valued functions R :
K" -> B: the only continuous total functions from En to any discrete space
such as B are the constant funtions.
The solution, we saw, was to work with partial algebras, i.e., to interpret
the function symbols in the signature by partial functions. We use the
stream model for insight. Consider, for example, the equality and order
relations on the reals. Suppose we have two input reals (between 0 and 1)
defined by streams of decimal digits, which we read, one digit at a time:
a
/3
=
= 0.606162---
Consider the various possibilities:

(a) a < /3. Then for some n, this will be determined by the initial
segments ao . . . an and bo . . .bn.
(6) a > /3. Similarly, this will be determined by some pair of initial
segments.
(c) a ^ (3. This is the disjunction of cases (a) and (c), so again it will be
determined by some pair of initial segments.
(d) a = 0. This case, however, cannot be determined by initial segments
of any length! (Note that this analysis is not affected by the double
decimal representation of rationals.)
This analysis suggests the following definitions for partial functions in the
signature of E:
(compare (i));
(iv)
lseq p (z,y) = < f
if x = y
(same as (m)!).
Note that examples (i) and (iii) were incorporated as basic operations in
the topological partial algebras 7p and Xp in section 7.3.
460
Further, we can add real-valued functions such as division:

,(v)x xdn
.- y =
R
Note that in the above definitions, 't' (undefinedness or divergence) must

not be confused with V (error), which occurs in integer division:
,- vi-N
In the integer case, we can effectively test whether the input y is 0, and so
(if y = 0) give an output, namely an error message (or default value, if we
prefer). In the real case, if y 0, this cannot be effectively decided, and
so no output (error or other) is possible. (Suppose the first n digits of the
input y are 00 ... 0. The (n + l)th digit may or may not also be 0.)
We remark that the concept of reals as streams is reminiscent of Brouwer's notion of reals defined by lawless sequences or choice sequences. In
fact, for Brouwer, a function was a constructively defined function, and he
'proved' that every function on M is continuous! (See, for example, the
discussion in Troelstra and van Dalen [1988, Chapter 12]).
We conclude this discussion by pointing out a related, intensional, approach by Feferman to computation on the reals, based on Bishop's constructive approach to higher analysis (Bishop [1967], Bishop and Bridges
[1985]). This is outlined in Feferman [l992a; 1992b].
7.5
Continuity of computable functions
In this section we will prove that computational processes associated with

While* programs over topological partial algebras are continuous. More
precisely, we will prove Theorem 7.12:

(c) If f & While* (A) then f is continuous on A.
Clearly, part (a) follows trivially from parts (b) and (c). Note that, conversely, parts (b) and (c) follow easily from (a). For example, if / 6
While* (A) then f While(A*), therefore / is continuous on A*, and
hence on A. We will prove part (a) by demonstrating the continuity of
the operational semantics developed in section 3 (as modified for partial
algebras). We will see the advantage of the algebraic approach to operational semantics used there, since these functions are built up from simpler
functions using composition, thus preserving continuity.
We proceed with a series of lemmas. Let X,Y, . . . be topological spaces.
Remember, functions are (in general) partial.
Lemma 7.15 (Basic lemmas on continuity).
(a) A composition of continuous functions is continuous.
461
(b) Let f : X - Ft x . . . x Yn have component functions fa : X ->

Yi fori = l,...,n, i.e., f ( x ) ~ (/i (*),... ,/()) /or otf z e X.
JTien / is continuous if, and only if, all the fa are continuous for
i = l,... ,n.
(c) If D is a discrete space, then a function f : X x D Y is continuous
if, and only if, /( ,d) : X -> Y is continuous for all d 6 D.
Proof. Exercise.
I
2
Corollary 7.16. TTie discriminator f : BxX -> X, defined by /(tt, x, y) =

f ( f , x , y ) = j/, is continuous.
Proof. Exercise.
Corollary 7.17. let / : X -> F fee defined by
if fc(a:) 4- *
otherwise,
w/iere gi , 32 : X -> F and /i : X - B are continuous. Then f is continuous.

Proof. From Corollary 7.16 and Lemma 7.15(a).
Lemma 7.18 (Least number operator). Let g : X x N > Y be continuous, and let yo Y be such that {yo} is clopen in Y. Let f : X > N
be defined by
/(x) ~ nk[g(x,k) 4,y 0 ],
i.e.,
f ( x ) 4- k <=> Vz < k(g(x,i) ^ j/ 0 )A (g(x, k) 4- j/ 0 )

Then f is continuous.
Proof. Since N has the discrete topology, it is sufficient to show that for
any k G N, /-1({fc}) is open. We have
k-l
f}{x\g(xii)^y0}r({x\g(x,k)iry0}
i=0
k-l
t=0
which is a finite intersection of open sets, since by assumption both {yo}

and Y\{y0} are open.
I
The rest of the proof consists of showing the continuity of the various
semantic operations defined in section 3.
462
First we must specify topologies on the various spaces involved in the

operational semantics.
For a product type u = si x ... x sm, the space Au =<*/ AS1 x ... x ASm
has (of course) the product topology of the ASi 's.
The state space State(A) is the (finite) product of the state spaces
States(A) for all s Sort(E) (section 3.2), where each States(A) is an
(infinite) product of the carriers As (indexed by Vars). Thus State(A)
is an infinite product of all the carriers As, and takes the product topology
of the Ag's. The space State(A.)L){*} is formed as the union of State(A)
and the singleton space {*}. Note that this makes the point * clopen in
State(A.)\j{*}.
The syntactic sets Stmt and AtSt have the discrete topology, as do
the sets B and N of Booleans and naturals.
Lemma 7.19. For t Terms, the function {tlA: State (A) -> As (section 3.3) is continuous.
Proof. By structural induction on t. Use the facts that the basic functions of E are continuous, and that continuity is preserved by composition
(Lemma 7.15(a)).
I
Recall that \t\A and the other semantic functions considered below are
actually the partial algebra analogues of the functions defined in section 3
(as discussed in section 7.2).
Lemma 7.20. The state variant function
\o-,a- a{x./a} : State(A) x A" -> State(A)
(for some product type u and fixed tuple of variables x : u) is continuous.
Proof. Exercise.
I
A
Lemma 7.21. For S AtSt, the function S$ : State(A) -> State(A)

(section 3.5) is continuous.
Proof. For 5=skip, this is trivial. For 5=x := t, use Lemmas 7.19, 7.20
and 7.15(6).
I
Lemma 7.22. The functions First and RestA (section 3.6) are continuous.
Proof. For First, this is trivial (a mapping with discrete domain space).
For RestA, it is sufficient, by Lemma 7.15(c), to show that for any fixed
S Stmt, the function
RestA(S, - ) : State(A)-> Stmt
is continuous. This is proved by structural induction on S, making use (in
the case that S is a conditional or 'while' statement) of Corollary 7.17. I
Lemma 7.23. The one-step computation function
463
CompA : Stmt x State(A) -> State(A)

Proof. Again, by Lemma 7.15(c), it is sufficient to show that for any fixed
S Stmt, the function CompA(S, ) is continuous. But by definition,
this is First(S)$A, which is continuous by Lemma 7.22.
I
A
Lemma 7.24. The computation step function Comp (section 3.4) is
continuous.
Proof. Again, it is sufficient to show that for any fixed S Stmt and
n N, the function
CompA(S, -,n): State(A)->S*ate(A)U{*}
is continuous. This is proved by induction on n, using (in the base case)
Lemma 7.23 and (in the induction step) Lemmas 7.22 and 7.23.
I
Lemma 7.25. The computation length function CompLengthA (section
3.4) is continuous.
Proof. This function is defined by
CompLengthA(S, a) ~ im[CompA(S, a, n + 1) 4- *]
Its continuity follows from Lemma 7.18, since {*} is clopen in
State(A)U{*}, and by Lemma 7.24.
I
Lemma 7.26. For S <S Stmt, the function [S[A: State (A)-* State(A)
Proof. Since
[S]A(cr) ~ CompA(S, a,CompLengthA(S,a)),
the result follows from Lemmas 7.24 and 7.25.
Lemma 7.27. For any While procedure P, the function P (section 3.6)
is continuous.
Proof. Suppose P = proc in a out b aux cbegin 5 end, where a : u and
b : v, so that PA : Au -> Av. Fix any stateCTOeState(A). The
imbedding and projection functions
ta : Au -> State (A)
and
?rb : State (A) -> Av
defined by
t a (z) = a0{a./x}
and
7rb(cr) = a[b]
are continuous. (Exercise.) Hence the composition
7Tbo [S]Aota : A->A.
is continuous. But this is just PA, independent of the choice of (TO, by the
functionality lemma (3.11) for procedures.
Theorem 7.12(o) follows from this.
464
7.6
Topological characterisation of computable sets in

compact algebras
For background on compactness, see any of the books listed at the beginning of section 7.
Remark 7.28 (Compactness).
(a) By Tychonoff 's theorem, the product of compact spaces is compact.

(6) The unit interval / is compact. Hence so is the product space I9 for
any q.
Now we have seen (Theorem 7.13 and Corollary 7.14) that for sets:
semicomputable
computable
=>
=
open
clopen.
We can reverse the direction of the implication in the second of these assertions, under the assumption of compactness.
Theorem 7.29. Let Abe a topological partial algebra, and let u = si x . . . x sm
ProdType(T^, where, for i = 1, ... ,n,
(a) ASi is compact, and
(b) As. has an open subbase of While semicomputable sets.
Then for any relation R C Au, the following are equivalent:
(i) R is While computable;
(ii) R is While* computable;
(in) R is clopen in Au.
Proof. (Z):=>(M) is trivial.
(n)=>(m) follows from Corollary 7.14.
(m)=^-(i): Note first that from assumptions (a) and (6), the product space
Au (with the product topology) is compact, and has an open subbase
of While semicomputable sets. Suppose now that R is clopen in Au.
Since R is open, we can write
R=\jBt
where the Bt are basic open sets. Each Bi is a finite intersection of
subbasic open sets, and hence semicomputable, by Theorem 5.8.
Since -R is closed, R is compact, and hence R is the union of finitely
many of the BJ'S, and so R is semicomputable, by Theorem 5.8.
Repeating the above argument for Rc, we infer by Post's theorem (5.9)
that R is computable.
I
7.7
465
Metric partial algebra
A particular type of topological partial algebra is a metric partial algebra.

This is a pair (A, d) where d is a family of metrics (d8 \ s Sort(E)), and
for each s Sort(E), ds is a metric on As, such that for each basic function
symbol F : u > s of S, the function FA : Au As is continuous (where
continuity of a partial function is as per Definition 7.5).
This induces or defines a topological partial algebra in the standard way.
Note that if A is standard, then the carrier B, as well as the carriers of
all equality sorts, will have the discrete metric, defined by
O ifx = y
which induces the discrete topology (see Remark 7.2).

Again, we will often speak of a 'metric algebra A\ without stating the
metric explicitly.
Example 7.30. The real algebra Tlp and interval algebras Ip (Examples
7.7) can be viewed (or recast) as metric algebras in an obvious way.
Remark 7.31. If A is a metric partial algebra, then for each product sort
u = si x ... x sm, we can define a metric du on Au, which induces the
product topology on A", by
i,... ,xm),(yi,... ,ym)) = n
or more generally, by the tp metric
m
*<,W)) P ) 1/P
(l<P<oo)
Metric algebras will be used in our study of approximable computability

(section 7.9).
7.8
Connected domains: computability and explicit

definability
In this subsection we investigate the relationship between computability

and explicit definability for a function on a connected domain.
First we review the concept of connectedness.
Remark 7.32 (Connectedness).
(a) A topological space X is said to be connected if the only clopen subsets

of X are X and 0.
(b) It is easy to see that X is connected if, and only if, the only continuous
466
total functions from X to B (or to any discrete space) are the constant
functions. (Exercise.)
(e) A finite product of connected spaces is connected. (See any of the
references listed at the beginning of section 7.) Hence in a topological
S-algebra A, if u = si x ... x sm ProdType(S), and ASi is
connected for i = 1,... , m, then so is A".
(d) The space R of the reals, with its usual topology, is connected. Therefore, so is the product space E9 for any q. Hence, by Corollary 7.14,
for any topological partial algebra over K, such as the algebra Tip
(Example 7.7(a)), the only While or While* computable subsets
of ! are W itself and 0.
(e) Similarly, by the connectedness of the unit interval / (and hence of
/*), the only While or While* computable subsets of Iq in any
interval algebra over / (Example 7.7(6)) are I9 itself and 0, ... ,
regardless of the choice of (continuous) functions F,... ,Fk as basic
operations!
We will only develop the theory in this section for total functions on
total algebras. The essential idea is that if / is a computable total function
on A, then / is continuous, and so, by Remark 7.32(6), its definition cannot
depend non-trivially on any Boolean tests involving variables of sort s if
As is connected. (We will make this precise below, in the proof of Lemma
7.40.)
Note that many of these results can be extended to the case of total
functions / on connected domains in partial algebras. We intend to investigate this more fully in future work. However, for now we assume in this
subsection:
Assumption 7.33. A is a total topological algebra.
Examples 7.34 (Topological total algebras on the reals). Two important total topological algebras based on the reals which will be important for our purposes are:
(a) The algebra ftf (T for 'total topological'), defined by
algebra
import
functions
1$
TZo.JV, B
ifreal : 1 x E2 -> M,
divnat : M x N -> M,
end
Here K0 is the ring of reals (E; 0, 1, +, -, x) (Example 2.5(6)), JV

is the standard algebra of naturals (Example 2.23(6)), div nat is division
of reals by naturals (where division by zero is defined as zero), and
E has its usual topology.
Note that 7?.f does not contain the (total) Boolean-valued functions
eqreai or lessreai, since they are not continuous (cf. the partial functions
467
eqp and lessp of 72.p). It is therefore not an expansion of the standard

algebra 7J of reals (Example 2.23(c)) which contains eqreai- (Compare
the ^-standardisation KN of K (Example 2.27(6)) which does contain
eqreal-)
(b) (The interval algebra of reals.) Here the unit interval / = [0,1] is
included as a separate carrier of sort 'intvl', again with the usual
topology. This is useful for studying real continuous functions with
compact domain. (We could also choose I = [1,1], etc.) The total
topological algebra If* is defined by
algebra
import
carriers
functions
end
T^
f$
I
i/ : /
Here i/ is the embedding of / into HL

Remark 7.35. Note that both algebras K^ and l are strictly N-standard. The reason why N, and the function div nat , are included in these total
algebras (unlike the partial algebras Tlp and Ip of 7.7) is because of their
applicability in the theory of approximable computability in section 7.9.
Definition 7.36. Let / be a function on A.
(a) f is S- explicitly definable on A if / is definable on A by a S-term.
(6) / is *-explicitly definable on A if f is definable on A by a S*-term.
By the */ conservativity theorem (3.63)', the two concepts defined
above are equivalent:
Proposition 7.37. A function on A is H-explicitly definable if, and only
if, it is %*-explicitly definable.
Remarks 7.38.
(a) Suppose (i) A is strictly N-standard (e.g., K^ and 1^), and () the
domain and range types of / do not include nat (e.g., / : ffi* > R or
/ : / ' R in these algebra, respectively). Then this proposition also
holds with the 'internal' version of S* (Remark 2.31(c)), by Remark
3.64(6).
(6) Because of Proposition 7.37, we shall usually use 'explicit definability'
over an algebra to mean either S- or E*-explicit definability.
In the following lemma, A is any total algebra, not necessarily topological.
Lemma 7.39. Explicit definability on A =* While computability on A.
In preparation for the converse direction, we need the following:
468
Lemma 7.40. Suppose Au is connected. Let P : u ^ v be a (While or

While*) procedure which defines a total function on A, i.e., HaltA(P) =
Au. Then the computation tree T(P) for P is essentially finite, or (more
accurately) semantically equivalent to a finite, unbranching tree.
(The computation tree for a procedure was defined in section 5.11.)
Proof. Put
P = proc in a out b aux c begin S end
where a : u, b : v and c : w, and S = Sinit',S', where Smit is an
initialisation of the variables b,c to their default values. Let T = T(P).
First, we show that all branches in T can be eliminated. Consider a branch
at a test node in T (Fig. 16).
Fig. 16.
This Boolean test defines a function

fb,t : Au ->
where (putting x = a, b, c)
A = b
i.e., /6,t(a) is the evaluation of 6(x/t) when a is assigned to a and the

default tuples SV,6W are assigned to b,c respectively. The function fb,t
is clearly (While or While*) computable, by Lemma 7.39, and hence
continuous, by Theorem 7.12. It is also total, since A is total by assumption
(7.33). By Remark 7.32(6) it must therefore be constant on Au. If it is
constantly tt, we can replace this test node by its left branch (i.e., delete
the node and the right branch), and if it is constantly ff, we can similarly
replace the node by its right branch only.
By repeating this process, we can replace T by a semantically equivalent
tree T' without any Boolean tests, and (hence) without any branching. The
tree T' consists of a single path, which must be finite, since PA is total by
assumption.
I
469
Remarks 7.41.
(o) Examples of the application of this lemma are the total topological
algebras 71^ and if*, and procedures of type real9 > real and
intvl 9 - real, respectively. Note that the result also holds with the
'internal' version of While* computability, by Proposition 3.47.
(b) Without the assumption that Au be connected, Lemma 7.40 is false,
i.e., it is possible for PA to be total, but T(P) to be infinite. (Exercise.)
(c) Note that any computation tree T is finitely branching; therefore,
by Konig's lemma, T is finite if, and only if, all its paths are finite.
Hence any counterexample to demonstrate (b) would be an example
of a computation tree for a procedure which defines a total function,
but nevertheless has infinite paths!
(d) The lemma also holds without the assumption that A be total, as
long as PA is total (and Au is connected). (Exercise.)
(e) In general, this transformation of T(P) to a finite unbranching tree
given by the proof of Lemma 7.40 is not effective in P, since it depends on the evaluation of (constant) Boolean tests. If we want it
to be effective in P (as we will in the next subsection, dealing with
approximable computability), we will need a further condition on A,
such as the Boolean computability property (Definition 7.56).
Lemma 7.42. // a computation tree T(P) for a (While or While*)
procedure P is finite and unbranching, then PA is (-) explicitly definable
on A.
Proof. Exercise.
Remark 7.43. More generally, Lemma 7.42 holds if T(-P) is finite but
(possibly) branching. (Use the discriminator in constructing the defining
term.)
Combining Lemmas 7.39, 7.40 and 7.42, we have conditions for an equivalence between explicit definability and While computability:
Theorem 7.44. Let A be a total topological algebra, and suppose Au is
connected. Let f : Au -* Av be a total function. Then the following are
equivalent:
(i) f is While computable on A;
(ii) f is While* computable on A;
(Hi) f is explicitly definable on A.
Example 7.45. This theorem holds for the total topological algebras Ti^
and If, and total functions / : R* -> R and /:!*-/, respectively.
Note that by Remarks 7.38(o) and 7.41 (a), the theorem also holds in
these algebras with 'internal' versions of While* computability and *explicit definability.
470
7.9
Approximable computability
It is often the case that functions are computed approximately, by a sequence of 'polynomial approximations'. In this way we extend the class of
computable functions to that of approximably computable functions. This
theory will build on the work of section 7.8.
First we review some basic notions on convergence of sequences of functions.
Definition 7.46 (Effective uniform convergence). Given a set X, a
metric space Y, a total function / : X -> Y and a sequence of total
functions gn : X -* Y (n = 0,1,2,...), we say that gn converges effectively
uniformly to f on X (or approximates f effectively uniformly on X) if, and
only if, there is a total recursive function e : N > N such that for all n, k
and all x X,
k>e(n) => dy($*(*),/(*))< 2-".
Remark 7.47. Let M : N -) N be any total recursive function which is
increasing and unbounded. Then (in the notation of Definition 7.46) the
sequence gn converges effectively uniformly to f on X if, and only if, there
is a total recursive function e : N -4 N such that for all n, k and all a; 6 X,
k > e(n) = d Y ( 9 k ( x ) , f ( x ) ) < l/M(n).
(Exercise.)
The theory here will be developed for total functions on metric total
algebras (denned in section 7.5). We therefore assume in this subsection:
Assumption 7.48. A is a metric total algebra.
Example 7.49 (Metric total algebras on the reals). The two total
topological algebras based on the reals given in Example 7.34 can be viewed
as metric algebras in an obvious way. The second of these, the interval
algebra if*, will be particularly useful here.
We will present, and compare, two notions of approximable computability on metric total algebras: effective uniform While (or While*) approximability (Definition 7.50) and effective Weierstrass approximability (Definition 7.54).
So suppose A is a metric total E-algebra. Let u, v ProdType(E)
and s Sort(E).
Definition 7.50. A total function / : Au -> A" is effectively uniformly
While (or While*) approximable on A if there is a While (or While )
procedure
P : nat x u - v
on AN such that PA is total on AN and, putting gn(x) =<y PA
the sequence gn converges to / effectively uniformly on Au.
(n,x),
471
Remark 7.51. If A is ./V-standard, we can replace 'AN' by 'A' in the

above definition (by Proposition 3.38).
Lemma 7.52. If Au is compact, and f : Au > As is effectively uniformly
While* approximate on A, then f is continuous.
Proof. By Theorem 7.12, the approximating functions for / are continuous. The theorem follows by a standard result for uniform convergence on
compact spaces.
Remark 7.53. Note that a function from E* to M is explicitly definable

over n.^ if, and only if, it is definable by a polynomial in q variables over
E with rational coefficients. Similarly, a function from /* to E is explicitly
definable over If* if, and only if, it is definable by a polynomial in q variables
over / with rational coefficients. This explains the following terminology,
since Weierstrass-type theorems deal typically with approximations of real
functions by polynomial functions (uniformly on compact domains).
Definition 7.54 (Effective Weierstrass approximability).
(a) A total function / : Au -t As is effectively S- Weierstrass approximable over A if, for some x : u, there is a total computable function
h : N -> rTermx,s(xr
such that, putting gn(x) q te^s(h(n),x), the sequence gn converges to / effectively uniformly on A".
(b) Effective E*-Weierstrass approximability is defined similarly, by replacing 'E' by '*' and lte^ by 'te'.
(The term evaluation representing function te^s was defined in section 4.3.)
Proposition 7.55. A function on A is effectively Y,-Weierstrass approximable if, and only if, it is effectively ^-Weierstrass approximate.
Proof. From a computable function
h* : N -> rTermI,s(E*)'1
we can construct a computable function
h : N ->
TermI,f(S)~l
where, for each n, h(n) and h*(n) are Godel numbers for semantically equivalent terms, using the fact that the transformation of E*-terms to S-terms
in the conservativity theorem 2.15.4 is effective.
We shall therefore usually speak of 'effective Weierstrass approximability' over an algebra to mean effective Weierstrass approximability in either
sense.
472
We now investigate the connection between effective uniform While

approximability and effective Weierstrass approximability. We are looking
for a uniform version of Theorem 7.44 (i.e., uniform over N-sequences of
functions).
To attain this uniformity, we need an extra condition in each direction: for 'effective Weierstrass =$ effective uniform While' (i.e., a uniform
version of Lemma 7.39) we need the TEP (section 4.7), and for 'effective
uniform While => effective Weierstrass' (i.e., a uniform version of Lemma
7.40) we need a new condition, the Boolean computability property (cf.
Remark 7.41(e)), which we now define.
Definition 7.56. A E-algebra A has the Boolean computability property
(BCP) if for any closed S-Boolean term 6, its valuation 6 A (= tt or ff, cf.
Definition 2.11) can be effectively computed, i.e., (equivalently) there is a
recursive function
with /(rZP) = bA.

Remark 7.57. To avoid confusion: the BCP is not a special case of the
TEP, for closed terms of sort bool. It requires the function / in Definition
7.56 to be recursive, i.e., computable over N (and B) in the sense of classical
recursion theory. The TEP entails only that / be computable over A a
weaker assumption (in general).
Example 7.58. Both ftf and If have the TEP and the BCP. (Exercise.)
We will see how these two conditions (TEP and BCP) are applied in
opposite directions to obtain a uniform version of Theorem 7.44.
In the following lemma, A is any total algebra, not necessarily metric
or even topological (cf. Lemma 7.39).
Lemma 7.59. Suppose A has the TEP. Given variables x : u, let
h : N -+ rTermI,s(S)n
be a total computable function. Then there is a While(EN) procedure
P : nat x u > s such that for all x Au and n N,
PAN(n,x) = teAtl(h(n),x).
For the converse direction:

Lemma 7.60. Suppose Au is connected and A has the BCP. Let P :
nat x u -t v be a (While or While*) procedure over AN which defines
473
a total function on AN . Then there is a computable function h : N ->

TermIiS(sr su^h that for all x Au and n N,
teAs(h(n),x)
= PAN(n,xy
Proof. Suppose
P = proc in n, a out b aux c begin 5 end
where n : nat. Consider the WhileN(E) procedures Pn : u v (n =
0,1,2,...) denned by
Pn = proc in a out b aux n, c begin n := n; S end
where n is the numeral for n. It is clear that for all n 6 N and x Au,
PA(x) = PAN(n,x).
By Lemmas 7.40 and 7.42, PA is definable by a S-term tn. Moreover,
the sequence (tn) is computable in n, by use of the BCP to effectivise the
transformation of the tree T to T' in the construction given by the proof
of Lemma 7.40. (Note that the evaluation of a constant Boolean test can
be effected by the computation of any closed instance of the Boolean term,
which exists by the instantiation assumption.) Hence the function h denned
by
r
h(n) = ^
is computable.
We now have a uniform version of Theorem 7.44:

Theorem 7.61. Suppose Au is connected and A has the TEP and BCP.
Let f : Au -> A8 be a total function. Then the following are equivalent:
(i) f is effectively
(ii) f is effectively
(Hi) f is effectively
uniformly While approximate on A;

uniformly While* approximable on A;
Weierstass approximable on A.
Proof. From Lemmas 7.59 and 7.60.
The requirement in the above theorem that / be total derives from the
application of Lemma 7.60, which in turn used Lemma 7.40, where totality
was required.
Remark 7.62. The equivalence of (i) and (in) was noted for the special
case A = If, Au = / and As = R in Shepherdson [1976], in the course of
proving the equivalence of these with another notion of computability on
the reals (Theorem 7.64).
474
We are especially interested in computability on the reals, and, in particular, a notion of computability of functions from Iq to E, developed
in Grzegorczyk [1955; 1957] and Lacombe [1955]. We repeat the version
given in Pour-El and Richards [1989], giving also, for completeness, the
definitions of computable sequences of rationals and computable reals. Finally (Theorem 7.64),we state the equivalence of this notion with the others
listed in Theorem 7.61.
Definition 7.63.
(a) A sequence (r^) of rationals is computable if there exist recursive
functions a, 6, s : N -* N such that, for all k, b(k) ^ 0 and
rt
Tk
- ( p.(fc)(*)
~ ( lj
&(*)'
A double sequence of rationals is computable if it is mapped onto

a computable sequence of rationals by one of the standard recursive
pairing functions from N2 onto N.
(b) A sequence (x^ of reals is computable if there is a computable double
sequence of rationals (rnk) such that
\i"nk xn\ < 2~k
for all k and n.
(c) A total function / : / ' - * M is GL (or Grzegorczyk-Lacombe) computable if:

(i) f is sequentially computable, i.e., / maps every computable sequence of points in /' into a computable sequence of points in
TO.
JK,
(ii) f is effectively uniformly continuous, i.e., there is a recursive

function 6 : N -> N such that, for all x, y I9 and all n N,
\x-V\<2-iW=>\f(x)-f(v)\<2-n.
Theorem 7.64. Let f : Iq -> K be a total function. Then the following
are equivalent:
(i) f is effectively uniformly While approximate on if1;
(ii) f is effectively uniformly While* approximate on 1;
(Hi f is effectively Weierstrass approximate on 1^;
(iv) f is GL computable.
Proof. As we have noted, / is connected and I? has the TEP and BCP.
Hence the equivalence of the first three assertions is a special case of Theorem 7.61. The equivalence of (Hi) and (iv) is proved in detail in Pour-El
and Richards [1989].
I
Remark 7.65 (Historical). The equivalence (iii)&(iv) was proved in
Pour-El and Caldwell [1975]. An exposition of this proof is given in Pour-El
475
and Richards [1989]. Shepherdson [1976] gave a proof of (i)-e>(iv) by (essentially) noting the equivalence (i)-o(m') and reproving (m)'O(iv). The
new features in the present treatment are: (a) the equivalence (i)t$(iii)
in a more general context (Theorem 7.61), and (6) the equivalence of (ii)
with the rest (Theorems 7.61 and 7.64).
7.10
Abstract versus concrete models for computing

on the real numbers
Our models of computation can be applied to any algebraic structure. Furthermore, our models of computation are abstract: the computable sets
and functions on an algebra are isomorphism invariant. Thus to compute
on the real numbers we have only to choose an algebra A in which (any
one of the representations of) the set E of reals is a carrier set. There
are infinitely many such algebras of representations or implementations of
the reals, all with decent theories resembling the theory of the computable
functions on the naturals. However, unlike the case of the natural numbers,
it is easy to list different algebras of reals with different classes of While
computable functions (see below).
In sections 6 and 7, we have let the abstract theory dictate our development of computation on the reals. The goal of making an attractive and
useful connection with continuity led us to use partial algebras in section 7.
Because of the fundamental role of continuity, this partial algebra approach
is important since it enables us to relate abstract computation on the reals
with concrete computation on representations of the reals (via the natural
numbers). This we saw in section 7.4 and, especially, in section 7.9. Here
we will reflect further on the distinction between concrete and abstract,
following Tucker and Zucker [1999].
The real numbers can be built from the rational numbers, and hence the
natural numbers, in a variety of equivalent ways, such as Dedekind cuts,
Cauchy sequences, decimal expansions, etc. Thus it is natural to investigate
the computability of functions on the real numbers, starting from the theory
of computable functions on the naturals. Such an approach we term a
concrete computability theory. The key idea is that of a computable real
number. A computable real number is a number that has a computable
approximation by rational numbers; the set of computable real numbers
forms a real closed subfield of the reals. Computable functions on the reals
are functions that can be computably approximated on computable real
numbers. The study of the computability of the reals began in Turing
[1936], but only later was taken up in a systematic way, in Rice [1954],
Lacombe [1955] and Grzegorczyk [1955; 1957], for example.
The different representations of the reals are specified axiomatically,
uniquely up to isomorphism, as a complete Archimedean ordered field.
But computationally they are far from being equivalent. For instance,
representing real numbers by infinite decimals leads to the problem that the
trivial function 3x cannot be computable. If Cauchy sequences are used,
476
however, elementary functions on the reals are computable. The problems

of representation are worse when investigating computational complexity
(see Ko [1991]).
It is a general problem to understand concrete representations of infinite data and, to this end, to establish a comprehensive theory of computing in topological algebras. There have been a number of approaches
to computability based on concrete representations for the reals and other
topological structures. Only recently have these approaches been shown to
be equivalent.
The ideas about computable functions on the reals were generalised
to metric spaces in Moschovakis [1964] who proved some of the special
theorems of Ceitin [1959] obtained earlier with a constructive point of view.
An axiomatic approach to computability on Banach spaces is given
in Pour-El and Richards [1989]. This gives general theorems about the
independence of computation from representations, and provides a series
of remarkable results characterising computable operators.
Computability theory on N includes a theory of computation for functionals on the set
B =df [N -> N]
which, with the product topology, is called Baire space. The theory of
computation on B is called type 2 computability theory. Klaus Weihrauch
and his collaborators, in a long series of papers, have created a fine generalisation of the theory of numberings of countable sets (recall section 1.3) to
a theory of type 2 numberings of uncountable sets. In type 2 enumeration
theory, numberings have the following form. Let X be a topological space.
A type 2 enumeration of X is surjective partial map
a : B -> X
(cf. Definition 1.1). Computability on X is analysed using type 2 computability on B. See, for example, Kreitz and Weihrauch [1985] and, especially, Weihrauch [1987].
A more abstract method for the systematic study of effective approximations of uncountable topological algebras has been developed by V.
Stoltenberg-Hansen and J. V. Tucker. It is based on representing topological algebras with algebras built from domains and applying the theory of
effective domains. This method of applying domain theory to mathematical approximation problems was first developed for topological algebras
and used on completions of local rings in Stoltenberg-Hansen and Tucker
[1985; 1988]. It was further developed on universal algebras in StoltenbergHansen and Tucker [1991; 1993; 1995]; see also Stoltenberg-Hansen et al.
[1994, Chapter 8]. We will sketch the basic method; an introduction can be
found in Stoltenberg-Hansen and Tucker [1995]. Suppose A is a topological algebra. The idea is to build an algebra R that represents A by means
477
of the continuous representation map a : R -> A and to computably

approximate R.
We imagine building R from a set P of approximating data that is a
computable structure (in the sense of section 1.3). Each datum in R is
approximated by some sequence of data from P. More specifically, R is a
topological space obtained from P by some form of completion process in
which P is dense in R. The key feature of this approach is that, since P
is computable, some of the approximating sequences are computable. The
subset of R consisting of the computably approximable elements forms a
basis for the computable approximation of R and hence of A. We usually use a special type of approximating structure P called a conditional
upper semilattice, and a completion process called ideal completion. This
process yields an algebraic domain. The method effectively approximates
a large class of examples: ultrametric algebras, locally compact Hausdorff
algebras (Stoltenberg-Hansen and Tucker [1995]), and complete metric algebras (Blanck [1997]).
Similar ideas have been used in Edalat [I995a; 1995b], applying continuous domains to analytical questions, such as integration and measure.
The domain method is related to Weihrauch's generalised computability
theory: a type 2 enumeration is easily shown to give a domain representation, and it is possible to construct a type 2 enumeration for a large class of
domain representations (see also Weihrauch and Schreiber [1981]). Indeed,
in Stoltenberg-Hansen and Tucker [l999b] there is a series of theorems that
show that for a wide class of spaces the concrete models based on effective
metric algebras, axiomatic computation theory, type 2 enumerability, algebraic domain representability, and continuous domain representability are
all equivalent. Thus there is a stable theory of computable functions based
on concrete models.
It is important to understand fully the relationship between the concrete
and abstract computability theories developed here and elsewhere: in the
one direction, we construct concrete representations of abstract models, and
in the other, we abstract from concrete models. Let us examine this more
closely.
The various concrete computability theories discussed above have a
common form, which is similar to that of the theory of computable algebras (see section 1.3), one difference being that, at present, the theory of
effective computation on topological algebras is not completely settled.
Let A be a topological algebra. To compute in A, a concrete representation
a : R - A
(7.1)
of A must be made where:

(i) R is a topological algebra, made from computable data types, on
which we can compute; and
478
(ii) a is a surjective continuous homomorphism that allows us to compute

on A by computing on R.
In particular, there is a set Compa(A) of functions on A computable in
terms of the representation (7.1).
In general terms, when comparing abstract and concrete models of computation, we may expect the following situation.
Let AbsComp(A) be a set of functions on A that is computable in an
abstract model of computation (e.g. the While language).
Let ConcRep(A) be a class of concrete representations of the form
a : R > A (e.g., a type 2 enumeration, or domain representation).
For a ConcRep(A), let Compa(A) be the set of functions on A
computable with the representation a.
Computing with a concrete representation R of an algebra A enables
more functions to be computable than with an abstract model of computation based solely on the operations. In fact, for a class of concrete models
of computation, we expect the following abstraction condition to hold:
AbsComp(A) C
^\aConcRep(A)ComP^(A}-
In the case of classes of concrete models of computation that are designed

to characterise the set of functions on A that can be computed, we can
further postulate (using the generalised Church-Turing thesis, cf. section
8.9):
While*(A) C
naeConcRep(A)CoTnP<*(A)
(compare (1.1) of Section 1.3). In the known concrete models, the computable functions are continuous, therefore the continuity of the abstract
computable functions is essential.
There is much to explore in the border between abstract and concrete
computability. In Stewart [1999] it is shown that if A is an effective metric
algebra with enumeration a, then the While* approximable functions on
A are a-effective. The converse is not true. To bridge this gap, nondeterministic choice must be added to the 'While' language, and manyvalued functions considered (see Tucker and Zucker [2000a]).
A theory of relations (or multi-valued functions) denned by generalised
Kleene schemes has been developed in Brattka [1996; 1997]. Among several
important results is an equivalence between the abstract computability
model based on Kleene schemes and Weihrauch's type 2 enumerability.
The distinction between abstract and concrete models made in Tucker
and Zucker [1999] has practical use in classifying the many approaches
to computability in concrete structures. However, this distinction needs
further theoretical refinement. One is reminded of the distinction between
'internal' and 'external', applied to higher type functionals, in Normann
[1982].
479
A survey of models of computability
In this section we will survey other abstract approaches to computability on

abstract algebras, and discuss two generalised Church-Turing theses: one
for computability of functions, and one for specification of relations, that
draw support from theorems estabilishing the equivalence of different models. Earlier we have surveyed the origins of these abstract generalisations
(section 1.4) and also the 'independent' development of abstract models for
computation on real and complex numbers (sections 6 and 7.10).
The alternative methods for defining While computable functions are
to be found in various mathematical contexts and have various objectives.
Technically, they share the abstract setting of a single-sorted abstract structure (i.e., an algebraic or a relational structure). Here we consider their
common purpose to be the characterisation of those functions effectively
computable in an abstract setting: their generalisation to a class of manysorted abstract algebras is not difficult.
The first alternative approach we look at in some detail, namely: the
class of functions defined from the operations of an algebra by the application of composition, simultaneous primitive recursion and least number search, which we call the fiPR computable functions. This model of
computation was created in Tucker and Zucker [1988] with the needs of
equational and logical definability in mind. A simpler generalisation using
induction schemes was made early on, in Engeler [l968a]. We have found
the various recursion schemes on N to be a primary source of technical
ideas about functions computable on an abstract algebra A, and a useful
tool for applications.
The While computable functions can also be characterised by approaches
based upon
(i) machine models;
(ii) high-level programming constructs;
(iii) axiomatic methods;
(iv) equational calculi;
(v) fixed-point methods for inductive definitions;
(vi) set-theoretic methods;
(vii) logical languages.
We will say something about each in turn.
8.1
Computability by function schemes
We will consider computability on TV-standard algebras formalised by

schemes, which apply uniformly to all algebras of some fixed Af-standard
signature . These generalise the schemes in Kleene [1952], for constructing functions over N by starting with some basic functions and applying to
these composition, simultaneous primitive recursion and the constructive
least number operator. We write a,/3,.,. for schemes.
Each scheme a will have a fixed type u > v, with domain type u and
480
range type v, both product types over E; we will also write a : u > v.
The semantics of such a scheme, for each A E.NStdAlg(E)(ihe class of
TV-standard S-algebras), will then be a function
IO!A : Au -> Av.
We will usually write aA for |a] .

We will consider four notions of computability by schemes: PR, PR*,
p,PR and (j,PR*, and see how they correspond with our basic notions of
computability involving While and For programs.
Definition 8.1 (PR computability). Given a standard signature S, we
will define the family
Pfl(E) = <Pfl(E) u _ + t ,| > ue ProdType(E)}
where PJR(E)U_,.W is the set of schemes of type u > v over E. Then for
any scheme a PR(E)u-+vand any A NStdAlg(), we can define a
function on A:
aA : Au - Av
of type u -> v. These schemes generalise the schemes for primitive recursive
functions over N in Kleene [1952]. They are generated as follows.
Basic function schemes
(i) Initial functions and constants. For each E-product type u, E-sort s
and function symbol F Func(S)u^s, there is a scheme F P/Z(E) U _ >S .
On each A .NStdAlg(), it defines the function
FA : Au - A..
(if) Projection. For all m > 0, u = si x . . . x sm and i with 1 , 6 PJ?(S)u_j.Si . It defines the projection function
u
,i : AU -> A*i on each A NStdAlg(V), where
for all (xi,... ,xm) Au.

(in) Definition by cases. For every E-sort s there is a scheme dc
P.R(E)BXSXS-S- It defines the function dc : B x A% * As on each
A NStdAlg(), where
if 6 = tt
for all 6 B and x,y Ag.
481
Induction: Building new function schemes from old

(iv) Vectorisation. For all S-product types u,v, where v = Si x . . . x s n ,
and for all schemes /31; . . . ,/3n, where /3, PH(E) u ^ Si for i = 1, . . . ,n,
there is a scheme a = vectu?j,(/3i,. . . ,/?) PH(S) tl _ >w . It defines the
function aA : Au -> v4w on each A eJVStd.A/0(S), where
for all x A".

(u) Composition. For all E-product types u,v,w, and for all schemes
/3 PR() U -> u and 7 6 PH(S)tIû, there is a scheme a = compu ,
(/?,7) PR()_y w . It defines the function aA : Au -4 ^l"1 on each
A NStdAlgCS), where
for all x&Au.

(vi) Simultaneous primitive recursion. For all S-product types u,v,w, and
for all schemes f3 6 PJl(E) u _ > ^ and 7 Pfl(S) natX uxt;-n) there is a scheme
a = prim U)t ,(/?,7) 6 -P-R(S) natxu ^ v . It defines the function aA : N X Au ->
Av on each A eTVStdAi^CS), where
aA(0,x)
a (z + l,x)
A
=
-
/3A(x)
7A (z, x, aA(z,x))
for all z e N and x ,4".

Now, for any A .NStdAlg(T,), we define
PR(A) = (PR(A)U^V
where
u,ve
PJl(A)u^v = {a^4 | a
It turns out that a broader class of functions provides a better generalisation of the notion of primitive recursiveness, namely P.R*(S) computability.
Definition 8.2 (PR* computability). We define P.R*(S) to be the

class of PJZ(*) schemes for which the domain and range types are in E,
i.e.,
P#*(E) =# (PR(Z*)u^v\u,vProdType(Z)
pfl(S').
Then any such scheme a e PR* ()_> defines a function aA : Au -> A41
on each A AT,Sttd.A/0(E).
Also PR* (A) is the set of PR* (E)-computable functions on A.
Next we add the constructive least number operator to the PR schemes.
482
Definition 8.3 (p,PR computability). The class of fj,PR schemes over
2,
/xP.R(E) - (nPR(E)u->v
u,v ProdType(E)),
is formed by adding to the PR schemes of Definition 8.1 the following:

(vii) Least number or n operator. For all E-product types u and for all
schemes 0 6 M-P-Ruxnat->booi there is a scheme a=min u (/3) p,PR(S)u^nM.
It defines the function aA : Au - N on each A NStdAlg(E), where for
all x e Au,
hat is, aA (x) \. z if, and only if, {3A (x, y) \. f for each y < z and f3A (x,z] \. ft.
Also fiPR(A) is the set of /xP.R(E)computable functions on A.
Note that this scheme (as well as the scheme for simultaneous primitive
recursion) uses the ./V-standardness of the algebra. Also, [iPR computable
functions are, in general, partial.
Again, however, a broader class turns out to be a better generalisation,
namely:
Definition 8.4 (pPR* computability). The class (iPR*() consists
of those (j,PR(E*) schemes for which the domain and range types are in
E, i.e.,
/xPH*(S) =df (fj.PR(^)u^v
\u,v ProdType(S))
M pfl(E*).
Also, for any A NStdAlgC), nPR*(A) is the set of pPR* (S)-computable

functions on A.
We now compare the above notions of scheme computability with our
notions of computability involving imperative programming languages.
They correspond as follows.
Theorem 8.5. For any N-standard T,-algebra A,
(a) PR(A) = For (A),

(b) PR* (A) = For* (A),
(c) tiPR(A) - While(A),
(d) nPR*(A) = While" (A).
These equivalences hold uniformly over E.
'Uniformity over E' in the above theorem means (taking, for example,
case (a), and writing PorProc(S) for the class of .For(E) procedures)
that there are effective mappings
0:
PJZ(E) - .ForProc(E)
tf>:
.ForProc(E) -> P-R(E)
and
483
(primitive recursive in the enumerated syntax) such that for all PR(H)
schemes a, For(E) procedures P and TV-standard S-algebras A,
[<t>(a)}A = la]A
and
W(P)]A
= [P]A-
and similarly for parts (6), (c) and (d).

Similar uniformity results hold for the equivalences stated in the following subsections.
The above theorem can be proved by the techniques of Tucker and
Zucker [1988] or Thompson [1987]. Part (a), in the classical case over N
or Z, was originally proved in Meyer and Ritchie [1967]. For an exposition
of parts (a) and (c) in the classical case, see, for example, Brainerd and
Landweber [1974], Kfoury et al. [1982], Davis and Weyuker [1983, Chapter
13] or Zucker and Pretorius [1993, Section 13].
Remark 8.6 (Course of values recursion). In our development above,
we considered the class PR(,) of primitive recursive schemes equivalent
to For(E) computability. From this we could obtain the class PB*()
of schemes equivalent to For*(S) computability by operating with the
same schemes PR, but over the extended array signature S*. An alternative approach for strengthening P.R() is to maintain the signature S,
but strengthen the recursion scheme. More precisely, we define the class
CR(E) of course of values recursive schemes by replacing the scheme (vi)
for simultaneous primitive recursion by the scheme
(vi') Simultaneous course of values recursion. For all E-product types
u, v and positive integers d, and for all schemes f3 eCfl(E) u _ K ,, 7
CR(E)natxuxvj_+v!aid6i,... ,6d where Si CB(S) nat xu-nat (i = 1, , d ) ,
there is a scheme
a = cvalu,,.^, 7, i,... ,)
It defines the function aA : N x Au -> A" on each A
where
NStdAlg(Z),
aA(0,x) = f)A(x)
and for z > 0
aA(z,x) =
i(z,x,aA(61(z,x),x),...,aA(Sd(z,x),x)),
where 6i are the 'reducing functions' derived from Si, defined by

Si(z,x) ~ min(S(z,x), z 1)
for z > 0.
We also define the class /*Cfl(S) of course of values recursive schemes

with the least number operator by adjoining the scheme (vii) for the ^
484
operator to CR(S).
8.5):
We then obtain the two equivalences (cf. Theorem
Theorem 8.7. For any N-standard H-algebra A,

(a) CR(A) = PR" (A) ( = For" (A))
(b) nCR(A) = nPR*(A) (= While*(A)).
Part (6) is proved in Tucker and Zucker [1988] by showing that p,CR(A)
While* (A). (Part (a) can be proved similarly.) This proof is more delicate
than the proofs for Theorem 8.5. The direction '<=' is based on local
representability and term evaluation arguments.
Remark 8.8 (Some applications of the scheme models).
(1) These can be used easily in the mathematical modelling of many deterministic systems, from computers (e.g. Harman and Tucker [1993]
to spatially extended non-linear dynamical systems (Holden et al.
[1992]).
(2) The uPR schemes have been adapted and extended to characterise
the computable relations on certain metric algebras, including the
algebra of reals (Brattka [1996; 1997]).
8.2
Machine models
Perhaps the most concrete approach to generalising computability theory

from N to an algebra A is that based upon models of machines that handle
data from A. To be specific, we consider some models called A-register machines that generalise, to a single-sorted relational structure A, the register
machine models on N in Shepherdson and Sturgis [1963] (see also Cutland
[1980] for a development of recursive function theory using register machines); the first A-register machines appeared in Friedman [l971a].
Some of these register machine models are used in work on real number
computation (Herman and Isard [1970], Shepherdson [1976] and Blum et
al. [1989]) and have been developed further independently of the earlier
literature (see our survey in section 1.4).
We will consider four types of A-register machine for an arbitrary singlesorted algebra.
A (basic) A-register machine has a fixed number of registers, each of
which can hold a single element of A. The machine can perform the basic
operations of A and decide the basic relations of A; in addition, it can
relocate data and test when two registers carry the same element.
Thus, the programming language that defines the A-register machine
has register names or variables r0, r\ , r 2 ,... and labels 0,1,2,..., and allows instructions of the form
r\ = F(r^,... ,r M m )
r\ := c
r\ := r^
if R(r^,... , r^ m ) then i else j
485
and, if equality is required,

if r\ = r^ then i else j
wherein A, p., /zi, pm N; i, j N are considered as labels; and F,c,R are
symbols for a basic operation, constant and relation, respectively.
A program for an A-register machine is called, in Friedman [l971a], a
finite algorithmic procedure or fap, and it has the form of a finite numbered
or labelled list of A-register machine instructions I\,... , /. Given a formal
definition of a machine state, containing the contents of registers and the
label of a current instruction, is it easy to formalise an operational semantics for the finite algorithmic procedures one in which the instructions
are given their conventional meaning.
On setting conventions for input and output registers we obtain the class
FAP(A) of all partial functions on A computable by all finite algorithmic
procedures on A-register machines.
Secondly, an A-register machine with counting is an A-register machine
enhanced with a fixed, finite number of counting registers. Each counting
register can hold a single element of N and the machine is able to put 0
into a counting register, add or subtract 1 from a counting register, and
test whether two counting registers contain the same number. Thus, an
A-register machine with counting is an A-register machine augmented by
a conventional register machine on N. (Implicitly, this is concerned with
the process of ^-standardisation of the algebra A by the addition of the
natural numbers N.)
The programming language that defines the A-register machine with
counting has new variables co,ci,C2,... for counting registers, and new
instructions
CA := 0
c\ := CM + 1
CA := CM - 1
if CA = CM then i else j
for A,/z N and i,j N considered as labels.
A program for an A-register machine with counting is called a finite
algorithmic procedure with counting or fapC, and is a finite numbered list
of machine instructions. Once again it is easy to give a formal semantics
for the language and to rigorously define the class FAPC(A) of all partial
functions on A computable by A-register machines with counting. The point
of this model is that it enhances computation on the abstract algebra A with
computation on N.
The A-register machine and A-register machine with counting, and their
classes of partial functions FAP (A) and FAPC(A), were introduced and
studied in Friedman [l971a].
Next, an A-register machine with stacking is an A-register machine augmented with a stacking device into which the entire contents of the algebraic
486
registers of the A-register machine can be copied at various points in the

course of a computation.
The programming language that defines the A-register machine with
stacking has a new variable s for the store or stack and the new instructions:
stack (i,r0,... ,rm)
restore (r 0 ,... , r,-_i, rj+i,... ,rm)
if s = empty then k else marker.
Here i,j, k N are considered as labels, and the machine has m registers and one stack. Intuitively, what they mean for the machine is as
follows. The 'stack' instruction commands the device to copy the contents
of all the registers and store at the top of a (single) stack, along with
the instruction label i. The 'restore' instruction returns to the registers
T O , . . . , TJ\ , TJ+I ,... ,rm the values stored at the top of the stack; the
value of TJ is lost (in order not to destroy the result of the subcomputation
preceding the 'restore' instruction), as is the instruction label. The test
instruction passes control to instruction k if the stack is empty and to the
instruction indexed by the label contained in the topmost element of the
stack otherwise.
A program for an A-register machine with stacking is called a finite
algorithmic procedure with stacking or fapS, and is a finite numbered list of
machine instructions. On formalising the semantics for the language, it is
easy to define the class FAPS(A) of all partial functions on A computable
by A-register machines with stacking.
Of course there are alternative designs for a stacking device of equivalent
computational power. The point of this model is that first, it enhances the
bounded finite algebraic memory available in computation by an A-register
machine with unbounded finite algebraic storage, and secondly, it does not
enable us to simulate counting with natural numbers.
Finally, an A-register machine with counting and stacking is an Aregister machine augmented by both a counting and stacking device. A
program for such a machine is called a finite algorithmic procedure with
counting and stacking or fapCS, and the class of all partial functions on A
computable by such machines is denoted FAPCS(A). This stack device
and its associated classes of functions FAPS(A) and FAPCS(A) were
introduced in Moldestad et al. [1980a; 1980b].
Of course, in the case of computability of the natural numbers A = N
we have
FAP(N)
= FAPC(N)
= FAPS(N)
FAPCS(N)
but in the abstract setting we have:

Theorem 8.9. For any single-sorted algebra A, the inclusion relationship
between the sets of functions is shown in Fig 17. Moreover, there exists an
algebra on which the above inclusions are strict.
487
FAPC(A)
FAP(A)
FAPCS(A)
FAPS(A)
Fig. 17.
This theorem is taken from Moldestad et al. [l980b]. It and other
results about these models make clear the fact that, when computing in
the abstract setting of an algebra A, adding
computation on N
unbounded algebraic memory over A
both separately, and together, increases the computational power of the
formalism.
The connection with the imperative models is easily described. Assuming the straightforward generalisation of the machine models to accommodate many-sorted algebra, we have:
Theorem 8.10. For any standard ^-algebra A,

While(A)
WhileN(A)
While* (A)
= FAP(A),
= FAPC(A),
= FAPCS(A).
Three other machine model formalisms of interest are the finite algorithmic procedures with index registers (fapIR) and countable algorithmic
procedures (cap) in Shepherdson [1973] and the generalised Turing algorithms (gTa) in Friedman [l971a], all equivalent to While* computability.
In the obvious notation, we have:
Theorem 8.11. For any standard 'S-algebra A,

FAPCS(A) = GTA(A) = FAPIR(A) = CAP(A) = While" (A).
In addition, it is convenient at this point to mention Friedman's effective definitional schemes (eds) which are a simple and transparent technical
device for defining and analysing computability on A. The effective definitional schemes have found a useful role in the logic of programs (see Tiuryn
[l981b], for example).
Theorem 8.12. For any standard Ti-algebra A,
FAPCS(A) = EDS(A)
= While* (A).
488
8.3
High-level programming constructs; program

schemes
Practical programming languages, especially imperative languages, are a

rich source of theoretical ideas about computation. However, their development, from the 1940s to the present, has not had a dominant role in
shaping computability theories. The development of high-level constructs,
abstract data types and non-deterministic constructs for algorithmic specification is clearly relevant.
The study of computability via machine models is akin to low-level
programming, where there is a simple correspondence between instructions
and machine operations. In high-level programming, abstractions away
from the machine are achieved wherein a program statement or command
can set off a sequence of machine operations. This break with programming a specific architecture increases the practical need for mathematical
semantics. All our algebraic models are high-level since they are based on
abstract data types that abstract from the data representations and their
algorithms.
We have, of course, already studied some high-level constructs in the
languages for While and While* programs. However, in contemplating
high-level constructs with regard to generalising computability theory, close
attention must be paid to the ideas about algorithms that motivate their
introduction. Clearly, recursion and iteration are distinct tools for defining
algorithms in connection with procedures. Non-deterministic constructs,
by contrast, are proposed as tools for algorithm specification, in order to
abstract away from algorithmic implementation. Non-deterministic control
and data commands, such as those in the guarded command language
if 6 1 - > 5 i | ) . . . , | & f c - > S f c f i
do bi - Si |,... , j bk - Sk od
(Dijkstra [1976]), or the non-deterministic assignment
x := y.$(x,y),
where $ is some condition relating y to x (Back [1983]), or the random

assignment
x :=?
(Apt and Plotkin [1986]), are needed to express appropriately the design
of an algorithm. We have examined some of these non-deterministic constructs in section 5, where we showed, for example, that the random assignment defines projectively semicomputable sets.
In building a generalisation, it is prudent to concentrate on making a
comprehensive deterministic theory, having clear relations with 'classical'
computability theory on N, and its applications to other data types such as
K. Technically, to appreciate non-deterministic constructs, a deterministic
theory is a necessary prerequisite. Unfortunately, there are unanswered
489
questions as to the nature of the relationships between non-determinism,

specification and non-computability, and (correspondingly) between determinism, implementation and computability. The programming of computations involving non-deterministic aspects of control, concurrency and
communication is also an important topic that we leave unexplored. (We
have dealt with synchronous concurrency in concurrent assignments and
in the scheme of simultaneous primitive recursion in section 8.1.) We will
return to the broad theme of programming languages and computability
theory in section 8.9.
Here we will briefly draw attention to a body of early work on the
computational power of elementary control and data structures.
The systematic classification of programming features such as iterations, recursions, 'goto's, arrays, stacks, queues and lists seems to have
begun in earnest with Luckham et al. [1970] and Paterson and Hewitt
[1970]. The central notions are that of a program scheme and its interpretation in a model, and that of the equivalence of program schemes in all
models. These ideas may be considered as technical precursors of the corresponding syntactic and semantic concepts we use here, namely: program,
state transformer semantics, abstract data type, equivalence on K. The
importance of a general syntactic notion of a program scheme that can be
applied to abstract structures was discussed in Luckham and Park [1964]
and Engeler [1967]. We note that in the latter paper computation over
arbitrary classes of structures is treated in the course of analysing program
termination by means of logical formulae from a simple fragment of CWltlt>;
Engeler [1967] is the origin of algorithmic and dynamic logic.
The study of the power of programming features came to be known
as program schematology. Like program verification, the subject was contemporary with, but independent of, research on programming language
semantics. The necessity of introducing abstract structures in such a classification project is easy to understand. From the point of view of programming theory the equivalence of most algorithmic formalisms for computing
on N with the partial recursive functions on N is a mixed blessing. This
stability of the computational models illuminates our perception of the
scope and limits of computer languages and architectures, and has many
technical applications in the mathematical theory of computation. However, the restriction to N fails to support an analysis of the intuitive differences between programming with and without arrays, 'goto's, Boolean
variables, and so forth.
The research on schematology has produced several program constructs
and languages that are weaker than or equivalent to those of the four basic
machine models discussed in section 8.2. We refer the reader to Greibach
[1975] for a general introduction to schematology and, in particular, to
Shepherdson [1985] for a detailed discussion of many important results and
their relation to machine models. Other significant references are Constable
and Cries [1972], Chandra [1973] and Chandra and Manna [1972].
490
High-level imperative programming models were slow to enter mainstream computability theory, despite attention being drawn to the value
of this approach in Scott [1967]. Some early textbooks to feature such
programming models were Brainerd and Landweber [1974], Manna [1974],
Bird [1976] and Clark and Cowell [1976].
8.4
Axiomatic methods
In an axiomatic method one defines the concept of a computation theory as

a set Q(A) of partial functions on an algebra A having some of the essential
properties of the set of partial recursive functions on N. To take an example,
Q(A) can be required to contain the basic algebraic operators of A; be
closed under operations such as composition; and, in particular, possess
an enumeration for which appropriate universality and s-m-n properties
(see, for example, Rogers [1967]) are true. Thus in section 4 we saw that
While* (A) is a computation theory in this sense.
It is important to note that computation theory definitions, of which
there are a number of equivalent examples, require N to be part of the
underlying structures A for the indexing of functions:
axiomatic methods specifically address N-standard structures
and classes of N-standard structures.
With reference to the definition sketched above, the following theorem
is of importance here:
Theorem 8.13. The set While* (A) of While* computable functions on
an N-standard algebra A is the smallest set of partial functions on A to
satisfy the axioms of a computation theory; in consequence, While* (A) is
a subset of every computational theory Q(A) on A.
The definition of a computation theory used here is from Fenstad [1975;
1980] which take up the ideas in Moschovakis [1971]. We note that
the While computable functions coincide with the prime computable functions of Moschovakis.
Theorem 8.13 can be deduced using work in Moldestad et ai [I980b];
see also Fenstad [1980, Chapter 0].
The development of axiomatisations of computable functions includes
Strong [1968] and Wagner [1969]. The axiomatisation of subrecursive functions is tackled in Heaton and Wainer [1996].
8.5
Equational definability
One of the earliest formalisations of effective computability was by means of

functions effectively reckonable in an equational calculus, a method known
as equational or Herbrand-Godel-Kleene definability. This was the method
employed to define the recursive functions in important works such as
Church [1936] and Kleene [1952].
491
Equational definability may be generalised from N to an arbitrary algebra A with the natural result that, if A is an TV-standard structure,
equational definability is equivalent with While* computability. The first
attempt at such a generalisation is Lambert [1968]. We sketch a simpler
treatment from Moldestad and Tucker [1981], adapted to many-sorted algebras.
First we choose a language Eqn= Eqn() for defining equations over
a signature S and transforming them in simple deductions. Let Eqn
have constants a, 6, c,... and variables x, y, z,... for data; and variables
p,q,r,... for functions. Using the basic operations of the signature, we
inductively define E-terms t,... in the usual way. An equation in Eqn is
an expression e = (ti = t^), where t\ and t% are terms of the same sort.
A deduction of an equation e from a set of equations E is a list e\,... ,ek
of equations such that for each i = 1,... , k one of the following holds:
(*) et E;
(ii) ei is obtained from BJ for some j < i by replacing every occurrence
of a variable x in BJ by a constant c;
(Hi) et is obtained from ej for some j = (t = c).
An equation e is defined to be formally derivable or deducible from E,
written E h e, if there is a deduction of e from E.
Thus, it remains to formulate equational deductions with respect to a
given algebra A of signature E in order to formulate what it means for a
function / on A to be equationally definable on A. This is essentially giving
our system a semantics. The first semantical problem is to allow the basic
operations of A to play a role in deductions from a set of equations E, and
this is accomplished by permitting
E\-p(c1,...,cn) = c if FA(cA,...,cA) = CA.

This is the reason why we add the constants to Eqn.
The second semantical problem is to prove a single-valuedness property
of the form:
E\-p(a,... ,c n ) = 01 and E\-p(ci,... ,cn) = a2
=>
01 = a 2 .
This done, we can define / : Au -> A to be equationally definable over A

if for some finite set of equations E and some function symbol p,
E\-p(Cl,... ,cn) = c = f(cA,... ,CA) = CA
for all constants of Eqn.
Let Eqn(A) denote the set of all equationally definable functions on A.
492
Theorem 8.14.
(a) For any standard 'E-algebra A,

Eqn(A) = FAPS(A).
(b) For any N-standard E-algebra A,
Eqn(A) = FAPCS(A) = While* (A).
8.6
Inductive definitions and fixed-point methods
The familiar definition of the recursive functions on N based on the primitive recursion scheme of Dedekind and Godel, and the least number operator of Kleene, appeared in Kleene [1936]. Kleene provided a thorough
revision of the process of recursion on N sufficiently general to include recursion in objects of higher function type: see Kleene [1959; 1963]. In
Platek [1966] there is an abstract account of higher-type recursion.
Studies of higher type inductive definitions have been taken up by D.
Scott and Y. Ershov, whose work forms part of domain theory (see, for
example, Stoltenberg-Hansen et al. [1994]). The central technical notion
is that of fixed points of higher type operators.
In Moldestad et al. [I980a] Platek's methods were analysed and classified in terms of the machine models of section 8.2. Like equational definability, definability by fixed-point operators applies to an arbitrary algebra
A and is there equivalent to fapS computability. Thus, this notion coincides
with While* definability in an JV-standard structure. We will sketch the
method (adapted to many-sorted algebras).
First we construct the language FPD= FPD(S) for defining fixedpoint operators. Let FPD have the data and function variables of Eqn,
the equation language of section 8.5. Using the basic operations of the
signature and the A-abstraction notation, we create a set of fixed-point
terms of both data and function types:
t
::=
x\p\F\T(ti,...,tn)\fy[>(p-yi,...,yn-t].
Here p is a function variable, F is a basic operation of S, T is a term of

type function, t\,... ,tn and t are terms of type data, and y\,... , y n are
data variables.
Each term defines a function on each algebra A of signature E. The
definition of the semantics of terms is by induction on their construction,
the terms of the form
f p [ A p - j / i , . . . ,yn-t]
being assigned the unique least fixed point of the continuous monotonic
operator defined by the notation Xp y\,... , yn t.
A function / : Au A is definable by fixed-point terms over A if there
is a term t such that for all x Au, f ( x ) ~ t(x).
Let FPD(A) denote the set of all functions definable by fixed-point
terms over A.
493
Theorem 8.15.
(a) For any standard 2,-algebra A,
FPD(A) = FAPS(A).
(b) For any N-standard 'S-algebra A,
FPD(A) = FAPCS(A) = While* (A).
For more details see Moldestad et al. [I980a].
An approach to computation on abstract data types, alternative to that
presented in this chapter, is the development in Feferman [I992a; 1992b]
of a theory of abstract computation procedures, defined by least fixed-point
schemes, influenced by Moschovakis [1984; 1989]. The 'abstract data types'
here are classes of structures similar to our standard partial many-sorted
algebras, abstract in the sense that they are closed under isomorphism,
and the computation procedures are abstract in the sense that they are
isomorphism invariant on the data types; cf. Theorem 3.24. Types (or
sorts) and operations can have an intensional or extensional interpretation.
Another treatment of inductive definitions (also influenced by Moschovakis) and a survey of their connections with machine models is given in
Hinman [1999].
8.7
Set recursion
Given a structure on A one can construct a set-theoretic hierarchy H(A.)

over A, taking A as so-called urelements, and, depending upon the construction, develop a recursion theory on H(A). This is the methodology in
Normann [1978] where combinatorial operations on sets are employed to
make a generalisation of computability. In Moldestad and Tucker [1981],
Normann's set recursion schemes are applied to the domain HF(A), the
set of hereditarily finite subsets, so as to invest the general construction
with computational content. HF(A) is inductively defined as follows:
(t) A C HF(A);
(ii) if a i , . . . ,a n e HF(A)then {ai,... ,a n } HF(A), n > 0.
Thus, 0 EHF(A), a copy of N is imbedded in HF(A), and copies
of An (n = 2,3,...) are embedded in HF(A). From computability on
HF(A) a notion of computability on A, set recursiveness, is easily obtained. Then, writing SR(A) for the class of set-recursive functions on A,
we have:
Theorem 8.16. For any standard H-algebra A,
SR(A) = While" (A).
8.8
A generalised ChurchTuring thesis for computability
The While* computable functions are a mathematically interesting and

useful generalisation of the partial recursive functions on N to abstract
494
many-sorted algebras A and classes K of such algebras. Do they also give

rise to an interesting and useful generalisation to A and K. of the ChurchTuring thesis, concerning effective computability on N?
They do; though this answer is difficult to explain fully and briefly. In
this section we will only sketch some reasons. The issues are discussed in
more detail in Tucker and Zucker [1988].
Consider the following naive attempt at a generalisation of the ChurchTuring thesis.
Thesis 8.17 (A naive generalised Church-Turing thesis for
computability).
(a) The functions 'effectively computable' on a many-sorted algebra A
are precisely the functions While* computable on A.
(b) The families of functions 'effectively computable' uniformly over a
class K of such algebras are precisely the families of functions uniformly While* computable over K.
Consider now: what can be meant by 'effective computability' on an
abstract algebra or class of algebras?
In the standard situation of calculation with N, the idea of effective
computability is complicated, as it is made up from many philosophical
and mathematical ideas about the nature of finite computation with finite or concrete elements. For example, its analysis raises questions about
the mechanical representation and manipulation of finite symbols; about
the equivalence of data representations; and about the formalisation of
constituent concepts such as algorithm; deterministic procedure; mechanical procedure; computer program; programming language; formal system;
machine; and the functions definable by these entities.
The idea of effective computability is particularly deep and valuable
because of the close relationships that can be shown to exist between its
distinct constituent concepts. However, only some of these constituent
concepts can be reinterpreted or generalised to work in an abstract setting;
and hence the general concept, and term, of 'effective computability' does
not belong in a generalisation of the Church-Turing thesis. In addition,
since finite computation on finite data is truly a fundamental phenomenon,
it is approriate to preserve the term with its established special meaning.
In seeking a generalisation of the Church-Turing thesis we are trying
to make explicit certain primary informal concepts that are formalised by
the technical definitions, and hence to clarify the nature and use of the
computable functions.
We will start by trying to clarify the nature and use of abstract structures. There are three points of view from which to consider the step from
concrete structures to abstract structures, and hence three points of view
from which to consider the While* computable functions.
First, there is abstract algebra, which is a theory of calculation based
upon the 'behaviour' of elements in calculations without reference to their
495
'nature'. This abstraction is achieved through the concept of isomorphism

between concrete structures; an abstract algebra A is 'a concrete algebra
considered unique only up to isomorphism'.
Secondly, there is formal logic, which is a theory about the scope and
limits of axiomatisations and formal reasonings. Here structures and classes
of structures are used to discuss formal systems and axiomatic theories in
terms of consistency, soundness, completeness, and so on.
Thirdly, in programming language theory, there is data type theory,
which is about data types that users may care to define and that arise
independently of programming languages. Here structures are employed
to discuss the semantics of data types, and isomorphisms are employed
to make the semantics independent of implementations. In addition, axiomatic theories are employed to discuss their specifications and implementation.
Data type theory is built upon and developed from the first two subjects: it is our main point of view.
Computation in each of the three cases is thought of slightly differently.
In algebra, it is natural to think informally of algorithms built from the
basic operations that compute functions and sets in algebras, or over classes
of algebras uniformly. In formal logic, it is natural to think of formulae that
define functions and sets, and their manipulation by algorithms. In data
type theory, we use programming languages to define a computation. Each
of these theories, because of its special concerns and technical emphasis,
leads to its own theory of computability on abstract structures.
Suppose, for example, the While* computable functions are considered
with the needs of doing algebra in mind. Then the context of studying
algorithms and decision problems for algebraic structures (groups, rings
and fields, etc.) leads to a formalisation of a generalised Church-Turing
thesis tailored to the language and use of an algebraist:
Thesis 8.18 (Generalised Church-Turing thesis for algebraic computability).
(a) The functions computable by finite deterministic algebraic algorithms
on a many-sorted algebra A are precisely the functions While*
computable on A.
(b) The families of functions uniformly so computable over a class K
of such algebras are precisely the families of functions uniformly
While* computable over K.
An account of computability on abstract structures from the point of view
of algebra is given in Tucker [1980].
Now suppose that the While* computable functions are considered
with the needs of computer science in mind. The context of studies of data
types, programming and specification constructs, etc., leads to a formulation tailored to the language and use of a computer scientist:
Thesis 8.19 (Generalised ChurchTuring thesis for programming
496
languages). Consider a deterministic programming language over an abstract data type dt.
(a) The functions that can be programmed in the language on an algebra
A which represents an implementation of dt, are the same as the
functions While* programmable on A.
(b) The families of functions that can be programmed in the language
uniformy over a class K of implementations of dt, are the same as
the families of functions While* programmable over K
The thesis has been discussed in Tucker and Zucker [1988].
The logical view of computable functions and sets, with its focus on
axiomatic theories and reasoning, is a more abstract view of computation
than the view from algebra and data type theory, with their focus on algorithms and programs. The logical view is directed at the specification of
computations.
8.9
A Church-Turing thesis for specification
In the course of our study, we have met logical and non-deterministic languages that define in a natural way the projectively computable sets (and,
equivalently, the projectively semicomputable sets). These languages are
motivated by the wish to specify problems and computations, and to leave
open all or some of the details of the programs that will solve the problems
and perform the computations.
To better understand the role of the projective computable sets, we
introduce the idea of an algorithmic specification language which includes
some ideas about non-deterministic programming languages. The properties that characterise an algorithmic specification language are forms of
algorithmically validating a specification. An algorithmic specification language is an informal concept that is intended to complement that of a
deterministic programming language. The problem we consider is that of
formalising the informal notion of an algorithmic specification language by
means of a generalised Church-Turing thesis for specification, based on
projectively computable sets.
There are four basic components to a computation:
(0) a data type;
(1) a specification of a task to be performed or problem to be solved;
(2) specifications for algorithms whose input/output behaviour accomplishes the task or solves the problem; and
(3) algorithms with appropriate i/o behaviour.
We model mathematically these components of a computation, by assuming
that:
(0) a data type is a many-sorted algebra, or class of algebras;
(1) a specification of the task or problem is defined by a relation on the
algebra;
497
(2) specifications of algorithms for the task or problem are defined by

functions on the algebra; and
(3) algorithms are defined by programs that compute functions on the
algebra.
Usually, the relations, functions and programs are defined uniformly over
a class of algebras.
Given a specification
S C Au x Av
on an algebra A, the task is: for all x Au, to calculate all or some y Av
such that R(x, y) holds, if any such y exist. The set
D =df
{xA\3yR(x,y)}
may be called the domain of the task.

Thus the task of computing the relation can be expressed in the following functional form:
R: Au - P(AV)
(where P(A") is the power set of Av), defined for x Au by
R(x) =4 {y e A* \ R(x,y)}.
Quite commonly, the task is 'simplified' to computing one or more so-called
selection functions for the relation.
Definition 8.20 (Selection functions). Let R C Au x Av be a relation.
A function
/ : Au - Av
is a selection function for R if
(i) Vx[3yR(x,y) = f(x) | and R(x,f(x))]; and
(it) Vx[/(ar)4, =**(*,/(*))].
Notice that the domain and range of a selection function / are projections:
dom(f)
ran(f)
= {xeAu\3yR(x,y)},
= {y Av \ 3xR(x,y)}.
Note also that

any partial function f is definable as the unique selection function for its graph G(f) = {(x,y) \ f ( x ) | y}.
Other sets of use in specification theory can be derived from these sets
(e.g. weakest preconditions and strongest postconditions see Tucker and
Zucker [1988]).
498
To define and reason about computations on a data type, we must define

a class of relations, functions and programs on an algebra A. The key ideas
are those of formal languages that define functions, called programming
languages, and those that define relations, called specification languages.
The relation between a programming language P and a specification
language S is that of satisfaction
\= C
PxS
defined for p e P and s 6 S by

p (= s <=>
the function defined by p is a selection function

for the relation defined by s.
What properties of relations are needed for a specification language?

We propose two properties. The first is that it should be possible to
'validate' ('test', 'check', ...) data against each specification. A basic question is, therefore:
For any given data x and y, can we validate whether or not the
given y is a valid output for the given input x ?
We define the following informal concept:
Definition 8.21 (Algorithmic specification language). An algorithmic specification language is a language in which any data for any task can
be validated.
The process of validation depends on the relations defined by the specification. Our theory of computability on algebras presents three cases:
Definition 8.22 (Algorithmic validation of specifications). Let 5
be a specification language.
(a) S has decidable validation if each relation it defines is computable.
(b) S has semidecidable validation if each relation it defines is semicomputable.
(c) 5 has projectively decidable validation if each relation it defines is
projectively computable.
The second property is 'adequacy'. A specification language may be
quite expressive, containing specifications for tasks for which there does not
exist an algorithmic solution. It should, however, be capable of expressing
at least all those tasks which are algorithmic. We therefore define the
following informal concept:
Definition 8.23 (Adequate specification language). A specification
language is adequate if all computations can be specified in it.
499
To specify a function is to define a relation for which it is a selection

function. Recall that any function is definable as the unique selection function for its graph. Consider the adequacy of an algorithmic specification
language with each of the three types of algorithmic validation above.
(a) If a specification language has decidable validation then not every partial computable function can be specified uniquely, since the graph of
a partial computable function need not be computable (by a standard
result of classical computation theory).
(6) If a specification language has semidecidable validation then every
partial computable function can be specified uniquely, since the graph
of a partial computable function is semicomputable.
(c) Thus a specification language with projectively decidable validation is
also adequate for the definition of all possible computations.
Furthermore, there are many occasions when the adequacy of a specification formalism demands greater expressiveness. The problem is to allow
a class of specifications that extends that of the semicomputable relations,
and yet retains some chance of an effective test or check.
For example, let E C A be a computable subset of an algebra A and
consider the membership relation for the subalgebra (E) of A generated
by E; using established notations, this is defined by:
a<=(E) <> 3k>Q3ei,... ,ek E3t Term(S)[T7(t,e 1) ... ,ek) = a}.
This relation is not semicomputable, nor even projectively computable over
A, but projectively computable over A* .
In examples of the above kind, the computation and specification of y
from x involves a finite sequence of auxiliary data z* that is 'hidden' from
R, but can be recovered from the specification and algorithm. This type
of specification R has the form
where RQ is computable. That is, R is projectively computable (or semicomputable) over A* .

This is a weak form of the concept of a specification that can be validated algorithmically.
We have seen a number of methods, involving logical and non-deterministic
languages, all of which define the projections of computable sets (or, equivalently, of semicomputable sets); we recall them briefly:
(i) Projections in first-order languages. Consider the first-order languages
Lang()
and
Lang(*)
over the signatures E and S* with their usual semantics. The relations that are EX definable in these languages are the projectively
While and While* computable sets.
500
(ii) Horn clause languages. In Tucker and Zucker [1989; 1992a] we studied a generalisation of logic programming languages based on Horn
clauses, and a semantics based on resolution. The relations definable
in this specification-cum-programming language were the projectively
While* computable sets. The logic programming model was shown
to be equivalent to certain classes of logically definable functions (Fitting [1981]).
(Hi) Other definabilities. In Fitting [1981] the relations are shown to be
equivalent to those definable in Montague [1968]. Hence, by work in
Gordon [1970], these all coincide with the search computable functions of Moschovakis [l969a]. A summary of these results is contained
in Tucker and Zucker [1988, section 7].
(iv) Non-deterministic programming languages. Finally, recall from section 5 that we have seen that constructs allowing non-deterministic
choices of data, state, or control in programming languages also lead
to the projectively computable sets. In particular, the models
While* computability with initialisation and
While* computability with random assignments
were analysed.
The equivalence results suggest that the concepts of projective computablity and semicomputability are stable in the analysis of models of
specification. The concept of an algorithmic specification language in its
weak form, together with all the above equivalence results, leads us to formulate the following generalised Church-Turing thesis for specification, to
complement that for computation:
Thesis 8.24 (Generalised ChurchTuring thesis for specification
on abstract data types). Consider an adequate algorithmic specification
language S over an abstract data type dt.
(a) The relations on a many-sorted algebra A implementing dt that can
be specified in S are precisely the projectively While* computable
relations on A.
(b) The families of relations over a class K of such algebras implementing
dt, that can be specified in S, uniformly over K, are precisely the
families of uniformly projectively While* computable relations over
This thesis has been discussed in Tucker and Zucker [1988].
8.10
Some other applications
Computations on many-sorted algebras lead to many investigations and

applications. We conclude by mentioning two.
501
(i) Provably computable selection functions. In this chapter we have not

dealt with proof systems, or the connections between provability and computability. In Tucker and Zucker [1988] we developed one such connection,
namely the use of proof systems for verifying program correctness.
Another connection is based on classical proof theory, and its application to computability on the naturals. In Tucker et al. [1990] and Tucker
and Zucker [1993] we investigated the generalisation of a particular problem
in classical proof theory to the context of ^-standard many-sorted signatures and algebras. Specifically, we developed classical and intuitionistic
formal systems for theories over AT-standard signatures S. We showed, in
the case of universal theories (i.e., theories with axioms containing only
universal quantifiers) that, in either of these systems:
if an existential assertion is provable, then it has a PR* () selection
function.
(Recall the discussion of selection functions in section 8.9.) It follows that
if a (j,PR* () function scheme is provably total, then it is extensionally equivalent over S to a P.R*(S) scheme.
The methods are proof-theoretical, involving cut elimination. These results
generalise to an abstract setting previous results of Parsons [1971; 1972] and
Mints [1973] over the natural numbers.
(if) Computation on stream algebras. A stream over a set A is a sequence
of data from A
... , o(t), ...
indexed by time t 6 T. Discrete time T is modelled by the naturals N,
and the space of all streams over A is the set [N -> A] of functions from N
to A.
Streams are ubiquitous in computing. In hardware, where clocking
and timing are important, most systems process streams (see McEvoy and
Tucker [1990] and Moller and Tucker [1998]). Models of stream computation are needed for any wide spectrum specification method such as FOCUS
(see Broy et al. [1993]).
A general theory of stream processing is given in Stephens [1997].
There is a strong need to incorporate stream computation in a general theory of computation on many-sorted algebras. Some first steps in
this direction, partly motivated by technical questions arising in an algebraic study of stream processing by synchronous concurrent algorithms
(see Thompson and Tucker [1991]), were taken in Tucker and Zucker [1994;
1998].
Another approach to this problem has been developed in Feferman
[1996], within (an extensional version of) the framework of computation
theory on abstract data types presented in Feferman [l992a; 1992b], as
summarised in section 8.6.
The relationship between these two theories of stream computations
remains to be investigated.
502
We conclude with a brief survey of the former approach (Tucker and

Zucker [1994]). Here we consider the following problem: Given a algebra
A (which we suppose for notational simplicity is single-sorted), consider
stream transformations of the form
/ : [N-^]"1-^-^]
as well as their cartesian or uncurried forms
cart(f) : [N -*A]m x N -> A
defined by
We ask the following questions.
For any algebra A, what are the computable stream transformations
over A ?
What is their relation to the computable functions on A?
To answer these, we extend A to the stream algebra A (section 2.8), and
consider various models of computation MC(A) over A, as well as the
corresponding models of computation MC(A) over A. These models of
computation MC include the schemes
PR,
PR*,
fj,PR,
uPR*.
We also consider the operation of stream abstraction or currying inverse to

cart: for any function
g: D x N-> A,
where D is any cartesian product of carriers of A, construct the function
\abs(g) : >->[N-yi]
defined by
(\aba(g))(d)(n)
= g(d,n).
The addition of this construct to models of computation MC leads to models of computation XM.C(A):
XPR,
\PR*,
XpPR,
\nPR*.
We investigate the relationships between these various models; for example, we prove some computational conservativity results: for any function / on A,
fePR(X)
^=* fePR(A)
and similarly for \PR*: XfiPR and \/j,PR*. We also show that computability is not invariant under Cartesian forms, i.e., there are functions
/ such that

/ i PR(A)
but
503
cart(f) e PR(A)
and similarly for XPR*, XfiPR and XîPR*. Further, 'A-elimination' does
not hold, i.e., there are functions / such that
/ XPR(A)
but
/ i PR(A);
for example, the function const"4: A -t [N -> A], which maps data a A to
the stream const"4(a) [N -*A] with constant value a, is in XPR(A) but
not in PR(A), or even in fiPR*(A). However, we do have X-elimination
+ cartesian form, in the sense that
fXPR(A)
^ cart(f) PR(A),
and similarly for XPR*, Xp,PR and XpPR*.

There are advantages to working with stream transformers via their
cartesian forms. It is then true, but difficult to show, that the class of
computable functions so denned is closed under composition (Stephens and
Thompson [1996]).
Suppose now we ask for a model of computability to satisfy a generalised
Church-Turing thesis for stream computations. The model nPR*(A) obtained from our previous generalised Church-Turing thesis on arbitrary
standard algebras (section 8.8, substituting A for A) would be too weak,
since (as we have seen) even the constant stream function const"4 is not
computable in it. However, we can show, as a corollary of the computational conservativity results, that the following models of computation are
equivalent:
XfiPR(A),
Xfj,PR(A),
XnPR*(A),
XnPR(A*).
This shows that the model
\HPR(A)
is robust, and suggests it as a good candidate for a generalised ChurchTuring thesis for stream computations.
(Hi) Equational specification of computable functions. Many functions are
defined as solutions of systems of equations from, for example, datatype
theory or real analysis. Sometimes considerable effort is expended in devising algorithms to implement or compute these functions; this is the raison
d'etre of numerical methods for differential and integral equations.
It is possible to develop a theory of equational specifications for functions on algebras, including topological algebras. In Tucker and Zucker
[2000b] it is shown that any While* approximable function on a total
metric algebra is the unique solution of a finite system of conditional equations, which can be chosen uniformly over all algebras of the signature, and
over all While* computations. The converse however is not true; specifiability by conditional equations is a more powerful device than While*
approximation - how much more powerful, remains to be investigated.
504
References
The great majority of the publications listed here are referenced in the
text. Some papers, however, marked with a star next to the date, are not
so referenced. They are included here as a guide to further reading, either
because they shed some light on the historical development of the subject,
or because they provide useful further information in certain areas, such as
program verification and computation on the reals.
[American Standards Association, 1963] American Standards Association.
Proposed American standard flowchart symbols for information processing, Communications of the Association for Computing Machinery
6:601-604, 1963.
[Apt, *198l] K. R. Apt. Ten years of Hoare's logic: A survey Part 1,
ACM Transactions on Programming Languages and Systems 3:431-483,
1981.
[Apt and Plotkin, 1986] K. R. Apt and G. D. Plotkin. Countable nondeterminism and random assignment, Journal of the Association for Computing Machinery, 33:724-767, 1986.
[Arbib and Give'on, *1968] M. A. Arbib and Y. Give'on. Algebra automata I: Parallel programming as a prolegomena to the categorical
approach, Information and Control 12:331-345, 1968.
[Ashcroft and Manna, *197l] E. Ashcroft and Z. Manna. The translation
of 'go to' programs to 'while' programs, Information Processing, 71:147152, 1971.
[Ashcroft and Manna, *1974] E. Ashcroft and Z. Manna. Translation program schemas to while-schemas, SIAM Journal of Computing 4:125-146,
1974.
[Asser, *1960] G. Asser. Rekursive Wortfunktionen, Zeitschrift fur mathematische Logik und Grundlagen der Mathematik 6:258-278, 1960.
[Asser, 1961] G. Asser. Funktionen-Algorithmen und Graphschemata,
Zeitschrift fur mathematische Logik und Grundlagen der Mathematik
7:20-27, 1961.
[Back, 1983] R. J. R. Back. A continuous semantics for unbounded nondeterminism, Theoretical Computer Science 23:187-210, 1983.
[de Bakker, 1980] J. W. de Bakker. Mathematical Theory of Program Correctness, Prentice Hall, 1980.
[Banachowski et al., *1977] L. Banachowski, A. Kreczmar, G. Mirkowska,
H. Rasiowa and A. Salwicki. An introduction to algorithmic logic, mathematical investigations in the theory of programs. In Mathematical Foundations of Computer Science, A. Mazurkiewicz and Z. Pawlak eds, pp.
7-99, Banach Center Publications, 1977.
[Barwise, *1975] J. Barwise. Admissible Sets and Structures, SpringerVerlag, 1975.
505
[Becker, 1986] E. Becker. On the real spectrum of a ring and its application to semialgebraic geometry, Bulletin of the American Mathematical
Society (N.S.) 15:19-60, 1986.
[Bergstra and Tucker, *1980a] J. A. Bergstra and J. V. Tucker. A natural
data type with a finite equational final semantics specification but no
effective equational initial semantics specification. Bulletin of the European Association for Theoretical Computer Science 11:23-33, 1980.
[Bergstra and Tucker, *1980b] J. A. Bergstra and J. V. Tucker. A characterisation of computable data types by means of a finite equational specification method. In 7th International Colloquium on Automata, Languages and Programming, Noordwijkerhout, The Netherlands, July 1980.
J. W. de Bakker and J. van Leeuwen eds, Lecture Notes in Computer
Science 85, pp. 76-90, Springer-Verlag, 1980.
[Bergstra and Tucker, *1982a] J. A. Bergstra and J. V. Tucker. The completeness of the algebraic specification methods for data types, Information & Control 54:186-200, 1982.
[Bergstra and Tucker, *1982b] J. A. Bergstra and J. V. Tucker. Some natural structures which fail to possess a sound and decidable Hoare-like
logic for their while-programs, Theoretical Computer Science 17:303-315,
1982.
[Bergstra and Tucker, *1982c] J. A. Bergstra and J. V. Tucker. Expressiveness and the completeness of Hoare's logic, Journal of Computer &
Systems Science 25:267-284, 1982.
[Bergstra and Tucker, *1982d] J. A. Bergstra and J. V. Tucker. Two theorems about the completeness of Hoare's logic, Information Processing
Letters, 15:143-149, 1982.
[Bergstra and Tucker, *1983a] J. A. Bergstra and J. V. Tucker. Hoare's
logic and Peano's arithmetic, Theoretical Computer Science 22:265-284,
1983.
[Bergstra and Tucker, *1983b] J. A. Bergstra and J. V. Tucker. Initial and
final algebra semantics for data type specifications: two characterization
theorems, SIAM Journal of Computing 12:366-387, 1983.
[Bergstra and Tucker, *1984a] J. A. Bergstra and J. V. Tucker. Hoare's
logic for programming languages with two data types, Theoretical Computer Science 28:215-221, 1984.
[Bergstra and Tucker, *1984b] J. A. Bergstra and J. V. Tucker. The axiomatic semantics of programs based on Hoare's logic, Acta Informatica
21:293-320, 1984.
[Bergstra and Tucker, *1987] J. A. Bergstra and J. V. Tucker. Algebraic
specifications of computable and semicomputable data types, Theoretical
Computer Science 50:137-181, 1987.
[Bergstra et al, *1982] J. A. Bergstra, J. Tiuryn and J. V. Tucker. Floyd's
principle, correctness theories and program equivalence, Theoretical
506
[Bird, 1976] R. Bird. Programs and Machines: An Introduction to the Theory of Computation, John Wiley and Sons, 1976.
[Bishop, 1967] E. Bishop. Foundations of Constructive Analysis, McGrawHill, 1967.
[Bishop and Bridges, 1985] E. Bishop and D. Bridges. Constructive Analysis, Springer-Verlag, 1985.
[Blanck, 1997] J. Blanck. Domain representability of metric spaces, Annals
of Pure and Applied Logic 83:225-247, 1997.
[Blum and Smale, 1993] L. Blum and S. Smale. The Godel incompleteness
theorem and decidability over a ring. In From Topology to Computation:
Proceedings of the Smalefest, M. W. Hirsch, J. E. Marsden and M. Schub
eds, pp. 321-339, Springer-Verlag, 1993.
[Blum et al., 1989] L. Blum, M. Shub and S. Smale. On a theory of computation and complexity over the real numbers: NP-completeness, recursive functions and universal machines, Bulletin of the American Mathematical Society 21:1-46, 1989.
[Blum et al., 1996] L. Blum, F. Cucker, M. Shub and S. Smale. Complexity
and real computation: A manifesto, International Journal of Bifurcation
and Chaos 6(l):3-26, 1996.
[Bohm and Jacopini, 1966] C. Bohm and G. Jacopini. Flow diagrams, Turing machines and languages with only two formation rules, Communications of the Association for Computing Machinery, 9:366-371, 1966.
[Brainerd and Landweber, 1974] W. S. Brainerd and L. H. Landweber.
Theory of Computation, John Wiley & Sons, 1974.
[Brattka, 1996] V. Brattka. Recursive characterisation of computable realvalued functions and relations, Theoretical Computer Science 162:45-77,
1996.
[Brattka, 1997] V. Brattka. Order-free recursion on the real numbers,
Mathematical Logic Quarterly 43:216-234, 1997.
[Brocker and Lander, 1975] T. Brocker and L/C. Lander. Differentiate
Germs and Catastrophes, London Mathematical Society, Lecture Notes
Series 17, Cambridge University Press, 1975.
[Brown et al., *1972] S. Brown, D. Gries and T. Szymanski. Program
schemes with pushdown stores, SIAM Journal of Computing 1:242-268,
1972.
[Broy et al, 1993] M. Broy, F. Dederichs, C. Dendorfer, M. Fuchs, T. F.
Gritzner and R. Weber. The design of distributed sytems: An introduction to FOCUS, Technical Report TUM-19202-2, Institut fur Informatik,
Technical University of Munich, January 1993.
[Burris and Sankappavanar, 1981] S. Burris and H. P. Sankappavanar. A
Course in Universal Algebra, Springer-Verlag, 1981.
[Byerly, *1993] R. E. Byerly. Ordered subrings of the reals in which output
sets are recusively enumerable, Proceedings of the American Mathematical Society 118:597-601, 1993.
507
[Ceitin, 1959] G. S. Ceitin. Algebraic operators in constructive complete

separable metric spaces, Doklady Akademii Nauk SSSR 128:49-52,1959.
[Chandra, 1973] A. K. Chandra. On the properties and applications of program schemas, PhD. thesis, Department of Computer Science, Stanford
University, 1973.
[Chandra, 1974] A. K. Chandra. The power of parallelism and nondeterminism in programming. In Information Processing '74, North-Holland,
pp. 461-465, 1974.
[Chandra and Manna, 1972] A. K. Chandra and Z. Manna. Program
schemes with equality. In Proceedings of the 4th Annual ACM Symposium on the Theory of Computing, Denver, Col. pp. 52-64, Association
for Computing Machinery, 1972.
[Chandra and Manna, 1975] A. K. Chandra and Z. Manna. On the power
of programming features, Journal of Computer Languages 1:219-232,
1975.
[Chaplin, 1970] N. Chaplin. Flowcharting with the ANSI Standard, Computer Surveys 2:119-30, 1970.
[Church, 1936] A. Church. An unsolvable problem of elementary number
theory, American Journal of Mathematics 58: pp. 345-363, 1936.
[Clark and Cowell, 1976] K. L. Clark and D. F. Cowell. Programs, Machines and Computation: An Introduction to the Theory of Computing,
McGraw-Hill, 1976.
[Clarke, *1979] E. M. Clarke, Jr. Programming language constructs for
which it is impossible to obtain good Hoare-like axioms, Journal of the
ACM 26:126-147, 1979.
[Clarke, *1984] E. M. Clarke, Jr. The characterization problem for
Hoare logic, Philisophical Transactions of the Royal Society of London
J4:312;423-440, 1984.
[Clarke et al, *1983] E. M. Clarke, Jr., S. German and J. Y. Halpern. Effective axiomatization of Hoare logics, Journal of the Association for
Computing Machinery, 30:612-636, 1983.
[Constable and Gries, 1972] R. L. Constable and D. Gries. On classes of
program schemata, SIAM Journal of Computing 1:66-118, 1972.
[Cook, *1978] S. A. Cook. Soundness and completeness of an axiom system
for program verification, SIAM Journal of Computing 7:70-90, 1978;
corrigendum [1981], ibid. 10, 612.
[Cucker et al., *1994] F. Cucker, M. Shub and S. Smale. Separation of complexity classes in Koiran's weak model, Theoretical Computer Science
13:3-14, 1994.
[Cutland, 1980] N. J. Cutland. Computability: An Introduction to Recursive Function Theory, Cambridge University Press, 1980.
[Dariko, *1983] W. Dariko. Algebraic properties of finitely generated structures. In Proceedings in Logics of Programs and their Applications,
508
Poznan 1980, A. Salwicki ed., Lecture Notes in Computer Science 148,

pp. 118-131, Springer-Verlag, 1983.
[Davis, 1958] M. Davis Computability and Unsolvability. McGraw-Hill,
1958. (Reprinted [1983], Dover.)
[Davis and Weyuker, 1983] M. D. Davis and E. P. Weyuker. Computability,
Complexity, and Languages, Academic Press, 1983.
[Davis et al., 1994] M. D. Davis, R. Sigal and E. P. Weyuker. Computability, Complexity, and Languages (2nd edition), Academic Press, 1994.
[Devaney, 1989] R. Devaney. An Introduction to Chaotic Dynamical Systems, Addison Wesley, 1989.
[Dijkstra, 1976] E. W. Dijkstra. A Discipline of Programming, Prentice
Hall, 1976.
[Dugundji, 1966] J. Dugundji. Topology, Allyn and Bacon, 1966.
[Edalat, 1995a] A. Edalat. Domain theory and integration, Theoretical
[Edalat, 1995b] A. Edalat. Dynamical systems, measures, and fractals via
domain theory, Information & Computation 120:32-48, 1995.
Specification 1, EATCS Monographs 6, Springer-Verlag, 1985.
[Eilenberg and Elgot, *1968] S. Eilenberg and C. C. Elgot. Iteration and
recursion, IBM Research Report RC-2148, 1968.
[Eilenberg and Elgot, *1970] S. Eilenberg and C. C. Elgot. Recursiveness,
[Eilenberg and Wright, *1967] S. Eilenberg and J. B. Wright. Automata in
general algebras, Information & Control 11:452-470, 1976.
[Elgot, *1966a] C. C. Elgot. Abstract algorithms and diagram closure. In
Programming Languages, Genuys ed., pp. 1-42, Academic Press, 1966,
also: Preprint, IBM Laboratory Vienna (1966) (presented at NATO
Summer School on Programming Languages, Villard-de-Lans (Isere),
Prance, September 1966).
[Elgot, *1966b] C. C. Elgot. A notion of interpretability of algorithms in
algorithms, Preprint, IBM Laboratory Vienna (presented at NATO Summer School on Programming Languages, Villard-de-Lans (Isere), Prance,
September 1966).
[Elgot, *1966c] C. C. Elgot. Machine species and their computation languages. In Formal Language Description Languages for Computer Programming, Proceedings of the IFIP Working Conference on Formal Language Description Languages, Amsterdam, T. B. Steel, Jr., ed., NorthHolland, pp. 160-178, 1966.
[Elgot, *1970] C. C. Elgot. The common algebraic structure of exitautomata and machines, IBM Research Report RC-2744, 1970.
[Elgot, *197l] C. C. Elgot. Algebraic theories and program schemes. In
Symposium on Algorithmic Semantic Languages, E. Engeler ed., Lecture
Notes in Mathematics 188, Springer-Verlag, 1971.
509
[Elgot and Robinson, *1964] C. C. Elgot and A. Robinson. Randomaccess, stored-program machines. An approach to programming Languages, Journal of the Association for Computing Machinery, 11:365399, 1964.
[Elgot et ai, *1966] C. C. Elgot, A. Robinson and J. D. Rutledge. Multiple
control computer models, IBM Research Report RC-1622, 1966.
[Enderton, 1977] H. B. Enderton. Elements of recursion theory. In Handbook of Mathematical Logic, J. Barwise, ed., pp. 527-566, North-Holland,
1977.
[Engeler, 1967] E. Engeler. Algebraic properties of structures, Mathematical Systems Theory 1:183-195, 1967.
[Engeler, 1968a] E. Engeler. Formal Languages: Automata and Structures,
Markham Publishing Co., 1968.
[Engeler, 1968b] E. Engeler. Remarks on the theory of geometrical constructions. In The Syntax and Semantics of Infinitary Languages, Lecture Notes in Mathematics 72, pp. 64-76, Springer-Verlag, 1968.
[Engeler, 1971] E. Engeler. Structure and meaning of elementary programs.
In Symposium on Semantics of Algorithmic Languages, Lecture Notes in
Mathematics 188, pp. 89-101, Springer-Verlag, 1971.
[Engeler, 1975a] E. Engeler. On the solvability of algorithmic problems,
in Logic Colloquium '73, H. E. Rose and J. C. Shepherdson eds, pp.
231-251, North-Holland, 1975.
[Engeler, 1975b] E. Engeler. Algebraic logic. In Foundations of Computer
Science, Mathematical Centre Tracts No. 63, J. W. de Bakker, ed., Amsterdam, pp. 57-85, 1975.
[Engeler, 1993] E. Engeler. Algebraic Properties of Structures, World Scientific, 1993.
[Ershov, 1958] A. P. Ershov. On operator algorithms, Doklady Akademii
Nauk SSSR 122:967-970, 1958 (in Russian), translated in Automation
Express 1:20-23, 1959.
[Ershov, I960] A. P. Ershov. Operator algorithms I, Problemi Kibernetiki
3, 1960. (in Russian), translated in Problems of Cybernetics 3, 1962.
[Ershov, 1962] A. P. Ershov. Operator algorithms II, Problemi Kibernetiki
8:211-233 (in Russian), 1962.
[Ershov, *198l] A. P. Ershov. Abstract computability on algebraic structures. In Algorithms in Modern Mathematics and Computer Science, A.
P. Ershov and D. E. Knuth, eds, Lecture Notes in Computer Science
122, Springer-Verlag, 1981.
[Ershov and Shura-Bura, 1980] A. P. Ershov and M. R. Shura-Bura. The
early development of programming in the USSR. In A History of Computing in the Twentieth Century, E. N. Metropolis, J. Hewlett and G.-C.
Rota eds, pp. 137-196, Academic Press, 1980.
[Feferman, 1992a] S. Feferman. A new approach to abstract data types, I:
510
Informal development, Mathematical Structures in Computer Science 2:

pp. 193-229, 1992.
[Feferman, 1992b] S. Feferman. A new approach to abstract data types,
II: Computability on ADTs as ordinary computation. In Computer Science Logic, E. Borger, G. Jager, H. Kleine Biining and M. M. Richter
eds, Lecture Notes in Computer Science 626, pp. 79-95, Springer-Verlag,
1992.
[Feferman, 1996] S. Feferman. Computation on abstract data types: The
extensional approach, with an application to streams, Annals of Pure
and Applied Logic 81:75-113, 1996.
[Fenstad, 1975] J. E. Fenstad. Computation theories: an axiomatic approach to recursion on general structures. In ISILC Logic Conference,
Kiel 1974, G. Miiller, A. Oberschelp and K. Potthoff eds, Lecture Notes
in Mathematics 499, pp. 143-168, Springer-Verlag, 1975.
[Fenstad, 1980] J. E. Fenstad. Recursion Theory: An Axiomatic Approach,
[Fitting, 1981] M. Fitting. Fundamentals of Generalized Recursion Theory,
[Floyd, *1967] R. W. Floyd. Assigning meaning to programs. In Mathematical Aspects of Computer Science, J. T. Schartz ed, pp. 19-32, American
Mathematical Society, 1967.
[Friedman, 1971a] H. Friedman. Algebraic procedures, generalized Turing
algorithms, and elementary recursion theory. In Logic Colloquium '69,
R. 0. Gandy and C. M. E. Yates eds, pp. 361-389, North-Holland, 1971.
[Friedman, *1971b] H. Friedman. Axiomatic recursive function theory. In
Logic Colloquium '69, R. 0. Gandy and C. M. E. Yates eds, pp. 113-137,
[Friedman and Mansfield, *1992] H. Friedman and R. Mansfield. Algebraic
procedures, Transactions of the American Mathematical Society 332:297312, 1992.
[Gabrovsky, *1976] P. Gabrovsky. Models for an axiomatic theory of computability, PhD thesis, Syracuse University, 1976.
[Gandy, *1980] R. 0. Gandy. Church's thesis and principles for mechanisms. In The Kleene Symposium, J. Barwise, H. J. Keisler and K. Kunen
eds, pp. 123-148, North-Holland, 1980.
[Garland and Luckham, *1973] S. J. Garland and D. C. Luckham. Program schemes, recursion schemes, and formal languages, Journal of Computer and Systems Science 7:119-160, 1973.
[Goguen et al, *1978] J. A. Goguen, J. W. Thatcher and E. G. Wagner.
An initial approach to the specification, correctness and implementation
of abstract data types. In Current Trends in Programming Methodology,
4: Data Structuring, R.T. Yeh ed, pp. 80-149, Prentice Hall, 1978.
[Goldstine and von Neumann, 1947] H. H. Goldstine and J. von Neumann.
Planning and Coding Problems for an Electronic Computing Instrument,
511
Institute for Advanced Study, Princeton, 1947. Reprinted in A. H. Traub

ed, John von Neumann's Collected Works, 5, pp. 80-235, Pergamon,
1963.
[Goodstein, 1964] R. L. Goodstein. Recursive Number Theory, NorthHolland, 1964.
[Gordon, 1970] C. E. Gordon. Comparisons between some generalizations
of recursion theory, Compositio Mathematica 22:333-346, 1970.
[Gordon, *197l] C. E. Gordon. Finitistically computable functions and relations on an abstract structure (abstract), Journal of Symbolic Logic
36:704, 1971.
[Gorn, *196l] S. Gorn. Specification languages for mechanical languages
and their processors, Communications of the Association for Computing
Machinery 4:532-542, 1961.
[Grabowski, *198l] M. Grabowski. Full weak second-order logic versus algorithmic logic, In Proceedings in Mathematical Logic in Computer Science, Colloquia Mathematica Societatis Janos Bolyai 26, pp. 471-483,
[Grabowski and Kreczmar, *1978] M. Grabowski and A. Kreczmar. Dynamic theories of real and complex numbers. In Mathematical Foundations of Computer Science '78, J. Winkowski ed., Lecture Notes in
Computer Science 64, pp. 239-249, Springer-Verlag, 1978.
[Greibach, 1975] S. A. Greibach. Theory of Program Structures: Schemes,
Semantics, Verification, Lecture Notes in Computer Science 36,
[Grzegorczyk, 1955] A. Grzegorczyk. Computable functions, Fundamenta
Mathematicae 42:168-202, 1955.
[Grzegorczyk, 1957] A. Grzegorczyk. On the defintions of computable real
continuous functions, Fundamenta Mathematicae 44:61-71, 1957.
[Guttag, *1977] J. V. Guttag. Abstract data types and the development
of data structures, Communications of the Association for Computing
Machinery 20:396-404, 1977.
[Harel, *1980] D. Harel. On folk theorems, Communications of the Association for Computing Machinery 23, 1980.
[Harel, *1984] D. Harel. Dynamic logic. In Handbook of Philisophical Logic,
II, D. Gabbay and F. Guenthner eds, pp. 497-604, Reidel, 1984.
[Harel et al., *1977] D. Harel, A. R. Meyer and V. R. Pratt. Computability
and completeness in logics of programs. In Proceedings of the 9th Annual
ACM Symposium on the Theory of Computing, Boulder, Colorado, 1977.
[Harman and Tucker, 1993] N. A. Harman and J. V. Tucker. Algebraic
methods and the correctness of microprocessors. In Correct Hardware
Design and Verification Methods, G. J. Milne and L. Pierre eds, Lecture
Notes in Computer Science 683, pp. 92-108, Springer-Verlag, 1993.
[Harnik, *1975] V. Harnik. Effective proper procedures and universal
512
classes of program schemata, Journal of Computer & Systems Science

10:44-61, 1975.
[Heaton and Wainer, 1996] A. Heaton and S. Wainer. Subrecursion theories. In Computability, Enumerability, Unsolvability, S. B. Cooper, S.
S. Wainer and T. A. Slaman eds, London Mathematical Society Lecture
Note Series, Cambridge University Press, 1996.
[Hemmerling, *1994] A. Hemmerling. On genuine complexity and kinds
of nondeterminism, Journal of Information Processing and Cybernetics
30:77-96, 1994.
[Hemmerling, *1995] A. Hemmerling. Computability and complexity over
structures of finite type, Preprint Nr. 2-1995, Preprint-Reihe Mathematik, Ernst-Moritz-Arndt-Universitat, Greifswald, 1995.
[Hemmerling, *1998] A. Hemmerling. Computability of string functions
over algebraic structures, Mathematical Logic Quarterly 44:1-44, 1998.
[Herman and Isard, 1970] G. T. Herman and S. D. Isard. Computability
over arbitrary fields, Journal of the London Mathematical Society 2:7379, 1970.
[Hinman, 1999] P. G. Hinman. Recursion on abstract structures. In Handbook of Computability Theory, E. Griffor ed., pp. 315-359. Elsevier, 1999.
[Hoare, *1969] C. A. R. Hoare. An axiomatic basis for computer programming, Communications of the Association for Computing Machinery
12:576-583, 1969.
[Hobley et al., *1988] K. M. Hobley, B. C. Thompson and J. V. Tucker.
Specification and verification of synchronous concurrent algorithms: a
case study of a convoluted algorithm. In The Fusion of Hardware Design and Verification (Proceedings of IFIP Working Group 10.2 Working
Conference), G. Milne ed, pp. 347-374, North-Holland, 1988.
[Hocking and Young, 1961] J. G. Hocking and G. S. Young. Topology, Addison Wesley, 1961.
[Holden et al, 1992] A. V. Holden, M. Poole, J. V. Tucker and H. Zhang.
Coupled map lattices as computational systems. American Institute of
Physics - Chaos, 2: 367-376, 1992.
[lanov, 1960] I. lanov. The logical schemes of algorithms, Problemi Kibernetiki 1:75-127,1958 (in Russian). Translated in Problems of Cybernetics
1:82-140, 1960.
[igerashi, *1968] S. Igerashi. An axiomatic approach to the equivalence
problems of algorithms with applications, Report from the Computing
Centre of the University of Tokyo 1, 1968.
[Ivanov, *1986] L. L. Ivanov. Algebraic Recursion Theory, Ellis Horwood,
1986.
[Jacopini, *1966] G. Jacopini. Macchina Universale di von Neumann ad
unico comando incondizionato, Calcolo 3:23-29, 1966.
[Jervis, 1988] C. A. Jervis. On the specification, implementation and verification of data types, PhD thesis, Department of Computer Studies,
513
University of Leeds, 1988.

[Kaluzhnin, 1961] A. Kaluzhnin. Algorithmization of mathematical problems, Problemi Kibernetiki 2, 1959 (in Russian). Translated in Problems
of Cybernetics 2, 1961.
[Kaphengst, *1959] M. Kaphengst. Eine abstrakte programmgesteuerte
Rechenmaschine, Zeitschrift fur mathematische Logik und Grundlagen
der Mathematik 5: 366-379, 1959.
[Kaplan, *1969] D. M. Kaplan. Regular expressions and the equivalence of
programs, Journal of Computer & System Sciences, 3:361-386, 1969.
[Karp and Miller, *1969] R. M. Karp and R. E. Miller. Parallel program
schemata, Journal of Computer & Systems Science 3:147-195, 1969.
[Kelley, 1955] J. L. Kelley. General Topology, Van Nostrand, 1955.
Reprinted Springer-Verlag, 1975.
[Kfoury, *1972] A. J. Kfoury. Comparing algebraic structures up to algorithmic equivalence. In International Colloquium on Automata, Languages and Programming, Paris, 1972, M. Nivat, ed., pp. 235-264,
[Kfoury, *1983] A. J. Kfoury. Definability by programs in first-order structures, Theoretical Computer Science 25:1-66, 1983.
[Kfoury, *1985] A. J. Kfoury. Definability by deterministic and nondeterministic programs (with applications to first-order dynamic logic),
Information & Control 65:98-121, 1985.
[Kfoury and Park, *1975] A. J. Kfoury and D. M. Park. On the termination of program schemas, Information & Control 29:243-251, 1975.
[Kfoury and Urzyczyn, *1985] A. J. Kfoury and P. Urzyczyn. Necessary
and sufficient conditions for the universality of programming formalisms,
Acta Informatica 22:347-377, 1985.
[Kfoury et al, 1982] A. J. Kfoury, R. N. Moll and M. A. Arbib. A Programming Approach to Computability, Springer-Verlag, 1982.
[Kleene, 1936] S. C. Kleene. General recursive functions of natural numbers, Mathematische Annalen 112:727-742, 1936.
[Kleene, 1952] S. C. Kleene. Introduction to Metamathematics, NorthHolland, 1952.
[Kleene, 1959] S. C. Kleene. Recursive functionals and quantifiers of finite
types I, Transactions of the American Mathematical Society 91:1-52,
1959.
[Kleene, 1963] S. C. Kleene. Recursive functionals and quantifiers of finite
types II, Transactions of the American Mathematical Society 108:106142, 1963.
[Klop, 1992] J. W. Klop. Term rewriting systems. In Handbook of Logic in
Computer Science, Vol. 1, S. Abramsky, D. Gabbay and T. Maibaum
eds, pp. 2-116, Clarendon Press, 1992.
[Knuth, *1974] D. E. Knuth. Structured programming with 'go to' statements, Computing Surveys 6:261-301, 1974.
514
[Knuth and Prado, *1980] D. Knuth and L. T. Prado. The early development of programming languages. In A History of Computing in the
Twentieth Century, N. Metropolis, J. Hewlett and G.-C. Rota eds, pp.
197-273, Academic Press, 1980.
[Ko, 1991] K.-I. Ko. Complexity Theory of Real Functions, Birkhauser,
1991.
[Kolmogorov, *1953] A. N. Kolmogorov. O ponyatii algoritma, Uspekhi
Matematicheskikh Nauk 814:175-176, 1953.
[Kreczmar, *1977] A. Kreczmar. Programmability in fields, Fundamenta
Informaticae 1:195-230, 1977.
[Kreisel, 1971] G. Kreisel. Some reasons for generalizing recursion theory.
In Logic Colloquium '69, R. O. Gandy and C. M. E. Yates eds, pp. 139198, North-Holland, 1971.
[Kreisel and Krivine, 1971] G. Kreisel and J. L. Krivine. Elements of Mathematical Logic, North-Holland, 1971.
[Kreitz and Weihrauch, 1985] C. Kreitz and K. Weihrauch. Theory of representations, Theoretical Computer Science 38:35-53, 1985.
[Lacombe, 1955] D. Lacombe. Extension de la notion de fonction recursive
aux fonctions d'une ou plusieurs variables reelles, I, II, III, Comptes
Rendus de I'Academie des Sciences Paris 240:2470-2480,241:13-14,151153, 1955.
[Lacombe, *197l] D. Lacombe. Recursion theoretic structure for relational
systems. In Logic Colloquium '69, R. O. Gandy and C. M. E. Yates eds,
pp. 3-18, North-Holland, 1971.
[Lambert, 1968] W. M. Lambert, Jr. A notion of effectiveness in arbitrary
structures, Journal of Symbolic Logic, 33:577-602, 1968.
[Lauer, 1967] P. E. Lauer. The formal explicates of the notion of algorithm,
Technical Report TR 25.072, IBM Laboratory, Vienna, 1971.
[Lauer, 1968] P. E. Lauer. An introduction to H. Thiele's notions of algorithm, algorithmic process and graph-schemata calculus, Technical Report TR 25.079, IBM Laboratory, Vienna, 1968.
[Levien, *1962] R. E. Levien. Set-theoretic formalizations of computational
algorithms, computable functions and general purpose computers. In
Proceedings of the Symposium on the Mathematical Theory of Automation, New York, American Mathematical Society, pp. 101-123, 1962.
[Lucas et al, 1968] P. Lucas, P. E. Lauer and H. Stigleitner. Method and
notation for the formal definition of programming languages, Technical
Report TR 25.087, IBM Laboratory, Vienna, 1968.
[Luckham and Park, 1964] D. Luckham and D. M. Park. The undecidability of the equivalence problem for program schemata, Report 1141, Bolt,
Beranek and Newman Inc., 1964.
[Luckham et al., 1970] D. Luckham, D. M. Park and M. S. Paterson. On
formalized computer programs, Journal of Computer & Systems Science
4:220-249, 1970.
515
[Machtey and Young, 1978] M. Machtey and P. Young. An Introduction to

the General Theory of Algorithms, North-Holland, 1978.
[Mahr and Makowsky, *1984] B. Mahr and J. A. Makowsky. Characterizing specification languages which admit initial semantics, Theoretical
[Makowsky and Sain, *1989] J. A. Makowsky and I. Sain. Weak second order characterization of various program verification systems, Theoretical
[Mal'cev, 1973] A. I. Mal'cev. Algebraic Systems, Grundlehren der mathematischen Wissenschaften 192, Springer-Verlag, 1973.
[Manna, 1974] Z. Manna. Mathematical Theory of Computation, McGrawHill, 1974.
[Martin and Tucker, *1988] A. R. Martin and J. V. Tucker. The concurrent
assignment representation of synchronous systems, Parallel Computing
9:227-256, 1988.
[McCarthy, *1960] J. McCarthy. Recursive functions of symbolic expressions and their computation by machine, Part I, Communications of the
Association for Computing Machinery 3:184-195, 1960.
[McCarthy, *1962] J. McCarthy. Towards a mathematical science of computation, in Proceedings of the International Congress of Information
Processing pp. 21-34, 1962.
[McCarthy, 1963] J. McCarthy. A basis for a mathematical theory of computation. In Computer Programming and Formal Systems, P. Braffort
and D. Hershberg, eds., North Holland, Amsterdam, pp. 33-70, 1963.
[McEvoy and Tucker, 1990] K. McEvoy and J. V. Tucker, eds. Theoretical
Foundations of VLSI Design, Cambridge University Press, 1990.
[McKenzie et al, 1987] R. N. McKenzie, G. F. McNulty and W. F. Taylor.
Algebras, Lattices, Varieties 1, Wadsworth and Brookes Cole, 1987.
[McNaughton, 1982] R. McNaughton. Elementary Computability, Formal
Languages and Automata, Prentice Hall, 1982.
[Meer, *1993] K. Meer. Komplexitatsbetrachtungen fur reelle Maschinenmodelle, Shaker Verlag, 1993.
[Meer and Michaux, *1996] K. Meer and C. Michaux. A survey on real
structural complexity theory, Bulletin of the Belgian Mathematical
Socitety 3:113-148, 1996.
[Megiddo, *1993] N. Megiddo. A general NP-completeness theorem. In
From Topology to Computation: Proceedings of the Smalefest, M. W.
Hirsch, J. E. Marsden and M. Schub eds, pp. 432-442, Springer-Verlag,
1993.
[Meinke and Tucker, 1992] K. Meinke and J.V. Tucker. Universal algebra.
In Handbook of Logic in Computer Science, Vol. 1, S. Abramsky, D.
Gabbay and T. Maibaum eds, pp. 189-411, Clarendon Press, 1992.
[Melzak, *196l] Z. A. Melzak. An informal arithmetical approach to com-
516
putability and computation, Canadian Mathematical Bulletin, 4:279293, 1961.

[Meseguer and Goguen, 1985] J. Meseguer and J. A. Goguen. Initiality, induction and computability. In Algebraic Methods in Semantics, M. Nivat
and J. Reynolds eds, pp. 459-541, Cambridge University Press, 1985.
[Meyer and Ritchie, 1967] A. R. Meyer and D. M. Ritchie. The complexity of loop programs. In Proceedings of the 22nd National Conference,
Association for Computing Machinery, pp. 465-469, Thompson Book
Company, 1967.
[Meyer and Tiuryn, *1982] A. R. Meyer and J. Tiuryn. A note on equivalences among logics of programs. In Proceedings in Logics of Programs,
Yorktown Heights 1981, D. Kozen ed, Lecture Notes in Computer Science
92, Springer-Verlag, 1982.
[Michaux, *1989] C. Michaux. Une remarque a propos des machines sur
R. In Comptes Rendus de I'Academic des Sciences Paris, Serie 7309:
pp. 435-437, 1989.
[Michaux, *1990] C. Michaux. Machines sur les reels et problemes
NP-complets. In Seminaire de structures algebriques ordonnees,
Prepublication de 1'equipe de logique mathematique de Paris 7, 1990.
[Michaux, *199l] C. Michaux. Ordered rings over which output sets are
recursively enumerable, Proceedings of the American Mathematical Society, 112:569-575, 1991.
[Milner, *1969] Equivalences on program schemes. Journal of Computer &
System Sciences 4: 205-219, 1969.
[Mints, 1973] G. Mints. Quantifier-free and one-quantifier systems, Jounal
of Soviet Mathematics 1:71-84, 1973.
[Moldestad and Tucker, 1981] J. Moldestad, and J. V. Tucker. On the classification of computable functions in an abstract setting. Unpublished
manuscript, 1981.
[Moldestad et al, 1980a] J. Moldestad, V. Stoltenberg-Hansen and J. V.
Tucker. Finite algorithmic procedures and inductive definability, Mathematica Scandinavica 46:62-76, 1980.
[Moldestad et al, 1980b] J. Moldestad, V. Stoltenberg-Hansen and J. V.
Tucker. Finite algorithmic procedures and inductive definability, Mathematica Scandinavica 46:77-94, 1980.
[Montague, 1968] R. Montague. Recursion theory as a branch of model theory, Logic, Methodology & Philosophy of Science III, B. van Rootselaar
and J. F. Staal eds, North-Holland, pp. 63-86, 1968.
[Moschovakis, 1964] Y. N. Moschovakis. Recursive metric spaces, Fundamenta Mathematicae 55:215-238, 1964.
[Moschovakis, 1969a] Y. N. Moschovakis. Abstract first-order computability I, Transactions of the American Mathematical Society 138:427-464,
1969.
517
[Moschovakis, *1969b] Y. N. Moschovakis. Abstract first-order computability II, Transactions of the American Mathematical Society
138:465-504,1969.
[Moschovakis, *1969c] Y. N. Moschovakis. Abstract computability and invariant definability, Journal of Symbolic Logic, 34:605-633, 1969.
[Moschovakis, 1971] Y. N. Moschovakis. Axioms for computation theories
first draft. In Logic Colloquium '69, R. O. Gandy and C. E. M. Yates
eds, pp. 199-255, North-Holland, 1971.
[Moschovakis, *1974] Y. N. Moschovakis. Elementary Induction on Abstract Structures, North-Holland, 1974.
[Moschovakis, 1984] Y. N. Moschovakis. Abstract recursion as a foundation
for the theory of recursive algorithms. In Computation and Proof Theory,
M. M. Richter, E. Borger, W. Obserschelp, B. Schinzel and W. Thomas,
eds, Lecture Notes in Mathematics 1104, pp. 289-364, Springer-Verlag,
1984.
[Moschovakis, 1989] Y. N. Moschovakis. The formal language of recursion,
Journal of Symbolic Logic 54:1216-1252,1989.
[Miiller and Tucker, 1998] B. Miiller and J. V. Tucker, eds. Prospects
for Hardware Foundations. Lecture Notes in Computer Science 1546,
[Normann, 1978] D. Normann. Set-recursion. In Generalized Recursion
Theory II: Proceedings of the 1977 Oslo Symposium, J. E. Fenstad,
R. 0. Gandy and G. E. Sacks eds, pp. 303-320, North-Holland, 1978.
[Normann, 1982] D. Normann. External and internal algorithms on the
continuous functionals. In Patas Logic Symposium, G. Metakides, ed,
Studies in Logic, vol. 109, pp. 137-144. North-Holland, 1982.
[Parsons, 1971] C. Parsons. On a number theoretic choice scheme II (Abstract), Journal of Symbolic Logic 36:587, 1971.
[Parsons, 1972] C. Parsons. On n-quantifier induction, Journal of Symbolic
Logic 37:466-482, 1972.
[Paterson, *1967] M. S. Paterson. Equivalence problems in a model of computation, PhD thesis, Cambridge University, 1967.
[Paterson, *1968] M. S. Paterson. Program schemata, Machine Intelligence
3:19-31, 1968.
[Paterson and Hewitt, 1970] M. S. Paterson and C. E. Hewitt. Comparative schematology. In Record of Project MAC Conference on Concurrent
Systems and Parallel Computation pp. 119-128, ACM; also MIT, AI
Technical Memo 201, 1979.
[Peter, 1958] R. Peter. Graphschemata und rekursive Funktionen, Dialectica 2:373-393, 1958.
[Peter, 1967] R. Peter. Recursive Functions, Academic Press, 1967.
[Phillips, 1992] I. C. C. Phillips. Recursion theory. In Handbook of Logic
in Computer Science, Vol. 1, S. Abramsky, D. Gabbay and T. Maibaum
eds, pp. 79-187, Clarendon Press, 1992.
518
[Plaisted, *1972] D. Plaisted. Program schemas with counters. In Proceedings of the 4th Annual ACM Simposium on the Theory of Computing,
Denver, Col. pp. 44-51, Association for Computing Machinery, 1972.
[Platek, 1966] R. A. Platek. Foundations of recursion theory, PhD thesis,
Department of Mathematics, Stanford University, 1966.
[Pour-El and Caldwell, 1975] M. B. Pour-El and J. C. Caldwell. On a
simple definition of computable function of a real variable with applications to functions of a complex variable, Zeitschrift fur mathematische
Logik und Grundlagen der Mathematik 21:1-19, 1975.
[Pour-El and Richards, 1989] M. B. Pour-El and J. I. Richards. Computability in Analysis and Physics, Springer-Verlag, 1989.
[Rice, 1954] H. G. Rice. Recursive real numbers, Proceedings of the American Mathematical Society 5:784-791, 1954.
[Rogers, 1967] H. Rogers, Jr. Theory of Recursive Functions and Effective
Computability, McGraw-Hill, 1967.
[Rutledge, *1964] J. D. Rutledge. On lanov's program schemata, Journal
of the Association for Computing Machinery 11:1-9, 1964.
[Rutledge, *1970] J. D. Rutledge. Parallel processesschemata and transformations, IBM Research Report RC-2912 1970. Also in Architecture
and Design of Digital Computers, Boulayeed., pp. 91-129, Dunod, 1971.
[Rutledge, *1973] J. D. Rutledge. Program Schemes as Automata 1, Journal of Computer & System Sciences 7:543-578, 1973.
[Saint John, *1994] R. Saint John. Output sets, halting sets and an arithmetical hierarchy for ordered substrings of the real numbers under
Blum/Shub/Smale computation, Technical Report TR-94-035, ICSI,
Berkeley, CA, 1994.
[Saint John, *1995] R. Saint John. Theory of computation for the real
numbers and subrings of the real numbers following Blum/Shub/Smale,
Dissertation, University of California at Berkeley, 1995.
[Sanchis, *1988] L. E. Sanchis. Reflexive Structures, Springer-Verlag, 1988.
[Schreiber, *1975] P. Schreiber. Theorie der geometrischen Konstruktionen, Deutscher Verlag der Wissenschaften, Berlin, 1975.
[Scott, 1967] D. Scott. Some definitional suggestions for automata theory,
Journal of Computer & System Sciences 1:187-212, 1967.
[Scott, *1970a] D. S. Scott. The lattice of flow diagrams, Programming
Research Group, Oxford, 1970.
[Scott, *1970b] D. S. Scott. Outline of a mathematical theory of computation. In Proceedings of the 4th Annual Princeton Conference on Information Sciences & Systems, Princeton University, pp. 169-176, 1970.
Also Technical Monograph PRG-2, Porgramming Research Group, Oxford University, 1970.
[Scott and Strachey, *197l] D. S. Scott and C. Strachey. Towards a mathematical semantics for computer languages. In Proceedings of the Symposium on Computers & Automata, 3. Fox ed., Polytechnic Institute
519
of Brooklyn. Also in Technical Monograph 6, Programming Research

Group, Oxford, 1971.
[Shafarevich, 1977] I. R. Shafarevich. Basic Algebraic Geometry, SpringerVerlag, 1977.
[Shepherdson, 1973] J. C. Shepherdson. Computations over abstract structures: serial and parallel procedures and Friedman's effective definitional
schemes, in Logic Colloquium '73, H. E. Rose and J. C. Shepherdson eds,
pp. 445-513, North-Holland, 1973.
[Shepherdson, 1976] J. C. Shepherdson. On the definition of computable
function of a real variable, Zeitschrift fur mathematische Logik und
Grundlagen der Mathematik 22:391-402, 1976.
[Shepherdson, 1985] J. C. Shepherdson. Algebraic procedures, generalized
Turing algorithms, and elementary recursion theory. In Harvey Friedman's Research on the Foundations of Mathematics, L. A. Harrington,
M. D. Morley, A. Scedrov and S. G. Simpson eds, pp. 285-308, NorthHolland, 1985.
[Shepherdson, *1994] J. C. Shepherdson. Mechanisms for computing over
arbitrary structures. In The Universal Turing Machine, A Half-Century
Survey, R. Herken ed, pp. 581-601, Oxford University Press, 1994.
[Shepherdson and Sturgis, 1963] J. C. Shepherdson and H. E. Sturgis.
Computability of recursive functions, Journal of the Association for
Computing Machinery 10:217-255, 1963.
[Simmons, 1963] G. F. Simmons. Introduction to Topology and Modern
Analysis, McGraw-Hill, 1963.
[Smyth, 1992] M. B. Smyth. Topology. In Handbook of Logic in Computer
Science, Vol. 1, S. Abramsky, D. Gabbay and T. Maibaum eds, pp. 641761, Clarendon Press, 1992.
[Soskov, *1987] I. N. Soskov. Prime computability on partial structures. In
Mathematical Logic and its Applications, D. G. Skordev ed, pp. 341-350,
Plenum Press, 1987.
[Soskov, *1989a] I. N. Soskov. Definability via enumerations, Journal of
Symbolic Logic, 54:428-440, 1989.
[Soskov, *1989b] I. N. Soskov. An external characterization of the prime
computability, Annuaire de I'Universite de Sofia 83:89-110, 1089.
[Soskov, *1990] I. N. Soskov. Computability by means of effectively definable schemes and definability via enumerations, Archive for Mathematical Logic 29:187-200, 1990.
[Soskova, *1994] A. A. Soskova An external approach to abstract data
types I, Annuaire de I'Universite Sofia 87, 1994.
[Soskova and Soskov, *1990] A. A. Soskova and I. N. Soskov. Effective enumerations of abstract structures. In Heyting '88, P. Petkov ed, pp. 361372, Plenum Press, 1990.
[Sperschneider and Antoniou, 1991] V. Sperschneider and G. Antoniou.
Logic: A Foundation for Computer Science, Addison Wesley, 1991.
520
[Stephens, 1997] R. Stephens. A survey of stream processing, Acta Information 34:491-541, 1997.
[Stephens and Thompson, 1996] R. Stephens and B. C. Thompson. Cartesian stream transformer composition, Fundamenta Informaticae 25:123174, 1996.
[Stephenson, 1996] K. Stephenson. An algebraic approach to syntax, semantics and computation, PhD thesis, Department of Computer Science,
University of Wales, Swansea, 1996.
[Stewart, 1999] K. Stewart. Abstract and concrete models of computation
over metric algebras. PhD thesis, Computer Science Department, University of Wales, Swansea, 1999.
[Stoltenberg-Hansen, 1979] V. Stoltenberg-Hansen. Finite injury arguments in infinite computation theories, Annals of Mathematical Logic
16:57-80, 1979.
[Stoltenberg-Hansen and Tucker, 1985] V. Stoltenberg-Hansen and J. V.
Tucker. Complete local rings as domains, Technical Report 1.85, Centre
for Theoretical Computer Science, University of Leeds, 1985.
Tucker. Complete local rings as domains, Journal of Symbolic Logic
53:603-624, 1988.
Tucker. Algebraic and fixed point equations over inverse limits of algebras, Theoretical Computer Science 87:1-24, 1991.
Tucker. Infinite systems of equations over inverse limits and infinite synchronous concurrent algorithms. In Semantics: Foundations and Applications J. W. de Bakker, W.-P. de Roever and G. Rozenberg, eds. Lecture
Notes in Computer Science 666, pp. 531-562, Springer-Verlag, 1993.
Tucker. Effective algebras. In Handbook of Logic in Computer Science,
Vol. 4, S. Abramsky, D. Gabbay and T. Maibaum eds, pp. 357-526,
Oxford University Press, 1995.
[Stoltenberg-Hansen and Tucker, 1999a] V. Stoltenberg-Hansen and J. V.
Tucker. Computable rings and fields. In Handbook of Computability Theory, E. Griffor ed, North-Holland, 1999.
[Stoltenberg-Hansen and Tucker, 1999b] V. Stoltenberg-Hansen and J. V.
Tucker. Concrete models of computation for topological algebras. Theoretical Computer Science, 219:347-378, 1999.
[Stoltenberg-Hansen et al., 1994] V. Stoltenberg-Hansen, I. Lindstrom and
E. Griffor. Mathematical Theory of Domains, Cambridge University
Press, 1994.
[Strong, 1968] H. R. Strong, Jr. Algebraically generalised recursive function theory, IBM Journal of Research and Development, 12:465-475,
1968.
521
[Strong, *197l] H. R. Strong, Jr. Translating recursion equations into

flowcharts, Journal of Computer & Systems Science 5:254-285, 1971.
[Thiele, 1966] H. Thiele. Wissenschaftstheoretische Untersuchungen in algorithmischen Sprachen, VEB Deutcher Verlag der Wissenschaften,
1966.
[Thompson, 1987] B. C. Thompson. A mathematical theory of synchronous
concurrent algorithms, PhD thesis, School of Computer Studies, University of Leeds, 1987.
[Thompson and Tucker, 1991] B. C. Thompson and J. V. Tucker. Algebraic specification of synchronous concurrent algorithms and architectures, Research Report CSR 9-91, University College of Swansea, 1991.
[Tiuryn, *1981a] J. Tiuryn. Unbounded program memory adds to expressive power of first-order dynamic logic. In Proceedings of the 22nd Annual Symposium on the Foundations of Computer Science, Nashville, pp.
335-339, IEEE, 1981.
[Tiuryn, 1981b] J. Tiuryn. Logic of effective definitions, Fundamenta Informaticae 4:629-660, 1981.
[Tiuryn, *1981c] J. Tiuryn. A survey of the logic of effective definitions. In
Logics of Programs: Workshop, ETH Zurich, May-July 1979, E. Engeler ed., Lecture Notes in Computer Science 125, pp. 198-245, SpringerVerlag, 1981.
[Troelstra and van Dalen, 1988] A. S. Troelstra and D. van Dalen. Constructivism in Mathematics: An Introduction, Vols. I and II, NorthHolland, 1988.
[Tucker, 1980] J. V. Tucker. Computing in algebraic systems, Recursion
Theory, Its Generalisations and Applications, F. R. Drake and S. S.
Wainer eds., London Mathematical Society Lecture Note Series 45, pp.
215-235, Cambridge University Press, 1980.
[Tucker, *199l] J. V. Tucker. Theory of computation and specification over
abstract data types and its applications. In NATO Advanced Study Institute, International Summer School at Marktoberdorf, 1989, on Logic,
Algebra and Computation, F. L. Bauer ed, pp. 1-39, Springer-Verlag,
1991.
[Tucker and Zucker, 1988] J. V. Tucker and J. I. Zucker. Program Correctness over Abstract Data Types, with Error-State Semantics, CWI
Monographs 6:, North-Holland, 1988.
[Tucker and Zucker, 1989] J. V. Tucker and J. I. Zucker. Horn programs
and semicomputable relations on abstract structures, in 16th International Colloquium on Automata, Languages and Programming, Stresa,
Italy, July 1989, G. Ausiello, M. Dezani-Ciancaglini and S. Ronchi della
Rocca eds., Lecture Notes in Computer Science 372:, Springer-Verlag,
pp. 745-760, 1989.
[Tucker and Zucker, *199l] J. V. Tucker and J. I. Zucker. Projections of
semicomputable relations on abstract data types, International Journal
522
of Foundations of Computer Science 2:267-296, 1991.

[Tucker and Zucker, 1992a] J. V. Tucker and J. I. Zucker. Deterministic
and nondeterministic computation, and Horn programs, on abstract data
types, Journal of Logic Programming 13:23-55, 1992.
[Tucker and Zucker, *1992b] J. V. Tucker and J. I. Zucker. Examples of
semicomputable sets of real and complex numbers. In Constructivity
in Computer Science: Summer Symposium, San Antonio, Texas, June
1991, J. P. Myers, Jr. and M. J. O'Donnell eds, Lecture Notes in Computer Science 613, pp. 179-198, Springer-Verlag, 1992.
[Tucker and Zucker, *1992c] J. V. Tucker and J. I. Zucker. Theory of computation over stream algebras, and its applications. In Mathematical
Foundations of Computer Science 1992: 17th International Symposium,
Prague, I.M. Havel and V. Koubek eds, Lecture Notes in Computer Science 629, pp. 62-80, Springer-Verlag, 1992.
[Tucker and Zucker, 1993] J. V. Tucker and J. I. Zucker. Provable computable selection functions on abstract structures. In Proof Theory, P.
Aczel, H. Simmons and S. S. Wainer eds, Cambridge University Press,
pp. 277-306, 1993.
[Tucker and Zucker, 1994] J. V. Tucker and J. I. Zucker. Computable functions on stream algebras. In NATO Advanced Study Institute, International Summer School at Marktoberdorf, 1993, on Proof and Computation, H. Schwichtenberg ed, pp. 341-382, Springer-Verlag, 1994.
[Tucker and Zucker, 1998] J. V. Tucker and J. I. Zucker. Infinitary algebraic specifications for stream algebras. Report CAS 98-02, Department
of Computing and Software, McMaster University, 1998.
[Tucker and Zucker, 1999] J. V. Tucker and J. I. Zucker. Computation by
'While' programs on topological partial algebras. Theoretical Computer
Science, 219:379-420, 1999.
[Tucker and Zucker, 2000a] J. V. Tucker and J. I. Zucker. Abstract versus
concrete comptability over partial metric algebras (in preparation).
[Tucker and Zucker, 2000b] J. V. Tucker and J. I. Zucker. Abstract computability, algebraic specificationa nd initiality. Technical Report No.
CAS 2000-01-J2, Department of Computing & Software, McMaster University, Hamilton, Canada.
[Tucker et al, 1990] J. V. Tucker, S. S. Wainer and J. I. Zucker. Provable
computable functions on abstract data types. In 17th International Colloquium on Automata, Languages and Programming, Warwick University, England, July 1990, M. S. Paterson ed, Lecture Notes in Computer
Science 443, pp. 660-673, Springer-Verlag, 1990.
[Turing, 1936] A. M. Turing. On computable numbers, with an application to the Entscheidungsproblem, Proceedings of the London Mathematical Society 42: pp. 230-265; correction [1937], ibid. 43, pp. 544-546.
Reprinted [1965], The Undecidable, M. Davis, ed., Raven Press, 1936.
523
[Urzyczyn, *1981a] P. Urzyczyn. Algorithmic triviality of abstract structures, Fundamenta Informaticae 4:819-849, 1981.
[Urzyczyn, *1981b] P. Urzyczyn. The unwind property in certain algebras,
Information & Control 50:91-109, 1981.
[Urzyczyn, *1982] P. Urzyczyn. On the unwinding of flow-charts with
stacks, Fundamenta Informaticae 4:119-126, 1982.
[Urzyczyn, *1983] P. Urzyczyn. Nontrivial definability by flow-chart programs, Information & Control, 58:101-112, 1983.
[Voorhes, 1958] E. A. Voorhes. Algebric formulation of the notion of flowdiagrams, Communications of the Association for Computing Machinery
1:4-8, 1958.
[Wagner, *1965] E. A. Wagner. Uniformly reflexive structures: An axiomatic approach to computability. In Logic, Computability & Automation: Joint PADG-AIAC Symposium, Trinkaus Manor, Oriskany, New
York, 1965.
[Wagner, 1969] E. A. Wagner. Uniformly reflexive structures: On the nature of Godelizations and relative computability, Transactions of the
American Mathematical Society 144:1-41, 1969.
[Walker and Strong, *1973] S. Q. Walker and H. R. Strong. Characterizations of flowchartable recursions, Journal of Computer & Systems Science 7:404-447, 1973.
[Warner, *1993] S. Warner. Topological Rings, Mathematics Studies 178,
[Wechler, 1992] W. Wechler. Universal Algebra for Computer Scientists,
EATCS Monographs 25, Springer-Verlag, 1992.
[Weihrauch, 1987] K. Weihrauch. Computability, EATCS Monographs 9,
[Weihrauch and Schreiber, 1981] K. Weihrauch. Embedding metric spaces
into complete partial orders. Theoretical Computer Science 16:5-24,
1981.
[van Wijngaarden, *1966] A. van Wijngaarden. Numerical analysis as an
independent science, BIT 6:68-81, 1966.
[Wirsing, 1991] M. Wirsing. Algebraic specification. In Handbook of Theoretical Computer Science Vol.B: Formal Methods and Semantics, J. van
Leeuwen ed, pp. 675-788, North-Holland, 1991.
[Zucker and Pretorius, 1993] J. I. Zucker and L. Pretorius. Introduction to
computability theory, South African Computer Journal 9:3-30, 1993.
ON
-"
,)(.< ^
So
= i
ft
TTITIT
q^ qii 4ii J
J <S -U-
ONOsOs
O\ ON
oooo o\
VO
oo
VO
I
<
>
S5,|
SS::|*'S
53"';^3'
'
:
^
2,|
>
N
K ft0 ft ? || || || LU
a
fD
526
A, 120
A,, 60
<,79
x.lll
A, 82
-,51
--,85
(j> prop [T], 77
KA:XKA^
7i>, 109
7Ti,45
^,80
Sr, 135
Soo, 135
a + a', 53
CT = a' [T], 103
crto, 62
<T-KJ', 60
<T x a', 57
CTF, 102
*,60
A, 83
T*,83
{-I-}/. 54
a x A 114
OF, 115
e(e'),51
/ x A, 1 1 1
/M, 79, 111
n - x , 88
pr,84
a type [F], 103
- x x , 45
<p a (,fTi), 139
n, 142
ATIME, 140
, 74
,, 120
y , 61
abstract data type, 224, 35 1
modularized, 285
abstraction
behavioural, 298
INDEX
abstraction condition, 478

actual variables, 138
adequate specification, 252
algebra, 221
compact, 464-465,471
complete metric, 477,484
complex numbers, 328-329,346,
353,423,438-451 passim,
451-^-78 passim,
computable, 332-335
connected, 465469
effective, 321, 329, 335
expansion, 324-325,347,456457
final, 224
freely generated, 233
generated, 231
Hausdorff, 457
homomorphic image of, 223
initial, 224
interval, 445
locally compact, 477
locally finite, 405,418-419
many sorted, 320,322,325,329330,344-360 passim
metric, 465
minimal, 350,412
AT-standard, 350, 353-354
natural numbers, 320,326,329,
334,345-346,352-354,269270,405,409
order-sorted, 302
partial, 345,451-478 passim
partial topological, 451-478
passim
polynomials, 327,329,438^151
passim, 471
quotient algebra, 226
quotient term algebra, 235
quotient term algebra of a set of
formulas, 244
INDEX
real numbers, 320-321,327-329,
346, 353, 354, 396, 409,
438-451 passim, 451-478
passim
reduct of an, 237
standard, 322, 351-352,360
streams, 326,328,359-360,451,
454,501
subalgebra, 225
term algebra, 234
terms, 329
topological, 332, 451^78
passim
total, 345
ultrametric, 477
with arrays, 356-359
with unspecified value, 355-356
algebraic theory, 45
dependently typed, 102
algebraic and transcendental points,
441
algebraic domain, 477
algebraic operational semantics, 364366
amalgamated union, 283
ap,61,120
approximate computation 320-321,
342,451-478 passim
arity,51,220
assignment, 228
atomic formula, 143
atomic specification, 252
Ax, J., 207
axiom, 249
scheme, 249
term-equality, 102
type-equality, 102
axiomatizable, 246
Baire space, 476
Barwise, J., 200
Baur, W., 209
behavioural abstraction, 298
behavioural equivalence, 298
527
Ben-Or, M., 209

B6nabou,J., 113
Beck-Chevalley condition, 96,97
Berman, L., 193,194,209
bi-rule, 86
Bloom, S. L., 75
Blum, L., 438,484,506
B6rger,E., 136,154
Brattka, V., 478,484, 506
Brown, S. S., 208
Buchi, J., 154
C-property, 79
Cat, 114
Ct(Th),1Q, 107
Cpo, 80
cur, 120
curi, 60
calculus, 249
equational, 250
Cantor set, 445,451
carrier, 221
carrier set, 221
Cartmell,J.,41, 101,110
case, 53
categorical combinators, 123
category
bicartesian closed, 77
cartesian closed, 62
classifying, 70
prop-, 79
slice, 111
type-, 110
well-pointed, 49
well-powered, 81
category with attributes, 101
Cegielski, P., 136
Chagrov.A., 136
Chandra, A., 140
chaotic systems, 447451
Cherlin, G., 208
Church-Turing thesis, see generalised
Church-Turing thesis
528
classifying
category, 70
prop-category, 99
type-category, 108-109
closure, 246
of a class of algebras, 247
condition, 225
theorems for semicomputable sets,
409-413, 415-416, 420421
coherence, 101,123
complete, 142,250
completeness, 77,97-100
Compton, K., 134,206
computational lambda calculus, 66
computation type, 66
computability theory
on natural numbers, 319-320,
322,330-331
on algebras, 320-321,330-331,
340-342
generalised, 320-321,330-331
abstract, 321,330-331,336-340
abstract versus concrete, 333335,475^78
history, 335-340
abstract, history, 335-340,474478
generalised, history, 335-340
reasons for generalising, 335336
type two, 476
computable analysis, 321
computable real number, 475
computation
local, 372-373,387
sequence, 364
tree, 342, 423-430, 436-438,
468-469
theory, 490
concrete representation, 477
cons, 62
cons x, 62
continuous domain, 477
INDEX
condition
inheritance, 302
subtype, 302
conditional equational logic, 241
CEL, 241
confluent, 263
congruence relation, 225
induced, 226
conservativity for terms, 383-387,429
consistent, 285
constant, 220
constraint, 267
construction term, 300
constructive specification, 267
abstract syntax, 267
concrete syntax, 268
semantics, 268
constructor, 231
constructors, 255
context, 44, 101
T/z-provably equal, 69
a-equivalence of, 69
identity morphism, 70
morphism, 69
morphism composition, 69
contextual categories, 101
(Contract), 79
Coste, M., 41
countability/cofiniteness condition, 442
countable connectivity condition, 445
course of values recursion, 483
Curry-Howard interpretation, 3
(Cut), 79
ctxt, 103
data types, 320, 325,329,351
data type theory, 329,330-332,340
declaration, 280
default terms and values, 349
density/codensity condition, 442
dependent type, 120
depth, 139
derivable formula, 249
design specification, 253
INDEX
disjoint union type, 53
domain, 243,476-477
Duret, J.-L., 207
dynamic signature, 304
dynamic sort, 304
dynamical systems, 328, 447^51,
484
emptyT, 56
EdalatA.,477,508
Egidi, L., 208
Ehrenfeucht games, 200
effective algebra, 321
effective domains, 476
effective definitional schemes, 339,
487
element
generalized, 49
global, 49
elementary recursive, 140
Emerson, E. A., 136
empty type, 57
Engeler, E., 338-339,408,425,429,
430, 434, 435, 446, 489,
509
Engeler's lemma, 425,428,429,434,
435,438,446
environment, 278
equation, 240
equation-in-context, 45
equational calculus, 250
equational logic, 45,240
dependently typed, 105-106
equivalence sequence, 263
Ergov.Y, 131, 142,192,208
Esik, Z., 75
essentially algebraic, 42,123
evaluation morphism, 62
exact computation, 320-321,451
evaluation homomorphism, 234
exception, 303
(Exchange), 79
explicit definition, 144
exponential object, 62
529
export signature, 284

extension, 238
^-extension, 238
a set of formulas
persistent, 248
of a set of formulas, 248
persistent free, 276
quotient term, 275
fsat(L0), 153
JFp,74
false, 85
fst, 59
factorization, 226
Fagin,R., 136
Feferman, S., 209
Fenstad, J. E., 336,343,490, 510
Ferrante, J., 146,148,186,191,194,
196,202,210,211
(false-Adj), 87
(false-Elim), 86
final algebra, 224
final specification, 299
finite algorithmic procedure, 339,484
finite algorithmic procedure with
counting, 485
finite algorithmic procedure with
stacking, 486
finite algorithmic procedures with
index registers, 487
finite computation, 320-321,331
finite product
category with, 45
preservation of, 68
strictly associative, 71
strictly unital, 71
strict preservation of, 68
finite sequences, 324
first-order languages, 499
first-order logics, 138
Fischer, M. J., 136, 148, 159, 160,
193,194,195,198,207
flattening, 281
Fleischmann, K., 132
530
formal variables, 138

formula, 239
atomic, 77
derivable, 249
value of, 242
well-formed, 77
formula-in-context, 78
flowchart 336-337,342
for programming languages, 376
formula morphism, 239
free (ip), 143
free extension, 274
occurrence, 242
persistent, 276
freely generated, 233
Freyd, P. J., 42,123
Fridman, E. I., 209
Fried, M., 207
Friedman, H., 339-340,484,487,510
Frobenius reciprocity, 91
function
while computable, 324,326-329,
336,341,369
while N computable, 377
a-computable, 333
continuous, 342, 451-478 passim
while-array computable, 325,335,
378
order, 404-405
discontinuous, 451
partial, 317-532 passim
uniformly continuous, 474
equationally definable, 491
selection, 497
types, 347
function symbol
introductory axiom, 102
term-valued, 101
type-valued, 101
function type, 60
fundamental theorem of algebra, 442
Purer, M., 210,211
INDEX
generalised Church-Turing thesis, 338,
342, 422, 478, 487, 493500, 503
generalised element, 49
generalised quantifiers, 95
generated, 231
in some sorts, 232
generic
T/i-algebra, 72
model, 77,99, 118-119
Gentzen, G., 85, 87,123
Girard, J.-Y., 40,100, 123
global element, 49
global section, 114
Godel numbering, 388
Godel completeness thorem, 139
Gradel.E., 136
Grandjean, E., 137, 141,211
Grothendieck, A., 114
Grothendieck fibration, 114
ground
equation, 240
term, 227
type, 51
group, 321,327,328,346-347,353,
370,395,416
Grzegorczyk, A., 474,475
guarded command language, 488
Gurevich, Y., 207, 208
Halpern.J. Y., 136
halting formula, 42^429,433,437
halting problem, 417
halting set, 324,408,414,422,428,
436,457
hard, 141
Hardy, G. H., 195,197
Harel, D., 136
height, 139
Henkin,L.,210
Henson, C. W., 206
hereditary, 140
hereditary lower bounds, 131, 132,
140
INDEX
531
hierarchical specification, 284

higher-order logic, 123
Hofmann, M., 113
homomorphic extension, 274
homomorphism, 223
bijective, 223
evaluation, 234
image of, 223
initial, 244
homomorphism condition, 223
Hopcroft, J., 140, 159, 200
Horn clause languages, 500
Hyland,J.M.E.,41
hyperdoctrine, 80
internal language, 41,48, 95

interpretation, 167
simple, 167
prenex, 167
iterative, 167
invariance
isomorphism, 320,341,358,475,
495
from numberings, 334,475478
homomorphism, 371-372,422423,454
isomorphism, 223
isomorphism property, 239
iterated map, 448
iterative definition, 145
iteration theory, 75
imV,53
inr^, 53
junk, 230
inv(L), 132, 139

inv(Lo), 153
Immerman, N., 200
implementation, 297, 300
implicit definitions, 145
import signature, 284
inclusive subset, 80
indexed type, 110
induced subalgebra, 225
inductive
closure, 246
consequence, 244
type, 62
inference rule, 249
infinite streams, 324, 326, 328, 359360,451,454,501-503
inheritance condition, 302
inherited, 284
initial algebra, 224
initial homomorphism, 244
initial module specification, 286
initial specification, 257
initialisations, 408, 413-414, 436
instantiation assumption, 349, 360
institution, 310
K, 88
AC*, 80
Kaufmann, M., 164, 165

Ko.K.I.,475,513
Kochen, S., 108
Kokorin, A. I., 209
Konig's lemma, 469
Kozlov, G. T., 209
Korec, I., 185
Kozen, D., 136,140, 193
Kreisel.H., 211
Kripke, S., 100
Kutty, G., 136
L*. 143
Lo,138
Lt, 138, 171
IX, 62
listit, 64
listrec, 62
listreci, 62
lifti, 67
label sort, 304
Ladner,R., 136
Lafont, Y., 42
INDEX
532
Lambek, J., 65, 123

Lawvere, F. W., 40, 42, 65, 79, 80,
91,93,96,123
LCF,4
length of a computation, 365
let, 66
Lewis, H. R., 136, 193
linear logic, 123
linear ATIME lower bounds, 175
linearly bounded, 141
Lo,L., 196
locality of computation theorem, 387
locally confluent, 263
log-lin reduction, 141
logic, 239
conditional equational, 241
equational, 240
isomorphism property, 239
predicate logic, 241
satisfaction condition, 239
with equality, 239
logic with equality, 239
logical consequence, 244
in a domain, 244
loose module specification, 286
loose specification, 253
Loveland,D., 210
Lynch,!. F., 161, 162
ML0, 138
MLt, 138
ME r , 135,171
MSoo, 135, 171
MLt, 171
Machtey, M., 140
Makkai,M., 81
many-sorted signatures, see
signatures
Martin-L6f,P.,51, 100
McCarthy,!., 338,340,515
Macintyre, A., 210
McNaughton, R., 211
Maurin, F., 136, 195, 196
merging two procedures, 409-410,

420
meta-expression, 51
Meyer, A., 159,160, 184, 185,193
Michel, P., 136, 196
model, 243
of a dependently typed theory,
117
of a predicate theory, 97
of computation, 320, 323, 325,
335-340, 458-460, 475503 passim
oriented semantics, 283
modularized abstract data type, 285
module, 285
module signature, 284
module specification
initial, 286
loose, 286
module specifications, 287
Moggi, E., 41,66
interpretation, 175
iterative, 175
monadic, 175
prenex, 175
simple, 175
monadic interpretability, 175
monadic second-order logics, 138
monomorphic, 224,285
morphism
formula morphism, 239
signature, 237
Moschovakis, Y. N., 145, 148, 336,
476, 490, 493, 500, 516,
517
Moses, Y., 136
multicategory, 123
NT I ME, 140
ATT/M J5(T(cra))-inseparable, 153
NTIME lower bounds, 166
mU62
n ilx, 62
numbering, 332
533
INDEX
natural number object, 65
weak, 65
next state function, 447
Noetherian, 263
non-deterministic assignment, 488
normal form, 263
Normann,D.,478,493,517
null, 57
Objc, 112
object, 307
class, 307
identities, 307
instances, 307
type, 307
observable sorts, 298
Oles, R, 50
one-element-type, 59
only positively, 145
operation, 220
constant, 220
operation name, 220
operator formula, 145
orbit, 447
order-sorted algebra, 302
order-sorted signature, 301
P,88
Pi, 88
Po,88
pair, 58
proj, 60
prop,78
Papert,S.,211
parameterization
A-calculus approach, 295
pushout approach, 296
Peano arithmetic, 246
periodic points, 447
persistent, 238,248,274,285
free extension, 276
Poigne, A., 40
Point, F., 207
polymorphic, 224
lambda calculus, 123

positive and negative occurrences, 144
Post's theorem 342, 407, 410, 411412,415,420
Pour-El, M. B., 474,476, 518
poewr, 138
predicate
transition, 304
predicate logic, 241
prenex definition, 144
prescribed set of formulas, 150
Prest, M., 207,209
primary subtree, 138
problem, 140, 141
procedures 362
product type, 57, 344
program scheme, 489
program schematology 339,489
projections of relations 348
projective equivalence theorem 422,
434-435
projection morphism, 110
proof theory, 123
Pmpc, 79
prop-category, 79
classifying, 98
has equality, 94
has existential quantification, 91
has finite joins, 83
has finite meets, 82
has Heyting implications, 84
has universal quantification, 91
PSL, 291
pullback
of an indexed type, 110
of a property, 79
quotient algebra, 226
quotient homomorphism, 226
quotient term algebra, 235
of a set of formulas, 244
quotient term extension, 275
Rabin, M., 131, 142, 148, 184, 192,
534
193, 194, 195, 198, 207,

208
Rabinovich, A., 136
Rackoff,C, 146,148,186,191,193,
194,196,202,210,211
Ramakrishna, Y., 136
rapid prototyping, 253
random assignments, 408,435-438,
488
Rautenberg, W., 185
reachable, 231
realizability, 89
realization, 300
Reddy.U., 210
reduct, 237
and expansion, 347, 354, 356,
358
of a homomorphism, 238
reduct of a homomorphism, 238
reduction ordering, 264
reduction system, 263
reductions sequence, 263
yu-reduct, 237
register machines, 484-487
register machines with counting,
485
register machine with stacking,
485
remainder set, 380
relations, 348
relation symbol, 77
relativization, 140
relative homomorphism, 350-351
relative while computability, 375
renaming, 235
representations of semantic functions,
387-394
requirement specification, 253
reset log-lin reduction, 141
rewrite ordering, 264
Reyes, G. E., 81
Reynolds,!. C,41, 50, 100
Richards, J. I., 474,476, 518
Robertson, E. L., 184
INDEX
Robinson, A., 209, 210
Roman, L., 65
rules
adjoint style, 86, 89,93
natural deduction style, 85, 89,
93
S, 88
Set, 80, 111
Sg,43
Sgc, 48
r , 171
Soo,171
snd,59
split, 58
sat(S), 132
sat*(), 144
sat^(S), 144
satr(), 139
satr(L), 139
satr(ME+), 161
sat^(L), 144
sat(), 139
satT(Lo), 132
satT(ML0), 132
Sacerdote, G., 207
satisfaction, 239
condition, 239
of an equation, 47
of a judgement, 117 '
of sequent, 82
relation, 239
satisfiability problem, 132
Scarpellini, B., 136,210
Scedrov, A., 123
Schmitt, P., 209 Schoning, U., 136
Scott, D. S., 41
search, 333,412-413,461
search procedure, 413
Seiferas,!., 159,160
Seiferas-Fischer-Meyer Theorem, 159
semantics
model oriented, 283
of while programs, 363-36
INDEX
presentation oriented, 284
specification oriented, 284
theory oriented, 284
Semenov,. L., 189,210
semicomputability equivalence theorem, 431
semicomputability with search, 413414
sentence, 144
sequent, 78
set
while computable, 324,326-329,
407,409,438^51 passim,
while semicomputable, 324,326329,407-451 passim
halting, 324,408,414,422,428,
436,457
a-decidable, 333
a-semidecidable, 333
a-cosemidecidable, 333
projective semicomputable, 407451 passim
definable, 408,431^35
semicomputable with search, 414,
416,421-422
semialgebraic, 444
Julia, 449-451
Open, 451,464,
Closed, 451,464
Clopen, 451,464
recursion, 493
Shelah.S., 164, 165
Shepherdson, J. C., 339, 342, 473,
475, 484, 487, 489, 518,
519
Shub, M, 438,484, 506
E-homomorphism, 223
(A")-term, 227
signature, 43, 101, 220, 322, 344360 passim
dynamic, 304
module, 284
morphism, 235, 237
inclusion, 236
535
order-sorted, 301
strongly typed, 228
simultaneous course of values
recursion, 337,483
simultaneous iterative definition, 148
slice category, 111
Slobodskoi, A. M., 209
Smale, S., 438,484,506
snapshot function, 382,402,417
sort, 43, 220
argument sort, 220
dynamic, 304
label sort, 304
observable, 298
target sort, 220
sound, 250
soundness, 47
specification
adequate, 252
atomic, 252
design, 253
e-specification, 278
final, 299
initial, 257
language 496-500
loose, 253
loose with constructors, 255
requirement, 253
strictly adequate, 252
specification morphism, 284
specification oriented semantics, 284
stable
coproduct, 56, 57
initial object, 57
join, 87
stage, 49
standardness assumption, 353
standard signatures, 351-352
statement remainder function, 417
Statman, R., 210
Stern,!., 191
Stirling, C., 136
Stoltenberg-Hansen, V., 330,332,335,
343,476,477, 520
536
Stockmeyer, L., 137, 140, 184, 21 1

streams, see infinite streams
strict TV-standardness, 355
strictly adequate specification, 252
strictness condition, 111
strong monad, 66
strongly typed, 228
structure
for an algebraic theory, 46
for a dependency typed theory,
114
for a predicate theory, 80
structural induction 362
subalgebra, 225, 349
induced, 225
subobject, 80
(Subst), 78
substitution, 229
ground, 229
theorem, 230
substitutivity condition, 225
subtype condition, 302
sufficiently complete, 231
synchronous concurrent algorithms,
501
true, 85
type, 103
7i, 171
Tarski, A., 79
Tarski's quantifier-elimination
theorem, 444
tautology, 244
TERMS, 51
term, 227, 237, 349, 361-364, 383387
algebra, 234
construction, 300
evaluation, 329, 341, 389-390,
394-397,399-402,405,410,
412,415,416,418-421,431,
439, 472
ground, 227
INDEX
signature morphism on, 237
rewriting system, 264
value of a, 228
term-in-context, 44
term-model, 41
T/t-algebra, 47
JTi-context, 107
The, 73
theory, 245
algebraic, 45
axioms of, 45
dependently typed algebraic, 102
in predicate logic, 77
morphism, 284
oriented semantics, 284
theorems of, 45,78, 102
translation, 74
time resource bound, 140
Tiuryn, J., 136
topos, 112,122
total object, 110
Touraille, A., 208
Trakhtenbrot, B. A., 131,153
Trakhtenbrot-Vaught Inseparability
Theorem, 153
transition predicate, 304
Tucker, 3. V., 317, 330, 332, 335,
343, 365, 369, 396, 432,
452, 475, 576, 476, 477,
478, 483, 494, 495, 496,
520, 521
Turing, A., 154
type
computation, 66
dependent product, 120
disjoint union, 52
empty, 57
function, 60
ground, 51
indexed, 110
inductive, 62
one-element, 59
product, 57
type-category, 110
537
INDEX
type-category, cont
classifying, 107-108
has dependent products, 120
reachable, 119
TYPES, 51
Typec, 110
unit, 60
Ullman, J. D., 140,159,200
uniform computation, 324
uniform convergence, 470
union
amalgamated, 283
universe, 243
universality, 341,387-388,399-401,
439,490
val, 66
val(S), 132
valid, 244
in a domain, 244
inductively valid, 244
logically valid, 244
validity problem, 132
value of a formula, 242
Var, 44
uar(r), 44
Vardy.M., 136
variable
free occurrence of, 242
Vaught,R., 131,153,209
vocabulary, 138
Volger, H., 192
Vorobynov, S., 137,210
weak model, 138
weak product, 59
weak second-order language, 408,431435
(Weaken), 78
Weierstrass approximability, 470-474
Weihrauch, K., 476,477,523
well-formed theory, 105
well-pointed, 49
while-array programming language,
317-523 passim
while programming language, 317523 passim
Wood, C, 209
Wright, E. M., 195, 197
Young, P., 140, 153, 195
Zakharyaschev, M., 136
Zucker, J.I., 317,365,369,432,452,
475, 478, 483, 494, 496,
497, 500, 501, 503, 521,
522

PDF

Transféré par

Informations du document

Description originale:

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

PDF

Transféré par

Droits d'auteur :

Formats disponibles

HANDBOOK OF LOGIC

HANDBOOKS OF LOGIC IN COMPUTER SCIENCE

Handbook of Logic in Computer Science

Background: Mathematical structures

Handbook of Logic in Artificial Intelligence and

CLARENDON PRESS OXFORD

Great Clarendon Street, Oxford 0x2 6DP

audience is graduate students and researchers in the areas of computing

This page intentionally left blank

Martin-L6f s type theory

B. Nordstrtim, K. Petersson and J. M. Smith

3.2 Product types

3.3 Function types

3.4 Inductive types

5.1 Formulas and sequents

6.2 Classifying category of a theory

A uniform method for proving lower bounds

K. Compton and C. Ward Henson

Algebraic specification of abstract data types

J. Loeckx, H.-D. EhrichandM. Wolf

Modularization and parameterization

Computable functions and semicomputable sets

While computability on standard algebras

This page intentionally left blank

Martin-L0f 's type theory

B. Nordstrom, K. Petersson and J. M. Smith

Martin-Lof's type theory

strom et a/., 1990], in that we here give a presentation of Martin-Lof's

Different formulations of type theory

B. Nordstrom, K. Petersson and J. M. Smith

One major application of type theory is its use as a programming logic in

Martin-Lof's type theory

correspond to the types of the basic combinators K and 5,

Modus ponens then corresponds to functional application. Tait [Tait,

B. Nordstrom, K. Petersson and J. M. Smith

where stands for absurdity, that is a proposition which has no proof. If

Martin-Lof's type theory

Semantics and formal rules

B. Nordstrom, K. Petersson and J. M. Smith

Martin-Lof's type theory

The meaning of the judgement forms a A, a = 6 A and A = B

where we already know that A\ is a type, A2 is a type in the context

B. Nordstrom, K. Petersson and J. M. Smith

holds for an arbitrary object a of type A1 in the empty context. We must

A [x1 <- a] = A [x1 <- b]

Martin-Lof's type theory

The explanations of the other hypothetical judgement forms give the

Let A be a type in the context x1 A1, x2 A2, ... , xn E An.

Let A be a type and c and d be objects of type A in the context x1 E AI,

B. Nordstrom, K. Petersson and J. M. Smith

We also obtain the rule for forming equal function types:

Martin-Lof's type theory

x must occur free neither in c nor in d

We will write repeated abstractions as [x1,x2, . . . ,xn]b and also exclude

We must also know that when we apply an abstraction [x]b, where b

B. Nordstrom, K. Petersson and J. M. Smith

x must not occur free in c

The type Set

Notice that it is required that the sets are built up inductively: we

Martin-Lof's type theory

A defined constant is defined in terms of other objects. When we apply

B. Nordstrom, K. Petersson and J. M. Smith