Loose Semantics and Constraints for Graph Transformation Systems*

Reiko Heckel¹, Hartmut Ehrig¹, Uwe Wolter¹, Andrea Corradini²**

¹ TU Berlin, FR 6-1, Franklinstrasse 28/29, 10587 Berlin, Germany
{reiko, ehrig, [email protected]

² CWI, Kruislaan 413, 1098 SJ Amsterdam, The Netherlands
[email protected]

Abstract. The main aim of this paper is an extension of the theory of algebraic graph transformation systems by a loose semantics. For this purpose, graph transitions are introduced as a loose interpretation of graph productions. They are defined using a double-pullback construction, in contrast to classical graph derivations based on double-pushouts. Two characterisation results relate graph transitions to the classical double-pushout derivations and to amalgamated derivations, respectively. Moreover, a loose semantics for graph transformation systems is defined, which associates with each system a category of models (deterministic transition systems) defined as coalgebras over a suitable functor. This category has a final object, which includes all finite and infinite transition sequences. Constraints are introduced in order to restrict the loose semantics of graph transformation systems. The coalgebraic framework makes it possible to define a general notion of logic of behavioural constraints. Instances include, for example, start graphs, application and consistency conditions, and temporal logic constraints. We show that the considered semantics can be restricted to a final coalgebra semantics for systems with behavioural constraints. Parts of the paper are submitted for publication as [HEWC97a,HEWC97b].

1 Introduction

The theory of graph transformation systems basically studies a variety of formalisms which extend the theory of formal languages in order to deal with structures more general than strings, like graphs and maps. A graph transformation system allows one to describe finitely a (possibly infinite) collection of graphs, i.e., those which can be obtained from a start graph through repeated applications of graph productions. Each production can be applied to a graph by replacing an occurrence of its left-hand side with its right-hand side. The form of graph productions and the mechanisms stating how a production can be applied to a graph and what the resulting graph is depend on the specific formalism. Among the various formulations of graph transformation, the "algebraic, Double Pushout (DPO) approach" [EPS73,Ehr79] is one of the most successful, mainly because of its flexibility. In fact, since the basic notions of production and direct derivation are defined in terms of diagrams and constructions in a

* Research partially supported by the German Research Council (DFG) and the TMR network GETGRATS.
** A. Corradini is on leave from Dipartimento di Informatica, Pisa. He is also supported by the EC Fixed Contribution Contract n. EBRFMBICT960840.


category, they can be defined in a uniform way for a wide range of structures. Moreover, many results can be proved once and for all using categorical techniques. Graph transformation systems have been widely used to model graphical structures and their evolution in Computer Science and Biology. In Computer Science, the main application areas have been programming languages, database and information systems, term rewriting with shared substructures, and the generation as well as analysis of languages based on graphs instead of words and trees (see [ENRR87,EKR91,CEER96]). During the last years¹, the theory of graph transformation systems has developed towards a f undamental semantical model for concurrency (generalising Petri nets [Cor96]) and for the specification of software systems [ET95]. Traditionally the semantics of a graph transformation system is defined as the collection of all its direct derivations or derivation sequences (for example, in [CEL+96,HCEL96] these are generated from the system via a free construction). Such a semantics assumes that the behaviour of the system is completely specified. However, there are many situations where such an assumption is no longer adequate, as in the case of the specification of reactive systems, and of parametrised or modular specifications. Graph transformations have recently been used to specify reactive systems in the German-Brazilian project GRAPHIT, where in cooperation with an industrial partner a telephone system has been specified [Rib96b]. It turned out that graph transformations seem to have a great potential as a specification technique for reactive systems, provided that the classical theory of graph transformation systems is extended to handle open semantics and control aspects in terms of some kind of behavioural constraints. For such systems, in fact, the actual behaviour depends on the interaction with the external environment.
Another current stream of research concerns the enrichment of graph transformation based specification with modularity and parametrisation techniques [AEH+96,EE96,EHTE97]. Also in these cases, an open or loose semantics has to be provided for modules with import/export interfaces, parametrised specification components, or partial views of a system to be developed, because they cannot be assumed to specify completely the behaviour of a system. A similar problem has been addressed in the field of algebraic specifications too, where a well-accepted solution is a loose semantics that associates with a specification the category of all algebras satisfying it [EM85]. Therefore we propose in this paper a loose semantics for graph transformation systems, based on two main technical ingredients: an original loose interpretation of graph productions, which also takes into account the possible effect of interactions with the environment, and a category of models defined via coalgebraic techniques. Concerning the first point, the usual interpretation of a graph production (in the DPO approach) is that it determines the changes to the current state for the matched subgraph. The remaining part is considered as a context, and

¹ Mainly in the framework of two European projects, the Esprit Basic Research Working Groups COMPUGRAPH I and II (1989-1996).


it is left unchanged: this can be interpreted as an implicit frame condition, stating that nothing must happen beyond what is explicitly specified. If, on the other hand, productions are considered as incomplete descriptions of the transformations to be performed, this assumption is no longer valid. The production still determines the changes to the matched subgraph, but for the context anything can happen. This idea is captured by the notion of graph transition. A graph transition ensures that we preserve, delete, and add at least as much as is specified by the production, but it also allows us to model the addition and deletion of other items which may be caused by the environment. Technically speaking, graph transitions are based on a double-pullback construction, unlike direct derivations, which are classically defined using a double-pushout construction. Two important results characterise graph transitions in terms of extended direct derivations, and of amalgamated graph derivations (using the union of two productions along a common subproduction), respectively. Concerning the second point, the category of models of a graph transformation system is defined as the category of coalgebras with respect to a suitable functor, based on the transitions of the system. More precisely, a model for a graph transformation system $\mathcal{G}$ is defined as a transition system with terminal states that takes no input and at each step outputs a transition of $\mathcal{G}$. The category of models has a final object: the full transition system over $\mathcal{G}$, containing all its finite and infinite transition sequences. It is worth stressing that unlike the theory of algebraic specification, where the loose semantics is a category of algebras, we use a coalgebraic approach: this is consistent with the fact that coalgebras are often suggested as models of behaviours for objects and systems.

Furthermore, while in a purely rule-based framework it is usually difficult to control the order and frequency of rule applications (control aspects that are very important for the specification of reactive systems), the coalgebraic loose semantics we propose allows us to handle in a very satisfactory way a large class of constraints imposed on the behaviour of a graph transformation system. A generic logic of behavioural constraints is introduced. It is shown that for each behavioural constraint, the restriction to the behaviours that satisfy the constraint is a cofree construction. The paper is organised as follows. After recalling the basic notions of the double-pushout approach to graph transformation systems in Section 2, in Section 3 we introduce graph transitions via a double-pullback construction, and relate them to the classical notion of direct derivations and to amalgamated derivations. Next, in Section 4 we define the category of models for a graph transformation system as a suitable category of coalgebras, called graph transition systems. Section 5 introduces the notion of a logic of behavioural constraints, and presents several instances including, for example, start graphs, application and consistency conditions, and temporal logic constraints.

2 Basic Notions of Typed Graph Transformation Systems

This section reviews basic notions and definitions of the algebraic double-pushout (DPO) approach to the transformation of typed graphs [Ehr79,CMR96].


A directed graph $G = (V, E, s, t)$ consists of a set of vertices $V$, a set of edges $E$, and two mappings $s, t : E \to V$ which provide a source and a target vertex for every edge. A graph morphism $f : G \to H$ is a pair of functions $(f_V : G_V \to H_V,\ f_E : G_E \to H_E)$ which is compatible with the graph structure, i.e., $f_V \circ s_G = s_H \circ f_E$ and $f_V \circ t_G = t_H \circ f_E$. Graphs and total graph morphisms constitute a category which is called $\mathbf{Graph}$. Given a graph $TG \in |\mathbf{Graph}|$, the category $\mathbf{Graph}_{TG}$ of typed graphs over $TG$ and typed graph morphisms is the comma category $(\mathbf{Graph} \downarrow TG)$. The category $\mathbf{Graph}$ has all limits and colimits. Hence, the comma category $(\mathbf{Graph} \downarrow TG)$ has all limits and colimits as well, and the construction of pushouts and pullbacks coincides in $\mathbf{Graph}$ and $(\mathbf{Graph} \downarrow TG)$ up to the additional typing information. If not stated otherwise, graphs and graph morphisms will be assumed to be typed over $TG$ in the following.

Graph productions according to the DPO approach are specified by spans of injective graph morphisms $L \xleftarrow{l} K \xrightarrow{r} R$. The left-hand side $L$ contains the items that must be present for an application of the production, the right-hand side $R$ those that are present afterwards, and the context graph $K$ specifies the "gluing items", i.e., the objects which are read during application but are not consumed.

Definition 1 (graph production and transformation system). A graph production $p : s$ is composed of a production name $p$ and of a span of injective graph morphisms $s = (L \xleftarrow{l} K \xrightarrow{r} R)$, called production span. If no confusion is possible, we will sometimes make reference to a production $p : s$ simply as $p$, or also as $s$. The reverse production of $p$ is $p^{-1} : (R \xleftarrow{r} K \xrightarrow{l} L)$. A (typed) graph transformation system $\mathcal{G}$ consists of a type graph $TG$, a set of production names $P$, and a mapping associating with each production name $p$ a production span. If $p \in P$ is a production name and $s$ is the span associated with it, we say that $p : s$ is a production of $\mathcal{G}$.

A (typed) graph grammar $GG = \langle \mathcal{G}, G_0 \rangle$ is a typed graph transformation system $\mathcal{G}$ together with a start graph $G_0 \in |\mathbf{Graph}_{TG}|$. △

Direct derivations in the DPO approach are defined as double-pushout constructions.

Definition 2 (DPO derivation). A double-pushout $d$ is a diagram like the one on the left of Figure 2 on page 7, where top and bottom are production spans and (1) and (2) are pushouts. If $p : (L \xleftarrow{l} K \xrightarrow{r} R)$ is a production, a direct derivation from $G$ to $H$ is denoted by $G \stackrel{p/d}{\Longrightarrow} H$. We also write $p/d$ if $G$ and $H$ are understood, and denote by $In$, $Out$, and $pn$ the projections $In(p/d) = G$, $Out(p/d) = H$, and $pn(p/d) = p$. A derivation in a graph transformation system $\mathcal{G}$ is a finite or infinite sequence of direct derivations $G_0 \stackrel{p_1/d_1}{\Longrightarrow} G_1 \stackrel{p_2/d_2}{\Longrightarrow} G_2 \ldots$ where $p_1, p_2, \ldots$ are production names of $\mathcal{G}$. A derivation in a grammar $GG = \langle \mathcal{G}, G_0 \rangle$ is a derivation in $\mathcal{G}$ that starts in $G_0$. △

The existence of a direct derivation is characterised by the gluing conditions [Ehr79]:

Characterisation 3 (gluing conditions). Let $p : (L \xleftarrow{l} K \xrightarrow{r} R)$ be a production and $d_L : L \to G$ be a graph morphism, called match for $p$. Then, there exists a direct derivation $G \stackrel{p/d}{\Longrightarrow} H$ if and only if the following two conditions are satisfied:

identification condition: Whenever there are vertices or edges $x, y \in L$ with $d_L(x) = d_L(y)$, then $x = y$ or $x, y \in l(K)$, i.e., both are preserved by the production.

dangling condition: For each deleted vertex $x \in d_L(L - l(K))$ and each edge $y \in G$ with $s(y) = x$ or $t(y) = x$, also $y$ is deleted, i.e., $y \in d_L(L - l(K))$. △

Actually, the gluing conditions only characterise the existence of the pushout complement, i.e., the context graph $D$ and morphisms $l^*$ and $d_K$ such that subdiagram (1) in the left of Figure 2 is a pushout. Then, also pushout (2) exists since $\mathbf{Graph}_{TG}$ is cocomplete. Operationally speaking, the application of a production $p : (L \xleftarrow{l} K \xrightarrow{r} R)$ to a graph $G$ consists of three steps. First, the match $d_L : L \to G$ has to be chosen, providing an occurrence of $L$ in $G$ such that the gluing conditions are satisfied. Then, all objects of $G$ matched by $L - l(K)$ are removed. This leads to the context graph $D$. Finally, the objects of $R - r(K)$ are added to $D$, leading to the derived graph $H$. Hence, the application of $p$ deletes and creates exactly what is specified by the production, i.e., there is an implicit frame condition stating that everything that is not rewritten explicitly by the production is left unchanged.

Fig. 1. Telephone example. (Diagram: the type graph $TG_{Ph}$ with vertex types Phone, HookOn, HookOff and Ring; the production HookOff $: (L \leftarrow K \to R)$; and a direct derivation $G_1 \leftarrow D_2 \to G_2$ given by the pushouts (3) and (4).)

Our sample graph transformation system $\mathcal{G}_{Ph}$ has the type graph $TG_{Ph}$ and two productions, HookOff and the empty production $(\emptyset \leftarrow \emptyset \to \emptyset)$; it models (part of) the user's interaction with a telephone (see [Rib96b] for the full case study). The type graph $TG_{Ph}$ and the production HookOff $: (L \leftarrow K \to R)$ are shown in Figure 1. The typing is indicated by the inscription of vertices and the phone icon. Using production HookOff, the user may change the hook status of the phone, while the empty production models an idle step of the user. A direct derivation using HookOff is given by the pushout diagrams (3) and (4) in Figure 1. The parallel application of productions $p_1$ and $p_2$ (without any synchronisation) is modelled by the application of the so-called parallel production $p_1 + p_2$, constructed as the disjoint union (coproduct) of $p_1$ and $p_2$. If both productions


are intended to share certain objects and effects, this may be specified by a common subproduction $p_0$. This means that $p_0$ is embedded into $p_1$ and $p_2$ by double-pullback diagrams, i.e., diagrams like the one in Figure 2 on the left where (1) and (2) are pullbacks. The synchronised application of $p_1$ and $p_2$ sharing $p_0$ is described by the amalgamated production, written $p_1 +_{p_0} p_2$ here (the original symbol for this operation did not survive extraction). It is constructed by gluing the productions $p_1$ and $p_2$ over $p_0$ [BFH87].

Definition 4 (parallel and amalgamated productions). If $p_i : (L_i \xleftarrow{l_i} K_i \xrightarrow{r_i} R_i)$ are graph productions for $i = 1, 2$, the parallel production $p_1 + p_2 : (L_1 + L_2 \xleftarrow{l} K_1 + K_2 \xrightarrow{r} R_1 + R_2)$ is obtained by componentwise coproduct constructions of left-hand side, interface, and right-hand side graphs, while the morphisms $l$ and $r$ are induced by the universal property of $K_1 + K_2$. A derivation $G \stackrel{p_1 + p_2 / d}{\Longrightarrow} H$ using the parallel production is called parallel derivation. A subproduction morphism $e_1 : p_0 \to p_1$ for $p_0 : (L_0 \xleftarrow{l_0} K_0 \xrightarrow{r_0} R_0)$ is a triple of graph morphisms $e_1 = \langle e_{1L}, e_{1K}, e_{1R} \rangle$ with $e_{1X} : X_0 \to X_1$ for $X \in \{L, K, R\}$ such that the two resulting squares are pullbacks. If $p_0$ is a subproduction of $p_1$ and $p_2$, i.e., there are subproduction morphisms $e_i : p_0 \to p_i$ for $i = 1, 2$, the amalgamated production $p_1 +_{p_0} p_2 : (L_3 \xleftarrow{l_3} K_3 \xrightarrow{r_3} R_3)$ is obtained componentwise by constructing the pushout $X_1 \xrightarrow{\bar e_{2X}} X_3 \xleftarrow{\bar e_{1X}} X_2$ of $X_1 \xleftarrow{e_{1X}} X_0 \xrightarrow{e_{2X}} X_2$, while $l_3$ and $r_3$ are induced by the universal property of the pushout object $K_3$. A derivation $G \stackrel{p_1 +_{p_0} p_2 / d}{\Longrightarrow} H$ using the amalgamated production is called amalgamated derivation. △

3 From Double-Pushout Derivations to Double-Pullback Transitions

In this section a loose notion of graph transformation is introduced, which we call graph transition. As anticipated in the introduction, a graph transition will ensure that we preserve, delete, and add at least as much as is specified by the production, but it also allows us to model the addition and deletion of other items which may be caused by the environment. This means dropping the implicit frame condition of the previous section, which ensures that those parts of the graph that are not matched by the production are left unchanged. Instead, we allow explicit frame conditions to be defined that protect only some explicitly given parts of the graphs from unspecified changes. Let us now introduce graph transitions, which are defined simply by replacing the double-pushout diagram of direct derivations with a double-pullback (DPB). Next, graph transitions will be characterised as extended direct (DPO) derivations on the one hand, and as amalgamated and parallel derivations on the other hand.

Definition 5 (graph transition). Let $p : (L \xleftarrow{l} K \xrightarrow{r} R)$ be a production and $d$ be a DPB diagram as in Figure 2 on the left. Then, $G \stackrel{p/d}{\leadsto} H$ forms a graph transition from $G$ to $H$ via $p : s$, shortly: $p$-transition. As for direct derivations, we omit $G$ and $H$ if they are understood and denote by $In$, $Out$, and $pn$ the corresponding projections. The set² of all transitions in a graph transformation system $\mathcal{G}$ is denoted by $\mathcal{G}_{\leadsto}$. △

Fig. 2. DPO (resp., DPB) diagram $d$ and characterisation of DPB as extended DPO. (Left: the squares (1) and (2) between the production span $L \xleftarrow{l} K \xrightarrow{r} R$ and the bottom span $G \xleftarrow{l^*} D \xrightarrow{r^*} H$, with vertical morphisms $d_L$, $d_K$, $d_R$. Right: the double-pushout $G' \xleftarrow{l'} D \xrightarrow{r'} H'$ with squares (3) and (4) and vertical morphisms $d'_L$, $d_K$, $d'_R$, embedded into $G \leftarrow D \to H$ by $e_G : G' \to G$ and $e_H : H' \to H$.)

A sequence of two transitions is shown in Figure 3. The first one, given by pullbacks (1) and (2), uses the empty production. It represents a step where the phone starts ringing while the user is idle. The second transition (using HookOff) consists of pullbacks (3) and (4). It has the unspecified effect of turning the bell off.

Fig. 3. A sample transition sequence. (Diagram: $G_0 \leftarrow D_1 \to G_1$ via the empty production, pullbacks (1) and (2), in which the Ring vertex appears; then $G_1 \leftarrow D_2 \to G_2$ via HookOff $: (L \leftarrow K \to R)$, pullbacks (3) and (4), in which the Ring vertex disappears; in the upper right the production $p_2 : (L_2 \leftarrow K_2 \to R_2)$ referred to later in this section; the type graph $TG_{Ph}$ and its subgraph $FC_{Ph}$ with the types Phone, HookOn and HookOff.)

Let us investigate the notion of graph transition from a more operational point of view. As usual, a span $G \xleftarrow{l^*} D \xrightarrow{r^*} H$ represents a transformation where $G - l^*(D)$ is deleted, $l^*(D) \subseteq G$ is preserved as $r^*(D) \subseteq H$, and $H - r^*(D)$ is newly created. Then, referring to the left diagram of Figure 2:

- Commutativity of (1) and (2) ensures that the image of $K$ in $G$ is preserved in $D$ and $H$, i.e., $d_L(l(K)) \subseteq l^*(D)$ and $d_R(r(K)) \subseteq r^*(D)$.
- The pullback property of (1) ensures that at least every image of $L - l(K)$ in $G$ is deleted, i.e., $d_L(L - l(K)) \cap l^*(D) = \emptyset$.
- The pullback property of (2) ensures that at least every image of $R - r(K)$ in $H$ is newly created, i.e., $d_R(R - r(K)) \cap r^*(D) = \emptyset$.

It is worth stressing that graph transitions may not only have additional effects but also exist more frequently than DPO derivations. In general, the left-hand side morphism $d_L$ of a graph transition may satisfy neither the identification nor the dangling condition of the corresponding production, and

² In general, this is a class rather than a set. In order to avoid foundational problems, however, we assume that for all graphs in $\mathbf{Graph}$ the sets of vertices and edges are chosen as subsets of a global set $U$ of names. Then, $\mathbf{Graph}$ is a small category and the transitions in $\mathcal{G}$ form a set.

neither does the right-hand side morphism. Consider for example the transitions in Figure 4. The production in the left transition deletes two vertices 1 and 2 and generates 1' and 2'. The match identifies 1 and 2, i.e., it does not satisfy the identification condition (cf. Characterisation 3). Nevertheless there is a transition removing the vertex 1 = 2 from the given graph. Symmetrically, on the right-hand side, the transition decides to generate only one vertex 1' = 2' instead of two as stated in the production. In the middle of Figure 4 there is another example of a match for a production violating the identification condition: at the same time, the production tries to preserve and to delete the vertex 1 = 2 of the given graph. Obviously, this leads to a conflict, i.e., there is no transition using this match. Finally, on the right-hand side, a transition is shown where the left-hand side morphism does not satisfy the dangling condition. Here, the transition exists and removing the dangling edge is an unspecified effect. Symmetrically, it is possible to attach edges to newly created vertices, which is shown on the right-hand side. Summarising, transitions may not be faithful with respect to the number of deleted or generated elements and they may delete dangling edges. They are not able, however, to resolve conflicts of preservation and deletion.

Fig. 4. Transitions that do not satisfy the gluing conditions. (Diagram: left, a production deleting vertices 1, 2 and creating 1', 2', matched onto a single vertex 1 = 2 and producing a single vertex 1' = 2'; middle, a production preserving one of the vertices 1, 2 and deleting the other, with a match identifying 1 = 2; right, a production deleting a vertex 1 whose image still carries an edge, and creating a vertex 1' to which a new edge is attached.)

Motivated by these observations we introduce faithful and safe transitions:

Definition 6 (faithful and safe transitions). A transition $G \stackrel{p/d}{\leadsto} H$ using $p : (L \xleftarrow{l} K \xrightarrow{r} R)$ is called faithful if $d_L : L \to G$ and $d_R : R \to H$ satisfy the identification conditions of $p$ and $p^{-1}$, respectively. It is called safe if $d_L$ and $d_R$ satisfy the gluing conditions of $p$ and $p^{-1}$. △

Both transitions in the sequence of Figure 3 are safe. The transition in Figure 4 on the left is not faithful, while the one on the right is faithful but not safe. Transitions are now related to direct derivations and to derivations via amalgamated productions. First, we show that each faithful transition is equivalent to a direct derivation, preceded by an additional deletion and followed by an additional insertion step, both represented by total injective graph morphisms.
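The following Python program is added here as an illustration and is not part of the paper. It implements, on small graphs, the notions of Section 2 and of Definitions 5 and 6: the identification and dangling conditions of Characterisation 3, the three-step DPO application, the pullback test on the two squares of a DPB diagram, the faithful and safe classes, and the one conflict a transition cannot resolve. Graphs are pairs of dicts, a morphism is a pair of dicts on vertex and edge ids, and the bottom span $G \leftarrow D \to H$ is taken as inclusions (D shares its ids with G and H). The telephone graphs, the vertex and edge type names, and the Figure 4 productions are constructed after the figures; all function names (`is_pullback`, `transition_exists`, and so on) are this example's own.

```python
# Added example, not from the paper: graphs as dict pairs, the gluing
# conditions of Characterisation 3, the three-step DPO application, and the
# double-pullback test of Definition 5 with the faithful/safe classes of
# Definition 6. The telephone data is constructed after Figures 1 and 3.
from dataclasses import dataclass

@dataclass(frozen=True)
class Graph:
    V: dict  # vertex id -> type name (the typing over TG, kept as labels)
    E: dict  # edge id -> (source id, target id, type name)

def incl(G):  # the inclusion D <= G is the identity on ids
    return ({v: v for v in G.V}, {e: e for e in G.E})

def is_morphism(f, G, H):
    """f = (fV, fE) is total, type-preserving and compatible with source/target."""
    fV, fE = f
    return (set(fV) == set(G.V) and set(fE) == set(G.E)
            and all(H.V[fV[v]] == t for v, t in G.V.items())
            and all(H.E[fE[e]] == (fV[s], fV[t], ty) for e, (s, t, ty) in G.E.items()))

def deleted_by(L, l, dL):
    """Images in G of L - l(K), separately for vertices and edges."""
    return ({dL[0][x] for x in L.V if x not in l[0].values()},
            {dL[1][x] for x in L.E if x not in l[1].values()})

# Characterisation 3: the gluing conditions for a match dL : L -> G.
def identification_ok(L, l, dL):
    for items, m, img in ((L.V, dL[0], set(l[0].values())),
                          (L.E, dL[1], set(l[1].values()))):
        for x in items:
            for y in items:
                if x != y and m[x] == m[y] and not (x in img and y in img):
                    return False
    return True

def dangling_ok(L, l, dL, G):
    gone_v, gone_e = deleted_by(L, l, dL)
    return all(e in gone_e for e, (s, t, _) in G.E.items()
               if s in gone_v or t in gone_v)

# DPO application: check the match, delete L - l(K), add R - r(K) with fresh ids.
def apply_dpo(p, G, dL, fresh="new"):
    L, K, R, l, r = p
    if not (identification_ok(L, l, dL) and dangling_ok(L, l, dL, G)):
        return None  # no pushout complement D exists
    gone_v, gone_e = deleted_by(L, l, dL)
    D = Graph({v: t for v, t in G.V.items() if v not in gone_v},
              {e: x for e, x in G.E.items() if e not in gone_e})
    dK = ({z: dL[0][l[0][z]] for z in K.V}, {z: dL[1][l[1][z]] for z in K.E})
    dRV = {r[0][z]: dK[0][z] for z in K.V}  # dR on the preserved part r(K)
    dRE = {r[1][z]: dK[1][z] for z in K.E}
    HV, HE = dict(D.V), dict(D.E)
    for x, t in R.V.items():
        if x not in dRV:
            dRV[x] = f"{fresh}_{x}"; HV[dRV[x]] = t
    for x, (s, t, ty) in R.E.items():
        if x not in dRE:
            dRE[x] = f"{fresh}_{x}"; HE[dRE[x]] = (dRV[s], dRV[t], ty)
    return D, dK, Graph(HV, HE), (dRV, dRE)

# Definition 5: the square l : K -> L, dK : K -> D, dL : L -> G, lstar : D -> G
# is a pullback iff z -> (l(z), dK(z)) is a bijection from K onto
# {(x, y) | dL(x) = lstar(y)}, for vertices and for edges.
def is_pullback(K, L, D, l, dK, dL, lstar):
    for i, (kx, lx, dx) in enumerate(((K.V, L.V, D.V), (K.E, L.E, D.E))):
        pairs = {(x, y) for x in lx for y in dx if dL[i][x] == lstar[i][y]}
        image = {(l[i][z], dK[i][z]) for z in kx}
        if image != pairs or len(image) != len(kx):
            return False
    return True

def is_transition(p, G, D, H, dL, dK, dR):  # D <= G and D <= H by inclusion
    L, K, R, l, r = p
    return (is_morphism(dL, L, G) and is_morphism(dK, K, D) and is_morphism(dR, R, H)
            and is_pullback(K, L, D, l, dK, dL, incl(D))
            and is_pullback(K, R, D, r, dK, dR, incl(D)))

def transition_exists(p, G, dL):
    """Some D <= G completes square (1) iff no item of G is hit both by l(K)
    (to be preserved) and by L - l(K) (to be deleted): the only conflict a
    transition cannot resolve (l is injective, so this is exact)."""
    L, K, R, l, r = p
    kept_v = {dL[0][l[0][z]] for z in K.V}
    kept_e = {dL[1][l[1][z]] for z in K.E}
    gone_v, gone_e = deleted_by(L, l, dL)
    return not (kept_v & gone_v) and not (kept_e & gone_e)

def is_faithful(p, dL, dR):  # Definition 6: identification conditions of p, p^-1
    L, K, R, l, r = p
    return identification_ok(L, l, dL) and identification_ok(R, r, dR)

def is_safe(p, G, H, dL, dR):  # Definition 6: full gluing conditions of p, p^-1
    L, K, R, l, r = p
    return (is_faithful(p, dL, dR) and dangling_ok(L, l, dL, G)
            and dangling_ok(R, r, dR, H))

# Constructed data. HookOff : (L <- K -> R) swaps the phone's hook-status vertex.
L = Graph({"ph": "Phone", "h": "HookOn"}, {"s": ("ph", "h", "on")})
K = Graph({"ph": "Phone"}, {})
R = Graph({"ph": "Phone", "h": "HookOff"}, {"s": ("ph", "h", "off")})
HOOKOFF = (L, K, R, ({"ph": "ph"}, {}), ({"ph": "ph"}, {}))
# G1 <- D2 -> G2 is the transition (3)+(4) of Fig. 3: the bell stops unspecified.
G1 = Graph({"ph": "Phone", "h": "HookOn", "rg": "Ring"},
           {"s": ("ph", "h", "on"), "b": ("ph", "rg", "bell")})
D2 = Graph({"ph": "Phone"}, {})
G2 = Graph({"ph": "Phone", "h2": "HookOff"}, {"s2": ("ph", "h2", "off")})
mL, mK, mR = ({"ph": "ph", "h": "h"}, {"s": "s"}), ({"ph": "ph"}, {}), ({"ph": "ph", "h": "h2"}, {"s": "s2"})
# Fig. 4 (middle): preserve one of 1, 2 and delete the other; the match sets 1 = 2 = a.
CONFLICT = (Graph({1: "N", 2: "N"}, {}), Graph({2: "N"}, {}), Graph({2: "N"}, {}),
            ({2: 2}, {}), ({2: 2}, {}))
# Fig. 4 (right): delete vertex 1, matched onto a vertex that still carries an edge.
DANGLE = (Graph({1: "N"}, {}), Graph({}, {}), Graph({}, {}), ({}, {}), ({}, {}))
GA = Graph({"a": "N", "b": "N"}, {"e": ("a", "b", "t")})
```

`transition_exists` is the loose counterpart of the gluing conditions: since $l$ is injective, a context $D$ making square (1) a pullback exists exactly when no item of $G$ is the image both of $l(K)$ and of $L - l(K)$, which is the preserve/delete conflict of the middle transition in Figure 4. The identification and dangling failures of the other two transitions do not prevent a transition; they only make it non-faithful or unsafe, and `apply_dpo` refuses the same matches because the pushout complement does not exist.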

Theorem 7 (transitions are extended direct derivations). If $p : s$ is a production, the following statements are equivalent:

1. There is a faithful transition $G \stackrel{p/d}{\leadsto} H$ with $d = \langle d_L, d_K, d_R \rangle$ as in Figure 2 on the left.

2. There are a direct derivation $G' \stackrel{p/d'}{\Longrightarrow} H'$ and injective graph morphisms $e_G : G' \to G$ and $e_H : H' \to H$ such that $e_G \circ l' = l^*$ and $e_H \circ r' = r^*$ (see Figure 2 on the right).

Proof. 1. ⇒ 2.: By the pushout property of (3) and (4), $e_G$ and $e_H$ exist. We show that $e_G$ is injective, i.e., that for vertices and edges respectively, $x, y \in G'$ with $e_G(x) = e_G(y)$ implies $x = y$. The same arguments apply to $e_H$. Since (3) is a pushout, $d'_L$ and $l'$ are jointly surjective. Hence we have the cases (i) to (iii): If (i) $x, y \in l'(D)$, then $x = y$ follows from commutativity of the lower triangle and injectivity of $l^*$. If (ii) $x, y \in d'_L(L)$, then $x = y$ follows from commutativity of the left triangle and the fact that $d_L$ satisfies the identification condition of $p$. Finally, if (iii) there are $x' \in D$ and $y' \in L$ such that $l'(x') = x$ and $d'_L(y') = y$, we have $l^*(x') = d_L(y')$ by commutativity of both triangles. By the pullback construction there is $z \in K$ with $d_K(z) = x'$ and $l(z) = y'$. Then, commutativity of (3) implies that $x = l'(d_K(z)) = d'_L(l(z)) = y$.
2. ⇒ 1.: In $\mathbf{Graph}$, pushouts with injective horizontal morphisms are also pullbacks. Then, the pullback properties of the outer squares follow from the monomorphism property of $e_G$ and $e_H$. Since (3) and (4) are pushouts, the identification condition holds for $d'_L$ and $d'_R$. Due to the injectivity of $e_G$ and $e_H$ it holds for $d_L$ and $d_R$. □

The transition (3)+(4) in Figure 3, for example, can be simulated by first removing from $G_1$ the Ring-vertex and its edge, and then applying HookOff to its own left-hand side $L$. The non-faithful transition in Figure 4 on the left, however, cannot be represented in this way. This shows that the restriction to faithful transitions in 1. is indeed necessary. Now we want to characterise graph transitions by parallel and amalgamated derivations. The idea is to regard a transition as part of an amalgamated derivation, i.e., a transition via $p_1$ means that $p_1$ is participating in a certain transformation (among other productions). The same relationship holds for safe transitions and parallel derivations.

Theorem 8 (transitions vs. parallel/amalgamated derivations). If $p_1$ is a production, the following statements are equivalent:

1. There is a transition $G \stackrel{p_1/d_1}{\leadsto} H$.

2. There are a production $p_2$ and a common subproduction $p_0$ of $p_1$ and $p_2$ such that there exists a direct derivation $G \stackrel{p_1 +_{p_0} p_2 / d}{\Longrightarrow} H$ using the amalgamated production $p_1 +_{p_0} p_2$.

Moreover, there is a parallel derivation $G \stackrel{p_1 + p_2 / e}{\Longrightarrow} H$ if and only if the transition $G \stackrel{p_1/d_1}{\leadsto} H$ is safe.

Proof. Let $e_i : p_0 \to p_i$ for $i = 1, 2$ be the subproduction morphisms into $p_1$ and $p_2$, and $\bar e_i : p_i \to p_1 +_{p_0} p_2$ be their morphisms to the amalgamated production.

"2. ⇒ 1.": It is easy to show that an amalgamated derivation $G \stackrel{p_1 +_{p_0} p_2 / d}{\Longrightarrow} H$ induces a transition $G \stackrel{p_1/d_1}{\leadsto} H$ by $d_1 = d \circ \bar e_1$, using the fact that each DPO diagram is a DPB diagram and that $\bar e_1$ is a DPB diagram, too.

"1. ⇒ 2.": For the reverse direction, we use the following complement construction for graphs: If $m : L \to G$ is a total graph morphism, the complement $\bar m : \bar L \to G$ is the (embedding of the) smallest subgraph of $G$ such that a pullback of $m$ and $\bar m$ is also a pushout, i.e., such that (i) $m$ and $\bar m$ are jointly surjective and (ii) $x \neq y \in L$ with $m(x) = m(y)$ implies $m(x) \in \bar L$. Such a complement exists because $\bar m = id_G : G \to G$ satisfies these properties, and they are closed under intersection of subgraphs of $G$. Hence, the complement $\bar L \subseteq G$ can be constructed as the intersection of all subgraphs $G' \subseteq G$ satisfying (i) and (ii). Moreover, we use the following two pushout/pullback decomposition lemmata in $\mathbf{Graph}$ (see the left diagram of Figure 5):

1. Special PO/PB Decomposition Lemma [BFH87]: Let (1) be a pushout, (1+2) be a pullback, and $E \to F$ be a monomorphism. Then (2) is a pullback.

2. Decomposition of Pushout Complements [Hec95]: Let all vertical arrows be monomorphisms, (2) be a pullback and (1+2) be a pushout. Then (1) is a pushout.

Given the transition $G \stackrel{p_1/d_1}{\leadsto} H$ we construct a complementary transition $G \stackrel{p_2/d_2}{\leadsto} H$ via a new production $p_2$ and a common subproduction $p_0$ with $e_i : p_0 \to p_i$, such that the bottom span $G \leftarrow D \to H$ of the two transitions is equal to the amalgamated production $p_1 +_{p_0} p_2$. Then $G \stackrel{p_1 +_{p_0} p_2 / id}{\Longrightarrow} H$ is an amalgamated DPO derivation. Consider the middle diagram of Figure 5, where pullbacks (1) and (2) form the DPB diagram $d_1$. Let $\bar L_1 \to G$ and $\bar R_1 \to H$ be the complements of $L_1 \to G$ and $R_1 \to H$, and let (3) and (4) be constructed as pullbacks. By first building the pullback of $K_L \to D$ and $K_R \to D$ and then the pushout of the resulting morphisms one obtains $K_L \to K_2$ and $K_R \to K_2$. The morphism $K_2 \to D$ is induced by the universal pushout property of $K_2$ such that the two triangles between $D$, $K_L$, $K_R$, and $K_2$ commute. Now, building the pushouts (5) and (6) we obtain $L_2 \to G$ and $R_2 \to H$ by their universal property. Since $D \to G$ and $D \to H$ are injective we can apply the Special PO/PB Decomposition Lemma and conclude that $d_2 = \langle L_2 \to G, K_2 \to D, R_2 \to H \rangle$ is a DPB diagram.

Fig. 5. Proof of Theorem 8: Relating transitions and amalgamated derivations. (Diagrams: left, the adjacent squares (1) and (2) between the objects $A$ to $F$ used in the two decomposition lemmata; middle, the construction of $p_2$ from $L_1$, $K_1$, $R_1$, the complements $\bar L_1$, $\bar R_1$, the pullbacks (1) to (4), the graphs $K_L$, $K_R$, $K_2$ and the pushouts (5), (6) yielding $L_2$ and $R_2$; right, the squares (1) and (2) decomposing $\bar L_1 \to L_2 \to G$, with $\bar L_0$, $L_0$ and $L_1$.)

Now forming the (componentwise) pullback of $d_1$ and $d_2$ we get the production $p_0$ and subproduction morphisms $e_i : p_0 \to p_i$ for $i = 1, 2$. It follows

from pullback composition and decomposition properties that these are DPB diagrams. The amalgamated production $p_1 +_{p_0} p_2$ is obtained as the componentwise pushout of $e_1$ and $e_2$. It remains to show that the bottom span $G \leftarrow D \to H$ is equal to the amalgamated production. Therefore, we show that the (componentwise) pullback of $d_1$ and $d_2$ is a (componentwise) pushout. By construction of $\bar L_1 \to G$ as the complement of $L_1 \to G$, the pullback diagram (1+2) in Figure 5 on the right is also a pushout. In the construction above, $\bar L_1 \to G$ is then decomposed into $\bar L_1 \to L_2 \to G$. It can be shown that both are injective. Building pullback (2) as part of the componentwise pullback construction of $d_1$ and $d_2$ above leads to the decomposition of (1+2), where $\bar L_0 \to L_0$ is obtained by the universal pullback property such that (1) commutes. It follows from the Decomposition of Pushout Complements lemma [Hec95] above that (1) is a pushout. Hence, by pushout decomposition, also (2) is a pushout. The same arguments apply to the right-hand sides, and it follows from the 3-cube lemma, part 1 in [CEL+96], that the pullback of the interface graphs is a pushout as well. Thus, $G \stackrel{p_1 +_{p_0} p_2 / id}{\Longrightarrow} H$ forms an amalgamated derivation where production and bottom span are identical.

Fig. 6. Proof of Theorem 8: Relating safe transitions and parallel derivations. (Diagram: the left-hand sides $L_1$, $L_2$ and interfaces $K_1$, $K_2$ of the two transitions with $d_{1L}$, their coproducts $L_1 + L_2$ and $K_1 + K_2$ joined by $l$, and the induced morphisms $e_L$ to $G$ and $e_K$ to $D$.)

Now we show the part on parallel derivations and safe transitions: For a parallel derivation $G \stackrel{p_1 + p_2 / e}{\Longrightarrow} H$ it follows from the Parallelism Theorem (see e.g. [CMR+97]) that $(d \circ in_1)_L$ satisfies the gluing condition of $p_1$, where $in_1$ is the injection of $p_1$ into $p_1 + p_2$. By symmetry, $(d \circ in_1)_R$ satisfies the gluing condition of $p_1^{-1}$. Hence, $G \stackrel{p_1/d_1}{\leadsto} H$ is a safe transition. For the reverse, the diagram of Figure 6 shows the left-hand sides of the given transition $G \stackrel{p_1/d_1}{\leadsto} H$, of the transition $G \stackrel{p_2/d_2}{\leadsto} H$ constructed above, and of the parallel production $p_1 + p_2$. The square between $L_1 + L_2$, $K_1 + K_2$, $G$ and $D$, referred to as (1) in the following, is obtained by the universal coproduct property such that all subdiagrams commute. It shall form the left-hand side of the parallel derivation $G \stackrel{p_1 + p_2 / e}{\Longrightarrow} H$, i.e., we have to show that (1) is a pushout. It is straightforward to show that a commutative diagram like (1), where $l, l^*$ are injective and $e_L, e_K$ are surjective, is a pushout if $e_L(x) = e_L(y)$ implies $x = y$ or $x, y \in l(K_1 + K_2)$, i.e., if $e_L$ satisfies the identification condition. Notice

12

that eL ; eK are surjective since d1L ; d2L and d1K ; d2K are pushout morphisms, and hence, jointly surjective. Let x; y 2 L1 + L2 with eL (x) = eL (y ). We distinguish three main cases. If x; y 2 L1, then x; y 2 l1(K1) since by assumption d1 L satis es the identi cation condition. If x; y 2 L2 this implies that x = y since d2 L is by construction injective. In both cases this means x; y 2 l(K1 + K2). If, without loss of generality, x 2 L1 and y 2 L2, we have by construction of L2 as pushout object of (5) that y has a preimage in K2 or in L 1 . In the rst case, y 2 l2(K2), i.e., eL(y) is preserved by p2. If now x 62 l1(K1), then eL(y) is deleted by p1 as well as preserved by p2 which leads to a contradiction. In the second case, i.e., if y originates from L1, we have by minimality of the complement construction additional cases (i) to (iii). In all three cases we shall show that x 2 l1(K1) implying that y 2 l2 (K2) by a symmetric contradiction as above. (i) eL (x) is a vertex with an attached edge that is outside the match of d1, i.e., the edge must be in L 1 in order to make m and m  jointly surjective and the vertex eL (x)  in order to make L1 a graph. Assume that x 62 l1(K1), i.e., eL (x) is deleted by p1. Since there is a context edge attached to eL (x) this would violate the dangling condition of p1 , which contradicts the assumption of a safe transition, i.e., x 2 l1(K1). (ii) eL(x) is a vertex or edge of G with more than one preimage in L1 . Then x 2 l1(K1) since d1L satis es the identi cation condition. (iii) eL (x) is a vertex of G with an edge attached to it that ts in case (ii). Then, both preimages of the edge are preserved, and so is x by homomorphism properties of l1. This shows that diagram (1) is a pushout. Since symmetric arguments apply p2 =e to the right-hand side, we conclude that e is a double-pushout and G p1=+) H a parallel DPO derivation. 
The effect of the transition (3)+(4) in Figure 3, for example, can be obtained by applying the productions $HookOff$ and $p_2 : (L_2 \leftarrow K_2 \to R_2)$ in the upper right of Figure 3 in parallel. Here, $p_2$ represents an internal operation of the telephone that complements the $HookOff$ action of the user. In order to ensure that, e.g., the hook status of the phone is protected from the influence of the environment, we may declare a subgraph $FC_{Ph}$ of the type graph $TG_{Ph}$ in Figure 3 as explicit frame condition. Then the instances of the types of $FC_{Ph}$, i.e., Phone, HookOn, HookOff and the edges in between, may only be created and deleted explicitly by the productions. If all types were protected (i.e., $FC_{Ph} = TG_{Ph}$), transitions would be restricted to direct derivations. In this way we are able to recover the classical DPO interpretation of productions as a special case of the loose one.

Definition 9 (reduct, explicit frame condition). Let $TG, FC \in |\mathbf{Graph}|$ be graphs with $FC \subseteq TG$. Then, for each typed graph $g : G \to TG \in |\mathbf{Graph}_{TG}|$ its $FC$-reduct $(g : G \to TG)|_{FC}$ is given by $g' : G' \to FC \in |\mathbf{Graph}_{FC}|$ in the inverse image square below, where $G' = g^{-1}(FC)$ and $g' = g|_{FC}$ is the codomain restriction of $g$ to $FC$. The $FC$-reduct of a graph morphism $f : (g_1 : G_1 \to TG) \to (g_2 : G_2 \to TG) \in \mathbf{Graph}_{TG}$ is $(f)|_{FC} = f|_{G_1'} : (g_1)|_{FC} \to (g_2)|_{FC}$, where $f|_{G_1'}$ is the domain restriction of $f$ to $G_1' = g_1^{-1}(FC) \subseteq G_1$.

Diagram (1) (inverse image square): $G' \hookrightarrow G$ on top, $g' : G' \to FC$ and $g : G \to TG$ vertically, $FC \hookrightarrow TG$ at the bottom.

An explicit frame condition for a graph transformation system $\mathcal G = \langle TG, P, \pi\rangle$ is a graph $FC \subseteq TG$. A transition $G \overset{p/d}{\leadsto} H$ in $\mathcal G$ satisfies the frame condition $FC$ if $(d)|_{FC}$, the $FC$-reduct of the double-pullback diagram $d$, is a double-pushout diagram. △

Above, the $FC$-reduct is extended from objects and morphisms to diagrams in $\mathbf{Graph}_{TG}$. This is possible because it forms a functor $(\_)|_{FC} : \mathbf{Graph}_{TG} \to \mathbf{Graph}_{FC}$. Categorically speaking, diagram (1) above is a particular pullback square (where the horizontal arrows are inclusions), and the $FC$-reduct of a morphism is defined by the universal property. It follows from general pullback composition and decomposition properties that the reduct of a transition is a transition again. Constructing the $FC_{Ph}$-reduct of the transition sequence in Figure 3 results in removing the Ring vertex and the corresponding edge from the graph $G_1$. The reduced sequence is a DPO derivation. Hence, the original transitions satisfy the explicit frame condition $FC_{Ph}$.

4 Coalgebraic Loose Semantics

The semantics of a graph transformation system is often defined in an operational way as the collection of all its direct derivations or derivation sequences. Such a semantics implicitly assumes that the behaviour of the system is completely specified. If the graph transformation system is intended to model an open reactive system, however, this assumption is no longer adequate, because the possible interactions with the environment also have to be modelled in some way. Therefore, there is a need for a loose semantics which allows one to model aspects of the environment even if they are not explicitly specified. The notion of graph transition introduced in the previous section allows us to model any possible interaction with the environment occurring at the level of individual derivation steps of the system. Considering now computations, a reasonable model is certainly provided by the collection of all transition sequences. However, such a model would be too permissive, because all possible interactions with the environment would be allowed: one would also need some tool to constrain such interactions. Therefore our proposal, elaborated in this and in the following sections, is to associate with each system a collection of models, together with formal techniques that allow us to restrict the focus to a suitable subset of the models when additional information about the interaction with the environment is provided, usually in the form of behavioural constraints. The loose semantics we are introducing is therefore conceptually similar to the loose semantics of algebraic specifications, defined by the category of all algebras satisfying the given specification, where some algebras may satisfy additional properties.

Recently graph transformation systems have been equipped with a categorical semantics where a free construction generates all the possible finite derivations [CEL+96,HCEL96]. Similar semantics were defined for other rule-based formalisms as well, like Petri Nets [MM90] and Conditional Equational Term Rewriting [Mes92]. The categorical framework would make it easy to define a category of models where the free model is initial (as done for example in [Mes92]). However, this approach would not allow for defining a model containing only a proper subset of the computations of the free one, as discussed below in this section. Rather than an algebraic setting, coalgebras seem more suitable for our purposes. Coalgebras are often suggested as models of behaviours for objects and systems (see e.g. [Rei95,Rut96,Jac95]). Typical examples include finite state automata, various notions of transition systems, and streams (infinite sequences), which have been used for example as semantics for CCS. Providing graph transformation systems with a coalgebraic semantics can make them comparable with specifications written in other specification techniques. The coalgebraic framework provides handy techniques for both defining and reasoning about behaviours, including a general notion of bisimulation and a coinduction principle (see [Rut96] for a tutorial introduction). Also, infinite objects (transition sequences, derivation trees, unfoldings) are handled in an easy and natural way, see e.g. [Rei95]. Since for many systems an infinite (nonterminating) behaviour is assumed, this is a desirable feature for the semantics of graph transformation systems as well. We present now a coalgebraic loose semantics for a graph transformation system $\mathcal G$ based on graph transitions. A model for $\mathcal G$ is a deterministic transition system with terminal states that at each step outputs a transition of $\mathcal G$. Such models are defined as coalgebras over a suitable functor, and they form a category having a final object, the full transition system over $\mathcal G$, that includes all finite and infinite transition sequences.

Let $T$ be an endofunctor of a category $\mathbf C$. A $T$-coalgebra (see [Bar93]) is a pair $\langle C, \alpha\rangle$ consisting of an object $C$ and a morphism $\alpha : C \to T(C)$ in $\mathbf C$. A morphism $f : \langle C, \alpha\rangle \to \langle C', \alpha'\rangle$ of coalgebras is a morphism $f : C \to C'$ in $\mathbf C$ such that $T(f) \circ \alpha = \alpha' \circ f$. This defines the category $\mathbf C_T$, called the category of $T$-coalgebras.

Definition 10 (category of graph transition systems). Let $T_{\mathcal G} : \mathbf{Set} \to \mathbf{Set}$ be the endofunctor defined by $T_{\mathcal G}(S) = (\mathcal G_{\leadsto} \times S) + 1$ on objects and $T_{\mathcal G}(f) = (id_{\mathcal G_{\leadsto}} \times f) + id_1$ on arrows (recall that $\mathcal G_{\leadsto}$ is the set of all transitions in $\mathcal G$, while $1$ denotes the final object $\{\ast\}$ in $\mathbf{Set}$). Then, a graph transition system $\mathbf T = \langle S, step : S \to (\mathcal G_{\leadsto} \times S) + 1\rangle$ over $\mathcal G$ is a $T_{\mathcal G}$-coalgebra such that $step(s) = \langle t, s'\rangle$ and $step(s') = \langle t', s''\rangle$ implies $Out(t) = In(t')$. The category $\mathbf{GraTS}(\mathcal G)$ of graph transition systems over $\mathcal G$ is the full subcategory of the category $\mathbf{Set}_{T_{\mathcal G}}$ of $T_{\mathcal G}$-coalgebras having all graph transition systems as objects. △

Intuitively, a graph transition system $\mathbf T = \langle S, step\rangle$ is a deterministic automaton with final states $\langle S, next : S \to S, first : S \to \mathcal G_{\leadsto}\rangle$. The partial functions $first$ and $next$ are defined for all states $s \in S$ where $step(s) = \langle t, s'\rangle$, and in this case $next(s) = s'$ and $first(s) = t$. Hence, $step(s) = \ast$ represents the case where both $next(s)$ and $first(s)$ are undefined, i.e., the termination of the automaton [Rei95]. A state transition from $s$ to $s'$ in $S$ requires no input, but produces a graph transition in $\mathcal G_{\leadsto}$ as output (observation). Due to the absence of input, the future behaviour of the system is fully determined by its current state. In terms of $next$ and $first$, the condition in Definition 10 can be reformulated as $Out(first(s)) = In(first(next(s)))$, i.e., the output graph of the first transition equals the input graph of the second, and so on. We define $next^i$ as the $i$th iteration of $next$ by $next^0 = id_S$ and $next^{i+1} = next \circ next^i$. The loose semantics of a graph transformation system $\mathcal G$ is defined as the category $\mathbf{GraTS}(\mathcal G)$ of all graph transition systems over $\mathcal G$: this is regarded as the category of its "models".

Construction 11 (full transition system). Let $\mathcal G$ be a graph transformation system. Then, the full transition system $\mathcal{TS}(\mathcal G) = \langle S, step\rangle$ over $\mathcal G$ is given by

- the set $S$ of all partial functions $s : \mathbb N \to \mathcal G_{\leadsto}$, where $\mathbb N$ are the natural numbers, such that $dom(s)$ is a prefix of $\mathbb N$ and $Out(s(n-1)) = In(s(n))$ for all $0 < n < |dom(s)|$ (for all $n > 0$ if $dom(s) = \mathbb N$);
- $step(s) = \langle s(0), s'\rangle$ if $dom(s) \neq \emptyset$, where $|dom(s')| = |dom(s)| - 1$ ($dom(s') = dom(s)$ if $dom(s) = \mathbb N$) and $\forall n \in dom(s') : s'(n) = s(n+1)$. If $dom(s) = \emptyset$, then $step(s) = \ast$. △

The full transition system over $\mathcal G$ is final in $\mathbf{GraTS}(\mathcal G)$:

Theorem 12 (final coalgebra semantics). For each graph transformation system $\mathcal G$, the full transition system $\mathcal{TS}(\mathcal G)$ over $\mathcal G$ is final in $\mathbf{GraTS}(\mathcal G)$. The unique morphism for some $\mathbf T \in |\mathbf{GraTS}(\mathcal G)|$ is denoted by $\beta_{\mathbf T} : \mathbf T \to \mathcal{TS}(\mathcal G)$.

Proof. Let $\mathbf T = \langle S', step'\rangle$ be an object of $\mathbf{GraTS}(\mathcal G)$. Then, $\beta_{\mathbf T} : \mathbf T \to \mathcal{TS}(\mathcal G)$ is uniquely determined by $\beta_{\mathbf T}(s')(i) = first'(next'^{\,i}(s'))$ for all $s' \in S'$. □

If $s' \in S'$ is a state of $\mathbf T$, then $\beta_{\mathbf T}(s')$ is a transition sequence representing the behaviour of $s'$. Two states with the same behaviour are bisimilar [Rut96]. For the full transition system $\mathcal{TS}(\mathcal G)$ this means that if two transition sequences are bisimilar, then they are already equal, i.e., $\mathcal{TS}(\mathcal G)$ provides a minimal representation of all possible behaviours of $\mathcal G$. It is worth summarising here some advantages of having defined the category of models $\mathbf{GraTS}(\mathcal G)$ via coalgebraic instead of algebraic techniques, obtaining for example an initial model by a free construction, as in [CEL+96,HCEL96]. First of all, the free construction in the mentioned papers only generates finite sequences, while the full transition system contains both finite and infinite sequences. But more importantly, in the algebraic approach all models have to include a homomorphic image of all the computations of the initial model, thus there are no models corresponding to some kind of restriction of behaviour. On the contrary, the coalgebraic framework allows for the definition of various expressive techniques for considering models that realize only part of the behaviours of the final model. Such techniques, based on various kinds of constraints, will be described in more detail in the next section. Before concluding this section, it is worth stressing that in the coalgebraic framework introduced above it is possible to define various other kinds of models for graph transformation systems by considering coalgebras with respect to other functors. For example, let $P_{\mathcal G}$ and $A_{\mathcal G}$ be the endofunctors on $\mathbf{Set}$ defined as $P_{\mathcal G}(S) = \mathcal P_f(\mathcal G_{\leadsto} \times S)$ and $A_{\mathcal G}(S) = A \to (\mathcal G_{\leadsto} \times S)$, where $\mathcal P_f$ is the finite powerset functor and $A$ is a set of actions. Then $P_{\mathcal G}$-coalgebras are (bounded) non-deterministic transition systems that at each step output a transition over $\mathcal G$ and pass to a new state, chosen from a finite set of possible alternatives. $A_{\mathcal G}$-coalgebras are instead non-terminating transition systems with input set $A$ and output set $\mathcal G_{\leadsto}$. Most notions and results presented in this and the next sections can be rephrased, mutatis mutandis, for these other kinds of coalgebras, and for many others (see [Rut96] for further examples of transition systems as coalgebras). We leave the analysis of these variations and of their relevance for the theory of graph transformation systems as a future topic of research.
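To make Construction 11 and Theorem 12 concrete, the following Python code (an added example written for this page, not code from the paper) encodes a finite graph transition system as a $T_{\mathcal G}$-coalgebra, computes the behaviour map $\beta_{\mathbf T}(s)(i) = first(next^i(s))$ into the full transition system, checks the coalgebra morphism condition $T_{\mathcal G}(f) \circ step = step' \circ f$, and computes the greatest bisimulation by partition refinement. Graphs are abbreviated to string labels, the phone transitions are constructed sample data, and the names `Transition`, `PHONE` and `COLLAPSE` are chosen here.

```python
from collections import namedtuple
from typing import Any, Dict, List, Optional, Tuple

# A transition of G: production name plus its input and output graph.
# Graphs are abbreviated to string labels here (the paper uses typed graphs).
Transition = namedtuple("Transition", ["production", "In", "Out"])

# step : S -> (G_~> x S) + 1, encoded as a dict; None plays the role of *.
Step = Dict[Any, Optional[Tuple[Transition, Any]]]


def check_coalgebra(step: Step) -> None:
    """Definition 10: consecutive transitions must compose, Out(t) = In(t')."""
    for s, res in step.items():
        if res is None:
            continue
        t, s2 = res
        if s2 not in step:
            raise ValueError(f"next({s}) = {s2} is not a state")
        if step[s2] is not None and step[s2][0].In != t.Out:
            raise ValueError(f"Out(first({s})) != In(first({s2}))")


def behaviour(step: Step, s: Any, i: int) -> Optional[Transition]:
    """beta_T(s)(i) = first(next^i(s)); None when i lies outside dom(beta_T(s))."""
    for _ in range(i):
        if step[s] is None:
            return None
        s = step[s][1]
    return None if step[s] is None else step[s][0]


def behaviour_prefix(step: Step, s: Any, n: int) -> List[str]:
    """Production names of the first n transitions of beta_T(s)."""
    names = []
    for i in range(n):
        t = behaviour(step, s, i)
        if t is None:
            break
        names.append(t.production)
    return names


def is_morphism(step: Step, step2: Step, f: Dict[Any, Any]) -> bool:
    """T_G(f) o step = step' o f: f preserves termination, first and next."""
    for s, res in step.items():
        img = step2[f[s]]
        if res is None:
            if img is not None:
                return False
        elif img is None or img[0] != res[0] or img[1] != f[res[1]]:
            return False
    return True


def bisimilarity(step: Step) -> Dict[Any, int]:
    """Greatest bisimulation by partition refinement: s ~ s' iff both terminate,
    or first(s) = first(s') and next(s) ~ next(s').  Returns a block number per
    state; equal numbers mean bisimilar states."""
    block = {s: (None if r is None else r[0]) for s, r in step.items()}
    while True:
        sig = {s: (block[s], None if step[s] is None else block[step[s][1]])
               for s in step}
        ids = {v: i for i, v in enumerate(sorted(set(sig.values()), key=repr))}
        new = {s: ids[sig[s]] for s in step}
        if len(set(new.values())) == len(set(block.values())):
            return new  # no block was split: the partition is stable
        block = new


# Constructed sample data: a phone that rings, is answered and hung up (an
# infinite cyclic behaviour), a second copy of that cycle, and a state that
# hangs up once and then terminates.
RING = Transition("Ring", "G0", "G1")
HOOKOFF = Transition("HookOff", "G1", "G2")
HANGUP = Transition("HangUp", "G2", "G0")
PHONE: Step = {
    "s0": (RING, "s1"), "s1": (HOOKOFF, "s2"), "s2": (HANGUP, "s0"),
    "u0": (RING, "u1"), "u1": (HOOKOFF, "u2"), "u2": (HANGUP, "u0"),
    "v2": (HANGUP, "stop"), "stop": None,
}
check_coalgebra(PHONE)

# A coalgebra morphism folding the duplicate cycle onto the first one.
COLLAPSE = {"s0": "s0", "s1": "s1", "s2": "s2", "u0": "s0", "u1": "s1",
            "u2": "s2", "v2": "v2", "stop": "stop"}


def demo() -> dict:
    blocks = bisimilarity(PHONE)
    return {
        "prefix_s0": behaviour_prefix(PHONE, "s0", 5),
        "prefix_v2": behaviour_prefix(PHONE, "v2", 5),
        "s0~u0": blocks["s0"] == blocks["u0"],
        "s2~v2": blocks["s2"] == blocks["v2"],
        "collapse_is_morphism": is_morphism(PHONE, PHONE, COLLAPSE),
        # beta_T = beta_T' o f (uniqueness in Theorem 12), checked on a prefix
        "beta_commutes": behaviour_prefix(PHONE, "u0", 7)
                         == behaviour_prefix(PHONE, COLLAPSE["u0"], 7),
    }


if __name__ == "__main__":
    print(demo())
```

The states `s0` and `u0` have the same infinite behaviour and land in the same block, while `s2` and `v2` agree on `first` but not on the behaviour of their successors and are separated; mapping `v2` to `s2` would therefore not be a coalgebra morphism.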

5 Behavioural Constraints for Graph Transformation Systems

While the rule-based approach of graph transformation is well suited to describe state transformations where the states are modelled by graphs, it is difficult to control the order and frequency of rule applications in a purely rule-based framework. Such control aspects, however, are most important for the specification of reactive systems, but the theory of graph transformation offers only little help for this problem up to now. For this reason we study behavioural constraints for graph transformation systems. We introduce logics of behavioural constraints as a general framework including, for example, start graphs, explicit frame conditions (as introduced in Section 3), application and consistency conditions (as studied in [HHT96,HW95]) and temporal logic constraints. These constraints are defined explicitly at the end of this section. The main result of this section (see Theorem 16) shows that the full transition system can be restricted to those transition sequences satisfying the behavioural constraints, such that we obtain a final coalgebra semantics with behavioural constraints.

Definition 13 (logic of behavioural constraints). A logic of behavioural constraints for graph transformation systems $LOBC = \langle Constr, \models\rangle$ is given by a class $Constr(\mathcal G)$ of behavioural constraints and a satisfaction relation $\models_{\mathcal G} \subseteq |\mathbf{GraTS}(\mathcal G)| \times Constr(\mathcal G)$ for each graph transformation system $\mathcal G$, such that for each $c \in Constr(\mathcal G)$ the empty graph transition system satisfies $c$, and satisfaction is closed under homomorphic images and union of subcoalgebras.³ The satisfaction relation is extended to sets of behavioural constraints $C \subseteq Constr(\mathcal G)$ in the obvious way. △

³ A transition system $\mathbf T' = \langle S', step'\rangle$ is a subcoalgebra of $\mathbf T = \langle S, step\rangle$, written $\mathbf T' \subseteq \mathbf T$, if $S' \subseteq S$ and $step' = step|_{S'}$ is the restriction of $step$ to $S'$. The homomorphic image of a coalgebra $\mathbf T$ under a morphism $f : \mathbf T \to \mathbf T'$ is the subcoalgebra $f(\mathbf T) \subseteq \mathbf T'$ determined by $f(S)$, the set-theoretical image of $S$. Coalgebras are closed under set-theoretical union just like algebras are closed under set-theoretical intersection.

A constrained graph transition system is one which satisfies certain behavioural constraints:

Definition 14 (constrained graph transition systems). A graph transformation system with behavioural constraints $\mathcal{GC} = \langle \mathcal G, C\rangle$ consists of a graph transformation system $\mathcal G$ together with a set of behavioural constraints $C \subseteq Constr(\mathcal G)$. The category of (constrained) graph transition systems $\mathbf{GraTS}(\mathcal{GC})$ over $\mathcal{GC}$ is the full subcategory of $\mathbf{GraTS}(\mathcal G)$ where for each $\mathbf T \in |\mathbf{GraTS}(\mathcal{GC})|$ we have $\mathbf T \models_{\mathcal G} C$. △

Proposition 15 (restriction is right adjoint). For each graph transformation system with constraints $\mathcal{GC} = \langle \mathcal G, C\rangle$, the inclusion functor $E_{\mathcal{GC}} : \mathbf{GraTS}(\mathcal{GC}) \to \mathbf{GraTS}(\mathcal G)$ has a right adjoint $\_|_C : \mathbf{GraTS}(\mathcal G) \to \mathbf{GraTS}(\mathcal{GC})$.

Proof. Given $\mathbf T \in \mathbf{GraTS}(\mathcal G)$, let $\mathbf T|_C \in \mathbf{GraTS}(\mathcal{GC})$ be the union of all transition systems $\mathbf T_1 \subseteq \mathbf T$ such that $\mathbf T_1 \models_{\mathcal G} C$. It follows from Definition 13 that $\mathbf T|_C$ satisfies $C$. Hence $\mathbf T|_C$ is the largest subcoalgebra of $\mathbf T$ with this property. Let $\iota_{\mathbf T} : \mathbf T|_C \to \mathbf T$ be the corresponding inclusion. In order to show the universal property assume $\mathbf T' \in |\mathbf{GraTS}(\mathcal{GC})|$ and $f : \mathbf T' \to \mathbf T \in \mathbf{GraTS}(\mathcal G)$. The unique restriction $f_C : \mathbf T' \to \mathbf T|_C$ of $f$ is then given by $i \circ \tilde f$, where $\tilde f$ is the restriction of $f$ to $f(\mathbf T') \subseteq \mathbf T$ and $i$ is the inclusion of $f(\mathbf T') \subseteq \mathbf T|_C$. This inclusion exists because by Definition 13 satisfaction is closed under homomorphic images, i.e., $f(\mathbf T') \models_{\mathcal G} C$, and $\mathbf T|_C$ is the largest subsystem of $\mathbf T$ with this property. Uniqueness of $f_C$ with $\iota_{\mathbf T} \circ f_C = f$ follows from the monomorphism property of $\iota_{\mathbf T}$.

(Diagram: $f : \mathbf T' \to \mathbf T$ factors as $\mathbf T' \xrightarrow{\tilde f} f(\mathbf T') \xrightarrow{i} \mathbf T|_C \xrightarrow{\iota_{\mathbf T}} \mathbf T$.) □

Now, the final coalgebra semantics can be lifted to graph transformation systems with constraints:

Theorem 16 (final coalgebra semantics with behavioural constraints). For each graph transformation system with behavioural constraints $\mathcal{GC} = \langle \mathcal G, C\rangle$, the constrained transition system $\mathcal{TS}(\mathcal G)|_C$ is final in $\mathbf{GraTS}(\mathcal{GC})$.

Proof. Directly from Theorem 12, Proposition 15, and the fact that cofree constructions preserve final objects. □

A particular way of restricting the behaviour of a system is to specify an initial state. In the case of graph transformation, this is done by adding a start graph, which turns a graph transformation system into a grammar. In order to have a final coalgebra semantics for graph grammars as well, we define start graphs as behavioural constraints:

Definition 17 (start graphs as behavioural constraints). Given a graph transformation system $\mathcal G = \langle TG, P, \pi\rangle$, a graph $G_0 \in |\mathbf{Graph}_{TG}|$, and a graph transition system $\mathbf T = \langle S, step\rangle \in \mathbf{GraTS}(\mathcal G)$, we say that $s \in S$ is reachable from $G_0$ if there are $n \in \mathbb N$ (including zero) and $s_0 \in S$ such that $In(first(s_0)) = G_0$ and $next^n(s_0) = s$. Now let $\mathbf{Start} = \langle Constr, \models\rangle$ be given by $Constr(\mathcal G) = |\mathbf{Graph}_{TG}|$ and $\mathbf T \models_{\mathcal G} G_0$ iff $s$ is reachable from $G_0$ for all $s \in S$. △

Proposition 18 (start graphs). $\mathbf{Start} = \langle Constr, \models\rangle$ as defined above forms a logic of behavioural constraints.

Proof. It is obvious that for each $G_0 \in |\mathbf{Graph}_{TG}|$ all states of the empty transition system are (vacuously) reachable from $G_0$, and that this property is closed under the union of subcoalgebras. For the preservation by homomorphic images assume $f : \mathbf T \to \mathbf T' \in \mathbf{GraTS}(\mathcal G)$. We have to show that if $s \in S_{\mathbf T}$ is reachable from $G_0$ then so is $f(s)$. Let $n \in \mathbb N$ and $s_0 \in S_{\mathbf T}$ such that $In(first(s_0)) = G_0$ and $next^n(s_0) = s$. By the homomorphism property of $f$ we have $f(next(s)) = next'(f(s))$ and $first(s) = first'(f(s))$ provided that $next(s)$ and $first(s)$ are defined. Thus, there is $f(s_0) \in S_{\mathbf T'}$ such that $next'^{\,n}(f(s_0)) = f(next^n(s_0)) = f(s)$ and $In(first'(f(s_0))) = In(first(s_0)) = G_0$. Definedness of $first(s_0)$ and $next^n(s_0)$ follows by assumption. □

This defines categories $\mathbf{GraTS}(GG)$ of graph transition systems over a graph grammar $GG$.

Theorem 19 (final coalgebra semantics of graph grammars). For each graph grammar $GG = \langle \mathcal G, G_0\rangle$, the transition system $\mathcal{TS}(GG) = \mathcal{TS}(\mathcal G)|_{G_0}$ is final in $\mathbf{GraTS}(GG)$.

Proof. Directly from Theorem 16 and Proposition 18. □

In some cases it makes sense to define behavioural constraints over graph grammars rather than graph transformation systems. Thus we have to adapt the corresponding definitions:

Definition 20 (behavioural constraints for grammars). A logic of behavioural constraints for graph grammars is defined like in Definition 13 by replacing graph transformation systems $\mathcal G$ by graph grammars $GG$. In the same way, the notions of graph grammar with behavioural constraints and constrained graph transition system over a grammar are obtained from Definition 14. △

The cofree restriction and the final coalgebra semantics can be lifted to graph grammars with behavioural constraints as well:

Theorem 21 (coalgebraic semantics for grammars with constraints). For each graph grammar with constraints $\mathcal{GGC} = \langle GG, C\rangle$, the inclusion functor $E_{\mathcal{GGC}} : \mathbf{GraTS}(\mathcal{GGC}) \to \mathbf{GraTS}(GG)$ has a right adjoint $\_|_C : \mathbf{GraTS}(GG) \to \mathbf{GraTS}(\mathcal{GGC})$. Consequently, the constrained transition system $\mathcal{TS}(GG)|_C$ is final in $\mathbf{GraTS}(\mathcal{GGC})$.

Proof. Directly from Proposition 15 and the fact that $\mathbf{GraTS}(GG)$ is a full subcategory of $\mathbf{GraTS}(\mathcal G)$. □
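The cofree restriction $\mathbf T|_C$ of Proposition 15 is computable for finite transition systems. The following Python code is an added example written for this page (not code from the paper): it computes the largest subcoalgebra satisfying a constraint of type I (a predicate on $first(s)$, the shape of Propositions 24 to 26) and the largest subcoalgebra satisfying a start graph (Definition 17), and then $\mathbf T|_C$ for both constraints together. Graphs are string labels and the data is constructed; since Definition 6 (faithful and safe transitions) is not reproduced on this page, "safe" is modelled here by an explicitly declared set of transitions, and `EnvSmash`, `SYSTEM` and the helper names are assumptions of the example.

```python
from collections import namedtuple
from typing import Any, Callable, Dict, List, Optional, Set, Tuple

Transition = namedtuple("Transition", ["production", "In", "Out"])
# step : S -> (G_~> x S) + 1 as a dict; None plays the role of *.
Step = Dict[Any, Optional[Tuple[Transition, Any]]]
# A restriction maps a transition system to the largest set of its states
# that forms a subcoalgebra satisfying one behavioural constraint.
Restriction = Callable[[Step], Set[Any]]


def is_subcoalgebra(step: Step, states: Set[Any]) -> bool:
    """S' <= S carries a subcoalgebra iff it is closed under next."""
    return all(step[s] is None or step[s][1] in states for s in states)


def sub(step: Step, states: Set[Any]) -> Step:
    """step|_{S'} on a closed set of states (footnote to Definition 13)."""
    assert is_subcoalgebra(step, states)
    return {s: step[s] for s in states}


def type_I(ok: Callable[[Transition], bool]) -> Restriction:
    """Type I constraint c with s |=seq c iff ok(first(s)).  The largest
    subcoalgebra satisfying it is a greatest fixed point: keep the states
    whose own transition is ok and whose successor is also kept."""
    def restrict(step: Step) -> Set[Any]:
        keep = {s for s in step if step[s] is None or ok(step[s][0])}
        while True:
            closed = {s for s in keep if step[s] is None or step[s][1] in keep}
            if closed == keep:
                return keep
            keep = closed
    return restrict


def start_graph(g0: str) -> Restriction:
    """Start graph constraint (Definition 17): the largest subcoalgebra all of
    whose states are reachable from g0 is the set of states reachable by next
    from a state whose first transition starts in g0."""
    def restrict(step: Step) -> Set[Any]:
        reach: Set[Any] = set()
        todo = [s for s in step if step[s] is not None and step[s][0].In == g0]
        while todo:
            s = todo.pop()
            if s not in reach:
                reach.add(s)
                if step[s] is not None:
                    todo.append(step[s][1])
        return reach
    return restrict


def cofree_restriction(step: Step, constraints: List[Restriction]) -> Step:
    """T|_C for a set C of constraints (Proposition 15): the union of all
    subcoalgebras satisfying every c in C.  Restricting for each c in turn,
    inside the previous result, until nothing changes yields exactly that
    largest subsystem.  It is in general smaller than the intersection of the
    single restrictions: satisfaction is closed under unions of subcoalgebras,
    not under intersections (a state reachable from g0 in T may lose its
    predecessor when another constraint removes it)."""
    current = step
    while True:
        states = set(current)
        for restrict in constraints:
            states = restrict(sub(current, states))
        if states == set(current):
            return current
        current = sub(current, states)


# Constructed sample: one safe ring/answer/hang-up cycle (s*), a phone whose
# environment performs an unsafe EnvSmash transition (w*), and a phone that
# starts in G2 rather than the start graph G0 (x2) before reaching G0 (x0).
RING = Transition("Ring", "G0", "G1")
HOOKOFF = Transition("HookOff", "G1", "G2")
HANGUP = Transition("HangUp", "G2", "G0")
ENV_SMASH = Transition("EnvSmash", "G1", "G3")
SAFE = {RING, HOOKOFF, HANGUP}  # assumption standing in for Definition 6

SYSTEM: Step = {
    "s0": (RING, "s1"), "s1": (HOOKOFF, "s2"), "s2": (HANGUP, "s0"),
    "w0": (RING, "w1"), "w1": (ENV_SMASH, "w3"), "w3": None,
    "x2": (HANGUP, "x0"), "x0": (RING, "x1"), "x1": (HOOKOFF, "x1b"), "x1b": None,
}


def demo() -> Dict[str, Set[Any]]:
    safe = type_I(lambda t: t in SAFE)
    from_g0 = start_graph("G0")
    return {
        "safe": safe(SYSTEM),
        "start": from_g0(SYSTEM),
        "both": set(cofree_restriction(SYSTEM, [safe, from_g0])),
    }


if __name__ == "__main__":
    print(demo())
```

In the sample, the terminated state `w3` survives each single restriction (it violates nothing by itself and is reachable from `G0` via `w0`), yet it is absent from $\mathbf T|_{\{safe,\,G_0\}}$ because its only predecessor `w1` is unsafe; the iteration, not the intersection, gives the largest subcoalgebra satisfying both constraints.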

6 Temporal Logic Constraints and Other Examples

In this section several logics of behavioural constraints, especially temporal logic constraints, are defined and motivated by the telephone example. All of these examples follow a generic scheme. Given a graph transformation system $\mathcal G$, constraints and their satisfaction are defined for transition sequences in $\mathcal G$ first. Then, a logic of behavioural constraints is derived from this in one of three possible ways, by universal quantification either (I) over all sequences, (II) over runs (i.e., maximal sequences), or (III) over initial runs (i.e., runs that start in the start graph of a grammar).

Definition 22 (prefix, run, initial run). For two transition sequences $s$ and $s'$ in $\mathcal{TS}(\mathcal G)$ we say that $s$ is a prefix of $s'$, written $s \sqsubseteq s'$, if $dom(s) \subseteq dom(s')$ and $s'|_{dom(s)} = s$. (Recall that transition sequences are represented as partial functions $s, s' : \mathbb N \to \mathcal G_{\leadsto}$ in Construction 11.) If $\mathcal G$ is a graph transformation system and $\mathbf T = \langle S_{\mathbf T}, step_{\mathbf T}\rangle \in |\mathbf{GraTS}(\mathcal G)|$, a behaviour $s \in S_{\mathbf T}$ is called a run if for all $s' \in S_{\mathbf T}$, $\beta_{\mathbf T}(s) \sqsubseteq \beta_{\mathbf T}(s')$ implies that $s$ and $s'$ are bisimilar, i.e., $\beta_{\mathbf T}(s) = \beta_{\mathbf T}(s')$. Let $GG = \langle \mathcal G, G_0\rangle$ be a graph grammar and $\mathbf T \in |\mathbf{GraTS}(GG)|$. Then, a run $s$ in $\mathbf T$ is initial if $In(first(s)) = G_0$. △

Proposition 23 (constraints for transition sequences). Assume for each graph transformation system $\mathcal G$ a class of behavioural constraints $Constr(\mathcal G)$ together with a satisfaction relation $\models^{seq}_{\mathcal G} \subseteq S \times Constr(\mathcal G)$ for transition sequences, where $\mathcal{TS}(\mathcal G) = \langle S, step\rangle$ is the full transition system over $\mathcal G$. Then, there is a logic of behavioural constraints $LOBC^{I} = \langle Constr, \models^{I}\rangle$ where $\models^{I}_{\mathcal G} \subseteq |\mathbf{GraTS}(\mathcal G)| \times Constr(\mathcal G)$ is defined by $\mathbf T \models^{I}_{\mathcal G} c \iff$ for all $s \in S_{\mathbf T}$: $\beta_{\mathbf T}(s) \models^{seq}_{\mathcal G} c$. Moreover, $LOBC^{II} = \langle Constr, \models^{II}\rangle$ forms a logic of behavioural constraints where $\models^{II}_{\mathcal G} \subseteq |\mathbf{GraTS}(\mathcal G)| \times Constr(\mathcal G)$ is given by $\mathbf T \models^{II}_{\mathcal G} c \iff$ for all runs $r$ in $\mathbf T$: $\beta_{\mathbf T}(r) \models^{seq}_{\mathcal G} c$. Finally, a logic of behavioural constraints $LOBC^{III} = \langle Constr^{III}, \models^{III}\rangle$ for graph grammars $GG = \langle \mathcal G, G_0\rangle$ is defined by $Constr^{III}(GG) = Constr(\mathcal G)$ and $\models^{III}_{GG} \subseteq |\mathbf{GraTS}(GG)| \times Constr^{III}(GG)$ where $\mathbf T \models^{III}_{GG} c \iff$ for all initial runs $r$ in $\mathbf T$: $\beta_{\mathbf T}(r) \models^{seq}_{\mathcal G} c$.
Proof. In all three cases we have to show that for each constraint $c$ the empty transition system satisfies $c$ (1), that satisfaction is closed under homomorphic images (2), and under union of subcoalgebras (3). Let us start with $LOBC^{I}$. Here, (1) is obvious since $S_{\mathbf T} = \emptyset$ implies a universal quantification over an empty set of transition sequences. For (2) we have that $\beta_{\mathbf T}(s) \models^{seq}_{\mathcal G} c$ iff $\beta_{\mathbf T'}(f(s)) \models^{seq}_{\mathcal G} c$ for any $s \in S_{\mathbf T}$ and $f : \mathbf T \to \mathbf T'$, since $\beta_{\mathbf T} = \beta_{\mathbf T'} \circ f$ by uniqueness of $\beta_{\mathbf T}$. Thus, $\mathbf T \models^{I}_{\mathcal G} c$ iff $\forall s \in S_{\mathbf T} : \beta_{\mathbf T}(s) \models^{seq}_{\mathcal G} c$ iff $\forall s \in S_{\mathbf T} : \beta_{\mathbf T'}(f(s)) \models^{seq}_{\mathcal G} c$ iff $f(\mathbf T) \models^{I}_{\mathcal G} c$. For (3) assume graph transition systems $\mathbf T_1, \mathbf T_2 \subseteq \mathbf T$ with $\mathbf T_i = \langle S_i, step_i\rangle$ and let $\mathbf T' = \langle S_1 \cup S_2, step'\rangle$ denote their union. Then, $\mathbf T_1, \mathbf T_2 \models^{I}_{\mathcal G} c$ iff $\forall s_1 \in S_1 : \beta_{\mathbf T_1}(s_1) \models^{seq}_{\mathcal G} c$ and $\forall s_2 \in S_2 : \beta_{\mathbf T_2}(s_2) \models^{seq}_{\mathcal G} c$ iff $\forall s \in S_1 \cup S_2 : \beta_{\mathbf T'}(s) \models^{seq}_{\mathcal G} c$ iff $\mathbf T' \models^{I}_{\mathcal G} c$. This shows that $LOBC^{I}$ is a logic of behavioural constraints.

Consider $LOBC^{II}$ now. As above, (1) is obvious. For (2) assume $f : \mathbf T \to \mathbf T'$. We have to show for each $s \in S_{\mathbf T}$ with $f(s) = s'$ that, if $s'$ is a run in $f(\mathbf T)$, then $s$ is a run in $\mathbf T$. Assume $t \in S_{\mathbf T}$ with $\beta_{\mathbf T}(s) \sqsubseteq \beta_{\mathbf T}(t)$ and let $t' = f(t)$. Since $\beta_{\mathbf T}(s) = \beta_{\mathbf T'}(s')$ and $\beta_{\mathbf T}(t) = \beta_{\mathbf T'}(t')$ we have $\beta_{\mathbf T'}(s') \sqsubseteq \beta_{\mathbf T'}(t')$. Thus, $\beta_{\mathbf T'}(s') = \beta_{\mathbf T'}(t')$ since $s'$ is a run, implying that $\beta_{\mathbf T}(s) = \beta_{\mathbf T}(t)$. This shows that $s$ is a run in $\mathbf T$. It follows by the same arguments as for $LOBC^{I}$ that $\mathbf T \models^{II}_{\mathcal G} c$ implies $f(\mathbf T) \models^{II}_{\mathcal G} c$. Also, (3) for $LOBC^{II}$ follows from the arguments for $LOBC^{I}$ and the fact that each run in $\mathbf T'$ is also a run in one of its subsystems $\mathbf T_i$. Finally, the same applies to $LOBC^{III}$ using the fact that for each $s \in S_{\mathbf T}$ we have $In(first(s)) = In(first'(f(s)))$. □

In order to define a particular logic it is now sufficient to provide a notion of constraints and satisfaction for transition sequences and to specify whether the logic shall be of type I, II, or III. The first three examples below are of type I. Hence, assume a graph transformation system $\mathcal G = \langle TG, P, \pi\rangle$ and let $\mathcal{TS}(\mathcal G) = \langle S, step\rangle$ be the full transition system over $\mathcal G$.

Proposition 24 (faithful and safe transitions). Let $Constr(\mathcal G) = \{faithful, safe\}$ and $\models^{seq}_{\mathcal G} \subseteq S \times \{faithful, safe\}$ be defined by $s \models^{seq}_{\mathcal G} faithful$ ($s \models^{seq}_{\mathcal G} safe$) iff the transition $first(s)$ is faithful (safe) (see Definition 6). Then, $\mathbf{FS} = \langle Constr, \models^{I}\rangle$ defined according to Proposition 23 forms a logic of behavioural constraints of type I.

Proof. Directly from Proposition 23. □

Proposition 25 (explicit frame conditions). Let $Constr(\mathcal G) = \{FC \in |\mathbf{Graph}| \mid FC \subseteq TG\}$ be the set of all frame conditions over $\mathcal G$ and $\models^{seq}_{\mathcal G} \subseteq S \times Constr(\mathcal G)$ be defined by $s \models^{seq}_{\mathcal G} FC$ iff the transition $first(s)$ satisfies $FC$ (see Definition 9). Then, $\mathbf{Frame} = \langle Constr, \models^{I}\rangle$ defined according to Proposition 23 forms a logic of behavioural constraints of type I.

Proof. Directly from Proposition 23. □

The frame condition $FC_{Ph}$ of Figure 3, for example, ensures that telephones are not created and deleted spontaneously, and that the hook state of the phone may only be changed by the user.

Proposition 26 (application conditions). Let $Constr(\mathcal G)$ be the set of all pairs $\langle p, A(p)\rangle$ where $p \in P$ and $A(p)$ is a positive or negative application condition for $\pi(p)$ in the sense of [HHT96]. Moreover, define $\models^{seq}_{\mathcal G} \subseteq S \times Constr(\mathcal G)$ by $s \models^{seq}_{\mathcal G} \langle p, A(p)\rangle$ iff $first(s) = G \overset{p/d}{\leadsto} H$ implies that the match $d_L : L \to G$ for $p$ satisfies $A(p)$. Then, $\mathbf{AC} = \langle Constr, \models^{I}\rangle$ defined according to Proposition 23 forms a logic of behavioural constraints of type I.

Proof. Directly from Proposition 23. □

Proposition 27 (graphical consistency conditions [HW95]). Let $Constr(\mathcal G)$ be the set of all injective morphisms $c : X \to Y \in \mathbf{Graph}_{TG}$. An assignment for $X$ in a graph $G$ is an injective morphism $a : X \to G$. It is a solution for $c$ if there is an injective $b : Y \to G$ such that $b \circ c = a$. Now, define $\models^{seq}_{\mathcal G} \subseteq S \times Constr(\mathcal G)$ by $s \models^{seq}_{\mathcal G} c$ iff each assignment $a : X \to In(first(s))$ is a solution for $c$. Then, $\mathbf{CC} = \langle Constr, \models^{I}\rangle$ defined according to Proposition 23 forms a logic of behavioural constraints of type I.

Proof. Directly from Proposition 23. □

For the condition $c$ on the left of Figure 7, a graph satisfies $c$ if for each occurrence of $X$ there is also an occurrence of $Y$, i.e., if a phone is ringing then the hook must be on. Hence, $c$ is satisfied by the graph $G_1$ of Figure 1 but not by the derived graph $G_2$.

[Figure 7 (image not reproduced). Left: the graphical consistency condition $c : X \to Y$, where $X$ is a ringing phone and $Y$ is the ringing phone with a HookOn vertex. Middle: a temporal logic constraint over $P_{Ph}^*$ with $L = HookOff$. Right: an $X$-augmented derivation step (bottom span only), with square (1) between $a(i) : X \to G_i$ and $k_i : X \to D_{i+1}$ over $G_i \xleftarrow{l} D_{i+1}$, and square (2) between $k_i$ and $a(i+1) : X \to G_{i+1}$ over $D_{i+1} \xrightarrow{r} G_{i+1}$.]

Fig. 7. Graphical consistency condition, temporal logic constraint with $L = HookOff$, and $X$-augmented derivation step (bottom span only).

In the rest of this section we define temporal logic constraints as a logic of behavioural constraints using cases II and III of Proposition 23. Therefore, let $\mathcal G = \langle TG, P, \pi\rangle$ be a graph transformation system and $GG = \langle \mathcal G, G_0\rangle$ a graph grammar. If $\mathcal Q$ is a set of atomic propositions, the language of propositional temporal formulas over a graph transformation system $\mathcal G$ has the form

$\phi ::= Q \mid \neg\phi \mid \phi_1 \wedge \phi_2 \mid [L]\phi \mid \langle L\rangle\phi$

where $Q \in \mathcal Q$ and $L \subseteq P^*$ is a set of sequences over production names. The intended meaning of $[L]\phi$ is that after every application of a sequence of productions $w \in L$, $\phi$ holds. Dually, $\langle L\rangle\phi$ means that there exists an application of a production sequence $w \in L$ such that $\phi$ holds. This propositional language is, of course, not able to express any property of the graphs in a derivation sequence. Hence, we have to combine it with a calculus like graphical consistency conditions. The resulting language is a graphical temporal logic where consistency conditions for graphs are connected by the propositional temporal operators defined above.

Definition 28 (interpreted temporal formulas). Assume an interpretation $I$ of atomic propositions $Q \in \mathcal Q$ by graphical consistency conditions $I(Q)$ over $\mathcal G$ (cf. Proposition 27). Then, for each graph $X \in |\mathbf{Graph}_{TG}|$ the class $Constr_X(\mathcal G)$ of $X$-interpreted temporal formulas is given by all formulas $\phi$ of the propositional temporal language where $I(Q) : X \to Y_Q$ for each atomic proposition $Q$ in $\phi$. The class $Constr(\mathcal G)$ of interpreted temporal formulas over $\mathcal G$ is the union of all $Constr_X(\mathcal G)$ for $X \in |\mathbf{Graph}_{TG}|$. △

A sample temporal logic constraint is shown in Figure 7 in the middle. It says that every state reachable from the initial state by productions in $P_{Ph}$ has to satisfy the following condition: if the phone is ringing, then the hook is taken off and after some finite number of (idle) steps the phone will stop ringing. In order to define the satisfaction of an $X$-interpreted temporal formula by a derivation sequence, we have to provide assignments for $X$ into the graphs of the sequence which are compatible with the derivation steps.

Definition 29 (complete assignment). Let $s \in S$ be a derivation sequence in $\mathcal G$ and $X \in |\mathbf{Graph}_{TG}|$ be a graph. An assignment $a$ for $X$ in $s$, written $a : X \leadsto s$, is a possibly infinite sequence $a = (a(0)\, a(1) \dots)$ of assignments for $X$ in the graphs $G_i$ (i.e., total injective morphisms $a(i) : X \to G_i$) where for any step $G_i \overset{p_i/d_i}{\leadsto} G_{i+1}$ of the sequence $s$ there exists a $k_i : X \to D_{i+1}$ such that (1) and (2) in Figure 7 on the right commute. The assignment $a$ is complete if it has maximal length. △

The pleasant fact about complete assignments is that they are uniquely determined by their first element $a(0)$ and the sequence $s$:

Proposition 30 (continuation of $a_0$ on $s$). If $s$ is a derivation sequence in $\mathcal G$ and $a_0 : X \to In(first(s))$ is an assignment for $X$ in the first graph of the sequence, then there is a unique complete assignment $a : X \leadsto s$ with $a(0) = a_0$.

Proof. See [Koc96]. □

Definition 31 (labelled transition system over $X$). For each graph transformation system $\mathcal G = \langle TG, P, \pi\rangle$ and each graph $X \in |\mathbf{Graph}_{TG}|$, the labelled transition system $T_X(\mathcal G) = (A_X, (\xrightarrow{w})_{w \in P^*})$ of $\mathcal G$ over $X$ consists of

- the set $A_X$ of all complete assignments $a : X \leadsto s$ in derivation sequences of $\mathcal G$, and
- for each sequence of production names $w = p_1 \dots p_n \in P^*$ a transition relation $\xrightarrow{w} \subseteq A_X \times A_X$, where $a \xrightarrow{w} a'$ iff $a : X \leadsto s$ and $a'$ is the continuation of $a(n)$ on $next^n(s)$ and $p_i = pn(first(next^i(s)))$ for all $i = 1 \dots n$, i.e., $a'$ is reachable from $a$ by application of $w$. △

Now we are able to define the satisfaction of interpreted temporal formulas by derivation sequences in $\mathcal G$:

Definition 32 (satisfaction of interpreted temporal formulas). Let $T_X(\mathcal G) = (A_X, (\xrightarrow{w})_{w \in P^*})$ be the labelled transition system of a graph transformation system $\mathcal G$ over $X \in |\mathbf{Graph}_{TG}|$ and let $I$ be an interpretation of the atomic propositions $Q \in \mathcal Q$. We define the satisfaction of $X$-interpreted temporal formulas $\phi \in Constr_X(\mathcal G)$ by complete assignments $a \in A_X$ inductively as

- $a \models_{\mathcal G, I} Q$ iff $a(0)$ is a solution for $I(Q)$ (cf. Proposition 27),
- $a \models_{\mathcal G, I} \neg\phi$ iff $a \not\models_{\mathcal G, I} \phi$,
- $a \models_{\mathcal G, I} \phi_1 \wedge \phi_2$ iff $a \models_{\mathcal G, I} \phi_1$ and $a \models_{\mathcal G, I} \phi_2$,
- $a \models_{\mathcal G, I} [L]\phi$ iff for all $a' \in A_X$, $a \xrightarrow{w} a'$ for some $w \in L$ implies $a' \models_{\mathcal G, I} \phi$, and
- $a \models_{\mathcal G, I} \langle L\rangle\phi$ iff there exists $a' \in A_X$ with $a \xrightarrow{w} a'$ for some $w \in L$ and $a' \models_{\mathcal G, I} \phi$.

Now, a derivation sequence $s$ satisfies an $X$-interpreted temporal formula $\phi$, written $s \models^{seq}_{\mathcal G, I} \phi$, iff $a \models_{\mathcal G, I} \phi$ for all complete assignments $a : X \leadsto s$. △

According to Proposition 23, this defines a logic of behavioural constraints:

Proposition 33 (temporal logic constraints). $\mathbf{Temp}^{II} = \langle Constr^{II}, \models^{II}\rangle$ and $\mathbf{Temp}^{III} = \langle Constr^{III}, \models^{III}\rangle$, defined according to Proposition 23 using the satisfaction relation of Definition 32, form two logics of behavioural constraints for graph grammars.

Proof. Directly from Proposition 23. □

Theorem 34 (final coalgebra semantics for temporal constraints). Let $\mathbf{Temp}^{II}$ and $\mathbf{Temp}^{III}$ be defined as above. In both cases, for each graph grammar with temporal logic constraints $\mathcal{GC} = \langle GG, C\rangle$, the restriction $\mathcal{TS}(GG)|_C$ of the full transition system $\mathcal{TS}(GG)$ is a final object in $\mathbf{GraTS}(\mathcal{GC})$.

Proof. By Proposition 33 and Theorem 16. □

In $\mathbf{Temp}^{II}$ the constraints are evaluated w.r.t. behaviours of maximal length only. It can be shown that this property is closed under reachability, i.e., if $s$ is maximal in a transition system $\mathbf T$, then so is $next(s)$. This means that all formulas are implicitly quantified over all subsequent states. Syntactically, this can be expressed by prefixing each formula $\phi$ with the "always" operator $[P^*]$, i.e., $[P^*]\phi$. In contrast, for the logic $\mathbf{Temp}^{III}$ the evaluation of formulas is restricted to those maximal sequences that begin in the start graph $G_0$ of a grammar, i.e., the constraints are less restrictive than in $\mathbf{Temp}^{II}$.
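The satisfaction relation of Definition 32 can be checked mechanically over a finite $T_X(\mathcal G)$. The following Python code is an added example written for this page, not code from the paper: complete assignments $a \in A_X$ are abbreviated to state names, each carrying the set of atomic propositions $Q$ whose consistency condition $I(Q)$ is solved by $a(0)$ and its unique continuation (labelled by the production applied), and a set $L \subseteq P^*$ is given as a deterministic finite automaton so that $[L]\phi$ and $\langle L\rangle\phi$ are decided by walking the product of the (deterministic, possibly cyclic) sequence with the automaton. The production names, the proposition `Ring`, the three sample phones and the encoding $[P^*](Ring \to \langle HookOff\rangle\langle Idle^*\rangle\neg Ring)$ of the constraint in the middle of Figure 7 are assumptions of this example.

```python
from collections import deque
from typing import Dict, FrozenSet, Optional, Set, Tuple

# A DFA over production names: (start state, accepting states, delta).
# A missing delta entry means the word is rejected.
DFA = Tuple[str, FrozenSet[str], Dict[Tuple[str, str], str]]
# T_X(G) abbreviated: a complete assignment a is a state name mapped to
# (propositions Q with a(0) a solution for I(Q), successor), where the
# successor is (production name, a') or None at the end of the sequence.
LTS = Dict[str, Tuple[FrozenSet[str], Optional[Tuple[str, str]]]]


def words(*ws: Tuple[str, ...]) -> DFA:
    """DFA (a trie) accepting exactly the given finite set of words."""
    delta, accept = {}, set()
    for w in ws:
        q = ""
        for p in w:
            delta[(q, p)] = q + "/" + p
            q = q + "/" + p
        accept.add(q)
    return ("", frozenset(accept), delta)


def star(*productions: str) -> DFA:
    """DFA accepting every word over the given productions (L = P'^*)."""
    return ("q", frozenset({"q"}), {("q", p): "q" for p in productions})


def reach(lts: LTS, a: str, L: DFA) -> Set[str]:
    """All a' with a -w-> a' for some w in L.  The continuation from a is
    deterministic, so this is a walk through the product of the sequence
    with the DFA; cycles (infinite behaviours) are cut by the visited set."""
    start, accept, delta = L
    seen, todo, found = {(a, start)}, deque([(a, start)]), set()
    while todo:
        s, q = todo.popleft()
        if q in accept:
            found.add(s)
        if lts[s][1] is None:
            continue
        p, s2 = lts[s][1]
        q2 = delta.get((q, p))
        if q2 is not None and (s2, q2) not in seen:
            seen.add((s2, q2))
            todo.append((s2, q2))
    return found


def sat(lts: LTS, a: str, phi: tuple) -> bool:
    """Definition 32.  Formulas: ("Q", name), ("not", f), ("and", f, g),
    ("box", L, f) for [L]f and ("dia", L, f) for <L>f."""
    kind = phi[0]
    if kind == "Q":
        return phi[1] in lts[a][0]
    if kind == "not":
        return not sat(lts, a, phi[1])
    if kind == "and":
        return sat(lts, a, phi[1]) and sat(lts, a, phi[2])
    if kind == "box":
        return all(sat(lts, b, phi[2]) for b in reach(lts, a, phi[1]))
    if kind == "dia":
        return any(sat(lts, b, phi[2]) for b in reach(lts, a, phi[1]))
    raise ValueError(f"unknown connective {kind}")


def implies(phi: tuple, psi: tuple) -> tuple:
    """phi -> psi, expressed as not(phi and not psi)."""
    return ("not", ("and", phi, ("not", psi)))


# Constructed sample: phone a* is answered and stops ringing, phone b* is
# answered but keeps ringing through idle steps forever, phone c* is never
# answered.  Names and propositions are assumptions of this example.
PRODUCTIONS = ("Ring", "HookOff", "Idle", "HangUp")
PHONES: LTS = {
    "a0": (frozenset({"Ring"}), ("HookOff", "a1")),
    "a1": (frozenset(), ("Idle", "a2")),
    "a2": (frozenset(), ("HangUp", "a3")),
    "a3": (frozenset(), None),
    "b0": (frozenset({"Ring"}), ("HookOff", "b1")),
    "b1": (frozenset({"Ring"}), ("Idle", "b1")),
    "c0": (frozenset({"Ring"}), ("Idle", "c0")),
}

# [P*](Ring -> <HookOff><Idle*> not Ring): whenever the phone rings, the
# hook is taken off and after finitely many idle steps it stops ringing.
RING = ("Q", "Ring")
ANSWERED = implies(RING, ("dia", words(("HookOff",)),
                          ("dia", star("Idle"), ("not", RING))))
ALWAYS_ANSWERED = ("box", star(*PRODUCTIONS), ANSWERED)


def demo() -> Dict[str, bool]:
    return {a: sat(PHONES, a, ALWAYS_ANSWERED) for a in ("a0", "b0", "c0")}


if __name__ == "__main__":
    print(demo())
```

The outer $[P^*]$ is the "always" prefix discussed above for $\mathbf{Temp}^{II}$; evaluating `ANSWERED` only at the initial assignment of a sequence corresponds to the $\mathbf{Temp}^{III}$ reading.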

7 Conclusion

In this paper we have shown how to extend the algebraic theory of graph transformations by a loose interpretation of graph productions and by a loose coalgebraic semantics for graph transformation systems, which allows one to handle various kinds of behavioural constraints. Both extensions are motivated by the need for a satisfactory semantics for partially specified systems, which may arise when modelling reactive systems, or in the case of parametrised or modular specifications.

The loose interpretation of graph productions is an original contribution that can be useful for other rule-based formalisms as well. For example, it is well-known that graph transformation systems properly generalise P/T Petri nets [Cor96]; in particular, by representing a net transition $t$ as a graph production (t), it can be shown that the firing of the transition at a given marking $M$ is faithfully modelled by a double-pushout direct derivation using (t) from the (discrete) graph representing $M$, and vice versa. Using this correspondence, one can provide a loose interpretation of the firing of net transitions by using the corresponding faithful double-pullback transitions. Such a "loose firing" of $t$ would delete from $M$ at least the tokens in $t$'s pre-conditions (but possibly more) and would generate at least the tokens in $t$'s post-conditions (but possibly more). Quite obviously, any such loose firing can be regarded as the effect of the concurrent firing of $t$ with a production $t'$ that deletes from $M$ the tokens that are not in $t$'s pre-conditions, and generates the tokens that are not in $t$'s post-conditions. The last theorem of Section 3 provides a similar characterisation for graph double-pullback transitions in terms of amalgamated derivations. Such a result is not trivial, for the simple reason that for a given subgraph $G \subseteq H$, the complement of $G$ in $H$ is not necessarily a graph (while the complement $M - M'$ of a marking $M' \subseteq M$ is still a marking). It is a topic for future work to study the possible applications of this notion of loose firing of Petri net transitions.

As far as the coalgebraic semantics and the logic of behavioural constraints are concerned, they are well-known for other specification techniques, but seem to be original in the framework of graph transformation systems. The application of coalgebraic techniques to graph transformation certainly deserves further investigation. Among the many possible topics for future research one may consider the definition and analysis of other coalgebraic semantics based on different functors, and the analysis of bisimulation relations over graph transition systems, as they are automatically induced by the coalgebraic semantics.
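The decomposition of a loose firing into the concurrent firing of $t$ with a residual production $t'$, as an added worked example (written for this page, not code from the paper or its references): markings and pre-/post-sets are modelled as multisets over places, and the net, the marking and the chosen extra tokens are constructed sample data.

```python
from collections import Counter

# Added example (not from the paper): markings and the pre-/post-sets of a
# P/T net transition are multisets over places, modelled with Counter.

def leq(small, big):
    """Multiset inclusion small <= big (pointwise on token counts)."""
    return all(big.get(p, 0) >= n for p, n in small.items())

def fire(marking, t):
    """Classical firing of t = (pre, post) at `marking`: enabled iff
    pre <= marking, with successor marking (marking - pre) + post."""
    pre, post = t
    if not leq(pre, marking):
        return None
    return (marking - pre) + post

def loose_fire(marking, t, deleted, added):
    """Loose firing of t: remove `deleted` (at least pre(t), at most the
    whole marking) and generate `added` (at least post(t)).
    Returns None if (deleted, added) is not admissible as a loose firing."""
    pre, post = t
    if not (leq(pre, deleted) and leq(deleted, marking) and leq(post, added)):
        return None
    return (marking - deleted) + added

def residual(t, deleted, added):
    """The production t' of the text: it deletes the tokens removed beyond
    pre(t) and generates those added beyond post(t)."""
    pre, post = t
    return (deleted - pre, added - post)

def concurrent(t1, t2):
    """Concurrent firing of two transitions, i.e. the transition whose
    pre- and post-sets are the multiset sums of the components'."""
    return (t1[0] + t2[0], t1[1] + t2[1])

def loose_equals_concurrent(marking, t, deleted, added):
    """Check the decomposition claimed in the text: the loose firing of t
    equals the classical firing of t concurrently with its residual t'."""
    loose = loose_fire(marking, t, deleted, added)
    strict = fire(marking, concurrent(t, residual(t, deleted, added)))
    return loose is not None and loose == strict

# Constructed net: places a, b, c; t consumes one token on a, produces one on b.
M = Counter({"a": 2, "c": 1})
t = (Counter({"a": 1}), Counter({"b": 1}))
D = Counter({"a": 1, "c": 1})   # pre(t) plus one extra token taken from c
A = Counter({"b": 1, "c": 2})   # post(t) plus two extra tokens put on c
```

With no extra tokens deleted or added, `loose_fire` reduces to the classical `fire`.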
Last but not least, the loose semantics we proposed should be lifted to a functorial semantics (leading to an indexed category) based on a suitable category of graph transformation systems. There are various notions of graph transformation system morphisms to contend with in the literature ([CEL+96,PP96,HCEL96,Rib96a,BC96]). We only mention that in the category proposed in [Rib96a], pullbacks are used for describing a sort of parallel composition with synchronisation of systems. Since the final coalgebra semantics can be characterised via a cofree construction (that preserves pullbacks), this semantics would be compositional with respect to such parallel composition.

The authors would like to thank Fabio Gadducci, Martin Große-Rhode, Manuel Koch and Julia Padberg for their remarks and contributions.

References

[AEH+96] M. Andries, G. Engels, A. Habel, B. Hoffmann, H.-J. Kreowski, S. Kuske, D. Plump, A. Schürr, and G. Taentzer. Graph transformation for specification and programming. To appear, 1996.
[Bar93] M. Barr. Terminal coalgebras in well-founded set theory. Theoretical Computer Science, 114:299–315, 1993.
[BC96] R. Banach and A. Corradini. An Opfibration Account of Typed DPO and DPB Graph Transformation: General Productions. Technical Report UMCS-96-11-2, University of Manchester, Department of Computer Science, 1996.
[BFH87] P. Böhm, H.-R. Fonio, and A. Habel. Amalgamation of graph transformations: a synchronization mechanism. Journal of Computer and System Science, 34:377–408, 1987.
[CEER96] J. Cuny, H. Ehrig, G. Engels, and G. Rozenberg, editors. 5th International Workshop on Graph Grammars and their Application to Computer Science, number 1073 in Lecture Notes in Computer Science. Springer Verlag, 1996.
[CEL+96] A. Corradini, H. Ehrig, M. Löwe, U. Montanari, and J. Padberg. The category of typed graph grammars and its adjunction with categories of derivations. In LNCS 1073, Proc. Williamsburg, U.S.A., pages 56–74. Springer Verlag, 1996.
[CMR96] A. Corradini, U. Montanari, and F. Rossi. Graph processes. Fundamenta Informaticae, 26(3,4):241–266, 1996.
[CMR+97] A. Corradini, U. Montanari, F. Rossi, H. Ehrig, R. Heckel, and M. Löwe. Algebraic approaches to graph transformation part I: Basic concepts and double pushout approach. In G. Rozenberg, editor, The Handbook of Graph Grammars, Volume 1: Foundations. World Scientific, 1997. To appear. Preprint available as technical report No. TR-96-17, University of Pisa, Department of Computer Science, at URL http://www.di.unipi.it/TR/TRengl.html.
[Cor96] A. Corradini. Concurrent Graph and Term Graph Rewriting. In U. Montanari and V. Sassone, editors, Proceedings CONCUR'96, volume 1119 of LNCS, pages 438–464. Springer Verlag, 1996.
[EE96] H. Ehrig and G. Engels. Pragmatic and semantic aspects of a module concept for graph transformation systems. In LNCS 1073, Proc. Williamsburg, U.S.A., pages 137–154. Springer Verlag, 1996.
[Ehr79] H. Ehrig. Introduction to the algebraic theory of graph grammars. In V. Claus, H. Ehrig, and G. Rozenberg, editors, 1st Graph Grammar Workshop, Lecture Notes in Computer Science 73, pages 1–69. Springer Verlag, 1979.
[EHTE97] H. Ehrig, R. Heckel, G. Taentzer, and G. Engels. A combined reference model- and view-based approach to system specification. Submitted, 1997.
[EKR91] H. Ehrig, H.-J. Kreowski, and G. Rozenberg, editors. 4th International Workshop on Graph Grammars and their Application to Computer Science, number 532 in Lecture Notes in Computer Science. Springer Verlag, 1991.
[EM85] H. Ehrig and B. Mahr. Fundamentals of Algebraic Specification 1: Equations and Initial Semantics, volume 6 of EATCS Monographs on Theoretical Computer Science. Springer Verlag, Berlin, 1985.
[ENRR87] H. Ehrig, M. Nagl, G. Rozenberg, and A. Rosenfeld, editors. 3rd International Workshop on Graph Grammars and their Application to Computer Science, number 291 in Lecture Notes in Computer Science. Springer Verlag, 1987.
[EPS73] H. Ehrig, M. Pfender, and H.J. Schneider. Graph grammars: an algebraic approach. In 14th Annual IEEE Symposium on Switching and Automata Theory, pages 167–180. IEEE, 1973.
[ET95] H. Ehrig and G. Taentzer. COMPUGRAPH II: A survey of research goals and main results. Bulletin EATCS, 57:85–95, 1995.
[HCEL96] R. Heckel, A. Corradini, H. Ehrig, and M. Löwe. Horizontal and vertical structuring of typed graph transformation systems. Mathematical Structures in Computer Science, 6(6):613–648, December 1996.
[Hec95] R. Heckel. Embedding of conditional graph transformations. In G. Valiente Feruglio and F. Rosselló Llompart, editors, Proc. Colloquium on Graph Transformation and its Application in Computer Science. Technical Report B-19, Universitat de les Illes Balears, 1995.
[HEWC97a] R. Heckel, H. Ehrig, U. Wolter, and A. Corradini. Double-pullback transitions and coalgebraic loose semantics for graph transformation systems. Submitted, 1997.
[HEWC97b] R. Heckel, H. Ehrig, U. Wolter, and A. Corradini. Integrating the specification techniques of graph transformation and temporal logic. Submitted, 1997.
[HHT96] A. Habel, R. Heckel, and G. Taentzer. Graph grammars with negative application conditions. Fundamenta Informaticae, 26(3,4):287–314, 1996.
[HW95] R. Heckel and A. Wagner. Ensuring consistency of conditional graph grammars – a constructive approach. Proc. of SEGRAGRA'95 "Graph Rewriting and Computation", Electronic Notes of TCS, 2, 1995. http://www.elsevier.nl/locate/entcs/volume2.html.
[Jac95] B. Jacobs. Inheritance and cofree constructions. Technical Report CS-R9564, CWI Amsterdam, 1995.
[Koc96] M. Koch. Modellierung und Nachweis der Konsistenz von verteilten Transaktionsmodellen für Datenbanksysteme mit algebraischen Graphgrammatiken. Technical Report 96-36, TU-Berlin, 1996. Master's thesis.
[Mes92] J. Meseguer. Conditional rewriting logic as a unified model of concurrency. TCS, 96:73–155, 1992.
[MM90] J. Meseguer and U. Montanari. Petri nets are monoids. Information and Computation, 88(2):105–155, October 1990.
[PP96] F. Parisi-Presicce. Transformations of graph grammars. In J. Cuny, H. Ehrig, G. Engels, and G. Rozenberg, editors, Proc. Fifth Intl. Workshop on Graph Grammars and Their Application to Comp. Sci., volume 1073 of Lecture Notes in Computer Science, pages 428–442. Springer, 1996.
[Rei95] H. Reichel. An approach to object semantics based on terminal co-algebras. Math. Struc. in Comp. Science, 5:129–152, 1995.
[Rib96a] L. Ribeiro. Parallel Composition and Unfolding Semantics of Graph Grammars. PhD thesis, TU Berlin, 1996.
[Rib96b] L. Ribeiro. A telephone system's specification using graph grammars. Technical Report 96-23, Technical University of Berlin, 1996.
[Rut96] J.J.M.M. Rutten. Universal coalgebra: a theory of systems. Technical Report CS-R9652, CWI, 1996.