Deciding Confluence for a Simple Class of Relational Transducer Networks

Abstract

Networks of relational transducers can serve as a formal model for declarative networking, focusing on distributed database querying applications. In declarative networking, a crucial property is eventual consistency, meaning that the final output does not depend on the message delays and reorderings caused by the network. Here, we formalize eventual consistency as a confluence notion, meaning that finite executions of the system can always be extended to yield the desired output. We show that confluence is decidable when the transducers satisfy some syntactic restrictions, some of which have also been considered in earlier work on automated verification of relational transducers. This simple class of transducer networks computes exactly all distributed queries expressible by unions of conjunctive queries with negation.

Appendices

Appendix A: Undecidability Results

1.1 A.1 Proof of Proposition 1

Inspired by the work of Deutsch et al. [11, 14], we reduce the finite implication problem for functional and inclusion dependencies to the diffluence decision problem. Section A.1.1 provides notations for dependencies. Next, Section A.1.2 contains the technical description of the reduction. The correctness is shown in Section A.1.3.

1.1.1 A.1.1 Dependencies

We introduce notations for dependencies. Let \(\mathcal {D}\) be a database schema, and let \(R^{(k)}\in \mathcal {D}\). A functional dependency σ over R is a tuple \((R, \bar {a}, b)\), where \(\bar {a}\) is a subsequence of [1,…,k] and b∈{1,…,k}. This dependency holds for a database instance I over \(\mathcal {D}\) if for any pair of facts in I, if they have the same values on components \(\bar {a}\) then they have the same value on component b.

Let R ^(k) and S ^(l) be relations in \(\mathcal {D}\). An inclusion dependency σ from R to S is a tuple \((R, \bar {a}, S, \bar {b})\), where \(\bar {a}\) and \(\bar {b}\) are subsequences of [1,…,k] and [1,…,l] respectively, and \(\bar {a}\) and \(\bar {b}\) have the same length. Denoting \(\bar {a}=[a_{1},\ldots ,a_{m}]\) and \(\bar {b}=[b_{1},\ldots ,b_{m}]\), this dependency holds for a database instance I over \(\mathcal {D}\) if

$$\{(u_{a_{1}}, \ldots, u_{a_{m}})| R(u_{1},\ldots,u_{k})\in I\}\subseteq\{(v_{b_{1}},\ldots, v_{b_{m}})| S(v_{1}, \ldots, v_{l})\in I\}. $$

1.1.2 A.1.2 Transducer Network Construction

Let \((\mathcal {D}, \varSigma , \sigma )\) be an instance of the finite implication problem. We create a single-node transducer network \(\boldsymbol {\mathcal {N}}\) that is simple except that send rules don’t have to be static and such that \(\boldsymbol {\mathcal {N}}\) is diffluent iff \((\mathcal {D},\varSigma ,\sigma )\) is not valid.

The syntactical simplifications of Section 4.1 are applied.

Abbreviate \(\varSigma ^{\prime }=\varSigma \cup \{\sigma \}\). Let Υ be the transducer schema of π. We define \(\varUpsilon _{\textnormal {in}}=\mathcal {D}\cup \{A^{(1)}\}\) where A is a new relation name not yet occurring in \(\mathcal {D}\). Relation A is used to cause inconsistencies. We define Υ _out={T ⁽¹⁾}. We introduce the message and memory relations of Υ while we describe the rules of π below.

We construct π to be recursion-free; so \(\boldsymbol {\mathcal {N}}\) is also globally recursion-free. Moreover, the output and memory rules will be message-bounded and all rules are message-positive. We only add rules to insert memory facts, making π inflationary.

First, π sends all input facts to itself. This helps satisfy the message-boundedness restriction. So, for each relation \(R^{(k)}\in \mathcal {D}\), we have a rule:

$$R_{\textnormal{msg}}(\mathtt{u}_{\mathtt{1}}, \ldots, \mathtt{u}_{\mathtt{k}})\leftarrow R(\mathtt{u}_{\mathtt{1}},\ldots,\mathtt{u}_{\mathtt{k}}). $$

To check violations of \(\varSigma ^{\prime }\), received input messages are projected onto auxiliary memory relations.

Let \(\tau \in \varSigma ^{\prime }\) be a functional dependency. Denote \(\tau =(R, \bar {a}, b)\). We add a memory relation \(R_{\tau }^{(l)}\) where l is the length of \(\bar {a}\) plus 1 (for b). On receipt of an R _msg-fact, we project components \(\bar {a}\) and b to R _τ , with \(\bar {a}\) placed (in order) before b. This can be done in a message-bounded manner (details omitted).

Let \(\tau \in \varSigma ^{\prime }\) be an inclusion dependency. Denote \(\tau =(R, \bar {a}, S, \bar {b})\). We add two memory relations \(R_{\tau }^{(m)}\) and \(S_{\tau }^{(m)}\), where m is the length of \(\bar {a}\) and \(\bar {b}\). On receipt of an R _msg- and S _msg-fact, we project the components \(\bar {a}\) and \(\bar {b}\) (in order) to the relations R _τ and S _τ respectively. Again, this can be done in a message-bounded manner.

The above auxiliary memory relations depend on message delivery, but we don’t know when all input facts have been delivered. For this purpose we introduce a special marker message datadone ⁽⁰⁾. We unconditionally send it in every transition, with the rule

$$\mathtt{datadone}()\leftarrow. $$

On receipt of datadone(), we create a snapshot of the input facts. We check dependencies only once in this snapshot, by using the memory relation ⁽⁰⁾, which is filled by the rule

$$\mathtt{checkdone}()\leftarrow\mathtt{datadone}(). $$

To actually check dependencies, we proceed as follows. Let \(\tau \in \varSigma ^{\prime }\) be a functional dependency. Denote \(\tau =(R, \bar {a}, b)\). We send message _τ () if τ is violated in the snapshot, where \(k=|\bar {a}|\):

$$\begin{array}{@{}rcl@{}} \mathtt{viol}_{\tau}()&\leftarrow&\, R_{\tau}(\mathtt{a}_{\mathtt{1}},\ldots,\mathtt{a}_{\mathtt{k}}, \mathtt{b}),\, R_{\tau}(\mathtt{a}_{\mathtt{1}},\ldots, \mathtt{a}_{\mathtt{k}},\mathtt{b}^{\prime}),\,\mathtt{b}\neq\mathtt{b}^{\prime},\\ &&\mathtt{datadone}(),\,\neg\mathtt{checkdone}(). \end{array} $$

Now, let \(\tau \in \varSigma ^{\prime }\) be an inclusion dependency. Denote \(\tau =(R, \bar {a}, S, \bar {b})\). We send message _τ () if τ is violated in the snapshot, where \(m=|\bar {a}|=|\bar {b}|\):

$$\begin{array}{@{}rcl@{}} \mathtt{viol}_{\tau}()&\leftarrow\,& R_{\tau}(\mathtt{a}_{\mathtt{1}},\ldots,\mathtt{a}_{\mathtt{m}}),\,\neg S_{\tau}(\mathtt{a}_{\mathtt{1}},\ldots,\mathtt{a}_{\mathtt{m}}),\\ && \mathtt{datadone}(),\,\neg\mathtt{checkdone}(). \end{array} $$

We cause diffluent behavior if σ is violated and Σ is not. First, we (unconditionally) send A _msg-facts, based on the input A-facts:

$$A_{\textnormal{msg}}(\mathtt{u})\leftarrow A(\mathtt{u}). $$

Received A _msg-facts are copied to output relation T while new memory relation ⁽⁰⁾ is empty:

$$T(\mathtt{u})\leftarrow A_{\textnormal{msg}}(\mathtt{u}),\,\neg\mathtt{blocked}(). $$

Blocking is triggered by the violation of σ:

$$\mathtt{blocked}()\leftarrow\mathtt{viol}_{\sigma}(). $$

So, if σ is violated, diffluence can be caused by varying the delivery order of A _msg-facts and _σ (). But we want to remove the diffluence if any τ∈Σ turns out to be violated as well, by adding this output rule:

$$T(\mathtt{u})\leftarrow A_{\textnormal{msg}}(\mathtt{u}),\,\mathtt{repair}(). $$

Here, ⁽⁰⁾ is a new memory relation that becomes enabled when Σ is violated, denoting Σ={τ ₁,…,τ _n }:

$$\begin{array}{cc} \mathtt{repair}()\leftarrow\, & \mathtt{viol}_{\tau_{1}}().\\ \vdots\\ \mathtt{repair}()\leftarrow\, & \mathtt{viol}_{\tau_{n}}(). \end{array} $$

1.1.3 A.1.3 Correctness

Let \((\mathcal {D}, \varSigma , \sigma )\) be as above. Let \(\boldsymbol {\mathcal {N}}\) denote the constructed transducer network.

Suppose \((\mathcal {D}, \varSigma , \sigma )\) is not valid. There is an instance I over \(\mathcal {D}\) such that I⊧Σ and \(I\nvDash \sigma \). We give \(\boldsymbol {\mathcal {N}}\) the input \(J=I\cup \{A(a)\}\) and we obtain diffluence as follows.

In a first run \(\mathcal {R}_{1}\), the message A _msg(a) is sent during the first transition, and in the second transition we deliver only this message, causing the output fact T(a) to be derived.

In a second run \(\mathcal {R}_{2}\), we do not deliver A _msg(a). Instead, in \(\mathcal {R}_{2}\) we send and deliver all input facts of I, after which we deliver datadone(). Now, message _σ () is sent because \(I\nvDash \sigma \). We deliver this message, causing blocked() to be derived. This completes the construction of \(\mathcal {R}_{2}\). Run \(\mathcal {R}_{2}\) produces no output because A _msg(a) is not delivered. Next, no extension of \(\mathcal {R}_{2}\) can deliver _τ () for some τ∈Σ because I⊧Σ. Hence, () can not be derived. So, () prevents T(a) from being derived whenever A _msg(a) would be delivered.

For the other direction, suppose that \(\boldsymbol {\mathcal {N}}\) is diffluent. There is an input J for \(\boldsymbol {\mathcal {N}}\), and two runs \(\mathcal {R}_{1}\) and \(\mathcal {R}_{2}\) of \(\boldsymbol {\mathcal {N}}\) on J, such that \(\mathcal {R}_{1}\) derives an output fact T(a) and \(\mathcal {R}_{2}\) does not, and neither can T(a) be derived in any extension of \(\mathcal {R}_{2}\). We show there is a subset \(I\subseteq J|_{\mathcal {D}}\) such that I⊧Σ and I⊮σ, so that \((\mathcal {D},\varSigma ,\sigma )\) is not valid.

First, the derivation of T(a) in \(\mathcal {R}_{1}\) implies that A _msg(a) can be sent in \(\mathcal {R}_{1}\). Hence, A _msg(a) can be sent in \(\mathcal {R}_{2}\) and in extensions thereof. Therefore, what is preventing T(a) from being derived in extensions of \(\mathcal {R}_{2}\) is the presence of () and the absence of (). The fact () was derived by the delivery of _σ (). This delivery must have happened inside \(\mathcal {R}_{2}\) because otherwise in some extension of \(\mathcal {R}_{2}\) we could postpone the delivery of _σ () until after A _msg(a) was delivered, deriving T(a), which is impossible in any extension of \(\mathcal {R}_{2}\).

The sending of _σ () implies that () was delivered in some transition i of \(\mathcal {R}_{2}\), and at moment the transducer had received a snapshot \(I\subseteq J|_{\mathcal {D}}\) such that \(I\nvDash \sigma \). Also, because () was not derived in \(\mathcal {R}_{2}\) and can not be derived in an extension, it must be that no _τ ()-fact was ever sent for any τ∈Σ. So, in transition i of \(\mathcal {R}_{2}\), we have I⊧Σ.

1.2 A.2 Proof of Proposition 2

Let (U,V) be an instance of the Post correspondence problem. Denote U=u ₁,…,u _n and V=v ₁,…,v _n . We construct a single-node transducer network \(\boldsymbol {\mathcal {N}}\) that is simple except that local message recursion is allowed, such that (U,V) has a match iff \(\boldsymbol {\mathcal {N}}\) is diffluent.

1.2.1 A.2.1 Notations

For a word w and an index k∈{1,…,|w|}, we write w[k] to denote the symbol of w at position k.

1.2.2 A.2.2 Transducer Network Construction

We now define the single transducer π of \(\boldsymbol {\mathcal {N}}\) and its transducer schema Υ. The syntactical simplifications of Section 4.1 are applied.

For each i∈{1,…,n}, we add to Υ _in unary relations \(U_{k}^{i}\) and \(V_{l}^{i}\) with k∈{1,…,|u _i |} and l∈{1,…,|v _i |}. Now, the words u _i and v _i can be encoded. To illustrate, u _i =a b a is represented by the facts \(\{U_{l}^{i}(a), U_{2}^{i}(b), U_{3}^{i}(a)\}\).

To represent a word-structure with arbitrary length, we provide Υ _in with the input relations R ⁽²⁾, L ⁽²⁾ and F ⁽¹⁾. Here, L and F respectively stand for “label” and “first”. For instance, the word abc might be represented as the facts {R(1,2),R(2,3),L(1,a),L(2,b),L(3,c),F(1)}. The word a can be represented by {F(1),L(1,a)}.

We send error() whenever the previous input relations violate the following natural constraints:

• all relations \(U_{k}^{i}\) and \(V_{l}^{j}\) contain at most one symbol; for each pair u _i and v _j , and each k∈{1,…,|u _i |} and l∈{1,…,|v _j |}, the relations \(U_{k}^{i}\) and \(V_{l}^{j}\) contain a different symbol iff u _i [k]≠v _j [l]; similarly for pairs of two U-words or two V-words;

• relation R contains only chains; relation F designates at most one start element; each element on the chain has at most one label.

We omit the details of the rules to check these constraints.

We search a match for (U,V) by aligning (u _i ,v _i )-pairs against the input word-structure. Let i∈{1,…,n}. To align the single pair (u _i ,v _i ), we use the following binary message relations:

• relations [i,k,k] with \(1\leq k\leq \min (|{u_{i}}|, |{v_{i}}|)\) to represent simultaneous alignment, one character at a time;

• relations [i,k,|v _i |] with |v _i |+1≤k≤|u _i | to continue aligning u _i when v _i has reached its end;

• relations [i,|u _i |,k] with |u _i |+1≤k≤|v _i | to continue aligning v _i when u _i has reached its end.

Next, we have the start rule, to start aligning at the beginning of the word-structure:

$$\mathtt{align}[i, 1, 1](\mathtt{a, a})\leftarrow F(\mathtt{a}),\, L(\mathtt{a, c}),\,U_{1}^{i}(\mathtt{c}),\,V_{1}^{i}(\mathtt{c}).$$

Then we have simultaneous continuation rules for each k satisfying \(1\leq k\leq \min (|u_{i}|, |v_{i}|)-1\):

$$\begin{array}{@{}rcl@{}}\mathtt{align}[i, k+1, k+1](\mathtt{a}^{\prime},\mathtt{b}^{\prime})\leftarrow\, \mathtt{align}[i, k, k](\mathtt{a, b}),\, R(\mathtt{a, a}^{\prime}),\, R(\mathtt{b, b}^{\prime}),\\ \qquad L(\mathtt{a}^{\prime}, \mathtt{c}_{\mathtt{1}}),\, L(\mathtt{b}^{\prime}, \mathtt{c}_{\mathtt{2}}),\,U_{k+1}^{i}(\mathtt{c}_{\mathtt{1}}),\,V_{k+1}^{i}(\mathtt{c}_{\mathtt{2}}). \end{array} $$

We have separate continuation rules for u _i , for each k satisfying |v _i |≤k≤|u _i |−1:

$$\mathtt{align}[i, k+1, |v_{i}|](\mathtt{a}^{\prime}, \mathtt{b})\!\leftarrow\! \mathtt{align}[i, k, |v_{i}|](\mathtt{a, b}), R(\mathtt{a, a}^{\prime}),\, L(\mathtt{a}^{\prime}, \mathtt{c}),U_{k+1}^{i}(\mathtt{c}). $$

Similarly, we have separate continuation rules for v _i , for each k satisfying |u _i |≤k≤|v _i |−1:

$$\mathtt{align}[i, |u_{i}|, k+1](\mathtt{a, b}^{\prime})\!\leftarrow \mathtt{align}[i, |u_{i}|, k](\mathtt{a, b}), R(\mathtt{b, b}^{\prime}),\, L(\mathtt{b}^{\prime},\! \mathtt{c}),V_{k+1}^{i}(\mathtt{c}). $$

Lastly, once u _i and v _i are both fully aligned, for each pair (u _j ,v _j ) with j∈{1,…,n} we have the switch rule from pair i to pair j (with possibly i=j):

$$\begin{array}{@{}rcl@{}} &&\mathtt{align}[j, 1, 1](\mathtt{a}^{\prime}, \mathtt{b}^{\prime})\leftarrow\, \mathtt{align}[i, |u_{i}|, |v_{i}|](\mathtt{a, b}),\, R(\mathtt{a, a}^{\prime}),\, R(\mathtt{b, b}^{\prime}),\\ &&\;\;\;\qquad\qquad\qquad\qquad\qquad L(\mathtt{a}^{\prime}, \mathtt{c}_{\mathtt{1}}),\, L(\mathtt{b}^{\prime}, \mathtt{c}_{\mathtt{2}}),U_{1}^{j}(\mathtt{c}_{\mathtt{1}}), V_{1}^{j}(\mathtt{c}_{\mathtt{2}}). \end{array} $$

Diffluence is obtained in a similar fashion as in Section A1. We add input relation A ⁽¹⁾ and message relation \(A_{\textnormal {msg}}^{(1)}\), and a sending rule:

$$A_{\textnormal{msg}}(\mathtt{u})\leftarrow A(\mathtt{u}). $$

We also have an output relation T ⁽¹⁾ to which received A _msg-facts are copied while a memory relation blocked() is nonempty:

$$ T(\mathtt{u})\leftarrow A_{\textnormal{msg}}(\mathtt{u}),\,\neg\mathtt{blocked}(). $$

Now, whenever we receive a message of the form [i,|u _i |,|v _i |](a,a), we have been able to successfully align a sequence of (u _i ,v _i )-pairs to the input word-structure, so that the U- and V-side end at the same position. This corresponds to a match for (U,V). For each i∈{1,…n}, add the memory insertion rule:

$$\mathtt{blocked}()\leftarrow \mathtt{align}[i, |u_{i}|, |v_{i}|](\mathtt{a, a}). $$

Note that these rules are message-bounded. So, diffluence is obtained by varying the delivery order of A _msg-facts and such alignment-messages. Inconsistencies are repaired when error() is received (together with A _msg-facts):

$$T(\mathtt{u})\leftarrow A_{\textnormal{msg}}(\mathtt{u}),\,\mathtt{error}(). $$

1.2.3 A.2.3 Correctness

Let (U,V) be an instance of the Post correspondence problem. Let \(\boldsymbol {\mathcal {N}}\) be the constructed transducer network.

Suppose (U,V) has a match E=e ₁,…,e _m . Diffluence of \(\boldsymbol {\mathcal {N}}\) is obtained as follows. Denote \(w=u_{e_{1}}{\ldots } u_{e_{m}}\) (or equivalently \(w=v_{e_{1}}{\ldots } v_{e_{m}}\)). We can naturally encode (U,V) and w (as the word-structure) over the input relations. This results in an instance J on which error() can not be sent. We give \(I=J\cup \{A(a)\}\) as input to \(\boldsymbol {\mathcal {N}}\).

In a first run \(\mathcal {R}_{1}\) on I, we immediately send and deliver A _msg(a), causing T(a) to be derived. In a second run \(\mathcal {R}_{2}\), we do not deliver A _msg(a), but, following sequence E, we send messages to align pairs of (U,V) to the encoding of w. Abbreviating z=e _m , and assuming the chain in the word-structure consists of consecutive natural numbers starting at 1, at some point we send [z,|u _z |,|v _z |](|w|,|w|). Upon delivering this message in \(\mathcal {R}_{2}\), we derive (). Because error() can not be sent, T(a) can not be derived in any extension of \(\mathcal {R}_{2}\).

Suppose that \(\boldsymbol {\mathcal {N}}\) is diffluent. We show that (U,V) has a match. There is an input I for \(\boldsymbol {\mathcal {N}}\) and two runs \(\mathcal {R}_{1}\) and \(\mathcal {R}_{2}\) such that \(\mathcal {R}_{1}\) derives an output fact T(a) that is not derived in \(\mathcal {R}_{2}\) or any extensions thereof. The presence of T(a) in \(\mathcal {R}_{1}\) implies that A _msg(a) can be delivered in \(\mathcal {R}_{1}\). So, A _msg(a) can also be delivered in extensions of \(\mathcal {R}_{2}\). The reason why T(a) can not be derived in such extensions is the presence of () and because error() can never be sent. Fact blocked() must have been derived in \(\mathcal {R}_{2}\) itself, by delivering a message of the form [i,|u _i |,|v _i |](a,a).¹³

By going over the derivation history of [i,|u _i |,|v _i |](a,a) in a forward manner, we obtain a sequence E=e ₁,…,e _m of indices in {1,…,n} by looking at the used start- or switch-rules. Sequence E is a match, because the absence of error() implies that the alignment of the U-words “sees” the same word-structure as the alignment of the V-words. This would not be the case, for instance, when an element of the word-structure could have two labels or when the other natural constraints on the input are violated.

Appendix B: Small Model Property

1.1 B.1 Details of Section 5.3

Let \(\mathcal {R}\) be a run of \(\boldsymbol {\mathcal {N}}\) on input I. We construct \(hist_{\mathcal {R}}\) and \(msg_{\mathcal {R}}\) such that the properties 1, 2, and 3 of Section 5.3 are satisfied. Let n be the number of transitions of \(\mathcal {R}\). For each i∈{1,…,n+1}, we denote the ith configuration of \(\mathcal {R}\) as \(\rho _{i}=(s_{i}^{\mathcal {R}}, b_{i}^{\mathcal {R}})\). For a transition i, we denote the multiset of delivered messages and the set of sent messages respectively as \(m_{i}^{\mathcal {R}}\) and \(\delta _{i}^{\mathcal {R}}\).

We will perform the construction backwards, starting in the last transition of \(\mathcal {R}\). Inductively, for each transition j=n,n−1,…,1, we define \(hist_{j}^{\mathcal {R}}\) and \(msg_{\mathcal {R}}^{j}\), where, intuitively, \(hist_{\mathcal {R}}^{j}\) and \(msg_{\mathcal {R}}^{j}\) say something about the C-facts and their needed messages for transition j and later. In the end, we define \(hist_{\mathcal {R}}=hist_{\mathcal {R}}^{1}\) and \(msg_{\mathcal {R}}=msg_{\mathcal {R}}^{1}\). For each pair of transitions j and i, \(hist_{\mathcal {R}^{j}}\) and \(msg_{\mathcal {R}}^{j}\) give rise to the (multi)sets \(\gamma _{i}^{j}, \beta _{i}^{j}\), and \(\mathcal {E}_{i}^{j}\), defined as in Section 5.3.2. By induction on j, we want the following properties to be satisfied:

1. 1.

   \(\gamma _{i}^{j}\sqsubseteq b_{i}^{\mathcal {R}}\) for each transition index i;

2. 2.

   \(\beta _{i}^{j}\) is a set for each transition index i;

3. 3.

   \(\mathcal {E}_{i}^{j}=\gamma _{i+1}^{j}\cap \delta _{i}^{\mathcal {R}}\) for each transition index i; and,

4. 4.

   \(hist_{\mathcal {R}}^{j}\) contains only derivation pairs for transitions j and later.

To allow for a simple base case, we start the inductive construction at j=n+1 and we define \(hist_{\mathcal {R}}^{n+1}=\emptyset \) (no mappings) and \(msg_{\mathcal {R}}^{n+1}=\emptyset \). The induction properties are satisfied for the base case. For the induction hypothesis, we assume that \(hist_{\mathcal {R}}^{j+1}\) and \(msg_{\mathcal {R}}^{j+1}\) are defined such that the properties are satisfied.

1.1.1 B.1.1 Extend Derivation History

We define \(hist_{\mathcal {R}}^{j}\) to be \(hist_{\mathcal {R}}^{j+1}\) extended with an assignment of a derivation pair (φ,V) to each pair (j,g) where g is either (i) an output or memory C-fact created during transition j of \(\mathcal {R}\), or (i i) a needed message such that \((j, \boldsymbol {g}, l)\in msg_{\mathcal {R}}^{j+1}\) for some l. Note that \(hist_{\mathcal {R}}^{j}\) is a function because there are no derivation pairs for transition j in \(hist_{\mathcal {R}}^{j+1}\).

Now we define \(msg_{\mathcal {R}}^{j}\) as an extension of \(msg_{\mathcal {R}}^{j+1}\). Let β be the set of all messages positively needed by the selected derivation pairs in \(hist_{\mathcal {R}}^{j}\) for transition j. For each g∈β, we will select an origin transition k of g, and the resulting triple (k,g,j) is added to \(msg_{\mathcal {R}}^{j}\). There are two cases:

• If there is no triple \((k_{0}, \boldsymbol {g}, l)\in msg_{\mathcal {R}}^{j+1}\) with k ₀<j then we define k to be the largest transition index of \(\mathcal {R}\) for which k<j and \(\boldsymbol {g}\in \delta _{k}^{\mathcal {R}}\);

• Otherwise, let k ₀ be the smallest transition of \(\mathcal {R}\) for which \((k_{0}, \boldsymbol {g}, l)\in msg_{\mathcal {R}}^{j+1}\) and k ₀<j. Then we can apply Claim B.1 to know \(num(\boldsymbol {g}, \gamma _{k_{0}}^{j+1})<num(\boldsymbol {g}, b_{k_{0}}^{\mathcal {R}})\). So, intuitively, we have some instance of g in \(b_{k_{0}}^{\mathcal {R}}\) that is not yet used in \(msg_{\mathcal {R}}^{j+1}\). We now define k as the largest transition index of \(\mathcal {R}\) for which k<k ₀ and \(\boldsymbol {g}\in \delta _{k}^{\mathcal {R}}\).

1.1.2 B.1.2 Show Induction Properties

We show that the induction properties are satisfied. First, \(hist_{\mathcal {R}}^{j}\) by construction only contains derivation pairs for transitions j and later. Now we show the properties for \(msg_{\mathcal {R}}^{j}\). Because we have added triples only for facts in β to \(msg_{\mathcal {R}}^{j}\) with respect to \(msg_{\mathcal {R}}^{j+1}\), it is sufficient to focus on one g∈β. Let k be the transition index such that \((k, \boldsymbol {g}, j)\in msg_{\mathcal {R}}^{j}\). Let i∈{1,…,n} be an arbitrary transition index. We consider each of the properties:

We have to show \(num(\boldsymbol {g}, \gamma _{i}^{j}) \leq num(\boldsymbol {g}, b_{i}^{\mathcal {R}})\). If i≤k then \(num(\boldsymbol {g}, \gamma _{i}^{j})=0\), because index k by choice is the smallest transition index of \(\mathcal {R}\) for which \((k, \boldsymbol {g}, l)\in msg_{\mathcal {R}}^{j}\) for some l. If j<i, then \(num(\boldsymbol {g}, \gamma _{i}^{j})=num(\boldsymbol {g}, \gamma _{i}^{{j+1}})\) since (k,g,j) is only a delivery for transition j; thus the property is satisfied by applying the induction hypothesis.

Lastly, we consider the case k<i≤j. If there is no triple \((k_{0}, \boldsymbol {g}, l)\in msg_{\mathcal {R}}^{j+1}\) with k ₀<j then by choice of k we have \(num(\boldsymbol {g}, \gamma _{i}^{j})=1\). And because g is not sent between k and j and yet \(num(\boldsymbol {g}, b_{j}^{\mathcal {R}})\geq 1\) (since g∈β), it must be \(num(\boldsymbol {g}, b_{i}^{\mathcal {R}})\geq 1\); hence, \(num(\boldsymbol {g}, \gamma _{i}^{j})\leq num(\boldsymbol {g}, b_{i}^{\mathcal {R}})\).

Now suppose that k ₀ exists. We consider the subcases k<i≤k ₀ and k ₀<i≤j. If k<i≤k ₀ then \(num\left (\boldsymbol {g}, \gamma _{i}^{j}\right )=1\), and since g is not sent between k and k ₀ and yet \(num\left (\boldsymbol {g}, b_{k_{0}}^{\mathcal {R}}\right )\geq 1\) (Claim B.1), it must be \(num\left (\boldsymbol {g}, b_{i}^{\mathcal {R}}\right )\geq 1\); hence, \(num\left (\boldsymbol {g}, \gamma _{i}^{j}\right )\leq num\left (\boldsymbol {g}, b_{i}^{\mathcal {R}}\right )\). If k ₀<i≤j, we have \(num\left (\boldsymbol {g}, \gamma _{i}^{j}\right )=num\left (\boldsymbol {g}, \gamma _{i}^{j+1}\right )+1\) because \((k, \boldsymbol {g}, j) \in msg_{\mathcal {R}}^{j}\) is new (and k<k ₀) and \(num\left (\boldsymbol {g}, \gamma _{i}^{j+1}\right )<num\left (\boldsymbol {g}, b_{i}^{\mathcal {R}}\right )\) (Claim B.1); hence, \(num\left (\boldsymbol {g}, \gamma _{i}^{j}\right )\leq num\left (\boldsymbol {g}, b_{i}^{\mathcal {R}}\right )\).

We have to show \(num\left (\boldsymbol {g}, \beta _{i}^{j}\right )\leq 1\). If i<j then \(num\left (\boldsymbol {g}, \beta _{i}^{j}\right )=0\) and if j<i then \(num\left (\boldsymbol {g}, \beta _{i}^{j}\right )=num\left (\boldsymbol {g}, \beta _{i}^{j+1}\right )\leq 1\). If i=j then the property is satisfied because we have selected only one k such that \((k, \boldsymbol {g}, j)\in msg_{\mathcal {R}}^{j}\).

We have to show \(num\left (\boldsymbol {g}, \mathcal {E}_{i}^{j}\right )=num\left (\boldsymbol {g}, \gamma _{i+1}^{j}\cap \delta _{i}^{\mathcal {R}}\right )\). Let k be as defined above. If i<k then \(num\left (\boldsymbol {g}, \mathcal {E}_{i}^{j}\right )=0\) and \(num\left (\boldsymbol {g}, \gamma _{i+1}^{j}\right )=0\) because k is the smallest origin transition of g registered in \(msg_{\mathcal {R}}^{j}\). If j≤i then \(\mathcal {E}_{i}^{j}=\mathcal {E}_{i}^{j+1}\) and \(\gamma _{i+1}^{j} =\gamma _{i+1}^{j+1}\) because in \(msg_{\mathcal {R}}^{j}\backslash msg_{\mathcal {R}}^{j+1}\) we do not register the sending of messages in j. Next, we consider the case k≤i<j. A first observation is that by choice of k, we have \(num\left (\boldsymbol {g}, \gamma _{i+1}^{j}\right )\geq 1\). Hence, it suffices to show \(num\left (\boldsymbol {g}, {\mathcal {E}_{i}^{j}}\right )=num\left (\boldsymbol {g},{\delta _{i}^{\mathcal {R}}}\right )\). If i=k then both \(num\left (\boldsymbol {g},{\delta _{i}^{\mathcal {R}}}\right )=1\) and \(num\left (\boldsymbol {g},{\mathcal {E}_{i}^{j}}=1\right )\) hold. Now only the more specific case k<i<j remains, which we divide in two subcases.

If there is no triple \((k_{0}, \boldsymbol {g}, l)\in msg_{\mathcal {R}}^{j+1}\) with k ₀<j, then because k<i<j, by choice of k, the message g is not sent in transition i. This gives \(num\left (\boldsymbol {g}, \delta _{i}^{\mathcal {R}}\right )=0\). Consequently g was never registered as being sent from transition i, giving \(num\left (\boldsymbol {g}, \mathcal {E}_{i}^{j}\right )=0\), as desired.

Now suppose that k ₀ exists. If k<i<k ₀ then, again like the previous case, we have \(num\left (\boldsymbol {g}, \delta _{i}^{\mathcal {R}}\right )\! =\! 0\) and \(num\left (\boldsymbol {g}, \mathcal {E}_{i}^{j}\right )\! =\! 0\). Suppose k ₀ ≤ i < j. We have \(num\left (\boldsymbol {g}, \gamma _{i+1}^{j+1}\right )\geq 1\) because \((k_{0}, \boldsymbol {g}, l)\in msg_{\mathcal {R}}^{j+1}\) for some l with j<l. Moreover, since \(num\left (\boldsymbol {g}, \mathcal {E}_{i}^{j+1}\right )=num\left (\boldsymbol {g}, \gamma _{i+1}^{j+1}\cap \delta _{i}^{\mathcal {R}}\right )\) by the induction hypothesis, we obtain \(num\left (\boldsymbol {g}, \mathcal {E}_{i}^{j+1}\right )=num\left (\boldsymbol {g}, \delta _{i}^{\mathcal {R}}\right )\). Lastly, we have \(num\left (\boldsymbol {g}, \mathcal {E}_{i}^{j}\right )=num\left (\boldsymbol {g}, \mathcal {E}_{i}^{j+1}\right )\) because k<i. Hence, \(num\left (\boldsymbol {g}, \mathcal {E}_{i}^{j}\right )=num\left (\boldsymbol {g}, \delta _{i}^{\mathcal {R}}\right )\).

1.1.3 B.1.3 Claims

Claim B.1

Suppose we are in transition j of the inductive construction, with \(hist_{\mathcal {R}}^{j+1}\) and \(msg_{\mathcal {R}}^{j+1}\) already defined, satisfying the induction properties. Let g ∈β. Suppose there is a transition index k ₀ of \(\mathcal {R}\) such that \((k_{0}, \boldsymbol {g}, l) \in msg_{\mathcal {R}}^{j+1}\) and k ₀ <j. Assume that k ₀ is the smallest such index. For each transition i∈{j,j−1,…,k ₀ }, we have \(num\left (\boldsymbol {g}, \gamma _{i}^{j+1}\right )<num\left (\boldsymbol {g}, b_{i}^{\mathcal {R}}\right )\).

Proof

We show this by backward induction on i=j, j−1, …,k ₀. To increase readability, we will abbreviate j+1 as the prime symbol \(\prime \). So, \(\gamma _{i}^{j+1}, \mathcal {E}_{i}^{j+1}\), and \(msg_{\mathcal {R}}^{j+1}\) become respectively \(\gamma _{i}^{\prime }, \mathcal {E}_{i}^{\prime }\), and \(msg_{\mathcal {R}}^{\prime }\).

For the base case, i=j, we have to show \(num\left (\boldsymbol {g}, \gamma _{i}^{\prime }\right ) <num\left (\boldsymbol {g}, b_{i}^{\mathcal {R}}\right )\). If we can show \(num\left (\boldsymbol {g}, \gamma _{i}^{\prime }\right )\leq num\left (\boldsymbol {g}, \gamma _{i+1}^{\prime }\backslash \delta _{i}^{\mathcal {R}}\right )\), then by applying the induction property \(\gamma _{i+1}^{\prime }\sqsubseteq b_{i+1}^{\mathcal {R}}\) on \(msg_{\mathcal {R}}^{\prime }\), we obtain \(num\left (\boldsymbol {g}, \gamma _{i}^{\prime }\right )\leq num\left (\boldsymbol {g}, b_{i+1}^{\mathcal {R}}\backslash \delta _{i}^{\mathcal {R}}\right )\). And using \(b_{i+1}^{\mathcal {R}}\backslash \delta _{i}^{\mathcal {R}}=b_{i}^{\mathcal {R}}\backslash m_{i}^{\mathcal {R}}\) (by the operational semantics), we get \(num\left (\boldsymbol {g}, \gamma _{i}^{\prime }\right )\leq num\left (\boldsymbol {g}, b_{i}^{\mathcal {R}}\backslash m_{i}^{\mathcal {R}}\right )\). Lastly, because \(m_{i}^{\mathcal {R}}\sqsubseteq b_{i}^{\mathcal {R}}\) and \(num\left (\boldsymbol {g}, m_{i}^{\mathcal {R}}\right )>1\) (indeed, \(\boldsymbol {g}\in \beta \sqsubseteq m_{j}^{\mathcal {R}}=m_{i}^{\mathcal {R}}\)), we obtain \(num\left (\boldsymbol {g}, \gamma _{i}^{\prime }\right ), <num\left (\boldsymbol {g}, b_{i}^{\mathcal {R}}\right )\), as desired.

We are left to show \(num\left (\boldsymbol {g}, \gamma _{i}^{\prime }\right ), \leq num\left (\boldsymbol {g}, \gamma _{i+1}^{\prime }\backslash \delta _{i}^{\mathcal {R}}\right )\). Because in \(msg_{\mathcal {R}}^{\prime }\) no needed messages are registered for transition j (and smaller), it must be \(num\left (\boldsymbol {g}, \gamma _{i}^{\prime }\right ), =num\left (\boldsymbol {g}, \gamma _{i+1}^{\prime }\backslash \mathcal {E}_{i}^{\prime }\right )\). If we can show \(num\left (\boldsymbol {g}, \mathcal {E}_{i}^{\prime }\right )=num\left (\boldsymbol {g}, \delta _{i}^{\mathcal {R}}\right )\), then we are ready. It actually suffices to show \(\boldsymbol {g}\in \gamma _{i+1}^{\prime }\), because then \(num\left (\boldsymbol {g}, \mathcal {E}_{i}^{\prime }\right )=num\left (\boldsymbol {g}, \delta _{i}^{\mathcal {R}}\right )\) follows from the induction property \(\mathcal {E}_{i}^{\prime }=\gamma _{i+1}^{\prime }\cap \delta _{i}^{\mathcal {R}}\) of \(msg_{\mathcal {R}}^{\prime }\).

We show \(\boldsymbol {g}\in \gamma _{i+1}^{\prime }\). By definition of k ₀, there is a triple \((k_{0}, \boldsymbol {g}, l)\in msg_{\mathcal {R}}^{\prime }\) for some l. Again, because in \(msg_{\mathcal {R}}^{\prime }\) no needed messages are registered for transition j and smaller, it must be j<l or equivalently j+1=i+1≤l. Hence, \(\boldsymbol {g}\in \gamma _{i+1}^{\prime }\) by definition of \(\gamma _{i+1}^{\prime }\).

For the induction hypothesis, suppose that \(num\left (\boldsymbol {g}, \gamma _{i+1}^{\prime }\right )<num\left (\boldsymbol {g}, b_{i+1}^{\mathcal {R}}\right )\). We show \(num\left (\boldsymbol {g}, \gamma _{i}^{\prime }\right )<num\left (\boldsymbol {g}, b_{i}^{\mathcal {R}}\right )\). We proceed similarly as in the base case, but the strictness “ <” is obtained differently.

First, by definition of k ₀, we have \((k_{0}, \boldsymbol {g}, l)\! \in \! msg_{\mathcal {R}}^{j+1}\) for some l. Like above, we have j < l. Hence, k ₀ ≤ i<l or equivalently k ₀<i+1≤l and thus \(num\left (\boldsymbol {g}, \gamma _{i+1}^{\prime }\right )\geq 1\). Because \(\delta _{i}^{\mathcal {R}}\) is a set, if we can show \(num\left (\boldsymbol {g}, \gamma _{i}^{\prime }\right )\leq num\left (\boldsymbol {g}, \gamma _{i+1}^{\prime }\backslash \delta _{i}^{\mathcal {R}}\right )\), then the induction hypothesis gives \(num\left (\boldsymbol {g}, \gamma _{i}^{\prime }\right ) <num\left (\boldsymbol {g}, b_{i+1}^{\mathcal {R}}\backslash \delta _{i}^{\mathcal {R}}\right )\). By the operational semantics we would further obtain \(num\left (\boldsymbol {g}, \gamma _{i}^{\prime }\right ) <num\left (\boldsymbol {g}, b_{i}^{\mathcal {R}}\backslash m_{i}^{\mathcal {R}}\right )\leq num\left (\boldsymbol {g}, b_{i}^{\mathcal {R}}\right )\), as desired.

Showing \(num\left (\boldsymbol {g}, \gamma _{i}^{\prime }\right ) \leq num\left (\boldsymbol {g}, \gamma _{i+1}^{\prime }\backslash \delta _{i}^{\mathcal {R}}\right )\) is like in the base case. □

Claim B.2

Let \(\mathcal {R}\) be a run of \(\boldsymbol {\mathcal {N}}\) on I. Let hist and \(msg_{\mathcal {R}}\) be as defined in Section 5.3 . Let i be a transition index of \(\mathcal {R}\) . We have \(\gamma _{i+1}=(\gamma _{i}\backslash \beta _{i})\cup \mathcal {E}_{i}\) (multiset difference and union).

Proof

Let g be a fact. We show \(num(\boldsymbol {g}, \gamma _{i+1})=num(\boldsymbol {g}, (\gamma _{i}\backslash \beta _{i})\cup \mathcal {E}_{i})\).

First, n u m(g,γ _i+1) is, by definition of γ _i+1, the number of triples \((j, \boldsymbol {g}, k)\in msg_{\mathcal {R}}\) for which j<i+1 and i+1≤k. Hence, n u m(g,γ _i+1)=e ₁+e ₂, where

• e ₁ is the number of triples \((j, \boldsymbol {g}, k) \in msg_{\mathcal {R}}\) for which j<i and i+1≤k, and,

• e ₂ is the number of triples \((j, \boldsymbol {g}, k) \in msg_{\mathcal {R}}\) for which j=i and i+1≤k.

Regarding e ₂, since always j<k, the equality j=i already implies i+1≤k. So, e ₂ simplifies to the number of triples \((i, \boldsymbol {g}, k) \in msg_{\mathcal {R}}\), or equivalently \(e_{2}=num(\boldsymbol {g}, \mathcal {E}_{i})\). If we would know that e ₁=n u m(g,γ _i ∖β _i ) then overall we would obtain, as desired:

$$\begin{array}{@{}rcl@{}}num(\boldsymbol{g}, \gamma_{i+1}) & = & num(\boldsymbol{g}, \gamma_{i}\backslash\beta_{i})+num(\boldsymbol{g}, \mathcal{E}_{i})\\ & = & num(\boldsymbol{g}, (\gamma_{i}\backslash\beta_{i})\cup\mathcal{E}_{i}). \end{array} $$

Now we show e ₁=n u m(g,γ _i ∖β _i ). Using that i+1≤k is equivalent to i<k, we have e ₁=f ₁−f ₂, where

• f ₁ is the number of triples \((j, \boldsymbol {g}, k) \in msg_{\mathcal {R}}\) for which j<i and i≤k, and,

• f ₂ is the number of triples \((j, \boldsymbol {g}, k) \in msg_{\mathcal {R}}\) for which j<i and i=k (or simply i=k because always j<k).

By definition of γ _i and β _i , we have f ₁=n u m(g,γ _i ) and f ₂=n u m(g,β _i ). Lastly, because n u m(g,β _i )≤n u m(g,γ _i ), we obtain

$$\begin{array}{@{}rcl@{}}e_{1} & = & num(\boldsymbol{g}, \gamma_{i})-num(\boldsymbol{g}, \beta_{i})\\ & = & num(\boldsymbol{g}, \gamma_{i}\backslash\beta_{i}). \end{array} $$

□

1.2 B.2 Details of Section 5.4

Claim B.3

Let the transitions of \(\mathcal {S}\) be defined up to and including transition i. If \(\gamma _{i}\sqsubseteq b_{i}^{\mathcal {S}}\) then \(\beta _{i}\subseteq \left (m_{i}^{\mathcal {S}}\right )\).

Proof

By definition, \( m_{i}^{\mathcal {S}} =\left (b_{i}^{\mathcal {S}} \backslash (\gamma _{i}\backslash \beta _{i})\right )\cap m_{i}^{\mathcal {R}}\). Let g∈β _i . It is sufficient to show that \(num\left (\boldsymbol {g}, b_{i}^{\mathcal {S}} \backslash (\gamma _{i}\backslash \beta _{i})\right )\geq 1\) and \(num\left (\boldsymbol {g}, m_{i}^{\mathcal {R}}\right )\geq 1\).

We show that \(num\left (\boldsymbol {g}, b_{i}^{\mathcal {S}}\backslash (\gamma _{i}\backslash \beta _{i})\right )\geq 1\). It is sufficient to show \(num\left (\boldsymbol {g}, b_{i}^{\mathcal {S}}\right )\geq 1\) and \(num(\boldsymbol {g}, \gamma _{i}\backslash \beta _{i})<num\left (\boldsymbol {g}, b_{i}^{\mathcal {S}} \right )\). First, because β _i is a set (property of \(msg_{\mathcal {R}}\)), and g∈β _i , we have n u m(g,β _i )=1. Also, the given assumption \(\gamma _{i}\sqsubseteq b_{i}^{\mathcal {S}} \) implies \(num(\boldsymbol {g}, \gamma _{i}) \leq num\left (\boldsymbol {g}, b_{i}^{\mathcal {S}}\right )\).

• We show \(num\left (\boldsymbol {g}, b_{i}^{\mathcal {S}}\right ) \geq 1\). From the definition of β _i and γ _i , we have n u m(g,β _i )≤n u m(g,γ _i ). And since n u m(g,β _i )=1 and \(num(\boldsymbol {g}, \gamma _{i})\leq num\left (\boldsymbol {g}, b_{i}^{\mathcal {S}} \right )\), we obtain \(num\left (\boldsymbol {g}, b_{i}^{\mathcal {S}} \right )\geq 1\).

• We show \(num(\boldsymbol {g}, \gamma _{i}\backslash \beta _{i})<num\left (\boldsymbol {g}, b_{i}^{\mathcal {S}}\right )\). Since n u m(g,β _i )=1 and n u m(g,β _i )≤n u m(g,γ _i ), we have n u m(g,γ _i ∖β _i )<n u m(g,γ _i ). Combined with \(num(\boldsymbol {g}, \gamma _{i})\leq num\left (\boldsymbol {g}, b_{i}^{\mathcal {S}}\right )\), we obtain \(num(\boldsymbol {g}, \gamma _{i}\backslash \beta _{i})<num\left (\boldsymbol {g}, b_{i}^{\mathcal {S}}\right )\).

We are left to show that \(num\left (\boldsymbol {g}, m_{i}^{\mathcal {R}}\right )\geq 1\). By definition of g∈β _i , there is a triple \((k, \boldsymbol {g}, l) \in msg_{\mathcal {R}}\) with l=i. Hence, by construction of \(msg_{\mathcal {R}}\), we have \(num\left (\boldsymbol {g}, m_{i}^{\mathcal {R}}\right )\geq 1\). □

Claim B.4

Let \(\mathcal {R}\) be a run of \(\boldsymbol {\mathcal {N}}\) on input I. Suppose a run \(\mathcal {S}\) of \(\boldsymbol {\mathcal {N}}\) on J has the properties that (i) \(last({\mathcal {S}})\) and \(last(\mathcal {R})\) contain the same output and memory C-facts, and, (ii) the message buffer of \(last({\mathcal {S}})\) is a submultiset of the message buffer in \(last(\mathcal {R})\) . Then, for every extension \(\mathcal {S}^{\prime }\) of \(\mathcal {S}\) , there is an extension \(\mathcal {R}^{\prime }\) of \(\mathcal {R}\) such that \(last(\mathcal {S}^{\prime })\) and \(last(\mathcal {R}^{\prime })\) again contain precisely the same output and memory C-facts.

Proof

Let \(\mathcal {S}^{\prime }\) be an extension of \(\mathcal {S}\) that does m new transitions after those of \(\mathcal {S}\), with m≥1. The idea is to extend \(\mathcal {R}\) by also doing m new transitions, in each of which we do the same message deliveries as in the corresponding transition in the extension of \(\mathcal {S}\). This results in run \(\mathcal {R}^{\prime }\).

For each i∈{1,…,m+1}, let \(\rho _{i}=\left (s_{i}^{\mathcal {R}},b_{i}^{\mathcal {R}}\right )\) and \(\sigma _{i}=\left (s_{i}^{\mathcal {S}},b_{i}^{\mathcal {S}}\right )\) denote the ith configuration in the extension of respectively \(\mathcal {R}\) and \(\mathcal {S}\), with \(\rho _{1}=last(\mathcal {R})\) and \(\sigma _{1}=last(\mathcal {S})\). We show by induction on i∈{1,…,m+1} that (i) σ _i and ρ _i contain the same output and memory C-facts, and, (ii) the message buffer of σ _i is a submultiset of the message buffer of ρ _i . This second property helps us deliver the same messages in the extension of \(\mathcal {R}\) as done in the extension of \(\mathcal {S}\).

For the base case, these properties hold because \(\rho _{1}=last(\mathcal {R})\) and \(\sigma _{1}=last(\mathcal {S})\). Assuming the properties hold for configuration i with i≥1, for the inductive step we show that they can be satisfied in configuration i+1. Recall that transition i is responsible for transforming configuration i into configuration i+1. Now, in transition i of \(\mathcal {R}^{\prime }\) we deliver the same message multiset as in transition i of \(\mathcal {S}^{\prime }\), which is possible by induction property (i i).

We show that σ _i+1 and ρ _i+1 have the same output and memory C-facts. To show that the C-facts of σ _i+1 are a subset of those in ρ _i+1, we can apply Claim B.6 (property 1). To show the reverse inclusion, let g be a newly derived C-fact in transition i of \(\mathcal {R}^{\prime }\). We show that g is also created in transition i of \(\mathcal {S}^{\prime }\). Let (φ,V) be a derivation pair for g in transition i of \(\mathcal {R}^{\prime }\). We show that V is also satisfying for φ in transition i of \(\mathcal {S}^{\prime }\).

• Let \(\boldsymbol {h}\in V(pos^{\varphi })|_{\varUpsilon _{\textnormal {in}}}\). We have to show h∈J. Suppose we would know that \(adom(\boldsymbol {h})\subseteq adom (J)\). Then, since h∈I (because V is satisfying for φ in \(\mathcal {R}^{\prime }\)) and J=I ^[adom(J)] (Claim B.5), we have h∈J, as desired.

  Now we show that \(adom(\boldsymbol {h})\subseteq adom (J)\). Let \(\boldsymbol a\in pos^{\varphi }|_{\varUpsilon _{\textnormal {in}}}\) be an atom such that V(a)=h. A variable in a is either free or bound. If is free then V()∈C because g is a C-fact, and thus V()∈a d o m(J) because \(C\subseteq adom(K_{1})\subseteq adom (J)\). Next, if is bound then by message-boundedness of φ, value V() occurs in a delivered message during transition i of \(\mathcal {R}^{\prime }\). But this message is also delivered during transition i of \(\mathcal {S}^{\prime }\), and because values in messages of \(\mathcal {S}^{\prime }\) are restricted to a d o m(J), value V() occurs in a d o m(J).

• Let \(\boldsymbol {h}\in V(neg^{\varphi })|_{\varUpsilon _{\textnormal {in}}}\). We have to show h∉J. This follows from h∉I (since V is satisfying for φ in \(\mathcal {R}^{\prime }\)) and \(J\subseteq I\).

• Recall that φ is message-positive. Because V is satisfying for φ during transition i of \(\mathcal {R}^{\prime }\), each message \(\boldsymbol {h}\in V(pos^{\varphi })|_{\varUpsilon _{\textnormal {msg}}}\) is delivered during that transition. By definition of the message deliveries in \(\mathcal {R}^{\prime }\), these messages are also delivered in transition i of \(\mathcal {S}^{\prime }\).

• Let \(\boldsymbol {h}\in V(pos^{\varphi })|_{\varUpsilon _{\text {out}}\cup \varUpsilon _{\text {mem}}}\). We have to show that h is in σ _i . Because g is a C-fact, the message-boundedness of φ implies that h is a C-fact. And because V is satisfying for φ in \(\mathcal {R}^{\prime }\), h is in ρ _i . By the induction hypothesis, ρ _i and σ _i have the same output and memory C-facts. Hence, h is in σ _i . Similarly we can show for each \(\boldsymbol {h}\in V(neg^{\varphi })|_{\varUpsilon _{\text {out}}\cup \varUpsilon _{\text {mem}}}\) that h is not in σ _i .

• Because the nonequalities of φ are satisfied under V in \(\mathcal {R}^{\prime }\), they are also satisfied in \(\mathcal {S}^{\prime }\).

We conclude that V is satisfying for φ during transition i of \(\mathcal {S}^{\prime }\). Hence, g∈σ _i+1.

We show \(b_{i+1}^{\mathcal {S}}\sqsubseteq b_{i=1}^{\mathcal {R}}\). Let m denote the message multiset delivered in transition i. Let \(\delta _{i}^{\mathcal {R}}\) and \(\delta _{i}^{\mathcal {S}} \) denote the message sets sent in new transition i of \(\mathcal {R}^{\prime }\) and \(\mathcal {S}^{\prime }\) respectively. The operational semantics implies that \(b_{i+1}^{\mathcal {R}}=(b_{i}^{\mathcal {R}}\backslash m)\cup \delta _{i}^{\mathcal {R}}\) and \(b_{i+1}^{\mathcal {S}}=(b_{i}^{\mathcal {S}} \backslash m)\cup \delta _{i}^{\mathcal {S}} \) (multiset difference and union). The desired inclusion \(b_{i+1}^{\mathcal {S}}\sqsubseteq b_{i+1}^{\mathcal {R}}\) follows from \((b_{i}^{\mathcal {S}} \backslash m)\sqsubseteq (b_{i}^{\mathcal {R}}\backslash m)\) (by the induction hypothesis) and \(\delta _{i}^{\mathcal {S}} \subseteq \delta _{i}^{\mathcal {R}}\) (by Claim B.6, property 2). □

Claim B.5

The instance J satisfies J=I ^[adom(J)].

Proof

This is because (i) \(J\subseteq I\) implies \(J\subseteq I^{[adom(J)]}\), and (ii), since \(adom(J)\subseteq adom(K_{1})\cup adom(K_{2})\), we have

$$I^{[adom(J)]}\subseteq I^{[adom(K_{1})\cup~adom(K_{2})]}= J. $$

□

Claim B.6

Let \(\mathcal {R}\) be a run of \(\boldsymbol {\mathcal {N}}\) on I and let \(\mathcal {S}\) be a run of \(\boldsymbol {\mathcal {N}}\) on J. Let i and j be a transition index of respectively \(\mathcal {R}\) and \(\mathcal {S}\) . For transition i of \(\mathcal {R}\) , let ρ _i , \(m_{i}^{\mathcal {R}}\) , and ρ _i+1 , respectively denote the begin-configuration, the delivered messages, and the end-configuration. For transition j of \(\mathcal {S}\) we similarly define \(\sigma _j, m_{j}^{\mathcal {S}}\) , and σ _j+1 .

Suppose that (i) ρ _i and σ _j have the same output and memory C-facts, and, (ii) \( m_{j}^{\mathcal {S}}\sqsubseteq m_{i}^{\mathcal {R}}\) . The following properties hold:

1. 1.

   The output and memory C-facts of σ _j+1 are a subset of those in ρ _i+1 .

2. 2.

   The messages sent in transition j of \(\mathcal {S}\) are a subset of those sent in transition i of \(\mathcal {R}\) .

Proof

The two properties are shown below.

Let g be an output or memory C-fact that is newly derived during transition j of \(\mathcal {S}\), by means of a derivation pair (φ,V). We show that V is also satisfying for φ during transition i of \(\mathcal {R}\).

• Let \(\boldsymbol {h}\in V(pos^{\varphi })|_{\varUpsilon _{\textnormal {in}}}\). We have to show h∈I. This follows from h∈J (since V is satisfying for φ in \(\mathcal {S}\)) and \(J\subseteq I\) (by construction of J).

• Let \(\boldsymbol {h}\in V(neg^{\varphi })|_{\varUpsilon _{\textnormal {in}}}\). We have to show h∉I. Since V is satisfying for φ in \(\mathcal {S}\), we have h∉J. Since V can only assign values from a d o m(J), we have \(adom(\boldsymbol {h})\subseteq adom(J)\). So, if h∈I then h∈I ^[adom(J)]=J (Claim B.5), which is false. Hence, h∉I.

• Recall that φ is message-positive. Let \(\boldsymbol {h}\in V(pos^{\varphi })|_{\varUpsilon _{\textnormal {msg}}}\). We have to show that \(\boldsymbol {h}\in m_{i}^{\mathcal {R}}\). Because V is satisfying for φ in \(\mathcal {S}\), we have \(\boldsymbol {h}\in m_{i}^{\mathcal {S}} \sqsubseteq m_{i}^{\mathcal {R}}\).

• Let \(\boldsymbol {h}\in V(pos^{\varphi })|_{\varUpsilon _{\textnormal {out}}\cup \varUpsilon _{\textnormal {mem}}}\). We have to show that h is in ρ _i . Because g is a C-fact, the message-boundedness of φ implies that h is a C-fact. Moreover, because V is satisfying for φ, fact h is a C-fact in σ _j and thus by assumption also in ρ _i .

  We can similarly show for each \(\boldsymbol {h}\in V(neg^{\varphi })|_{\varUpsilon _{\textnormal {out}}\cup \varUpsilon _{\textnormal {mem}}}\) that h∉ρ _i .

• Lastly, because the nonequalities of φ are satisfied under V in \(\mathcal {S}\), they are also satisfied under V in \(\mathcal {R}\).

We obtain that V is satisfying for φ during transition i of \(\mathcal {R}\). Hence, g is in ρ _i+1.

Let g be a message sent in transition j of \(\mathcal {S}\), by means of a derivation pair (φ,V). We show that V is also satisfying for φ during transition i of \(\mathcal {R}\). Because send rules are static, we only have to reason about input and message body atoms of φ. For these body atoms, the proof of property 1 above can actually be applied verbatim to show (i) for each \(\boldsymbol {h}\in V(pos^{\varphi })|_{\varUpsilon _{\textnormal {in}}}\) and \(\boldsymbol {h}\in V(neg^{\varphi })|_{\varUpsilon _{\textnormal {in}}}\) that respectively h∈I and h∉I; and (i i) for each \(\boldsymbol {h}\in V(pos^{\varphi })|_{\varUpsilon _{\textnormal {msg}}}\) that h is delivered in transition i of \(\mathcal {R}\). □

Appendix C: Decidability

1.1 C.1 Details of Section 6.1.2

Claim C.1

Let f be an output fact created in some run of \(\boldsymbol {\mathcal {N}}\) on an input I. Denote C=adom( f). Let \(\mathcal {R}\) be an arbitrary run of \(\boldsymbol {\mathcal {N}}\) on input I. There exists a run \(\mathcal {S}\) of \(\boldsymbol {\mathcal {N}}\) on input I with at most r u n L e n transitions and such that \(last(\mathcal {S})\) contains precisely the same output and memory C-facts as \(last(\mathcal {R})\).

Proof

We start by sketching the approach. Like in Section 5.3, we can “mark” the transitions where the output and memory C-facts are created, and also the transitions where any message is sent that is recursively needed by such a C-fact. This gives us the function \(hist_{\mathcal {R}}\) and the set \(msg_{\mathcal {R}}\) as defined there (satisfying the properties of Section 5.3.2). Since each C-fact requires at most b ^p messages by recursion-freeness, at most cb ^p+c=r u n L e n transitions are marked this way. The maximum would be reached if each C-fact requires a unique set of messages. Let \(\mathcal {M}\) denote the marked transition indices of \(\mathcal {R}\). Intuitively, the new run \(\mathcal {S}\) does only the marked transitions, so \(|\mathcal {M}|\) in total.

We also need some extra notations. We write \(\rho _{i}=(s_{i}^{\mathcal {R}},b_{i}^{\mathcal {R}})\) and \(\sigma _{i}=(s_{i}^{\mathcal {S}}, b_{i}^{\mathcal {S}} )\) to denote the begin-configuration of transition i in \(\mathcal {R}\) and \(\mathcal {S}\) respectively. For transition i of \(\mathcal {R}\), let γ _i be as defined in Section 5.3.2, based on \(msg_{\mathcal {R}}\). Denote \(n=|\mathcal {M}|\). We can order the transitions of \(\mathcal {M}\) in ascending order, and we write \(\mathcal {M}(i)\) to denote the transition index of \(\mathcal {M}\) at ordinal i in this ordering, with i∈{1,…,n}. For uniformity, we define \(\mathcal {M}(n+1)=n^{\prime }+1\), with \(n^{\prime }\) the last transition index of \(\mathcal {R}\).

Now, by induction on the configurations, we construct \(\mathcal {S}\) so that each configuration index i∈{1,…,n+1} satisfies the following properties:

• \(s_{i}^{\mathcal {S}}\) contains the same output and memory C-facts as \(s_{\mathcal {M}(i)}^{\mathcal {R}}\); and,

• \(\gamma _{\mathcal {M}(i)}\) is a submultiset of \(b_{i}^{\mathcal {S}}\).

Then, the last configuration \(s_{n+1}^{\mathcal {S}}\) contains the same output and memory C-facts as \(s_{\mathcal {M}(n+1)}^{\mathcal {R}}=s_{n^{\prime }+1}^{\mathcal {R}}\), which is the last configuration of \(\mathcal {R}\), as desired. The second induction property helps in showing the first induction property.

For the base case (i=1), we have \(s_{1}^{\mathcal {S}}=\emptyset \) because σ ₁ is the start configuration of \(\mathcal {S}\). Moreover, \(s_{\mathcal {M}(1)}^{\mathcal {R}}\) can not contain any output and memory C-facts because \(\mathcal {M}(1)\) is the first marked transition, and thus the C-facts are created in or after transition \(\mathcal {M}(1)\). A similar reasoning applies to needed messages: \(\gamma _{\mathcal {M}(1)}=\emptyset \), which is a submultiset of \(b_{1}^{\mathcal {S}}\).

For the induction hypothesis, we assume that the properties hold for configuration σ _i of \(\mathcal {S}\), with i≥1 (and i≤n). Abbreviate \(j=\mathcal {M}(i)\) and let β _j be as in Section 5.3.2. We define transition i of \(\mathcal {S}\) to deliver precisely set β _j . Note that we can deliver β _j because \(\gamma _{j}\sqsubseteq b_{i}^{\mathcal {S}} \) (induction hypothesis) and \(\beta _{j}\sqsubseteq \gamma _{j}\) (follows from their definition).¹⁴ We now show that the induction properties are satisfied for configuration σ _i+1.

Abbreviate \(k=\mathcal {M}(i+1)\). We have to show that \(s_{i+1}^{\mathcal {S}}\) and \(s_{k}^{\mathcal {R}}\) contain the same output and memory C-facts. We have j<k (because \(\mathcal {M}(i)<\mathcal {M}(i+1)\)). Also, there are no other marked transitions between j and k, so no new output and memory C-facts are created between j and k. Finally, inflationarity implies that \(s_{j+1}^{\mathcal {R}}\) and \(s_{k}^{\mathcal {R}} \) contain precisely the same output and memory C-facts. Hence, it is sufficient to show that \(s_{i+1}^{\mathcal {S}}\) and \(s_{j+1}^{\mathcal {R}}\) contain the same output and memory C-facts.

First, let g be an output or memory C-fact in \(s_{i+1}^{\mathcal {S}}\). We show that \(\boldsymbol {g}\in s_{j+1}^{\mathcal {R}}\). If \(\boldsymbol {g}\in s_{i}^{\mathcal {S}} \) then by the induction hypothesis \(\boldsymbol {g}\in s_{j}^{\mathcal {R}} \subseteq s_{j+1}^{\mathcal {R}}\). Now suppose \(\boldsymbol {g}\in s_{i+1}^{\mathcal {S}}\backslash s_{i}^{\mathcal {S}} \). Let (φ,V) be a derivation pair for g in transition i of \(\mathcal {S}\). We show that V is also satisfying for φ in transition j of \(\mathcal {R}\).

• Since \(\mathcal {S}\) and \(\mathcal {R}\) are given the same input, the input literals in the body of φ are satisfied under V in transition j of \(\mathcal {R}\) as well.

• Let \(\boldsymbol {h}\in V(pos^{\varphi })|_{\varUpsilon _{\textnormal {msg}}}\). Since V is satisfying for φ in transition i of \(\mathcal {S}\), it must be h∈β _j . By construction of \(msg_{\mathcal {R}}\), the set β _j is delivered in transition j of \(\mathcal {R}\), as desired.

• Since \(s_{i}^{\mathcal {S}} \) and \(s_{j}^{\mathcal {R}} \) contain the same output and memory C-facts (induction hypothesis), message-boundedness of φ implies that the output and memory literals of φ are satisfied under V in transition j of \(\mathcal {R}\).

• Finally, the nonequalities of φ under V are also satisfied in transition j of \(\mathcal {R}\) because they are satisfied in transition i of \(\mathcal {S}\).

Let g be an output or memory C-fact in \(s_{j+1}^{\mathcal {R}}\). Similarly to the above, if \(\boldsymbol {g}\in s_{j}^{\mathcal {R}} \) then by the induction hypothesis \(\boldsymbol {g}\in s_{i}^{\mathcal {S}} \subseteq s_{i+1}^{\mathcal {S}}\). Because g is an output or memory C-fact, the mapping \(hist_{\mathcal {R}}(j,\boldsymbol {g})=(\varphi , V)\) is defined. We show that V is also satisfying for φ in transition i of \(\mathcal {S}\). The reasoning for nonequalities and input, output, and memory literals of φ is the same as above for the case \(\boldsymbol {g}\in s_{i+1}^{\mathcal {S}}\backslash s_{i}^{\mathcal {S}} \). Let \(\boldsymbol {h}\in V(pos^{\varphi })|_{\varUpsilon _{\textnormal {msg}}}\). Then h is a message needed by (φ,V), and thus g∈β _j by construction of \(msg_{\mathcal {R}}\). Hence, h is delivered in transition i of \(\mathcal {S}\).

We have to show \(\gamma _{\mathcal {M}(i+1)}\sqsubseteq b_{i+1}^{\mathcal {S}}\). Abbreviate \(j=\mathcal {M}(i)\) and \(k=\mathcal {M}(i+1)\). We have j+1≤k because j<k. We start by showing γ _j+1=γ _k , so it becomes sufficient to show \(\gamma _{j+1}\sqsubseteq b_{i+1}^{\mathcal {S}}\).

Let g be a fact. We show n u m(g,γ _j+1)≤n u m(g,γ _k ). By definition of γ _j+1, expression n u m(g,γ _j+1) is the number of triples \((a, \boldsymbol {g}, b) \in msg_{\mathcal {R}}\) for which a<j+1≤b. Let (a,g,b) be such a triple. It is sufficient to show that a<k≤b. We have a<k because a<j+1 and j+1≤k. Secondly, if b<k then a needed message is delivered at transition b of \(\mathcal {R}\), implying \(b\in \mathcal {M}\), which is impossible because j<b<k and there are no marked transitions between j and k. Hence, k≤b.

Let g be a fact. We show n u m(g,γ _k )≤n u m(g,γ _j+1). This is similar to the previous direction, but there are also some differences. By definition of γ _k , expression n u m(g,γ _k ) is the number of triples \((a, \boldsymbol {g}, b)\in msg_{\mathcal {R}}\) for which a<k≤b. Let (a,g,b) be such a triple. It is sufficient to show that a<j+1≤b. We have j+1≤b because j+1≤k and k≤b. Secondly, if j+1≤a then a needed message would be sent at transition a of \(\mathcal {R}\), implying \(a\in \mathcal {M}\), which is impossible because j<a<k and there are no marked transitions between j and k. Hence, a<j+1.

Lastly, we show that \(\gamma _{j+1}\sqsubseteq b_{i+1}^{\mathcal {S}}\). Using Claim B.2, we have \(\gamma _{j+1}=(\gamma _{j}\backslash \beta _{j})\cup \mathcal {E}_{j}\). Let \(\delta _{i}^{\mathcal {S}} \) denote the set of messages sent during transition i of \(\mathcal {S}\). The operational semantics implies \(b_{i+1}^{\mathcal {S}}=(b_{i}^{\mathcal {S}}\backslash \beta _{j})\cup \delta _{i}^{\mathcal {S}}\). It is sufficient to show \(\gamma _{j}\backslash \beta _{j}\sqsubseteq b_{i}^{\mathcal {S}} \backslash \beta _{j}\) and \(\mathcal {E}_{j}\subseteq \delta _{i}^{\mathcal {S}} \). The first inclusion follows from the induction hypothesis \(\gamma _{j}\sqsubseteq b_{i}^{\mathcal {S}} \). Now, let \(\boldsymbol {g}\in \mathcal {E}_{j}\). We show \(\boldsymbol {g}\in \delta _{i}^{\mathcal {S}}\). By definition of \(\mathcal {E}_{j}\), there is a triple \((j, \boldsymbol {g}, b)\in msg_{\mathcal {R}}\). So, g is a needed message that should be sent in transition j of \(\mathcal {R}\). Hence, \(hist_{\mathcal {R}}(j, \boldsymbol {g})=(\varphi , V)\) is defined. We show that V is satisfying for φ during transition i of \(\mathcal {S}\), so that \(\boldsymbol {g}\in \delta _{i}^{\mathcal {S}}\). Because φ is static, we only consider the input and message literals, where the latter are positive by message-positivity. The input literals of φ are satisfied under V in transition i of \(\mathcal {S}\), because they are satisfied in transition j of \(\mathcal {R}\) and because both runs have the same input. Now, let \(\boldsymbol {h}\in V(pos^{\varphi })|_{\varUpsilon _{\textnormal {msg}}}\). We have to show that h is delivered in transition i of \(\mathcal {S}\). Because h is delivered in transition j of \(\mathcal {R}\) (since V is satisfying for φ), h is a needed message for transition j; hence, h∈β _j and this set is delivered in transition i of \(\mathcal {S}\). □

Claim C.2

Let I be an input for \(\boldsymbol {\mathcal {N}}\) . Let \(\mathcal {R}\) be a run of \(\boldsymbol {\mathcal {N}}\) on I. Let \(\mathcal {R}^{\prime }\) be \(\mathcal {R}\) extended by doing p +1 additional transitions in each of which we deliver the entire message buffer. Let g be a message that is sent in some run \(\mathcal {S}\) of \(\boldsymbol {\mathcal {N}}\) on I. Message g is delivered in the last transition of \(\mathcal {R}^{\prime }\).

Proof

Recall the definitions and notations regarding derivation trees from Section 2.6. Let \(\mathcal {T}\) be a derivation tree for g extracted from \(\mathcal {S}\). Let \(\kappa ^{\mathcal {T}}\) be the canonical scheduling of \(\mathcal {T}\). Let n denote the height of \(\mathcal {T}\), measured as the number of edges on the longest path from the root to a leaf. For i∈{1,…,n}, define the following message set M _i :

$$M_{i}=\bigcup_{\begin{array}{l} x\in int^{\mathcal{T}},\\ \kappa^{\mathcal{T}}(x)=i \end{array}} body^{\mathcal{T}}(x)|_{\varUpsilon_{\textnormal{msg}}}. $$

Because the rules of π are message-positive, \(body^{\mathcal {T}}(x)|_{\varUpsilon _{\textnormal {msg}}}\) contains only facts. Intuitively, M _i is the union of all message facts needed by rules scheduled at transition i by \(\kappa ^{\mathcal {T}}\). Since n≤p, we can consider the transition index j of \(\mathcal {R}^{\prime }\) such that j+1, …, j+n, j+n+1 are the last n+1 transitions of \(\mathcal {R}^{\prime }\). If we can show that g is sent in transition j+n, then g is delivered in the last transition j+n+1 (because the entire buffer is delivered), as desired.

Because sending rules are static and message-positive, and \(\mathcal {R}^{\prime }\) and \(\mathcal {S}\) have the same input I, it is sufficient to show that M _n is delivered in transition j+n, so that the root rule and valuation of \(\mathcal {T}\) derive g. Specifically, we show by induction on i∈{1,…,n} that M _i is delivered in transition j+i of \(\mathcal {R}^{\prime }\). The property holds for the base case because M ₁=∅.¹⁵ For the induction hypothesis, we assume that M _i can be delivered in transition j+i of \(\mathcal {R}^{\prime }\). We now show that M _i+1 can be delivered in transition j+i+1 of \(\mathcal {R}^{\prime }\). Let h∈M _i+1. By definition of M _i+1, there is an internal node x of \(\mathcal {T}\) with \(\kappa ^{\mathcal {T}}(x)=i+1\) and \(\boldsymbol {h}\in body^{\mathcal {T}}(x)|_{\varUpsilon _{\textnormal {msg}}}\). We show that h is sent in transition j+i of \(\mathcal {R}^{\prime }\), so that h is delivered in transition j+i+1. By message-positivity of \(rule^{\mathcal {T}}(x)\), there is a child node \(y\in int^{\mathcal {T}}\) of x such that \(fact^{\mathcal {T}} (y)=\boldsymbol {h}\). By definition of \(\kappa ^{\mathcal {T}}\), we have \(\kappa ^{\mathcal {T}}(y)=i\). We show that \(val^{\mathcal {T}}(y)\) is satisfying for \(rule^{\mathcal {T}}(y)\) during transition j+i of \(\mathcal {R}^{\prime }\). Like above, because sending rules are static and message-positive, and \(\mathcal {R}^{\prime }\) and \(\mathcal {S}\) have the same input I, it is sufficient to show that M _i is delivered in transition j+i, which holds by the induction hypothesis. □

1.2 C.2 Complexity Lower Bound

Here we complete the specification of transducer π over schema Υ from Section 6.2. We assume that Υ _in contains the additional relations of Table 2. All rules we specify below are sending rules.

Table 2 Input relations for M

Let w denote the input word for M under consideration, and let n=|w|. We can select a constant \(k\in \mathbb {N}\) such that if M accepts w then M has an accepting computation trace on w with at most \(2^{n^{k}}\) transitions.

1.2.1 C.2.1 Binary Addresses

Abbreviate z=n ^k. Note that z is polynomial in n. Because we are only concerned with accepting computation traces of length at most \(2^{n^{k}}\), the address of a reachable tape cell can be represented as a binary number with z bits. We denote such a number as (a ₁…a _z ) where each a _i is 0 or 1 and a _z is the least significant bit. Note that z bits actually allow us to represent addresses larger than \(2^{n^{k}}\), but the accepting computation trace will never reach these tape cells, hence, we will ignore those addresses in the following.

We will use messages of the form (a ₁,…,a _z ; b ₁,…,b _z ) to say that address (b ₁…b _z ) is the successor of address (a ₁…a _z ), i.e., (b ₁…b _z ) is obtained from (a ₁…a _z ) by adding 1.¹⁶ Similarly, we use messages of the form (a ₁,…,a _z ;b ₁,…,b _z ) and (a ₁,…,a _z ;b ₁,…,b _z ) to say respectively that (a ₁…a _z ) is smaller than (b ₁…b _z ) and that (a ₁…a _z ) and (b ₁…b _z ) are different. To specify these messages, we add the following rules for each p=1,…,z:

$$\begin{array}{@{}rcl@{}} \mathtt{succ}(\mathtt{a_{1}},&&\ldots,\mathtt{a_{p-1}},\mathtt{a_{p}},\ldots,\mathtt{a_{z}};\,\mathtt{a_{1}},\ldots,\mathtt{a_{p-1}}, \mathtt{b_{p}},\ldots, \mathtt{b_{z}})\leftarrow\\ && 01(\mathtt{a_{1}}),\,\ldots,\,01(\mathtt{a_{p-1}}),\,0(\mathtt{a_{p}}),\,1(\mathtt{b_{p}}),\\ && 1(\mathtt{a_{p+1}}),\,\ldots,\,1(\mathtt{a_{z}}),\,0(\mathtt{b_{p+1}}),\,\ldots,\,0(\mathtt{b_{z}}).\\ \mathtt{less}(\mathtt{a_{1}},&&\ldots,\mathtt{a_{p-1}}, \mathtt{a_{p}},\ldots, \mathtt{a_{z}};\,\mathtt{a_{1}},\ldots, \mathtt{a_{p-1}}, \mathtt{b_{p}},\ldots,\mathtt{b_{z}})\leftarrow\\ && 01(\mathtt{a_{1}}),\,\ldots,\,01(\mathtt{a_{p-1}}),\,0(\mathtt{a_{p}}),\,1(\mathtt{b_{p}}),\\ && 01(\mathtt{a_{p+1}}),\,\ldots,\,01(\mathtt{a_{z}}),\,01(\mathtt{b_{p+1}}),\,\ldots,\,01(\mathtt{b_{z}}).\\ \mathtt{diff}(\mathtt{a_{1}},&&\ldots, \mathtt{a_{p-1}}, \mathtt{a_{p}},\ldots,\mathtt{a_{z}};\,\mathtt{b_{1}},\ldots,\mathtt{b_{p-1}}, \mathtt{b_{p}},\ldots,\mathtt{b_{z}})\leftarrow\\ &&01(\mathtt{a_{1}}),\,\ldots,\,01(\mathtt{a_{z}}),\,01(\mathtt{b_{1}}),\,\ldots,\,01(\mathtt{b_{z}}),\,\mathtt{a_{p}}\neq\mathtt{b_{p}}. \end{array} $$

Here, if p=1 then the variables ₁ to a _p−1 are nonexistent, and if p=z then the variables a _p+1 to a _z and b _p+1 to b _z are nonexistent. Note that the number and size of these above rules is polynomial in n, and they have no cyclic dependencies (leads to recursion-freeness).

1.2.2 C.2.2 Sending error

The message error is sent when some crucial properties of the input relations are violated.

First, we demand that for each configuration at most one state and head position is specified, and also that each tape cell has at most one symbol:

$$\begin{array}{@{}rcl@{}} \mathtt{error}() & \leftarrow & \mathtt{state}(\mathtt{i, q_{1}}),\,\mathtt{state}(\mathtt{i, q_{2}}),\,\mathtt{q_{1}}\neq\mathtt{q_{2}}.\\ & \leftarrow & \mathtt{head}(\mathtt{i, h_{1}},\ldots,\mathtt{h_{z}}),\,\mathtt{head}(\mathtt{i, k_{1}},\ldots,\mathtt{k_{z}}),\\ & & \mathtt{diff}(\mathtt{h_{1}},\ldots,\mathtt{h_{z}};\,\mathtt{k_{1}},\ldots,\mathtt{k_{z}}).\\ & \leftarrow & \mathtt{tape}(\mathtt{i, a_{1}},\ldots,\mathtt{a_{z}}, \mathtt{s_{1}}),\,\mathtt{tape}(\mathtt{i, a_{1}},\ldots,\mathtt{a_{z}}, \mathtt{s_{2}}),\\ & & \mathtt{s_{1}}\neq\mathtt{s_{2}}. \end{array} $$

For the relations providing the binary numbers, we demand that relations 0 and 1 are disjoint, contain at most one value, and that relation 01 is the union of 0 and 1:

$$\begin{array}{@{}rcl@{}} \mathtt{error}() & \leftarrow & 0(\mathtt{v}),\,1(\mathtt{v}).\\ & \leftarrow & 0(\mathtt{v}),\,0(\mathtt{w}),\,\mathtt{v}\neq\mathtt{w}.\\ & \leftarrow & 1(\mathtt{v}),\,1(\mathtt{w}),\,\mathtt{v}\neq\mathtt{w}.\\ & \leftarrow & 0(\mathtt{v}),\,\neg01(\mathtt{v}).\\ & \leftarrow & 1(\mathtt{v}),\,\neg01(\mathtt{v}).\\ & \leftarrow & 01(\mathtt{v}),\,\neg0(\mathtt{v}),\,\neg1(\mathtt{v}). \end{array} $$

For the relations providing symbols of Γ, we demand that they are pairwise disjoint and that each contains at most one symbol. We demand the same properties of the relations providing symbols of Q. Formally, for each \((s_{1},s_{2})\in (\varGamma \times \varGamma )\cup (Q\times Q)\) with s ₁≠s ₂, we add the rule

$$\mathtt{error}()\leftarrow s_{1}(\mathtt{v}),\, s_{2}(\mathtt{v}). $$

And for each \(s\in \varGamma \cup Q\), we add the rule

$$\mathtt{error}()\leftarrow s(\mathtt{v}),\, s(\mathtt{w}),\,\mathtt{v}\neq\mathtt{w}. $$

1.2.3 C.2.3 Sending accept

We give the rules to send messages of the form ₀(i,j) and (i), where ₀(i,j) indicates that configuration j can be reached by a valid Turing machine transition from configuration i, and where (i) indicates that configuration i has the properties of the start configuration.

We will send messages of the form (i,j,a ₁,…,a _z ) to say that in configuration j, the tape cell at address (a ₁…a _z ) can be explained by a Turing machine transition applied to configuration i.¹⁷ To send ₀(i,j), we have to check that such messages can be sent for all tape cells. We will simultaneously enforce that the state and head position of j can follow from the state and head position of i.

To send (i,j,a ₁,…,a _z ), we consider three cases, where (h ₁…h _z ) denotes the head position of configuration i:

• (a ₁…a _z )<(h ₁…h _z ), in which case the cell contents at (a ₁…a _z ) should be unaltered in j with respect to i;

• the symmetric case (h ₁…h _z )<(a ₁…a _z ), with the same constraint;

• (a ₁…a _z )=(h ₁…h _z ), in which case a transition of Turing machine M has to explain the symbol at cell (a ₁…a _z ) in j.

The first case is implemented by the following rule:

$$\begin{array}{ll} \mathtt{tapeCOK}(\mathtt{i, j, a_{1}},\ldots,\mathtt{a_{z}})\leftarrow\, & \mathtt{head}(\mathtt{i, h_{1}},\ldots,\mathtt{h_{z}}),\,\mathtt{less}(\mathtt{a_{1}},\ldots,\mathtt{a_{z}};\,\mathtt{h_{1}},\ldots,\mathtt{h_{z}}),\\ & \mathtt{tape}(\mathtt{i, a_{1}},\ldots,\mathtt{a_{z}}, \mathtt{s}),\,\mathtt{tape}(\mathtt{j, a_{1}},\ldots,\mathtt{a_{z}}, \mathtt{s}). \end{array} $$

The second case is done with a similar rule, except that (a ₁ ,…,a _z ; h ₁ ,…,h _z ) is replaced by (h ₁ ,…,h _z ; a ₁ ,…,a _z ).

The third case is split further depending on whether the head moves left or right. Let δ denote the transition function of Turing machine M. For each mapping (q ₁,s ₁↦q ₂,s ₂,L)∈δ, add the rule:

$$\begin{array}{ll}\mathtt{tapeCOK}(\mathtt{i, j, h_{1}},\ldots,\mathtt{h_{z}})\leftarrow\, & \mathtt{head}(\mathtt{i, h_{1}},\ldots,\mathtt{h_{z}}),\,\mathtt{head}(\mathtt{j, k_{1}},\ldots,\mathtt{k_{z}}),\\ & \mathtt{succ}(\mathtt{k_{1}},\ldots,\mathtt{k_{z}};\,\mathtt{h_{1}},\ldots,\mathtt{h_{z}}),\\ & \mathtt{state}(\mathtt{i, q_{1}}),\,\mathtt{tape}(\mathtt{i, h_{1}},\ldots,\mathtt{h_{z}},\mathtt{s_{1}}),\\ & \mathtt{state}(\mathtt{j, q_{2}}),\,\mathtt{tape}(\mathtt{j, h_{1}},\ldots,\mathtt{h_{z}},\mathtt{s_{2}}),\\ & q_{1}(\mathtt{q_{1}}),\, s_{1}(\mathtt{s_{1}}),\, q_{2}(\mathtt{q_{2}}),\, s_{2}(\mathtt{s}_{2}). \end{array} $$

Regarding relations q ₁,s ₁,q ₂ and s ₂, it does not matter what precise values they contain by genericity of the rules (as long as the conditions enforced in Section A3 hold). A similar rule is added for each mapping (q ₁,s ₁↦q ₂,s ₂,R)∈δ, except that (k ₁ ,…,k _z ; h ₁ ,…,h _z ) is replaced by (h ₁ ,…,h _z ; k ₁ ,…,k _z ). Note that the nondeterminism of Turing machine M is implemented by having multiple rules in π of these last two forms. Also, the number of rules for relation tapeCOK is constant because M is fixed, but their size is polynomial in n.

Next, we send messages of the form _m (i,j,a ₁,…,a _z ; b ₁,…,b _z ), with m=0,…,z and (a ₁…a _z )≤(b ₁…b _z ), to say that interval [(a ₁…a _z ),(b ₁…b _z )] contains 2^m tape cells and that the message (i,j,c ₁,…,c _z ) can be sent for all addresses (c ₁…c _z ) in this interval. The goal is to eventually send a message _z (i,j,a ₁,…,a _z ; b ₁,…,b _z ) where (a ₁…a _z ) is the first tape cell. To start, we generate ₀-messages:

$$\mathtt{tapeOK}_{0}(\mathtt{i, j, a_{1}},\ldots,\mathtt{a_{z}};\,\mathtt{a_{1}},\ldots,\mathtt{a_{z}})\leftarrow\mathtt{tapeCOK}(\mathtt{i, j, a_{1}},\ldots,\mathtt{a_{z}}). $$

And we add the following rule for each m=1,…,z:

$$\begin{array}{@{}rcl@{}} \mathtt{tapeOK}_{m}&&(\mathtt{i, j, a_{1}},\ldots,\mathtt{a_{z}};\,\mathtt{b_{1}},\ldots,\mathtt{b_{z}})\leftarrow\\ &&\mathtt{tapeOK}_{m-1}(\mathtt{i, j, a_{1}},\ldots,\mathtt{a_{z}};\,\mathtt{c_{1}},\ldots,\mathtt{c_{z}}),\\ &&\mathtt{tapeOK}_{m-1}(\mathtt{i, j, d_{1}},\ldots,\mathtt{d_{z}};\,\mathtt{b_{1}},\ldots,\mathtt{b_{z}}),\\ &&\mathtt{succ}(\mathtt{c_{1}},\ldots,\mathtt{c_{z}};\,\mathtt{d_{1}},\ldots,\mathtt{d_{z}}). \end{array} $$

Note that the number and size of such rules is polynomial in n.

Finally, the ₀-messages are sent with the following rule:

$$\begin{array}{ll} \mathtt{reach}_{0}(\mathtt{i, j})\leftarrow\, & \mathtt{tapeOK}_{z}(\mathtt{i, j, a_{1}},\ldots,\mathtt{a_{z}};\,\mathtt{b_{1}},\ldots,\mathtt{b_{z}}),\\ & 0(\mathtt{a_{1}}),\,\ldots,\,0(\mathtt{a_{z}}). \end{array} $$

Note that we constrain attention to the range [0,2^z].

To send a message (i), we have to check that configuration i has the properties of the start configuration: (i) the tape contains the input word w starting at the first tape cell, with the other tape cells blank; (i i) the state is q ₀; and, (i i i) the head is at tape cell 0. The last two properties are easily checked.

To check property (i), we send messages of the form (i,a ₁,…,a _z ) to indicate that the contents of tape cell (a ₁…a _z ) in configuration i is as required by the start configuration. We add the following rule for all addresses a∈[0,n−1], where (a ₁…a _z ) is the binary representation of a and w _a is the symbol of word w at (zero-based) index a:

$$\begin{array}{@{}rcl@{}} &&\mathtt{startTapeCOK}(\mathtt{i, a_{1}},\ldots,\mathtt{a_{z}})\leftarrow\\ &&\qquad\qquad a_{1}(\mathtt{a_{1}}),\,\ldots,\, a_{z}(\mathtt{a_{z}}),\,\mathtt{tape}(\mathtt{i, a_{1}},\ldots,\mathtt{a_{z}},\mathtt{s}),\, w_{a}(\mathtt{s}). \end{array} $$

We also add one rule to demand that the other tape cells contain blanks, where ⊔∈Γ denotes the blank symbol and (b ₁…b _z ) is the binary representation of n−1:

$$\begin{array}{@{}rcl@{}} &&\mathtt{startTapeCOK}(\mathtt{i, a_{1}},\ldots,\mathtt{a_{z}})\leftarrow\\ &&\qquad\qquad b_{1}(\mathtt{b_{1}}),\,\ldots,\, b_{z}(\mathtt{b_{z}}),\,\mathtt{less}(\mathtt{b_{1}},\ldots,\mathtt{b_{z}};\,\mathtt{a_{1}},\ldots,\mathtt{a_{z}}),\\ &&\qquad\qquad\mathtt{tape}(\mathtt{i, a_{1}},\ldots,\mathtt{a_{z}}, \mathtt{s}),\,\sqcup(\mathtt{s}). \end{array} $$

Note that the number and size of rules for relation startTapeCOK is polynomial in n.

Next, similarly to the relations _m above, we send messages of the form _m (i,a ₁,…,a _z ; b ₁,…,b _z ), with m=0,…,z and (a ₁…a _z )≤(b ₁…b _z ), to say that the interval [(a ₁…a _z ),(b ₁…b _z )] contains 2^m tape cells and that message (i,c ₁,…,c _z ) can be sent for all addresses \((c_{1}{\dots } c_{z})\) in this interval. We do not explicitly give the rules, because they are very similar to the rules of the relations _m . The number and size of the added rules is also polynomial in n.

Finally, we can send the -messages:

$$\begin{array}{ll}\mathtt{start}(\mathtt{i})\leftarrow\, & \mathtt{startTapeOK}_{z}(\mathtt{i, a_{1}},\ldots,\mathtt{a_{z}};\,\mathtt{b_{1}},\ldots,\mathtt{b_{z}}),\\ & 0(\mathtt{a_{1}}),\,\ldots,\,0(\mathtt{a_{z}}),\,\mathtt{head}(\mathtt{i},\,\mathtt{a_{1}},\ldots,\mathtt{a_{z}}),\\ & \mathtt{state}(\mathtt{i, q}),\,q_{0}(\mathtt{q}). \end{array} $$

1.2.4 C.2.4 Correctness

Here we argue the correctness of the reduction.

Suppose that M has an accepting computation trace on input word w. We have to show that the transducer network \(\boldsymbol {\mathcal {N}}\) for w is diffluent.

The accepting computation trace of M is a sequence of configurations, and we identify each configuration by their (one-based) ordinal. We always have i≤2^z. Let I be the input instance for \(\boldsymbol {\mathcal {N}}\) consisting of the following facts:

• facts (i,q _i ) and (i,h ₁,…,h _z ) for each configuration i, where q _i and (h ₁…h _z ) are respectively the state and head position of i;

• fact (i,a ₁,…,a _z ,s) for each configuration i and each address (a ₁…a _z )∈[0,2^z], where s∈Γ is the contents of cell (a ₁…a _z ) in configuration i;

• fact s(s) for each s∈Γ; fact q(q) for each q∈Q; facts 0(0),1(1),01(0), and 01(1); and, fact A(a).

Note that no error-message can be sent on this instance (cf. Section A3). Hence, it is sufficient to show that accept() can be sent, so that input fact A(a) gives rise to the messages A _msg(a) and B _msg(a). Then there exist two runs \(\mathcal {R}_{1}\) and \(\mathcal {R}_{2}\) so that T(a) is created in \(\mathcal {R}_{1}\) and not in \(\mathcal {R}_{2}\) or any extension thereof.

Let e denote the last configuration of the computation trace. The state of e is q _accept. Looking at the rules for sending accept-messages (Section 6.2), since I contains (e,q _accept) and q _accept(q _accept), we are left to show that the following messages can be sent: (1) and _m (1,e) for some m∈[0,z]. Because configuration 1 is the start configuration of the computation trace, and because we have accurately described this configuration in the input relations, we can see that (1) can be sent. Similarly, we can see that for each pair (i,j) of subsequent configurations in the trace, the message ₀(i,j) can be sent. And because the _m -rules with m∈[0,z] allow us to connect configurations over arbitrary distances within [1,2^z], we can also send _m (1,e) for some m∈[0,z].

Suppose that the transducer network \(\boldsymbol {\mathcal {N}}\) for w is diffluent. We have to show that M has an accepting computation trace on w.

First, because \(\boldsymbol {\mathcal {N}}\) is diffluent, there exists an input instance I for \(\boldsymbol {\mathcal {N}}\), and two runs \(\mathcal {R}_{1}\) and \(\mathcal {R}_{2}\) of \(\boldsymbol {\mathcal {N}}\) on I, such that \(last(\mathcal {R}_{1})\) contains an output fact T(a) that is not in \(last(\mathcal {R}_{2})\), and T(a) can not be created in any extension of \(\mathcal {R}_{2}\).

We first show that accept() can be sent on input I and that error() can not. The presence of T(a) in \(last(\mathcal {R}_{1})\) implies that the message A _msg(a) can be sent. This in turn implies that accept() can be sent. Now, since by static send rules the message A _msg(a) can also be sent in an extension of \(\mathcal {R}_{2}\), the reason why T(a) can not be created in that extension is that the memory fact B(a) is present and that the message error() can never be delivered, and hence can never be sent.

Looking at the sending rules for relation accept, the sending of accept() in \(\mathcal {R}_{1}\) must have been caused by the joint occurrence of the following four facts during some transition of \(\boldsymbol {\mathcal {N}}\): the message facts (x) and _m (x,y) for some x,y∈a d o m(I) and m∈[0,z], and the input facts (y,q) and q _accept(q). The input facts together already imply that y could describe an accepting configuration. Now we have to look at the derivation histories of the two messages to construct a full accepting computation trace.

As a general remark, because error() can never be sent, the input satisfies the restrictions enforced in Section A3. In particular, each configuration has at most one state and at most one head position in relations state and head respectively, and each configuration has at most one symbol for each tape cell in relation tape. So, the presence of the message (x) implies that x not only has precisely one state, one head position and one symbol in each tape cell, but also that x satisfies the additional properties of a valid start configuration. Hence, x is a fully specified start configuration.

The presence of the message _m (x,y) implies there is a sequence of configurations c ₁,…,c _e in the input with c ₁=x and c _e =y and such that the message ₀(i,j) can be sent for each pair (i,j) of subsequent configurations. Again using the absence of (), the presence of the message ₀(i,j) implies that configurations i and j each have precisely one state, one head position, and one symbol in each tape cell, and that there exists a valid transition rule of Turing machine M to explain how configuration j follows from configuration i. Finally, using that y is accepting (see above), we have found an accepting computation trace of M on w.

Appendix D: Expressivity Upper Bound

1.1 D.1 Correctness Part 1

Let Φ be as constructed in Section 7.2.3. Let H be an arbitrary distributed database instance over \(in^{\boldsymbol {\mathcal {N}}}\). Abbreviate \(I=\langle H\rangle ^{\boldsymbol {\mathcal {N}}}\). Let f∈Φ(I). We have to show that f is output at node x when \(\boldsymbol {\mathcal {N}}\) is run on H. It is sufficient to show that f is output by \(\boldsymbol {\mathcal {M}}\) on input I.

We remind that Section 7.2.2 contains common concepts and notations. Helper claims can be found in Section A410.

1.1.1 D.1.1 Satisfying Valuation

Since f∈Φ(I), program Φ contains a UCQ ^¬-program \(derive_{G, {\mathcal {T}_{0}}}\) such that \(\boldsymbol {f}\in derive_{G, \mathcal {T}_{0}}(I)\). Hence, there exists a subset \(G_{0}\subseteq forest_{\mathcal {R}}\) and an equivalence relation E on a d o m(G ₀) such that G=E(G ₀) and \(\mathcal {T}_{0}\in G\).

Like before, we regard \(derive_{G, \mathcal {T}}\) as an ∃FO-formula, where \(\mathcal {T}\) is the truncated version of \(\mathcal {T}_{0}\) and κ is the canonical scheduling of \(\mathcal {T}_{0}\):

$$derive_{G, \mathcal{T}_{0}}:=\exists\bar{z}\left(diffVal_{G}\wedge sndMsg_{G}\wedge succeed_{G, \mathcal{T}, \kappa}\right). $$

Here, free variables are constituted by the tuple \(\bar {x}\) of values occurring in the root fact of \(\mathcal {T}_{0}\), and \(\bar {z}\) are the values in a d o m(G) that are not in \(\bar {x}\). Since \(\boldsymbol {f}\in derive_{G, \mathcal {T}_{0}}(I)\), there exists a valuation \(Val: adom(G)\rightarrow adom(I)\) that makes the following quantifier-free formula true:

$$diffVal_{G}\wedge sndMsg_{G}\wedge succeed_{G, \mathcal{T}, \kappa}. $$

The part d i f f V a l _G makes V a l injective.

1.1.2 D.1.2 Concrete Run

For each tree \(\mathcal {T}^{\prime }\in G\), for each internal node x of \(\mathcal {T}^{\prime }\), we can apply the function V a l after valuation \(val^{\mathcal {T}}(x)\). The resulting valuations still satisfy the nonequalities of the rules, because these nonequalities are satisfied under \(val^{\mathcal {T}}(x)\) and V a l is injective. Let F denote the forest of (structurally equivalent) derivation trees obtained from G in this way. Following the principle of canonical runs of Section 7.2.3, we will concurrently execute all trees in F by their canonical scheduling. This results in a run \(\mathcal {R}\), whose length is the largest height of any tree in F. We now show that f is derived in \(\mathcal {R}\).

Let \(\mathcal {T}_{0}\) be as above. Let \(\mathcal {S}_{0}\in F\) be the structurally equivalent tree. We first show that \(fact^{\mathcal {S}_{0}}(root^{\mathcal {S}_{0}})=\boldsymbol {f}\). The tuple of values in \(fact^{\mathcal {T}_{0}}(root^{\mathcal {T}_{0}})\) are the free variables of \(derive_{G, \mathcal {T}_{0}}\). Thus \(Val(fact^{\mathcal {T}_{0}}(root^{\mathcal {T}_{0}}))=\boldsymbol {f}\). And by construction of F, we have \(fact^{\mathcal {S}_{0}}(root^{\mathcal {S}_{0}})=Val(fact^{\mathcal {T}_{0}}(root^{\mathcal {T}_{0}})\).

Henceforth, we will focus on the truncated trees \(\mathcal {T}\) and \(\mathcal {S}\) of \(\mathcal {T}_{0}\) and \(\mathcal {S}_{0}\) respectively. The canonical scheduling κ of \(\mathcal {T}_{0}\) is also defined on \(\mathcal {S}\). Now, using the order implied by κ, we show by induction on \(x\in a^{\mathcal {S}}\) that \(fact^{\mathcal {S}}(x)\) is derived in transition κ(x) of \(\mathcal {R}\). So, let \(x\in a^{\mathcal {S}}\) be a node such that for all alpha child nodes y of x, the fact \(fact^{\mathcal {S}}(y)\) is derived in transition κ(y) of \(\mathcal {R}\).¹⁸ We show that \(val^{\mathcal {S}}(x)\) is satisfying for \(rule^{\mathcal {S}}(x)\) in transition κ(x). The nonequalities of \(rule^{\mathcal {S}}(x)\) are satisfied because they are satisfied under \(val^{\mathcal {T}}(x)\) and because V a l is injective. Next, we differentiate between the different kinds of atoms in the body of \(rule^{\mathcal {S}}(x)\).

Let \(\boldsymbol {l}\in body^{\mathcal {S}}(x)|_{\varUpsilon _{\textnormal {in}}}\). We have to show I⊧l. Let \(\boldsymbol {l}^{\prime }\in body^{\mathcal {T}}(x)|_{\varUpsilon _{\textnormal {in}}}\) be such that \(\boldsymbol {l}=Val(\boldsymbol {l}^{\prime })\). By construction, \(\boldsymbol {l}^{\prime }\) occurs in the conjunction \(succeed_{G, \mathcal {T}, \kappa }^{\textnormal {in}}\), and since this formula is true under V a l with respect to I, we have \(I\models Val(\boldsymbol {l}^{\prime })\) or equivalently I⊧l, as desired.

Let \(\boldsymbol {l}\in body^{\mathcal {S}}(x)|_{\varUpsilon _{\textnormal {msg}}}\). Abbreviate i=κ(x). We have to show that l is delivered in transition i of \(\mathcal {R}\). Because \(rule^{\mathcal {S}}(x)\) is message-positive, l is a fact. Let \(\boldsymbol {g}\in body^{\mathcal {T}}(x)|_{\varUpsilon _{\textnormal {msg}}}\) be such that l=V a l(g). Because κ is an alignment for \(\mathcal {T}\) with respect to the abstract canonical run \(\mathcal {R}^{G}\), we have \(\boldsymbol {g}\in M_{i}^{G}\). By Claim D.1, the fact l=V a l(g) is delivered during transition i of \(\mathcal {R}\), as desired.

Let \(\boldsymbol {l}\in body^{\mathcal {S}}(x)|_{\varUpsilon _{\textnormal {out}}\cup \varUpsilon _{\textnormal {mem}}}\) be such that l is positive. There is an alpha child y of x such that \(fact^{\mathcal {S}}(y)=\boldsymbol {l}\). By assumption on x, \(fact^{\mathcal {S}}(y)\) is derived during transition κ(y) of \(\mathcal {R}\), and thus l is available during transition κ(x), as desired.

Let \(\boldsymbol {l}\in body^{\mathcal {S}}(x)|_{\varUpsilon _{\textnormal {out}}\cup \varUpsilon _{\textnormal {mem}}}\) be such that l is negative. Denote l=¬g. We show that g is not derived before transition κ(x) of \(\mathcal {R}\). To relate back to \(\mathcal {T}\), there is also a fact h such that g=V a l(h) and ¬h∈\( body^{\mathcal {T}}(x)\).

Towards a proof by contradiction, suppose that g is derived in some transition j<κ(x) of \(\mathcal {R}\). Then it is possible to extract a truncated derivation tree \(\mathcal {S}^{\prime }\) from \(\mathcal {R}\) with \(fact^{\mathcal {S}^{\prime }}(root^{\mathcal {S}^{\prime }})=\boldsymbol {g}\), together with an alignment \(\kappa ^{\prime }\) of \(\mathcal {S}^{\prime }\) such that for all alpha nodes z of \(\mathcal {S}^{\prime }\), the fact \(fact^{\mathcal {S}^{\prime }}(z)\) is derived during transition \(\kappa ^{\prime }(z)\) of \(\mathcal {R}\) because \(val^{\mathcal {S}^{\prime }}(z)\) is satisfying for \(rule^{\mathcal {S}^{\prime }}(z)\). Note that v a l ⁻¹ is defined because V a l is injective. Let \(\mathcal {T}^{\prime }\) be the truncated derivation tree obtained from \(\mathcal {S}^{\prime }\) by applying for each alpha node z, the function V a l ⁻¹ after the valuation \(val^{\mathcal {S}^{\prime }}(z)\). The tree \(\mathcal {T}^{\prime }\) has root fact v a l ⁻¹(g)=h.

There exists \(y\in \beta ^{\mathcal {T}}(x)\) with \(fact^{\mathcal {T}}(y)=\boldsymbol {h}\). Suppose we would also know that \((\mathcal {T}^{\prime },\kappa ^{\prime })\in align^{G}(\boldsymbol {h})\) (shown below). Then the subformula \(succeed_{G, \mathcal {T}, \kappa }^{\text {deny}}\) contains the subformula \(\neg succeed_{G, \mathcal {T}^{\prime }, \kappa ^{\prime }}\), which is true under V a l. Equivalently, \(succeed_{G, \mathcal {T}^{\prime }\kappa ^{\prime }}\) is false under V a l. We will use this information to show that at least one alpha node z of \(\mathcal {T}^{\prime }\) exists for which valuation \(Val\circ val^{\mathcal {T}^{\prime }}(z)\) is not satisfying for \(rule^{\mathcal {T}^{\prime }}(z)\) during transition \(\kappa ^{\prime }(z)\) of \(\mathcal {R}\), or equivalently, valuation \(Val\circ Val^{-1}\circ val^{\mathcal {S}^{\prime }}(z)=val^{\mathcal {S}^{\prime }}(z)\) is not satisfying for \(rule^{\mathcal {S}^{\prime }}(z)\) during transition \(\kappa ^{\prime }(z)\). This gives the desired contradiction.

Since \(succeed_{G, \mathcal {T}^{\prime }, \kappa ^{\prime }}\) is false under V a l, it must be that either \(succeed_{G, \mathcal {T}^{\prime }, \kappa ^{\prime }}^{\textnormal {in}}\) is false or \(succeed_{G, \mathcal {T}^{\prime }, \kappa ^{\prime }}^{\textnormal {deny}}\) is false. In the first case, there is an alpha node z of \(\mathcal {T}^{\prime }\) and a literal \(\boldsymbol {l}\in body^{\mathcal {T}^{\prime }}(z)|_{\varUpsilon _{\textnormal {in}}}\) such that \(I\nvDash Val(\boldsymbol {l})\). This immediately gives that \(Val\circ val^{\mathcal {T}^{\prime }}(z)\) is not satisfying for \(rule^{\mathcal {T}^{\prime }}(z)\) during any transition of \(\mathcal {R}\), hence, not in transition \(\kappa ^{\prime }(z)\), as desired.

Now suppose that \(succeed_{G, \mathcal {T}^{\prime }, \kappa ^{\prime }}^{\text {deny}}\) is false under V a l. Thus, \(succeed_{G, \mathcal {T}^{\prime }, \kappa ^{\prime }}^{\text {deny}}\) contains a subformula \(\neg succeed_{G, \mathcal {T}^{\prime \prime }, \kappa ^{\prime \prime }}\) where \(succeed_{G, \mathcal {T}^{\prime \prime }, \kappa ^{\prime \prime }}\) is true under V a l. Hence, there is an alpha node z of \(\mathcal {T}^{\prime }\), with a beta child u, letting \(\boldsymbol {i}=fact^{\mathcal {T}^{\prime }}(u)\), and there is a pair \((\mathcal {T}^{\prime \prime }, \kappa ^{\prime \prime })\in align^{G}(\boldsymbol {i})\) with \(\kappa ^{\prime \prime }(root^{\mathcal {T}^{\prime \prime }})<\kappa ^{\prime }(z)\). Let \(\mathcal {S}^{\prime \prime }\) be the (truncated) derivation tree obtained from \(\mathcal {T}^{\prime \prime }\) by applying V a l after all valuations. Now, using the natural recursion on \(succeed_{G, \mathcal {T}^{\prime \prime }, \kappa ^{\prime \prime }}\), it is possible to show that \((\mathcal {S}^{\prime \prime }, \kappa ^{\prime \prime })\) derives V a l(i) during earlier transition \(\kappa ^{\prime \prime }(root^{\mathcal {T}^{\prime \prime }})<\kappa ^{\prime }(z)\). This reasoning ends, because in each recursive step we come strictly closer to the beginning of \(\mathcal {R}\), and eventually we only use formulas of the form \(succeed_{G, {\_}, {\_}}^{\text {in}}\). Since valuation \(Val\circ val^{\mathcal {T}^{\prime }}(z)\) requires the absence of V a l(i) during \(\kappa ^{\prime }(z)\), and V a l(i) is present in \(\kappa ^{\prime }(z)\), this valuation is not satisfying during transition \(\kappa ^{\prime }(z)\) of \(\mathcal {R}\), as desired.

Let \(\mathcal {T}^{\prime }\) and \(\kappa ^{\prime }\) be as above. We are left to show that \((\mathcal {T}^{\prime }, \kappa ^{\prime })\in align^{G}(\boldsymbol {h})\). First, because \(\kappa ^{\prime }\) is an alignment for \(\mathcal {S}^{\prime }\), and because \(\mathcal {T}^{\prime }\) and \(\mathcal {S}^{\prime }\) are structurally equivalent, \(\kappa ^{\prime }\) is a scheduling for \(\mathcal {T}^{\prime }\). Next, let z be an internal (alpha) node of \(\mathcal {T}^{\prime }\). Let \(\boldsymbol {l}\in body^{\mathcal {T}^{\prime }}(z)|_{\varUpsilon _{\textnormal {msg}}}\), where l is a fact by message-positivity of \(rule^{\mathcal {T}^{\prime }}(z)\). We have to show that \(\boldsymbol {l}\in M_{j}^{G}\) where \(j=\kappa ^{\prime }(z)\). Since \(val^{\mathcal {T}^{\prime }}(z)=Val^{-1}\circ val^{\mathcal {S}^{\prime }}(z)\), we can consider the fact \(\boldsymbol {i}\in body^{\mathcal {S}^{\prime }}(z)|_{\varUpsilon _{\textnormal {msg}}}\) such that l=V a l ⁻¹(i). Now, since \(\kappa ^{\prime }\) is an alignment for \(\mathcal {S}^{\prime }\) with respect to \(\mathcal {R}\), we know that i is delivered in transition j of \(\mathcal {R}\). Then, by Claim D.1, there is a fact \(\boldsymbol {l}^{\prime }\in M_{j}^{G}\) such that \(Val(\boldsymbol {l}^{\prime })=\boldsymbol {i}\). But by injectivity of V a l, this means \(\boldsymbol {l}^{\prime }=Val^{-1}(\boldsymbol {i})=\boldsymbol {l}\), as desired.

1.2 D.2 Correctness Part 2

Let H be an arbitrary input over \(in^{\boldsymbol {\mathcal {N}}}\). Abbreviate \(I=\langle H \rangle ^{\boldsymbol {\mathcal {N}}}\). Let f be an R-fact output at node x when \(\boldsymbol {\mathcal {N}}\) is run on H. This implies that \(\boldsymbol {\mathcal {M}}\) outputs f on input I. We have to show that f∈Φ(I), with Φ as constructed in Section 7.2.3.

Let π denote the transducer of \(\boldsymbol {\mathcal {M}}\). We remind that Section 7.2.2 contains common concepts and notations. Additionally, for two structurally equivalent derivation trees \(\mathcal {T}\) and \(\mathcal {S}\), we write \(map_{\mathcal {T}, \mathcal {S}}\) to denote the structural bijection from nodes of \(\mathcal {T}\) to nodes of \(\mathcal {S}\). Lastly, helper claims can be found in Appendix D.3.

1.2.1 D.2.1 Collecting Trees

On input I, from each run of \(\boldsymbol {\mathcal {M}}\) in which f is output, we can extract a derivation tree for f. Now, let F be a maximal set of derivation trees for f extracted from all possible runs of \(\boldsymbol {\mathcal {M}}\) on I, such that no two trees are structurally equivalent. Set F is finite because π is recursion-free.

1.2.2 D.2.2 Canonical Run

Following the principle of canonical runs from Section 7.2.3, we can concurrently execute all trees of F. This results in a run \(\mathcal {R}\) whose length is the height of the largest tree in F.

We now show that f is derived in \(\mathcal {R}\). Because \(\boldsymbol {\mathcal {M}}\) outputs f on input I, confluence of \(\boldsymbol {\mathcal {M}}\) implies that \(\mathcal {R}\) can always be extended to a run \(\mathcal {R}^{\prime }\) in which f is output. From \(\mathcal {R}^{\prime }\), we can extract a pair \((\mathcal {T}, \kappa )\) of a concrete derivation tree for f and a scheduling for this tree, such that for each \(x\in int^{\mathcal {T}}\) the fact \(fact^{\mathcal {T}}(x)\) is derived during transition κ(x) of \(\mathcal {R}^{\prime }\) by applying \(val^{\mathcal {T}} (x)\) to \(rule^{\mathcal {T}}(x)\). There is some tree \(\mathcal {S}\in F\) structurally equivalent to \(\mathcal {T}\). Using the order implied by canonical scheduling \(\kappa ^{\mathcal {S}}\), we show by induction on the alpha nodes \(x\in a^{\mathcal {S}}\) that \(fact^{\mathcal {S}}(x)\) is derived during transition \(\kappa ^{\mathcal {S}}(x)\) by applying valuation \(val^{\mathcal {S}}(x)\) to \(rule^{\mathcal {S}}(x)\). Let \(x\in a^{\mathcal {S}}\), assuming for each descendant \(y\in a^{\mathcal {S}}\) of x that \(fact^{\mathcal {S}}(y)\) is derived during transition \(\kappa ^{\mathcal {S}}(y)\).

Since \(\mathcal {S}\in F\), the tree \(\mathcal {S}\) was extracted from a run, and hence, the input literals of \(rule^{\mathcal {S}}(x)\) must be satisfied under \(val^{\mathcal {S}}(x)\).

Moreover, because sending rules are message-positive and static, it can be shown that the messages needed by \(rule^{\mathcal {S}}(x)\) under \(val^{\mathcal {S}}(x)\) are delivered in \(\mathcal {R}\) during transition \(\kappa ^{\mathcal {S}}(x)\) (details omitted).

Using the assumption on descendant alpha nodes of x, the positive output and memory facts required by \(val^{\mathcal {S}}(x)\) are also satisfied.

As the last step, we show that the negative output and memory literals under \(val^{\mathcal {S}}(x)\) are absent during transition \(\kappa ^{\mathcal {S}}(x)\). Let us abbreviate \(n=map_{\mathcal {S}, \mathcal {T}}\) (defined in Section 7.2.2). Since \(\mathcal {S}\) and \(\mathcal {T}\) are structurally equivalent and both derive the root fact f, we can apply Claim D.2 to know that the valuations \(val^{\mathcal {S}}(x)\) and \(vaL^{\mathcal {T}}(n(x))\) assign the same values to the free variables of \(rule^{\mathcal {S}}(x)\). By selection of \((\mathcal {T}, \kappa )\), the output and memory facts that rule \(rule^{\mathcal {S}}(x)\) tests for absence under \(vaL^{\mathcal {T}}(n(x))\), are effectively absent during transition κ(n(x)) of \(\mathcal {R}^{\prime }\). Now, because π is inflationary, if we would know \(\kappa ^{\mathcal {S}}(x)\leq \kappa (n(x))\), then these same output and memory facts must also be absent during transition \(\kappa ^{\mathcal {S}}(x)\), as desired. We are left to show that \(\kappa ^{\mathcal {S}}(x)\leq \kappa (n(x))\). By definition of canonical scheduling \(\kappa ^{\mathcal {S}}\), transition \(\kappa ^{\mathcal {S}}(x)\) is the earliest transition of \(\mathcal {R}\) in which the rule \(rule^{\mathcal {S}}(x)\) can be executed if the derivation strategy represented by \(\mathcal {S}\) must be followed.¹⁹ Now, since the subtree under x in \(\mathcal {S}\) is structurally equivalent to the subtree under n(x) in \(\mathcal {T}\), we have \(\kappa ^{\mathcal {S}}(x)\leq \kappa (n(x))\).

1.2.3 D.2.3 Create Valuation

From Section 7.2.3, recall the set f o r e s t _R , in which no two trees are structurally equivalent. For each tree \(\mathcal {T}\in F\), there is a unique tree \(\mathcal {S}\in forest_{R}\) that is structurally equivalent to \(\mathcal {T}\). Let \(G_{0}\subseteq forest_{R}\) be all these trees. We define a function \(Val_{0}:adom(G_{0})\rightarrow adom(F)\), giving rise to an equivalence relation on a d o m(G ₀).

First, let \(\mathcal {S}\in G_{0}\). We can uniquely identify a component of a positive atom in \(\mathcal {S}\) by a triple (p,a,i), where p is a path followed from the root towards an internal node x of \(\mathcal {S}\); a is the head or a positive body atom of \(rule^{\mathcal {S}}(x)\); and, i is a component index in a. Here, p can be uniquely specified as the sequence of atoms \(lit^{\mathcal {S}}(x)\) labelling the encountered internal nodes x. Two components (p ₁,a ₁,i ₁) and (p ₂,a ₂,i ₂) belong to the same rule if p ₁=p ₂. Now, we define an equivalence relation over the components in a bottom-up way, as follows. Starting at an internal node x without other internal nodes as children, two components in \(rule^{\mathcal {S}}(x)\) are equivalent if they contain the same variable. Going to the parent y of x, two components c ₁ and c ₂ in \(rule^{\mathcal {S}}(y)\) are equivalent if (i) they contain the same variable; or (ii) they occur together in a positive body atom a of \(rule^{\mathcal {S}}(y)\), and for the child x of y with \(lit^{\mathcal {S}}(x)=\boldsymbol {a}\), the components in the head of \(rule^{\mathcal {S}}(x)\) corresponding to c ₁ and c ₂ are equivalent. The equivalence relation on the components of \(\mathcal {S}\) is unique, and its number of equivalence classes upper bounds the active domain size of \(\mathcal {S}\).

Now we define function \(Val_{0}: adom(G_{0})\rightarrow adom(F)\). Let \(\mathcal {S}\in G_{0}\) and let \(\mathcal {T}\in F\) denote the structurally equivalent tree. Because \(\mathcal {S}\) and \(\mathcal {T}\) are structurally equivalent, the equivalence classes on components of \(\mathcal {S}\) transfer naturally to equivalence classes on the components of \(\mathcal {T}\). Because \(\mathcal {S}\) is general, its valuations assign a different value to each equivalence class, so we can define a function \(V_{\mathcal {S}}: adom(\mathcal {S})\rightarrow adom(\mathcal {T})\) that contains for each equivalence class e of \(\mathcal {S}\) the mapping (a↦b), where a and b are the values assigned to e by \(\mathcal {S}\) and \(\mathcal {T}\) respectively. For the entire set G ₀, we take the union of all mappings \(V_{\mathcal {S}}\) with \(\mathcal {S}\in G_{0}\). The result is denoted V a l ₀, and this is a function because each tree in G ₀ has a disjoint active domain. We can now define an equivalence relation E on a d o m(G ₀): two values are equivalent if their image under V a l ₀ is the same. Assuming an order on dom (the same order as in Section 7.2.3), we can replace each value in a d o m(G ₀) by the smallest value in its equivalence relation. This results in a set G of derivation trees, in which still as many structurally different trees occur as in G ₀, and with \(adom(G)\subseteq adom(G_{0})\).²⁰

Let V a l denote the restriction of V a l ₀ to a d o m(G); this function is injective.

1.2.4 D.2.4 Satisfying Valuation

Let F, G, and V a l be as previously defined. For each tree \(\mathcal {S}\in G\), if we would apply V a l after each valuation in \(\mathcal {S}\), we obtain a tree in F. So, if we would consider \(adom({\mathcal {S}})\) to be variable symbols, then we can see V a l as an assignment to these variables. This will be used below to show that f∈Φ(I).

As shown above, there is a derivation tree \(\mathcal {T}\in F\) that derives f in \(\mathcal {R}\), when executed according to its canonical scheduling. Let \(\mathcal {S}_{0}\in G\) be the tree that is structurally equivalent to \(\mathcal {T}\). As remarked above, applying V a l to \(\mathcal {S}_{0}\) gives \(\mathcal {T}\). Let \(\mathcal {S}\) denote the truncated version of \(\mathcal {S}_{0}\), and let κ denote the restriction of the canonical scheduling of \(\mathcal {S}_{0}\) to the remaining nodes. Recalling the construction in Section 7.2.3, we have added to the UCQ ^¬-program Φ the UCQ ^¬-program \(derive_{G, \mathcal {S}}\), given by the following equivalent ∃FO-formula:

$$derive_{G, \mathcal{S}} :=\exists\bar{z}\left(diffVal_{G}\wedge sndMsg_{G}\wedge succeed_{G, \mathcal{S}, \kappa}\right), $$

where \(\bar {z}\) is an ordering of the values in a d o m(G) not occurring in the tuple \(\bar {x}\) in the root fact of \(\mathcal {S}\). So, \(\bar {x}\) are the free variables. Now, denoting \(\boldsymbol {f}=R(\bar {a})\), to show f∈Φ(I), it suffices to show that if \(\bar {x}\) is assigned \(\bar {a}\) then the resulting sentence is true with respect to I. This amounts to showing that the following quantifier-free formula is true under V a l with respect to I:

$$diffVal_{G}\wedge sndMsg_{G}\wedge succeed_{G, \mathcal{S}, \kappa}. $$

The subformula d i f f V a l _G is true because V a l is injective on a d o m(G). Next, the subformula s n d M s g _G is a large conjunction of input literals from the sending rules in G. Let l be such a literal. We have to show I⊧V a l(l). There exists a tree \(\mathcal {S}^{\prime }\in G\) and an internal node x of \(\mathcal {S}^{\prime }\) such that \(rule^{\mathcal {S}^{\prime }}(x)\) is a sending rule and \(\boldsymbol {l}\in body^{\mathcal {S}^{\prime }}(x)|_{\varUpsilon _{\textnormal {in}}}\). Let \(\mathcal {T}^{\prime }\in F\) be the tree structurally equivalent to \(\mathcal {S}^{\prime }\), and abbreviate \(n^{\prime }=map_{\mathcal {S}^{\prime }, \mathcal {T}^{\prime }}\). By construction of V a l, we have \(Val(\boldsymbol {l})\in body^{\mathcal {T}^{\prime }}(n^{\prime }(x))\). Since \(val^{\mathcal {T}^{\prime }}(n^{\prime }(x))\) was satisfied during some run, which follows from \(\mathcal {T}^{\prime }\in F\), and all runs have the same input facts, we obtain I⊧V a l(l).

Now consider the subformula \(succeed_{G, \mathcal {S}, \kappa }\). This formula is specified as

$$succeed_{G, \mathcal{S}, \kappa}:= succeed_{G, \mathcal{S}, \kappa}^{\textnormal{in}}\wedge succeed_{G, \mathcal{S}, \kappa}^{\textnormal{deny}}. $$

Let \(\mathcal {S}_{0}\) and \(\mathcal {T}\in F\) be as above: \(\mathcal {S}\) is the truncated version of \(\mathcal {S}_{0}\) and \(\mathcal {T}\) is structurally equivalent to \(\mathcal {S}_{0}\). Abbreviate \(n=map_{\mathcal {S}_{0}, \mathcal {T}}\).

Similarly to s n d M s g _G , the subformula \(succeed_{G, \mathcal {S}, \kappa }^{\text {in}}\) is a conjunction of input literals. Let l be such a literal. We have to show I⊧V a l(l). There exists a node \(x\in a^{\mathcal {S}}\) such that \(\boldsymbol {l}\in body^{\mathcal {S}}(x)|_{\varUpsilon _{\textnormal {in}}}\). By construction of V a l, we have \(Val(\boldsymbol {l})\in body^{\mathcal {T}}(n(x))\). And similarly to our reasoning for s n d M s g _G , we can now obtain that I⊧V a l(l).

Consider the subformula \(succeed_{G, \mathcal {S}, \kappa }^{\textnormal {deny}}\). Let \(x\in a^{\mathcal {S}}, y\in \beta ^{\mathcal {S}}(x)\), denoting \(\boldsymbol {g}=fact^{\mathcal {S}}(y)\), and \((\mathcal {S}^{\prime }, \lambda )\in align^{G}(\boldsymbol {g})\) with \(\lambda (root^{\mathcal {S}^{\prime }})<\kappa (x)\). We have to show that \(\neg succeed_{G, \mathcal {S}^{\prime }, \lambda }\) is true under V a l, which amounts to showing that \(succeed_{G, \mathcal {S}^{\prime }, \lambda }\) is false under V a l. The main strategy will be to use that \(\mathcal {S}^{\prime }\) extended with V a l fails in \(\mathcal {R}\) when executed according to λ. The reasons for failure make (parts of) formula \(succeed_{G, \mathcal {S}^{\prime }, \lambda }\) false.

First, we show that the fact V a l(g) has to be absent during (and before) transition κ(x) of \(\mathcal {R}\). By definition of y, we have \(\neg \boldsymbol {g}\in body^{\mathcal {S}}(x)\). Let \(\mathcal {S}_{0}, \mathcal {T}\in F\), and mapping n, be as above for the case “succeed input”. We have \(\neg Val(\boldsymbol {g})\in Val(body^{\mathcal {S}}(x))=body^{\mathcal {T}}(n(x))\). Now, because valuation \(vaL^{\mathcal {T}}(n(x))\) is satisfying during transition \(\kappa ^{\mathcal {T}}(n(x))=\kappa (x), Val(\boldsymbol {g})\) must be absent during κ(x). By inflationarity of the transducer, V a l(g) is thus also absent before κ(x).

Let \((\mathcal {S}^{\prime }, \lambda )\) be as above. There must be an alpha node z of \(\mathcal {S}^{\prime }\) such that fact \(Val(fact^{\mathcal {S}^{\prime }}(z))\) is not derived during transition λ(z) of \(\mathcal {R}\) because otherwise \(Val(fact^{\mathcal {S}^{\prime }}(root^{\mathcal {S}^{\prime }}))=Val(\boldsymbol {g})\) would be derived in transition \(\lambda (root^{\mathcal {S}^{\prime }})<\kappa (x)\), which is false. Let z be the first of such failed nodes with respect to λ. Valuation \(Val\circ val^{\mathcal {S}^{\prime }}(z)\) is not satisfying for \(rule^{\mathcal {S}^{\prime }}(z)\) during transition λ(z) of \(\mathcal {R}\), and each reason is used to show that some part of formula \(succeed_{G, \mathcal {S}^{\prime }, \lambda }\) is false under V a l. We consider the different kinds of literal in \(rule^{\mathcal {S}^{\prime }}(z)\):

[Input] :

Suppose there is a literal \(\boldsymbol {l}\in body^{\mathcal {S}^{\prime }}(z)|_{\varUpsilon _{\textnormal {in}}}\) such that \(I\nvDash Val(\boldsymbol {l})\). Then the conjunction \(succeed_{G, \mathcal {S}^{\prime }, \lambda }^{\textnormal {in}}\), and hence the entire formula \(succeed_{G, \mathcal {S}^{\prime }, \lambda }\), is false under V a l because \(succeed_{G, \mathcal {S}^{\prime }, \lambda }\) contains l.

[Messages] :

Recall that \(rule^{\mathcal {S}^{\prime }}(z)\) is message-positive. Suppose that there is a fact \(\boldsymbol {l}\in body^{\mathcal {S}^{\prime }}(z)|_{\varUpsilon _{\textnormal {msg}}}\) such that V a l(l) is not delivered in transition λ(z) of \(\mathcal {R}\). We argue that this is actually not possible, so this case can not occur. First, because λ is an alignment of \(\mathcal {S}^{\prime }\) to the abstract canonical run \(\mathcal {R}^{G}\), fact l is delivered in transition λ(z) of \(\mathcal {R}^{G}\). Hence, by Claim D.1, fact V a l(l) is delivered in transition λ(z) of \(\mathcal {R}\).

[Positive output and memory] :

Suppose there is a positive literal \(\boldsymbol {l}\in body^{\mathcal {S}^{\prime }}(z)|_{\varUpsilon _{\textnormal {out}}\cup \varUpsilon _{\textnormal {mem}}}\) (i.e., l is a fact) such that V a l(l) is not available during transition λ(z) of \(\mathcal {R}\). We will again show that this case can not occur. The existence of l implies that z has an alpha child-node \(z^{\prime }\) in \(\mathcal {S}^{\prime }\) with \(fact^{\mathcal {S}^{\prime }}({z^{\prime }})=\boldsymbol {l}\). This implies \(\lambda (z^{\prime })<\lambda (z)\). Since z is the first failed alpha node of \(\mathcal {S}^{\prime }\) with respect to λ, it must be that the fact \(Val(fact^{\mathcal {S}^{\prime }}(z^{\prime }))=Val(\boldsymbol {l})\) is derived in transition \(\lambda (z^{\prime })\). Hence, V a l(l) is available in transition λ(z) by inflationarity of π.

[Negative output and memory] :

Suppose there is a negative literal \(\neg \boldsymbol {i}\in body^{\mathcal {S}^{\prime }}(z)|_{\varUpsilon _{\textnormal {out}}\cup \varUpsilon _{\textnormal {mem}}}\), such that h=V a l(i) is present during transition λ(z) of \(\mathcal {R}\). From \(\mathcal {R}\), we can extract a pair \((\mathcal {T}^{\prime \prime }, \lambda ^{\prime \prime })\) with \(\mathcal {T}^{\prime \prime }\) a truncated derivation tree for h, and \(\mathcal {S}^{\prime \prime }\) an alignment of \(\mathcal {T}^{\prime \prime }\) to \(\mathcal {R}\) according to which \(\mathcal {T}^{\prime \prime }\) derives h. Note that V a l ⁻¹ exists because V a l is injective. Now, let \(\mathcal {S}^{\prime \prime }\) denote the tree obtained from \(\mathcal {T}^{\prime \prime }\) by applying for each internal node u of \(\mathcal {T}^{\prime \prime }\) the function V a l ⁻¹ after \(val^{\mathcal {T}^{\prime \prime }}(u)\). Note that \(adom(\mathcal {S}^{\prime \prime })\subseteq adom(G)\).

Because in \(\mathcal {S}^{\prime }\) there is a beta child node \(z^{\prime }\) of z with \(fact^{\mathcal {S}^{\prime }}({z^{\prime }})=\boldsymbol {i}\), if we could show \((\mathcal {S}^{\prime \prime }, \lambda ^{\prime \prime })\in align^{G}({\boldsymbol {i}})\), then formula \(succeed_{G, \mathcal {S}^{\prime }, \lambda }^{\text {deny}}\) contains the subformula \(\neg succeed_{G, \mathcal {S}^{\prime \prime }, \lambda ^{\prime \prime }}\). Then, we can recursively show that \(succeed_{G, \mathcal {S}^{\prime \prime }, \lambda ^{\prime \prime }}\) is true under V a l, making \(succeed_{G, \mathcal {S}^{\prime }, \lambda }^{\text {deny}}\), and by extension \(succeed_{G, \mathcal {S}^{\prime }, \lambda }\), false under V a l, as desired. This is similar to our current proof where we show that \(succeed_{G, \mathcal {S}, \kappa }\) is true under V a l, but we would replace \((\mathcal {S}, \kappa )\) by \((\mathcal {S}^{\prime \prime }, \lambda ^{\prime \prime })\). This recursive step always ends, as we argued at the end of Section 7.2.3.

We are left to show that \((\mathcal {S}^{\prime \prime },\lambda ^{\prime \prime })\in align^{G}(\boldsymbol {i})\). First, \(\mathcal {S}^{\prime \prime }\) derives the fact V a l ⁻¹(h)=V a l ⁻¹(V a l(i))=i. Next, alignment \(\lambda ^{\prime \prime }\) for \(\mathcal {S}^{\prime \prime }\) schedules nodes before their ancestors because it also does this for \(\mathcal {T}^{\prime \prime }\). For the last step, let u be an internal node of \(\mathcal {S}^{\prime \prime }\). We have to show that each \(\boldsymbol {e}\in body^{\mathcal {S}^{\prime \prime }}(u)|_{\varUpsilon _{\textnormal {msg}}}\) is delivered during transition \(\lambda ^{\prime \prime }(u)\) of \(\mathcal {R}^{G}\). By construction of \(\mathcal {S}^{\prime \prime }\) from \(\mathcal {T}^{\prime \prime }\), there is some \(\boldsymbol {e^{\prime }}\in body^{\mathcal {T}^{\prime \prime }}(u)|_{\varUpsilon _{\textnormal {msg}}}\) that is delivered in transition \(\lambda ^{\prime \prime }(u)\) of \(\mathcal {R}\) and \(\boldsymbol {e}=Val^{-1}(\boldsymbol {e^{\prime }})\). But by Claim D.1, we have \(\boldsymbol {e^{\prime }}\in Val(M_{j}^{G})\) with \(j=\lambda ^{\prime \prime }(u)\). Hence, \(\boldsymbol {e} \in Val^{-1}\circ Val(M_{j}^{G})=M_{j}^{G}\), as desired.

1.3 D.3 Claims

Claim D.2

Consider the symbols defined in Section 7.2.3 . Let \(G\subseteq forest_{{R}}\) . Let F be a set of derivation trees of π such that (i) no two trees are structurally equivalent; (ii) for each \(\mathcal {T}\in F\) there is a structurally equivalent tree \(\mathcal {S}\in G\) ; and, (iii) there is an injective function \(Val:adom(G)\rightarrow adom(F)\) such that when Val is applied after the valuations of a tree \(\mathcal {S}\in G\) , we obtain the structurally equivalent tree \(\mathcal {T}\in F\) . Finally, let I be an input for \(\boldsymbol {\mathcal {M}}\) such that formula sndMsg _G is satisfied under Val with respect to I.

Let \(\mathcal {R}^{G}\) and \(\mathcal {R}\) denote the canonical runs based on G and F respectively, that both have the same length n. Let i∈{1,…,n} and let \(M_{i}^{G}\) denote the (abstract) message set delivered in transition i of \(\mathcal {R}^{G}\) . In transition i of \(\mathcal {R}\) , we deliver precisely \(Val(M_{i}^{G})\).

Proof

We show this by induction on i. For the base case (i=1), the property holds because \(M_{i}^{G}=\emptyset \) and no messages are delivered in the first transition of \(\mathcal {R}\) (as no messages were previously sent).

For the induction hypothesis, assume the property holds for transitions j=1,…,i−1 with i>1. For the inductive step, we show that the property is satisfied for transition i. First, note that at most \(Val(M_{i}^{G})\) can be delivered in transition i of \(\mathcal {R}\), because this transition only delivers the messages needed by rules in F scheduled at i, and because the trees in F are obtained from those in G by concatenating V a l to their valuations.

For the second direction, let \(\boldsymbol {g}\in M_{i}^{G}\) and denote h=V a l(g). We show that h is delivered in transition i of \(\mathcal {R}\). Since \(\boldsymbol {g}\in M_{i}^{G}\), there is a tree \(\mathcal {S}^{\prime }\in G\), and an internal node x of \(\mathcal {S}^{\prime }\), such that \(\kappa ^{\mathcal {S}^{\prime }}(x)=i\) and \(\boldsymbol {g}\in body^{\mathcal {S}^{\prime }}(x)|_{\varUpsilon _{\textnormal {msg}}}\). By message-positivity of \(rule^{\mathcal {S}^{\prime }}(x)\), there is a child y of x such that \(fact^{\mathcal {S}^{\prime }}(y)=\boldsymbol {g}\). From the definition of the canonical scheduling, we have \(\kappa ^{\mathcal {S}^{\prime }}(y)=\kappa ^{\mathcal {S}^{\prime }}(x)-1\). Denoting \(j=\kappa ^{\mathcal {S}^{\prime }}(y)\), we have j=i−1. We show that \(Val\circ val^{\mathcal {S}^{\prime }}(y)\) is satisfying for \(rule^{\mathcal {S}^{\prime }}(y)\) during transition j, such that V a l(g)=h is sent in transition j, and can be delivered in (the next) transition i. The nonequalities of \(rule^{\mathcal {S}^{\prime }}(y)\) are satisfied because they are satisfied under \(val^{\mathcal {S}^{\prime }}(y)\) (by construction of G) and because V a l is injective. Next, because \(rule^{\mathcal {S}^{\prime }}(y)\) is static, we only have to consider input and message atoms:

• Let \(\boldsymbol {l}\in body^{\mathcal {S}^{\prime }}(y)|_{\varUpsilon _{\textnormal {in}}}\). We have, I⊧V a l(l), as desired, because l is added to s n d M s g _G , which is true under V a l with respect to I.

• Let \(\boldsymbol {l}\in body^{\mathcal {S}^{\prime }}(y)|_{\varUpsilon _{\textnormal {msg}}}\). Because \(rule^{\mathcal {S}^{\prime }}(y)\) is message-positive, l is a fact. Moreover, we have \(\boldsymbol {l}\in M_{j}^{G}\). By applying the induction hypothesis to transition j, we know that V a l(l) is delivered during transition j, as desired.

□

Claim D.2

Let \(\mathcal {T}\) and \(\mathcal {S}\) be two structurally equivalent derivation trees of π, that derive the same output or memory fact f. Abbreviate \(n=map_{\mathcal {S}, \mathcal {T}}\) . For each \(x\in a^{\mathcal {S}}\) , the valuations \(val^{\mathcal {S}}(x)\) and \(vaL^{\mathcal {T}}(n(x))\) assign the same values to the free variables of the rule \(rule^{\mathcal {S}}(x)=rule^{\mathcal {T}}(n(x))\).²¹

Proof

We show the property by induction on the length of the path from the root to the node \(x\in a^{\mathcal {S}}\) in question. In the base case, simply \(x=root^{\mathcal {S}}\) and \(n(x)=root^{\mathcal {T}}\). We are given that \(fact^{\mathcal {S}} (root^{\mathcal {S}})=fact^{\mathcal {T}}(root^{\mathcal {T}})\). Hence, valuations \(val^{\mathcal {S}}(root^{\mathcal {S}})\) and \(val^{\mathcal {T}}(root^{\mathcal {T}})\) assign the same values to free variables. Moreover, because f is an output or memory fact, \(rule^{\mathcal {S}}(root^{\mathcal {S}})\) is message-bounded, and thus any variable occurring in an output or memory literal in the body must be a free variable. Hence, for every alpha child y of \(root^{\mathcal {S}}\), we have \(fact^{\mathcal {S}}(y)=fact^{\mathcal {T}}(n(y))\). The reasoning can now be repeated for y. □