Graph Abstraction and Abstract Graph Transformation · 2017-05-17 · Graph Abstraction and Abstract Graph Transformation Iovka Boneva1 Arend Rensink1 Marcos E. Kurba´n3 Jo¨rg Bauer2

Graph Abstraction and Abstract Graph Transformation

Iovka Boneva1 Arend Rensink1 Marcos E. Kurban3 Jorg Bauer2

1 Formal Methods and Tools Group, EWI-INF, University of TwentePO Box 217, 7500 AE, Enschede, The Netherlands

{bonevai,rensink }@cs.utwente.nl2 Informatics and Mathematical Modelling, Technical University of Denmark,

Building 322, DK-2800 Kongens Lyngby, DenmarkEmail: [email protected]

3 Former member of Formal Methods and Tools Group, EWI-INF, University of Twente

Abstract Many important systems like concurrent heap-manipulatingprograms, communication networks,or distributed algorithms are hard to verify due to their inherent dynamics and unboundedness. Graphs arean intuitive representation of states of these systems, where transitions can be conveniently described bygraph transformation rules.We present a framework for the abstraction of graphs supporting abstract graph transformation. The abstrac-tion method naturally generalises previous approaches to abstract graph transformation. The set of possibleabstract graphs is finite. This has the pleasant consequenceof generating a finite transition system for anystart graph and any finite set of transformation rules. Moreover, abstraction preserves a simple logic for ex-pressing properties on graph nodes. The precision of the abstraction can be adjusted according to propertiesexpressed in this logic to be verified.

Contents

1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41.1 Graph Transformations for System Analysis . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . 41.2 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

2 Graphs and Graph Transformations . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 Graph Abstraction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

3.1 Multiplicities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83.2 Shapes and Shaping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . 83.3 Abstraction Morphism and Isomorphism of Shapes . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . 123.4 Neighbourhood Shapes . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . 14

4 Canonical Shapes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . 174.1 Canonical Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . 184.2 Canonical Representation of Neighbourhood Shapes . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . 184.3 Canonical Shapes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . 19

5 Shape Transformations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215.1 Transformations of Shapes . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . 215.2 Properties of Shape Transformations . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . 235.3 Using Shape Transformations . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . 26

6 Materialisation and Normalisation . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276.1 Definition of the Set of Materialisations . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . 276.2 Effective Construction ofM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296.3 Normalisation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . 306.4 Back to the Construction of the Abstract Labelled Transition System . . . . . . . . . . . . . . . . 30

7 A Modal Logic for Graphs and Shapes . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . 317.1 Syntax of the Logic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . 317.2 Satisfaction on Graphs and Shapes . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . 327.3 Preservation by Abstraction Morphism . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . 327.4 Preservation and Reflection for Neighbourhood Shaping .. . . . . . . . . . . . . . . . . . . . . . . . . . 347.5 Relationship between the Logic and Neighbourhood Shaping . . . . . . . . . . . . . . . . . . . . . . 34

8 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . 359 Conclusion and Further Directions . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36Bibliography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37Appendices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39A Proof of Proposition 12 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39B Proof of Lemma 23 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . 39

B.1 Proof of the Statement 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . 40B.2 Proof of Statement 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . 41B.3 Proofs of Lemma 57 and Corollary 58 . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . 41

C Proof of Lemma 24 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . 44D Proof of Lemma 29 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . 45E Proof of Proposition 51 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

E.1 Preservation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . 48E.2 Reflection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . 49E.3 Preservation and reflection . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

F Proof of Lemma 45 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . 50G Proof of Lemma 55 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . 51

3

1 Introduction

Graphs constitute an important means of representation of the state of a system. Interesting qualities ofa given state have natural graph-theoretic counterparts. Specially if the system in question is one thatmanipulates the memory “heap”. Also, their inherent graphical representation makes them the “linguafranca” of software engineering, they are good to convey ideas back and forth between different com-munities such as formal verification and specification, software engineering and even end users. If weadd the concept of graph transformation for modelling transitions between system states, we form aframework that will allow people to talk about both the states of a system and how it evolves in time.

This paper presents work carried out in the context of the GROOVE project that seeks to developsuch a framework for software verification: states of a software system are represented by graphs andstatements of a programming language are given the semantics of graph transformation rules. As anexample, on Figure 1 is depicted a possible graph representation of a list. Adding a new element to thelist consists in creating a new node labelledCell with possibly associatedObject-node, and insertingit in the desired place in the list. Removing an element from the list and many other list operations canalso be seen as graph transformations.

1.1 Graph Transformations for System Analysis

A graph transformation rulep : L → R is given by its namep and a couple of graphsL,R, oftencalled left-hand side and right-hand side, respectively. Performing a graph transformation on a graphG using the rulep can be seen as finding a subgraph ofG that is isomorphic toL and replacing itwith R. Systems and system behaviour can be modelled by graphs and graph transformations. LetG0 be a graph representing an initial state of a system (e.g. the list on Figure 1) and letP be a setof transformation rules encoding all possible transitionsof the system (e.g.operations on lists). It ispossible to explore all possible accessible configurationsand evolutions of the system given byG0 andP. This is done by applying all possible transformations fromP to the start graphG0 and repeatingit iteratively to all graphs resulting from these transformations. This gives rise to a labelled transitionssystem whose states are graphs and whose transitions are applications of graph transformation rules.One can then verify properties,e.g. temporal properties, on the system using the transition system.The GROOVE tool [10] allows to construct (final portions of) such transition systems and verifytemporal properties using CTL logic.

Problems do arise when approaching this task. One such problem is the possible infinite behaviourof a system which in most cases makes it impossible to study the whole behaviour of the system.Another problem is space: even for a finite state space, each state can be quite big to represent if onedoes it naively. A usual way to circumvent these two problemsis abstraction. In Section 8 we willdescribe several related approaches that exist.

1.2 Contributions

In previous work some of the authors have proposed abstraction techniques in which graph nodes withsimilar incoming and outgoing edges [9] or similar direct neighbours [2] are summarised into a singleone. Such abstract graphs have sometimes been calledshapes[14,9] and we borrow here the samevocabulary. The number of possible such shapes is bounded. This, combined with a suitable notionof graph transformations for abstract graphs [11], guarantees a finite number of states of a transitionsystem.

As a first contribution of the paper we introduce a family ofneighbourhood shapesas a part of ageneral abstraction mechanism that subsumes previous works. For the abstraction, nodes are grouped

4

Figure 1. Graph representation of a list with four elements. EachCell contains a pointer to theObject

stored into it via aVal-edge, and possibly a pointer to the next cell via aNext-edge.

if they have similar neighbourhood up to some “radius”i, parameter of the abstraction. This allowsus to have abstractions with different precisions. Additionally, the number of possible neighbourhoodshapes is bounded. Moreover, we define graph transformations for our neighbourhood shapes, whichallows to over-approximate system behaviour while keepinga finite state space.

Our second contribution is a logic that goes hand-in-hand with our abstraction method. That is,given a formula describing a property we are interested in, our abstraction method will guaranteethat a) if the formula holds for the original graph, then it holds for the abstracted graph (we callthis property preservation); andb) if the formula holds for the abstracted graph, then it holdsfor theoriginal one too (we call this reflection).

Finally, all these ingredients can be combined for defining afully automatic method which, givenan initial graph, a set of graph transformation rules and a set of logic properties on the reachablegraphs we are interested in, will construct a finite state abstract labelled transition system on whichthese properties can be verified.

The present paper is structured as follows. Section 2 introduces graphs and graph transformations.Section 3 introduces the general abstraction mechanism as well as so called neighbourhood shapes.In Section 4 are defined canonical shapes, which are a family of shapes including neighbourhoodshapes that enjoy the good property of having a unique representation. Then in Sections 5 and 6 wedefine transformations on shapes and describe how it can be used for approximating system behaviourinto finite labelled transition systems. In Section 7 we introduce a modal logic that is preserved andreflected by the neighbourhood shaping mechanism. Section 8describes some related work. Finally,we conclude in Section 9.

2 Graphs and Graph Transformations

We are interested in finite graphs whose edges and nodes are labelled from a finite set of labelsLab.Formally, we do not associate labels with the nodes of the graph, we use instead special edges whosetarget is a particular object⊥ not in the set of nodes of the graph. This in particular allowsto havenodes with multiple labels, which shows to be very useful formodelling with graphs. Moreover, weauthorise multiple parallel edges,ie there can be several different edges having the same source andtarget nodes and the same label.

Definition 1 (graph). A graphG is a tuple(NG, EG, srcG, tgtG, labG) where

– NG is a finite set of nodes,– EG is a finite set of edges disjoint fromNG,– srcG : EG → NG andtgtG : EG → NG ∪ {⊥} with ⊥ 6∈ (NG ∪ EG) are mappings associating

with each edge its source and target nodes, respectively, and– labG : EG → Lab is labelling map for the edges of the graph. ◭

5

The mappinglabG is extended on nodes to designate the set of labels of a node,ie labG(v) = {a ∈Lab | ∃e ∈ EG : srcG(e) = v, tgtG(e) = ⊥, labG(e) = a}. 1 We will denote asv�a

G andv�a

G theset ofa-outgoing edges anda-incoming edges of the nodev, respectively. That is,v�a

G = {e ∈ EG |srcG(e) = v, labG(e) = a} and symmetrically forv�a

G. For a set of nodesV , V�a

G (resp.V�a

G) isthe extension of�a

G (resp.�a

G) on sets. Finally, forX,Y sets of nodes or nodes, we denoteX ��a

GYthe set of edges labelleda and going fromX to Y , ie X ��

a

GY = X �a

G ∩Y�a

G. When the graphG is clear from the context, we may omit the subscriptG in NG, EG, srcG, tgtG, labG, �

a

G, �a

G, and��

a

G.

Definition 2 (graph morphism). If G andH are graphs, agraph morphismf : G→ H is a functionfromNG ∪ EG ∪ {⊥} toNH ∪ EH ∪ {⊥} such that

– f preserves⊥, ie f(⊥) = ⊥, f−1(⊥) = {⊥},– f maps nodes to nodes and edges to edges,ie f(NG) ⊆ NH , f(EG) ⊆ EH ,– f is compatible with source and target mappings,ie srcH ◦f = f ◦ srcG, andtgtH ◦f = f ◦ tgtG,

and– f preserves labels,f ◦ labG = labH . ◭

A morphismf is called injective (resp.surjective, resp.bijective) if it defines an injective (resp.surjective, resp. bijective) map. A bijective morphism is also called anisomorphism.

For the sake of clarity, in the sequel of the paper we ignore the node⊥ and simply talk about nodelabels. It is easy to see that all the proofs can be adapted to this formal definition using the⊥ node.

Background on Graph Transformations

Let’s start with some notations for functions. For a setA, we denoteidA the identity function onA.For two functionsf, g, we denotef ∪ g their union, that is,f ∪ g is the function whose domain isthe union of the domains off andg and whose co-domain is the union of the co-domains off andg.The union of functions is defined only if for anyx belonging both to the domains off andg, f andgagree on their value forx.

Definition 3 (Production Rule). A graph production ruleP is a pair of graphs(L,R), called left-hand side and right-hand side respectively. A production rule can be viewed as the single graphL∪R.In this case we distinguish the following sets :

– NdelP = NL rNR andEnew

P = EL r ER are the elements to be deleted;– Nnew

P = NR rNL andEnewP = ER r EL are the elements to be created;

– NuseP = NR ∩NL andEnew

P = ER ∩ EL are the elements that remain unchanged.

The subscriptP is omitted when clear from the context.

Definition 4 (Graph Transformation). LetG be a graph andP = (L,R) be a production rule suchthatG andP are disjoint. Amatchingm for P intoG is an injective morphismm : L→ G satisfyingthe so called dangling edges application condition : for anyedgee of G, if src(e) ∈ m(Ndel) ortgt(e) ∈ m(Ndel), thene ∈ m(Edel).

If m is a matching forP intoG, thenthe transformation ofG according toP andm is the graphH defined as follows (withm′ : P → G the morphismm ∪ idNnew∪Enew):

– NH = (NG rm(Ndel)) ∪Nnew;

1 Note thatlabG(e) is a label for an edgee, andlabG(v) is a set of labels for a nodev.

6

Figure 2. Example of a production ruleP = (L,R) and its application to a graphG via matchingm : L → G. The rule morphismp is indicated by the dotted lines. For the sake of readability, thematchingm : L→ G is indicated by highlighting its imagem(L) in G. The host graphG representsa list with two elements with some additional object in the environment. The application of the ruleresults in adding a new element at the head of the list.

– EH = (EG rm(Edel)) ∪ Enew;– srcH = srcG ∪m′ ◦ srcP restricted toEH ;– tgtH = tgtG ∪m′ ◦ tgtP restricted toEH ;– labH = labG ∪ labP restricted toEH .

We writeGP,m−→ H to designate thatm is a matching forP in G andH is the graph resulting

from the transformation. ◭

The dangling edges application condition is standard in so called double push-out approach forgraph transformation. It ensures that performing a transformation does not introduce dangling edges(edges without source or target node).

On Figure 2 is depicted a production rule aiming to add an element in head of a list, as well as anexample application of this rule.

3 Graph Abstraction

It this section abstract graphs are called shapes. The name “shape” comes from work in shape analysis[14], where abstract graphs are used to represent pointer structures. Any node and any edge of a givenshape may represent several nodes/edges of someconcretegraph. We want it to carry information onthe number of summarised nodes/edges. For defining interesting abstractions, it seems necessary forthis multiplicity information to be approximate: think forinstance about abstracting a list indepen-dently of its length. In Section 3.1 we introduce the notion of multiplicity for handling approximateinformation on cardinals of sets. Then, in Section 3.2 we define the shapes that we consider, as wellas the abstraction mechanism calledshaping. It is essentially a morphism from a graph to a shape thatsatisfies some conditions.

7

Shapes may be more or less abstract. In particular, a shape may be abstracted to another shape.This yields a sub-shape relation between shapes. We define sub-shaping in Section 3.3. In the samesection, we also define isomorphism of shapes and show that isomorphic shapes represent the samesets of concrete graphs.

Finally, in Section 3.4 we define a particular family of shapes calledneighbourhood shapes.Neighbourhood shapes represent numerous advantages that will be studied in the rest of the paper.

3.1 Multiplicities

A multiplicity is an approximation of the cardinal of a (finite) set. Intuitively, all sets having strictlymore thanµ elements, for some fixed naturalµ, are considered having the same cardinal. This notionof multiplicity was also used in [9].

Definition 5 (multiplicity). For any natural numberµ > 0, let Mµ be the set{0, 1, 2, . . . , µ, ω}whereω is distinct from all natural numbers. Themultiplicity with precisionµ is the function associ-ating with each finite setU the value|U |µ in Mµ defined by:

|U |µ =

{

Card (U) if Card(U) ≤ µ,

ω otherwise.

The value|U |µ is called theµ-multiplicity of U , or simply the multiplicity ofU if µ is clear from thecontext. Elements ofMµ are called multiplicities. We writeM+

µ for the setMµ r {0}. ◭

We extend the usual ordering≥ over elements ofMµ by definingω ≥ λ for anyλ in Mµ. Sum canalso be extended over multiplicities on the expected way: let I be a finite index set and the(λi)i∈Ibe elements ofMµ. Then

∑µi∈I λi, theµ-sum of the(λi)i∈I , is

∣∣⋃

i∈I Ai∣∣µ

where the(Ai)i∈I arepairwise disjoint sets such that|Ai|µ = λi for anyi in I.

In the sequel of the paper, we consider two naturalsν, µ. Whenever their value is not specified,they may have any positive value.ν-multiplicity will be used for giving the multiplicity of sets ofnodes, andµ-multiplicity for giving the multiplicity of sets of edges.In particular, these two numberswill be parameters of graph abstractions.

3.2 Shapes and Shaping

A shape is a graph together with anode multiplicity functionthat indicates, for each node of theshape, how many nodes it summarises. Moreover, the set of nodes is partitioned into groups. Edgeswith same source node, and ending into nodes in the same group(or, respectively, edges with thesame target node, and starting in nodes in the same group) cannot be distinguished. Only the numberof such edges is indicated with the help of theedge multiplicity functionsof the shape.

We start by giving a flavour of what a shape is, in the followingexample.

Example 6 (Shape).On Figure 3 are depicted three shapes as well as values forµ andν for theseshapes. With each node of each shape is associated a multiplicity from M

+ν , indicating the number of

concrete graph nodes it represents; this is called thenode multiplicity. The dotted rectangles are de-limiting groups of nodes. By definition, this grouping can bearbitrary; in practise it would be definedby some common characteristic (e.g.nodes with same label, nodes with similar neighbourhood, etc).All edges have associated multiplicity information (fromMµ) in their end points. Sometimes, thismultiplicity is shared by several edges, indicated by the grey arc relating them. These are the so-called

8

(a) µ = 1, ν = 1 (b) µ = 1, ν = 3 (c) µ = 1, ν = 1

Figure 3. Examples of shapes.

outgoing edges multiplicity, when associated to source of the edge, andincoming edges multiplicitywhen associated to the target. Edge multiplicity intuitively indicate how many of the depicted edgesshould be there in a concrete graph. One can notice that edgesrelated in one of their end points allhave their other end point in the same group of nodes, and all have the same label. Actually, this isthe condition for relating edges. To be even more precise, according to the formal definition, edgemultiplicities are associated with a triple composed of a node, a label and a group of nodes. This willbe explained in Definition 7.

Let us now explain how one should interpret these example shapes.

(a). The shape on Figure 3(a) represents a set of bipartite concrete graphs in whicha-nodes are con-nected tob-nodes byc-edges. Each of these graphs has at least two (hereω on nodes or edgesstands for “two or more”, asν = 1) a-nodes and at least three (ω plus one)b-nodes. Moreover, ev-erya-node has at least two (ie ω) outgoingc-edges going tob-nodes. Allb-nodes except one haveonly one incoming edge; the remainingb-node has at least two incoming edges. See Figure 4(a)for some example concrete graphs.

(b). The shape on Figure 3(b) represents a set of concrete graphs having threea-nodes connected toeach-others and forming cycles ofb-edges. See Figure 4(b) for some example concrete graphs.

(c). The shape on Figure 3(c) represents a set of list-like concrete graphs havingCell-nodes connectedbynext-edges. Each of these graphs has at least one acyclic connected component of length four ormore with several (possibly zero) cyclic connected components of arbitrary length. See Figure 4(c)for some example concrete graphs. ◭

Before giving the formal definition of a shape, let us fix some notations. LetA be a set and∼ ⊆ A×A be an equivalence relation overA. Forx ∈ A, we denote[x]∼ the equivalence class ofxinduced by∼, ie [x]∼ = {y ∈ A | y ∼ x}. We denoteA/∼ the set of equivalence classes inA, ieA/∼= {[x]∼ | x ∈ A}. Moreover, if∼ and∼′ are two equivalence relations overA, we write∼ ⊆ ∼′

whenever for allx, y ∈ A, x ∼ y impliesx ∼′ y. Note that if∼ ⊆ ∼′, then any equivalence classfor ∼ is included into the equivalence class for∼′, that is, for allx ∈ A, [x]∼ ⊆ [x]∼′ . This means inparticular that any equivalence class for∼′ can be obtained as an union of equivalence classes for∼.

Formally, a shape is defined as follows:

Definition 7 (shape). A shapeS is a structure(GS ,≃S ,multn,S ,multout,S,multin,S) where

– GS = (NS , ES , srcS , tgtS , labS) is a graph;– ≃S ⊆ NS ×NS is an equivalence relation onNS called the grouping relation ofS;– multn,S : NS → M

+ν is a nodes’ multiplicity function;

– multout,S : NS × Lab ×NS /≃S→ Mµ is an outgoing edges multiplicity function and

9

(a) (b) (c)

Figure 4. Example concrete graphs that can be abstracted to the shapeson Figure 3.

– multin,S : NS × Lab ×NS /≃S→ Mµ is an incoming edges multiplicity function.

Moreover, for any nodev ∈ NS, any labela ∈ Lab and any equivalence class of nodesC ∈ NS /≃S,we require thatmultout,S(v, a, C) = 0 if, and only if,v ��

a

GSC = ∅, andmultin,S(v, a, C) = 0 if,

and only if,C ��a

GSv = ∅. ◭

As already mentioned, a shape is a representation of a set of concrete graphs. In this sense, it isan abstract graph. The fact that some concrete graph isabstractedto a given shape is determined bythe presence of so calledshaping morphism, which is a morphism from the graph to the shape thatcomplies to some additional constraints. We say then that the graph is aconcretisationof the shape.

Definition 8 (shaping morphism, concretisation).Let G be a graph andS be a shape. Ashap-ing morphism, or shaping, ofG into S is a graph morphisms : G → GS such that the followingconditions are met:

– for all w ∈ NS , multn,S(w) =∣∣s−1(w)

∣∣ν;

– for all w ∈ NS , for all a ∈ Lab, for all C ∈ NS /≃S, and for allv ∈ s−1(w),

multout,S(w, a, C) =∣∣v ��

a

G(s−1(C))∣∣µ

andmultin,S(w, a, C) =

∣∣(s−1(C)) ��

a

Gv∣∣µ.

If G is a graph andS is a shape such that there exists a shapings : G → S, then we say thatG is aconcretisationof S. The set of concretisations of a shapeS is denotedConcr(S). ◭

Example 9.The list structure from Figure 1 is a concretisation for the shape shown in Figure 5. Thecorresponding shaping maps theList-node of the graph to theList-node of the shape, the right-mostCell-node and the right-mostObject-node from the graph are mapped to the corresponding right-mostnodes from the shape. The remainingCell-nodes andObject-nodes from the graph are mapped to theleft-hand side such nodes of the shape.

10

Figure 5. Example of a shape for a list. All edge multiplicities are equal to one and are omitted.

Note that a shaping is a surjective morphism; this follows from the requirement for themultn,S

function together with the fact thatmultn,S maps to non null multiplicities, by definition of shapes.The requirements on outgoing (resp. incoming) edge multiplicities guarantee in particular that twodifferent nodesv, v′ from a graphG can be mapped to the same nodew of a shapeS only if v, v′ havethe same outgoing (resp. incoming) edges multiplicities with respect to a label and group of nodes.

Construction of Shapes In Definitions 7 and 8, a shapeS is a graph-like structure defined inde-pendently on any of its concretisations. A graphG can be abstracted to a shapeS if there exists amorphism fromG to the graph part ofS satisfying some conditions. In particular, these definitions donot give a hint how to construct shapes. In what follows, we present an alternative, constructive wayof defining a shape by providing a graph and two equivalence relations on its nodes.

LetG be a graph and∼, ≡ ⊆ NG×NG be two equivalence relations on the nodes ofG satisfyingthe following conditions:

(C1) ≡ ⊆ ∼, that is, ifv ≡ v′, thenv ∼ v′;(C2) for anyv, v′ nodes ofG, for any∼-equivalence class of nodesC ∈ NG /∼ and for any labela, if

v ≡ v′, then|v ��

a

GC|µ =∣∣v′ ��

a

GC∣∣µ

and|C ��

a

Gv|µ =∣∣C ��

a

Gv′∣∣µ

Let the equivalence relation≡ be extended on edges ofG in the following way:e ≡ e′ if srcG(e) ≡srcG(e′), tgtG(e) ≡ tgtG(e′) andlabG(e) = labG(e′).

Consider now the graphSG = (NS , ES , srcS , tgtS , labS) defined by:

– nodes ofSG are≡-equivalence classes of nodes ofG, ie NS = NG /≡;– edges ofS are≡-equivalence classes of edges ofG, ie ES = EG /≡;– for any edge[e]≡ in ES , srcS([e]≡) = [srcG(e)]≡, tgtS([e]≡) = [tgtG(e)]≡ and labS([e]≡) =

labG(e). Remark that, because of the definition of≡ on edges, the particular choice ofe for [e]≡is not important.

Consider finally the mappings : NG ∪ EG → NS ∪ ES defined by:s(v) = [v]≡ ands(e) = [e]≡for anyv in NG and anye in EG. The next lemma is not difficultly seen from the definitions, so wepresent it without proof.

Lemma 10. 1. The mappings canonically extended to⊥ defines a surjective graph morphism fromG into SG; by abuse of notation we denote this morphisms as well.

2. Let

11

– ∼S ⊆ NS×NS be the equivalence relation on nodes ofGS defined by[v]≡ ∼S [v′]≡ if v ∼ v′

for all v, v′ nodes ofG. Thanks to Condition (C1),∼S is well defined;– multn : NS → M

+ν be the mapping defined bymultn(w) =

∣∣s−1(w)

∣∣ν

for all w in NS ;– multout,multin : NS × Lab ×NS /∼S→ Mµ be the mappings defined by

multout([v]≡ , a, C) = |v ��a

GC|µ multin([v]≡ , a, C) = |C ��a

Gv|µ

for all v ∈ NG, a ∈ Lab andC ∈ NS /∼S . Thanks to Condition (C2),multout andmultin arewell-defied.

ThenS = (GS ,∼S ,multn,multout,multin) is a shape ands is a shaping morphism. ⊓⊔

It follows from this lemma that, given a graphG and two equivalence relations on the nodes ofGsatisfying Condition (C1) and Condition (C2), one can definea shapeS such that there exists a shapings : G → S. Note that all shapes can not be defined this way, for two reasons.2 First, shapes definedas in previous lemma necessarily have concretisations, andthere exist shapes without concretisations.Second, shapes defined as in previous lemma can not have parallel edges (ie edges having samesource, same target and same label), whereas shapes may havesuch parallel edges. Nevertheless, itis the case that any shape admitting concretisations and without parallel edges can be defined3 by agraphG and two equivalence relations, as explained previously.

For a graphG and equivalence relations∼ and≡ satisfying Condition (C1) and Condition (C2),we defineshape(G,∼,≡) as the shape described by Lemma 10 and we defineshaping(G,∼,≡) asthe corresponding shaping.

3.3 Abstraction Morphism and Isomorphism of Shapes

Just like graphs can be abstracted to shapes, shapes can be abstracted to (more abstract) shapes. Inthis section we describe this abstraction relation, definedby the presence of so calledabstractionmorphismbetween shapes. Then we show that this abstraction relationis composable. We also useabstraction morphisms to define the notion ofisomorphismbetween shapes with the interesting prop-erty that isomorphic shapes have the same concretisations.As we will see, these properties of shapesallow to define a pre-order on shapes.

Definition 11 (Abstraction Morphism). LetS andT be two shapes. Anabstraction morphism be-tweenthem is a graph morphismf : S → T that complies to the following axioms:

1. ∀v, v′ ∈ NS : v ≃S v′ impliesf(v) ≃T f(v′);

2. ∀w ∈ NT : multn,T (w) =(∑ν

v∈f−1(w) multn,S(v))

;

3. ∀w ∈ NT , ∀a ∈ Lab, ∀C ∈ NT /≃T , ∀v ∈ f−1(w), it holds

multout,T (w, a, C) =

µ∑

D ∈ (f−1(C))/≃S

multout,S(v, a,D)

2 Actually, there is a third reason which has to do with representation, and that is ignored here. The shapes defined as inLemma 10 come with their representation: nodes are equivalence classes of nodes of some graph, edges are equivalenceclasses of edges of some graph, and so on. Thus, two isomorphic, but not equal, graphs would define two differentshapes, although intuitively we would consider these two shapes as equivalent. This “equivalence” of shapes is calledshape isomorphism and is defined in Section 3.3.

3 Up to isomorphism; see also Footnote 2.

12

and

multin,T (w, a, C) =

µ∑

D ∈ (f−1(C))/≃S

multin,S(v, a,D).

When such a morphism exists, we say thatS is asubshapeof T , and we denote it asS ⊑ T . ◭

Note that the subshape relation falls to be an ordering relation because it is not antisymmetric. Letus now argue that the axioms in the previous definition are well defined. In the third axiom we aresumming up themultout,S(v, a,D) andmultin,S(v, a,D) for all D ∈ (f−1(C)) /≃S . It is then nec-essary that all the triples(v, a,D) belong to the domain ofmultin,S, that is, it is necessary that anysuchD belongs toNS /≃S. This is indeed the case thanks to the first axiom. Let us now make aparallel between shaping and abstraction morphism. The second condition for abstraction morphismcorresponds to the first condition for shaping, but we are summing up node multiplicities instead ofsimply counting nodes. The third condition on abstraction morphisms is very close to the second con-dition for shaping, but we are taking into account outgoing and incoming edge multiplicities insteadof simply counting edges.

Proposition 12 (Abstraction Morphisms are Composable).Let S, T andU be shapes,f be anabstraction morphism betweenS andT andg another such morphism betweenT andU . Theng ◦ f(the function composition off andg) is an abstraction morphism betweenS andU .

Proof. See Appendix A.

Let us also point out that a shaping and an abstraction morphism can also be composed, resultinginto a shaping. The next proposition is presented without proof, but it is not difficultly seen to followfrom Proposition 12 and the definition of shaping.

Proposition 13 (Shapings and Abstraction Morphisms).LetG be a graph andS andT be shapessuch that there exist a shapings : G → S and an abstraction morphismf : S → T . Then,f ◦ s :G→ T is a shaping. ⊓⊔

Shapes that are the abstraction of one another will be calledisomorphic:

Definition 14 (Isomorphism of Shapes). Two shapesS and T are isomorphicif there exists anisomorphismf : GS → GT such thatf andf−1 are abstraction morphisms. In this case,f is calledan abstraction isomorphism. ◭

It is easy to see from the definitions that iff : S → T is an abstraction isomorphism, then thegrouping relation≃T is such thatf(v) ≃T f(w) if, and only if, v ≃S w, the node multiplicityfunctionmultn,T is such thatmultn,T (f(v)) = multn,S(v), and analogously for the edge multiplicityfunctions.

Lemma 15 (Isomorphism and Concretisations).If two shapesS andT are isomorphic, then theyhave the same concretisations.

Proof. Immediately follows from the definitions and Proposition 13. ⊓⊔

The inverse is not true. Consider for instance the two shapesS andT as follows:S has a single node ofmultiplicity two and no edges.T has two nodes, each of multiplicity one, and no edges.S andT bothhave a unique concretisation (up to graph isomorphism) which is the graph with two nodes and noedges, butS andT are clearly not isomorphic. Another example are shapes without concretisations,that may have very different underlying graphs, but all havethe same concretisations.

13

Partial order relation over shapes Two shapes will be considered equivalent if they have the sameconcretisations; we denote this equivalence relation=concr. That is, for all shapesS, T , S =concr T if,and only if,Concr (S) = Concr(T ).

Lemma 16 (Partial Order). The subshape relation⊑ defines a partial order between shapes withrespect to the equivalence relation=concr.

Proof. ⊑ is clearly reflexive; it is antisymmetric, for the equivalence relation=concr, by definition ofisomorphism of shapes and by Lemma 15. Finally,⊑ is transitive by Proposition 12.

It is also easy to see that the⊑ relation is compatible with the subset relation on concretisations, inthe sense thatS ⊑ T implies thatConcr (S) ⊆ Concr (T ). This is an immediate consequence ofProposition 12 and Proposition 13. This partial order couldbe a first step making the link between ourabstraction mechanism and abstract interpretation (see,e.g., [6]). However, it does not allow to defineimmediately a Galois connection between graphs and shapes,but between sets of graphs and sets ofshapes, as the subshaping relation is in connection with thesubset relation on graphs.

3.4 Neighbourhood Shapes

Neighbourhood shapes are a special family of shapes that represent several interesting properties es-tablished in the rest of the paper. For the moment, let us onlypoint out the possibility to parametrisethe precision of abstraction offered by neighbourhood shapes. Precision of (general) shapes, that weconsidered up to now, can already be parametrised by the two multiplicities µ andν. In a neighbour-hood shape, each (abstract) node represents concrete graphnodes that have similar neighbourhood,up to some “radius”i. This i is also a parameter of the precision of neighbourhood shapes.

Neighbourhood shaping (ie abstracting into a neighbourhood shape) is always defined for graphs.That is, for any values of the parametersµ, ν andi, and for any graphG, there exists a neighbourhoodshape with the corresponding precision that is a shape forG. This does not hold for shapes with ab-straction morphisms: some shapes can be abstracted to a neighbourhood shape with a given precision,for other shapes it is not possible.

Hereafter, we define neighbourhood shaping for graphs and for shapes, describing the conditionsfor existence of the latter. For both, we first define the so-called neighbourhood equivalenceovernodes and edges of a graph (resp. shape) on which the neighbourhood shaping is based.

Neighbourhood Shape for a Graph We start by defining a family of equivalence relations over thenodes of a graph that relate nodes having similar neighbourhoods, up to some “radius”i.

Definition 17 (Neighbourhood Equivalence). LetG be a graph. For each naturali, the i neigh-bourhood equivalencerelation≡i between nodes ofG is recursively defined as:

– v ≡0 v′ if labG(v) = labG(v′);

– v ≡i+1 v′ if v ≡i v

′, and |v ��aC|µ = |v′ ��

aC|µ, and|C ��av|µ = |C ��

av′|µ for all label ain Lab and for all set of nodesC ∈ N / ≡i.

Thei-neigborhood equivalence relation is extended to edges ofG by e ≡i e′ if lab(e) = lab(e′)

andsrc(e) ≡i src(e′) and either (i)e, e′ are binary edges andtgt(e) ≡i tgt(e′) or (ii) e, e′ are edgeswith target⊥. ◭

We can now define the family of neighbourhood shapings. Two nodes are mapped to the sameshape node if they are neighbourhood equivalent up to some radius. The grouping relation is alsogiven by neighbourhood equivalence, but using a smaller radius.

14

Figure 6. Level one neighbourhood shape of a list. All edge multiplicities are equal to one and areomitted.

Definition 18 (Neighbourhood Shape of a Graph, Neighbourhood Shaping of a Graph).For anyi ≥ 1, the level i neighbourhood shape ofG is shape(G,≡i−1,≡i) and thelevel i neighbourhoodshaping ofG is shaping(G,≡i−1,≡i). ◭

In Figure 6 and Figure 7 are depicted respectively the level one and the level two neighbourhoodshapes of the list from Figure 1, forµ = 1 andν = 1. Defining the corresponding shaping morphismsis left to the reader.

The neighbourhood shape of a graph can not be dissociated from the graph because of its repre-sentation: nodes and edges of the shape are sets of nodes and sets of edges of the graph. This situationis not very convenient, we would like to be able to talk about neighbourhood shapes of graphs to des-ignate their properties and not some particular representation, that is, to designate their isomorphismclass. Thus, we overload the terms neighbourhood shape and neighbourhood shaping in the followingway. In the sequel, we will usethe neighbourhood shape of the graphG to designate the isomorphismclass of the actual neighbourhood shape ofG in the sense of Definition 18, and we will usethe neigh-bourhood shaping of the graphG for shapingss : G → S such thats = f ◦ s′, wheres′ : G→ S′ isthe actual neighbourhood shape ofG andf : S′ → S is a shape isomorphism.

Neighbourhood Shape for a Shape

Definition 19 (Neighbourhood Equivalence for Shapes).Let S = (G,≃,multn,multout,multin)be a shape. For anyi ≥ 0, the binary relation∼i over nodes ofS is defined by:

– w ∼0 w′ if lab(v) = lab(v′);

– w ∼i+1 w′ if w ∼i w

′, ≃ ⊆ ∼i and for allC ∈ NS /∼i, and for all labelsa,

µ∑

K∈NS/≃ | K⊆C

multout(w, a,K) =

µ∑

K∈NS/≃ | K⊆C

multout(w′, a,K)

and analogously for incoming edges multiplicity function.

The relation∼i is extended to edges ofS by: e ∼i e′ if src(e) ∼i src(e′), tgt(e) ∼i tgt(e′) and

lab(e) = lab(e′). ◭

The requirement≃ ⊆ ∼i intuitively says that the grouping relation should be “finer” in the senseof grouping less nodes, than the∼i relation that we are trying to define. Note that this requirement≃ ⊆ ∼i is necessary, as it ensures that anyK ∈ NS /≃ is a subset of someC ∈ NS /∼i. If

15

Figure 7. Level two neighbourhood shape of a list with four cells. All edge multiplicities are equal toone and are omitted.

this requirement is not fulfilled, then the sums in the definition above are not defined. In this case,the relations∼j for any j > i are empty. The following Example 20 illustrates the impossibility ofdefining a neighbourhood shaping relation when this requirement is not fulfilled.

Example 20.Consider the shape depicted on Figure 8, and let us try to compute∼1, the level oneneighbourhood relation on the nodes of the shape. We have[v1]∼0

= [v2]∼0= {v1, v2} and[v3]∼0

=[v4]∼0

= {v3, v4}. Clearly,≃ 6⊆ ∼0. For testing whether v3∼1 v4, we need to know whether thenumber of outgoingc-edges from v3 to nodes in{v1, v2} is the same as for v3. But this informationis not given by the shape, as we only know that v3 hasω outgoingc-edges that may go either to thegroup{v1, v2} or to the group{v3, v4}.

Figure 8. A shape withµ = 1 andν = 1. All omitted edge multiplicities are equal to one. v1. . . v4are node identities.

Lemma 21. LetS be a shape andi ≥ 1. If the relation∼i over the nodes ofS is not empty, then∼i

is an equivalence relation.

Proof. By definition of∼i, ∼i is empty if and only if≃ 6⊆ ∼i−1. Now, if ≃ ⊆ ∼i−1, then it is easy tosee that∼i is symmetric, reflexive and transitive. ⊓⊔

Definition 22 (Neighbourhood Shape of a Shape, Neighbourhood Shaping of a Shape). Let Sbe a shape andi ≥ 1. If the relation∼i over the nodes ofS is not empty, letT be the shape definedby:

– nodes areT are [v]∼ifor v node ofNS ;

– edges ofT are [e]∼ifor e edge ofES ;

16

– for any edgee′ = [e]∼iin ET (for s ∈ ES), srcT (e′) = [srcS(e)]∼i

, tgtT (e′) = [tgtS(e)]∼iand

labT (e′) = labS(e). By definition of∼i these are well defined;– ≃T=∼i−1;– for anyw ∈ NT ,

multn,T (w) =ν∑

v∈NS | [v]∼i

=w

multn,S(v)

;– for anyw ∈ NT , any labela and anyC ∈ NT /≃T ,

multout,T (w, a, C) =

µ∑

K∈NS/≃ | K⊆C

multout(w, a,K)

and similarly for incoming edges multiplicities.

ThenT is called thelevel i neighbourhood shape ofS. ◭

Note that the edge multiplicity functions are well defined bydefinition of∼i.We terminate the section by two properties of neighbourhoodshapes and neighbourhood shapings

that well be used in Section 6.

Lemma 23 (Composition of neighbourhood shapings).LetG be a graph,S, T be shapes,s : G→S, t : G→ T be shaping morphisms, andβ : T → S be an abstraction morphism such thats = β ◦ t.Then for alli the following hold.

1. If s is the leveli neighbourhood shaping ofG, thenβ is the leveli neighbourhood shaping ofT .2. If β is the leveli neighbourhood shaping ofT , thens the leveli neighbourhood shaping ofG.

G

S

T

s

t

β

Proof. See Appendix B

Lemma 24 (Common concretisation implies isomorphism).If two neighbourhood shapes have acommon concretisation, then they are isomorphic.

Proof. The proof of the lemma uses the canonical representation of neighbourhood shapes, defined inSection 4. Thus, we give it in Appendix C.

4 Canonical Shapes

Canonical shapes are a special class of shapes that includesneighbourhood shapes. More precisely,it is composed of neighbourhood shapes, and of shapes that donot admit concretisations. Canonicalshapes have so called “canonical” representation which is arepresentation of isomorphism classes ofsuch shapes. This in particular allows to define a normalisedrepresentation of (isomorphism classesof) neighbourhood shapes. Moreover, for each shaping precision (ie values forµ, ν and the neighbour-hood radiusi), the number of canonical shapes is finite. Additionally, itis decidable whether a shapeis (isomorphic to a) canonical shape, and in this case its canonical representation can be computed.All these properties make canonical shapes a good over-approximation of the set of neighbourhoodshapes.

17

4.1 Canonical Names

In this section, we introduce the notion of acanonical name. Each equivalence class with respect toa neighbourhood equivalence is uniquely identified by such aname. For example, each equivalenceclass with respect to≡0 contains only nodes having the same labels and is identified by this set oflabels. It becomes the canonical name of this equivalence class. Each equivalence relation≡i comeswith a setNCani of canonical names. As we will see, a neighbourhood shape canbe viewed as agraph whose nodes and edges are canonical names. The notion of a canonical name occurs frequentlyin literature, for example in [15].

Definition 25 (Canonical Name).The set oflevel i node canonical names, NCani, is defined induc-tively for i ≥ 0:

NCan0 = 2Lab

NCani+1 = NCani × (NCani × Lab → Mµ) × (NCani × Lab → Mµ).

The setECani of level i edge canonical namesis ECani = NCani × Lab × NCani.

LetG be a graph. The mappingnameiG maps nodes and edges ofG to their leveli canonical nameas follows. Forv node ofG, name0

G(v) = labG(v), andnamei+1G (v) = (nameiG(v),out, in) where for

each canonical nameC in NCani and for each labela in Lab (NC stands for the set of nodesv′ suchthatnameiG(v′) = C),

out(C, a) = |v ��a

GNC |µ in(C, a) = |NC ��a

Gv|µ .

For e edge ofG, nameiG(e) = (nameiG(src(e)), lab(e), nameiG(tgt(e))). ◭

Example 26.Consider the level zero node canonical nameC0 = {c, d} and the level one node canon-ical nameC1 = ({a},0, in), where0 indicates the constant function associating0 to all elements ofits domain, andin(C0, b) = 1, andin(C ′, x) = 0 for all C ′ 6= C0 and allx 6= a. C0 is the class ofnodes labelledc andd. C1 is the class of nodes labelleda that have one incomingb-edge from a nodelabelledc andd andno moreadjacent nodes. ◭

Note that the number of leveli canonical names is exponentially growing ini. However, for anyi, this number is bounded in terms of the number of atomic propositions andµ

Note 27. For anyi ≥ 0, the sets of leveli node canonical names and edge canonical names are finite.◭

The number of different canonical names is growing super-exponentially ini, that is, |NCani| ≥im = mm···

m

︸︷︷︸

i

, wherem = µ + 2. We are convinced that in practical cases the number of used

different canonical names would not reach this upper bound.

4.2 Canonical Representation of Neighbourhood Shapes

There is a quite clear relation between canonical names and the neighbourhood equivalence relation:two nodes (resp. edges) in a graph arei-neigborhood equivalent if, and only if, they have the samelevel i canonical names. Next lemma easily follows from the definitions, thus we present it withoutproof.

18

Lemma 28. For any i ≥ 0, any graphG, any two nodesv, v′ of G and any two edgese, e′ of G,v ≡i v

′ if, and only if,nameiG(v) = nameiG(v′), ande ≡i e′ if, and only if,nameiG(e) = nameiG(e′).

⊓⊔

In what follows we will show that this correspondence gives rise to a canonical representationof neighbourhood shapes. We will first introduce the actual representation, and then show that it iscanonical, in the sense of unique (up to shape isomorphism).

LetG be a graph. Consider the tripleCG = (namei(NG), namei(EG),mult), wherenamei(NG)andnamei(EG) are the sets of node and edge leveli canonical names of the graphG, respectively,andmult : namei(NG) → M

+ν is the function defined bymult(C) =

∣∣{v ∈ NG | nameiG(v) = C}

∣∣ν

for all C ∈ namei(NG). We will show thatCG is a canonical representation of the isomorphism classof the leveli neighbourhood shape ofG. This will provide us with a representation of neighbourhoodshapes that is independent on the graphs they were computed from.

Lemma 29 (Canonical Representation).LetG,H be graphs, and leti ≥ 1. The leveli neighbour-hood shapes ofG andH are isomorphic if, and only if,CG andCH are equal.

By CG andCH are equal, we mean component-wise equality, that is, equality of the sets of node andedge canonical names and equality of the node multiplicity functions that define them.

Proof. The proof is given in Appendix D. It uses results that will be introduced later, namely relation-ship between the neighbourhood shaping and the modal logic defined in Section 7.

Thus, by Lemma 29 we know that any isomorphism class of leveli neighbourhood shapes hasa canonical representation of the form(N , E ,mult), whereN ⊆ NCani, E ⊆ ECani, andmult :N → ν. Then the question arises what is the relationship between triples from (N , E ,mult) andneighbourhood shapes. This is studied in the next section.

4.3 Canonical Shapes

We denoteCSi∗ the set of triples℘(NCani) × ℘(ECani) × (NCani ⇀ M+ν ) such that for any

(N , E ,mult) ∈ CSi∗, dom(mult) = N . We will see that some elements ofCSi∗ define shapes. Itis decidable to know for a givenC ∈ CSi∗ whether it defines a shape. Moreover, some elements ofCSi∗ define neighbourhood shapes, but we think that it is not decidable to know whether an element ofCSi∗ defines a neighbourhood shape. However, we give a syntactic definition of a subset ofCSi∗ whichcontains all neighbourhood shapes.

From Canonical Names to ShapesLet (N , E ,mult) ∈ CSi∗, and consider the structureS =((N , E , src, tgt, lab),≃,multn,multout,multin), wheresrc, tgt : E → NCani, lab : E → Lab, ≃is an equivalence relation inN , multn : N → M

+ν , andmultout,multin : N × Lab × N /≃→ Mµ

defined by:

– for anye = (C, a, C ′) in E , srcS(e) = C, tgtS(e) = C ′ andlabS(e) = a;– ≃ is the smallest equivalence relation such thatC ≃ C ′ if C andC ′ have the same first component.

Remind thatC andC ′ are leveli node canonical names and their first component is a leveli − 1canonical name;

– multn = mult;– for all C ∈ NS, a ∈ Lab, andK ∈ NCani−1, multout(C, a,K) = outC(K, a), whereoutC

is the function second component ofC (remind thatC is a leveli canonical name andoutC :NCani−1 × Lab → µ);

19

– for all C ∈ NS , a ∈ Lab, andK ∈ NCani−1, multout(C, a,K) = inC(K, a), whereinC is thefunction third component ofC.

The following lemma identifies the conditions on(N , E ,mult) under whichS is a shape.

Lemma 30. If

1. E ⊆ N × Lab ×N , and2. for allC ∈ N , all K in NCani−1 and all labela, outC(K, a) = 0 if, and only if,{(C, a, C ′) ∈ E |π1(C

′) = K} = ∅ (whereπ1(C′) denotes the first component ofC ′), and similarly for inC .

thenS is a shape.

Proof. The first condition ensures that(N , E , src, tgt, lab) is a graph, and the second condition en-sures that the edge multiplicity functions ofS are consistent with its graph structure,ie edge multi-plicity is positive if, and only if, there are indeed edges towhich it corresponds. ⊓⊔

ForC ∈ CSi∗ satisfying the condition from Lemma 30, we denoteSC the corresponding shape.We have now a characterisation of elements ofCSi∗ that define shapes. In what follows we will

give some characteristics of elements ofCSi∗ that represent neighbourhood shapes.

Definition 31 (Canonical shape).A level i canonical shapeis a shape of the formSC , for C ∈ CSi∗,and such thatSC is (isomorphic to) its own leveli neighbourhood shape.

We denoteCSi the set of leveli canonical shapes. Canonical shapes will be usually represented aselements ofCSi∗, ie triples composed of a set of node canonical names, a set of edge canonical names,and a multiplicity function. This is called theircanonical representation.

Lemma 32 (Relationship between Neighbourhood Shapes and Canonical Shapes).The followingtwo are equivalent, for all leveli canonical shapeC:

1. The shapeSC is isomorphic to the neighbourhood shape of some graphG.2. The shapeSC admits concretisations.

Proof. The implication 1⇒ 2 is immediate from the definitions. For the implications 2⇒ 1, letβ : SC → SC be the leveli neighbourhood shaping ofSC . By hypothesis, we know that there exists agraphG and a shapings : G→ SS . Then, by Proposition 13 we know thatβ ◦ s is a shaping, and byLemma 23 we deduce thatβ ◦ s is the leveli neighbourhood shaping ofG.

That is, shapes that can be obtained by neighbourhood shaping are exactly canonical shapes thatadmit concretisations, up to isomorphism. In the following, we will be interested at the setCSi as asuperset of the set of leveli neighbourhood shapes.

We do not know whether it is decidable to check if a canonical shape is a neighbourhood shape.Note that according to Lemma 32 it falls to decide whether a canonical shape admits concretisations.

Conjecture 33.It is not decidable whether a shape admits concretisations.

Even if this conjecture is confirmed, it still does not answerthe previous question of decidabilitywhether a canonical shape admits concretisations. Our intuition is that the conjecture also holds forcanonical shapes.

20

Remark 34 (On Isomorphism of Canonical Shapes).We do not know whether two canonical shapescan be isomorphic without having the same node and edge sets.However, if it could happen, let’ssayC andC′ are isomorphic but do not have the same node and edge sets, then necessarilyC andC′ are not neighbourhood shapes (ie do not have concretisations). Indeed, by Lemma 15, two shapesare isomorphic if, and only if, they have the same concretisations and, by definition, the canonicalrepresentation of a neighbourhood shape is unique for its entire isomorphism class.

5 Shape Transformations

In this section we define transformations of shapes. We also establish how transformations of shapesare related to transformations of their concretisations. Finally, we discuss on properties of transforma-tions of neighbourhood shapes.

5.1 Transformations of Shapes

Definition 35 (pre-matching).LetL be a graph andS be a shape. Apre-matchingp ofL into S is agraph morphismp : L→ GS such that:

1. for all nodew in p(L), multn,w ≥∣∣p−1(w)

∣∣ν,

2. for all edgee in p(L) with source nodew, target nodew′ and labela, it holdsmultout,S(w, a, [w′]≃S) ≥

∣∣p−1(e)

∣∣ν

andmultin,S(w′, a, [w]≃S) ≥

∣∣p−1(e)

∣∣ν.

A pre-matchingp is calledconcreteif p is an injective morphism and additionally satisfies thefollowing properties :

3. for all nodev in p(NL), multn,S(v) = 1;4. for all nodev in p(NL), the equivalence class[v]≃S

is the singleton set{v}.

5. for all nodesv,w in p(NL) and for all labela, multout(v, a, {w}) =∣∣∣v ��

a

GSw

∣∣∣µ

= multin(v, a, {w}).

As shown in the next lemma, the existence of a concrete pre-matching p : L → S guarantees theexistence of a matchingm : L→ G for some graphsG concretisations ofS. A concrete pre-matchingp is a pre-matching whose image can be considered as a concrete“subgraph” of the shape. That is,nodes in the image ofp are concrete nodes,ie with multiplicity one. Let us explain in more detail whatthe conditions on edges and edge multiplicities are meant for. First, Condition 2 guarantees that theactual number of edges can indeed exist in some concretisation, so that an injective morphism fromLinto this concretisation can be constructed. Injectiveness ofp guarantees that there are at least as manyedges present fromv tow in GS as there are edges fromp−1(v) to p−1(w) in L (this for all labela).Finally, Condition 5 guarantees that the actual number of edges present fromv tow in GS is the samethat what is required by edge multiplicities. This of courseis underspecified ifmultout(v, a, {w}) = ω,in which case any number of edges greater or equal toµ+1 is correct as soon as this number is greateror equal to(p−1(v)) ��

a

L(p−1(w)) so that it guarantees injectiveness. This underspecified number ofedges plays a role in the definition of a concrete shape transformation.

Lemma 36. If c : L → S is a concrete pre-matching from the graphL to the shapeS, then for anygraphG concretisation ofS with injective shapings : G → S, there exists an injective morphismm : L→ G such thatc = s ◦m.

21

Proof. Let G be a concretisation ofS with corresponding injective shapings : G → S. Remarkfirst that for anyx ∈ NL ∪ EL node or edge ofL, s−1(c(x)) is a singleton set. This fact is easilyshown using thatc is a concrete pre-matching and thats is a shaping. Consider now the mappingm : NL ∪ EL → NG ∪ EG defined bym(x) = y wherey is the unique element ofs−1(c(x)). Thus,c = s ◦ m. The fact thatm is a morphism follows from the fact thats and c are morphisms, andinjectiveness ofm follows from injectiveness ofc and injectiveness ofs. ⊓⊔

Definition 37 (concrete shape transformation).LetP = (L,R) be a transformation rule andS bea disjoint shape, and letc be a concrete pre-matching fromL into S satisfying the following danglingedges condition: for all edgee of S, if src(e) ∈ c(Ndel) or tgt(e) ∈ c(Ndel), thene ∈ c(Edel). Thenthe transformation ofS according toP andc is the shapeT defined by:

– the graph part ofT , is the graphGT such thatGSP,c−→ GT ;

– the grouping relation≃T is defined by• for all v ∈ NS ∩NT , [v]≃T

= [v]≃S;

• for all v ∈ Nnew, [v]≃T= {v};

– the node-multiplicity function ofT is given by: for allv ∈ NT ,

multn,T (v) =

{

multn,S(v) if v ∈ NS ∩NT

1 if v ∈ Nnew;

– the outgoing edges multiplicity function ofT is given by: letNconcr = c(Nuse)∪Nnew andNabstr =NT r c(Nuse); thus Nconcr and Nabstr are disjoint,NT = Nconcr ∪ Nabstr and NS ∩ NT =Nabstr∪ c(N

use). Then, for allv ∈ NT , a ∈ Lab, C ∈ NT /≃T ,

multout,T (v, a, C) =

∣∣∣v ��

a

GTC

∣∣∣µ

if v ∈ Nconcr andC ⊆ Nconcr,

multout,S(v, a, C) if v ∈ Nabstr andC ⊆ Nabstr,

multout,S(v, a, C) if v ∈ Nabstr andC ⊆ c(Nuse) or v ∈ c(Nuse) andC ⊆ Nabstr,

0 otherwise;

– the incoming edges multiplicity function ofT is given by: for allv ∈ NT , a ∈ Lab, C ∈ NT /≃T ,

multin,T (v, a, C) =

∣∣∣C ��

a

GTv∣∣∣µ

if v ∈ Nconcr andC ⊆ Nconcr,

multin,S(v, a, C) if v ∈ Nabstr andC ⊆ Nabstr,

multin,S(v, a, C) if v ∈ Nabstr andC ⊆ c(Nuse) or v ∈ c(Nuse) andC ⊆ Nabstr,

0 otherwise.

We write thenSP,c−→ T . ◭

In Definition 37 we make some explicit assumptions on the setsC used in the definitions of theedge multiplicity functions ofT . Let us show that these assumptions hold and thusT is well defined.

The first assumption is that for allC ∈ NT /≃T we haveC =⊆ Nconcr or C ⊆ Nabstr, orC ⊆ c(Nuse). Let us show that for allv node ofT , [v]≃T

is a subset of one of the setsNabstr, Nnew

or c(Nuse). It is sufficient as, by definition,Nconcr = Nnew∪ c(Nuse). If v ∈ c(Nuse), by hypothesisc being a concrete pre-shaping, we know that[v]≃S

= {v}, and by definition of≃T , [v]≃T= [v]≃S

.If v ∈ Nnew, then, by definition of≃T we know that[v]≃T

= {v}. Finally, if v ∈ Nabstr, by definition

22

of ≃T we have[v]≃T= [v]≃S

⊆ NS . Moreover, as stated previously, we know thatv 6 ≃Sw for allw ∈ c(Nnew), thus[v]≃T

⊆ NS ∩ c(Nnew) = Nabstr.The second assumption we make is that wheneverC ⊆ Nabstr or C ⊆ c(Nuse), C is also a set in

NS /≃S (as it is used as argument of the edge multiplicity functionsof S). It is the case because ofthe definition of≃T , and reminding thatNS ∩NT = Nabstr∪ c(N

use).Another point to be clarified in Definition 37 is the definitionof the value ofmultout,T (v, a,C)

whenv ∈ Nconcr andC = {w} ⊆ Nconcr (the same for incoming edges multiplicity). This value isdefined as the number of edges actually present in the shape (up toµ), and not as some computationinvolving edge multiplicity functions ofS, as one may expect. This in particular means that the shapeT is not uniquely defined, and depends on the representation ofthe graph part ofS. However, this nondeterminism is intended, and guarantees correctness of concrete shape transformation with respectto the corresponding graph transformations when deletion of edges is involved. Consider nodesv,win c(Nuse) and labela with multout,S(v, a, {w}) = multin,S(v, a, {w}) = ω, and suppose that theruleP specifies the deletion ofk a-labelled edges between these nodes. ThenT hasω − k a-labellededges fromv tow, and of course this is not uniquely specified, as there may be several multiplicitiesλ ∈ Mµ such thatλ+ k = ω.

Definition 38 (Abstract Shape Transformation).LetP = (L,R) be a transformation rule,S be ashape andf : L → S be a pre-matching. We say thatS abstractly transforms intoT according toP

andc, and we writeS(P,f) T , whenever there exists a shapeS′, an abstraction morphismβ : S′ → S

and a concrete pre-matchingc : L→ S′ such thatf = β◦c, and there exists an abstraction morphism

β′ : T ′ → T , whereT ′ is the shape such thatS′ (P,c)−→ T ′.

5.2 Properties of Shape Transformations

We consider a fixed naturali ≥ 1. When we talk about neighbourhood shape and neighbourhoodshaping, we mean leveli neighbourhood shape and leveli neighbourhood shaping.

Theorem 39 (A concrete transformation is captured by some abstract one).LetP = (L,R) be

a transformation rule,G,H be graphs andm : L → G be a matching such thatG(P,m)−→ H. For any

shapeS and shapings : G → S such thats ◦m is a concrete pre-matching, there exists a shaping

morphismt : H → T , whereT is the shape such thatS(P,s◦m)−→ T .

Proof. Consider the morphismt : H → T defined byt(x) = s(x) for all x node or edge ofG, andt(x) = x for all x inNnew∪Enew. (It is immediate to see from the definitions of graph transformationand concrete shape transformation thatt is indeed a morphism). We show thatt is a shaping morphism.As in the definition of a concrete shape transformation, we distinguish the sets of nodesNconcr andNabstr in T , and letH ′ be the full4 sub-graph ofH with nodesNG rm(L). By definition,t coincideswith s onH ′ andtmaps nodes ofH ′ to nodes inNabstrand edges ofH ′ to edges whose two ends are inNabstr. Also,H ′ is a full sub-graph ofG. Thus, the multiplicity functions ofT satisfy the requirementsof a shaping when their domain is restricted toNabstr. For the node multiplicity function for nodesw ∈ Nconcr, we know by definitionmultn,T (w) = multn,S(w) = 1 and thatt−1(w) is a singletonset. For the edge multiplicity functionmultout,T (w, a, C) (we consider onlymultout,T , by symmetrythe same holds formultin,T ), we distinguish two cases: (i)w andC are not both inNconcr, and (ii)wandC are both inNconcr. For (i), once again pre-images ofw andC coincide fort ands, and also

4 By full sub-graph we mean a sub-graph defined by a subset of thenodes andall connecting edges.

23

the value ofmultout,T andmultout,S. For (ii), remind thatC is a singleton set,multout,T (w, a, C) isthe actual number of edges in the graphGT (up toµ), and by definitiont is an isomorphism in thisconcrete part. ⊓⊔

Theorem 40 (A concrete transformation is captured by canonical abstract transformation). LetP = (L,R) be a transformation rule,G,H be graphs andm : L → G be a matching such that

G(P,m)−→ H. LetS be the neighbourhood shape ofGwith corresponding shaping morphisms : G→ S,

and letT be the neighbourhood shape ofH with corresponding neighbourhood shapingt : H → T .

ThenS(P,f) T for some pre-matchingf .

Proof. By definition of abstract shape transformation, we need to show that there exist a pre-matchingf : L→ S, a shapeS′, an abstraction morphismβ : S′ → S, and a concrete pre-matchingc : L→ S′

such thatf = β ◦ c, and there exists an abstraction morphismβ′ : T ′ → T , whereT ′ is the shape

such thatS′ (P,c)−→ T ′. TakeS′ the trivial shape ofG, T ′ the trivial shape ofH, β = s, β′ = t, c = m

andf = s ◦m. Then the required conditions are satisfied by hypothesis. ⊓⊔

Theorem 41 (Concrete shape transformation vs. graph transformation). Let P = (L,R) be aproduction rule,S be a shape andc : L → S be a concrete pre-matching satisfying the danglingedge condition. For any graphG concretisation ofS with shapings : G→ S, there exists a matching

m : L→ G such thatc = s ◦m and ifH is the graph such thatGP,m−→ H, then there exists a shaping

t : H → T , whereT is the shape obtained bySP,c−→ T .

Proof. The injective morphismm : L→ G exists due to Lemma 36. We can definem(v) = s−1◦c(v),becauses is injective on the image ofc. (As a proof assumev1, v2 ∈ NG s.t. s(v1) = s(v2) forsomev ∈ VL with c(v) = s(v1). By definition of a shape, we obtainmultn,S(s(v1)) = 1 and thus∣∣s−1(v1)

∣∣ = 1 andv1 = v2.)

LetH be such thatGP,m−→ H. Define the mappingt : H → T defined by

t(v) =

{

v if v ∈ Nnew

s(v) otherwise

and analogously onEH . Mapping t is well-defined, because, by the definition of transformation,NH = (NG \m(Ndel)) ∪Nnew, ands is defined onNG. We need to show, thatt is a shaping, that is:

1. t is a morphism fromH to T2. for all v ∈ NT holdsmultn,T (v) =

∣∣t−1(v)

∣∣ν

3. for allw ∈ NT , for all a ∈ Lab, for all C ∈ NT /≃T , and for allv ∈ t−1(w),

multout,T (w, a, C) =∣∣v ��

a

H(t−1(C))∣∣µ

and analogously for incoming edges multiplicities.

ad 1. First, we show thatt(NH) ⊆ NT . Assumet(v) = v′ ∈ t(NH). There are two cases. Ifv′ ∈ Nnew, thenv′ = v ∈ Nnew ⊆ NT . Otherwise,v′ = s(v) for v ∈ NG \ s−1(c(Ndel)) (⋆).Assumev′ 6∈ NT but v′ ∈ s(NG). As v′ is not new, it must be the case, due to the definition ofNT = (NS \ c(Ndel) ∪ Nnew), thatv′ ∈ c(Ndel). Hence,v ∈ s−1(c(Ndel)) contradicting(⋆). Thecase for edges is similar.

24

As a next step, we will prove thatt(srcH(e)) = srcT (t(e)) for an arbitrary edgee ∈ EH . First,assumesrcH(e) ∈ Nnew implying e ∈ Enew. We compute

t(srcH(e)) = srcH(e) (Def. of t)= srcR(e) (Def. transformation andsrcR(e) is new)= srcT (e) (Def. shape transformation)= srcT (t(e)) (Def. of t)

In the second case, we havesrcH(e) 6∈ Nnew, that ist(srcH(e)) = s(srcH(e)) yielding another twocases depending on whether or note ∈ Enew. If e is not new, we have

s(srcH(e) = s(srcG(e))= srcS(s(e)) (s morphism)= srcT (s(e)) (Def. transformation)= srcT (t(e)) (Def. of t)

If e is new, we have instead

s(srcH(e)) = s(srcG(e))= srcS(s(e))= srcT (s(e))= srcT (t(e))

The cases for edges, target and label mapping are similar.

ad 2. Let v ∈ NT be arbitrary. Ifv ∈ Nnew, then there is only{v} = t−1(v) andmultn,T (v) = 1 bydefinition of abstract transformations. Assumev 6∈ Nnew. Ass is a shaping, we know that

∣∣s−1(v)

∣∣ν

=multn,Sv = multn,Tv, and it suffices to shows−1(v) = t−1(v), which is straightforward by definitionof t.

ad 3. This result follows immediately from the definition of≃T . By definition ofmultout,T , we caneither employ the fact thats is a shaping or, in case of new edges, none of them are equivalent toeither themselves or anything existing before, so all new multiplicities are in fact 1 as defined. Thisreasoning holds both for source and target multiplicities. ⊓⊔

Corollary 42 (Transformation of canonical shapes).LetP = (L,R) be a transformation rule,S, T

be canonical shapes andf : L → S be a pre-matching such thatS(P,f) T . LetS′, T ′ be the shapes,

c : L → S′ the concrete pre-matching andβ : S′ → S andβ′ : T ′ → T the abstraction morphisms

that witnessS(P,f) T . Then for any concretisationG of S′ with shaping morphisms : G → S′,

there exist a matchingm : L → G and a graphH such thatG(P,m)−→ H andT is (isomorphic to) the

neighbourhood shape ofH.

Proof. The matchingm exists by Theorem 41. By the same theorem, we know that there exists ashapingt : H → T ′. Thus,β′ ◦ t is a shaping fromH to T . We can conclude then thatT is aneighbourhood shaping (as it hasH as concretisation). By Lemma 24,β′ ◦ t is the neighbourhoodshaping ofH. ⊓⊔

25

5.3 Using Shape Transformations

We saw in the previous section several properties of concrete graph transformations with respect toshape transformations and shaping. In this section we informally describe how these results can beused for over-approximating a concrete labelled transition system by an abstract one.

Consider a graph production systemP = (G0,P), whereG0 is the start graph andP is a setof graph productions. As briefly described in the introduction, this production system gives rise to alabelled transition system (LTS for short)S which states are graphs, with start stateG0, and whichtransitions are applications of graph transformation rules. That is, any stateG of the LTS is a graphthat can be derived fromG0 by a final number of applications of graph productions starting fromG0.If the ruleP = (L,R) is applicable in the graphG with matchingm : L → G yielding the graphH, thenH is a state in the LTS and there exists a transition fromG toH labelled by(P,m). A pathstarting in the stateG1 in the LTSS is a sequence of graph transformation rulesP1, . . . , Pk suchthat there exists sequence of graphsG1, . . . , Gk and a sequence of matchingsmi : Li → Gi for all

i ∈ 1..k − 1 such that for alli ∈ 1..k − 1,GiPi,mi−→ Gi+1.

Consider now some fixed positive naturalsi, µ, ν defining a precision of a neighbourhood shap-ing. Define the LTSS ′ whose states are canonical shapes and whose transitions areabstract shapetransformations with:

– states ofS ′ are the neighbourhood shapes of states ofS, in their canonical representation andinitial state isS0, the neighbourhood shape ofG0;

– transitions ofS ′ are the transitionsSP,f T such that there exists a transitionG

P,m−→ H in T ,

wheres : G → S andt : H → T are the neighbourhood shapings ofG andH, respectively, andf = s ◦m.

By Theorem 40 we know that transitions in the LTSS ′ indeed correspond to abstract graph trans-formations. Note also that the LTSS ′ is finite, as there are only a finite number of canonical shapesfor fixed i, µ andν. Additionally, every path inS starting in the stateG is also a path inS ′ starting inthe neighbourhood shape ofG. Remark that the inverse does not hold, as every state ofS ′ may be theneighbourhood shape of several different states inS. Therefore,S ′ is a finite over-approximation ofS with respect to paths and can be used for verifyinge.g.temporal properties onS.

Unfortunately, the LTSS ′ can not be constructed without constructingS, which may be infinite.However, we can construct an LTS, denote itS ′′, that a computable and still finite over-approximationof S ′. The idea is to start from the canonical shapeS0 and construct iteratively all possible abstracttransformations. For a fixed stateS, the construction of its outgoing transitions inS ′′ can be done inthree steps:

Materialisation: in order to enumerate and construct all possible abstract transformations of a canon-ical shapeS, we first have to find and construct witnesses for these transformations (according toDefinition 38),ie find all rulesP = (L,R) and all pre-matchingsf : L→ S such that there exist ashapeS′ less abstract thanS with abstraction morphismβ : S′ → S and a concrete pre-matchingc : L → S′ with f = β ◦ c. Such shapesS′ are calledmaterialisationsof S. Constructing thematerialisations is described in Section 6.1 and Section 6.2;

Transformation: once we have computed all possible materialisations of the shapeS w.r.t. the graphproduction systemS, we can perform the actual transformations as concrete shape transforma-tions;

Normalisation: applying a concrete shape transformation on some materialisation of the canonicalshapeS does not necessarily result in a canonical shape. That is, the resulting graph cannot be a

26

state ofS ′′. The result of the transformation has to be abstracted to a neighbourhood shape. Thisis callednormalisationand is described in Section 6.3.

6 Materialisation and Normalisation

We define in this section the set of materialisations of a canonical shapeS w.r.t. some pre-matchingof a transformation rule. This set of materialisations is finite. In Section 6.2 we briefly describe analgorithm that allows to construct the set of materialisations and give some examples.

6.1 Definition of the Set of Materialisations

Let us first give a formal definition of what we call a materialisation. In the sequel we consider fixednaturalsi, µ, ν defining a precision of a neighbourhood shaping.

Definition 43 (materialisation). Given a leveli canonical shapeS and a graph productionP =(L,R) with pre-matchingf : L→ S, a materialisationof S according tof is a shapeS′ such that

– S is more abstract thanS′, i.e. there exists an abstractionβ : S′ → S;– there exists a concrete pre-matchingc : L→ S′ such thatf = β ◦ c;– let T ′ is the shape result of the transformation ofS′ with P, c. Then the leveli neighbourhood

shaping ofT ′ exists.

For any canonical shapeS, graph productionP = (L,R) and pre-matchingf : L→ S, we wantto construct the set of materialisationsM(S,P, f) that covers all possible transformations of someconcretisation ofS. That is, for all graphG concretisation ofS, there exists a shapeS′ in M(S,P, f)such thatS′ is a shaping forG. This set is defined as follows (the first two points coincide with thedefinition of a materialisation).

Definition 44 (The set of materialisationsM(S,P, f)). For a given leveli canonical shapeS anda graph productionP = (L,R) with pre-matchingf : L→ S, the setM(S,P, f) is composed of theshapesS′ that satisfy the following (up to shape isomorphism)

– S is more abstract thanS′, i.e. there exists an abstractionβ : S′ → S;– there exists a concrete pre-matchingc : L→ S′ such thatf = β ◦ c;– let S′′ be the shape obtained fromS′ as follows: to every nodev in c(L) of S′ is given an addi-

tional, fresh labellv . Then the shapeS′′ is a canonical shape.

Elements of the setM(S,P, f) are indeed materialisations. The point on which we have to argueis that after transformation, a shapeS′ in M(S,P, f) admits a leveli neighbourhood shape.

Lemma 45. LetS′ in M(S,P, f). Then the shapeT ′ result of the transformation ofS′ by c andPadmits a leveli neighbourhood shape.

Proof. (Sketch)Let S′′ be the shape that witnesses the fact thatS′ is a materialisation ofS; thatis, S′′ is the same asS′ except that it has fresh labels on the nodes inc(L). Consider also the ruleP ′′ = (L′′, R′′) obtained fromP by adding fresh labels to all nodes in a way thatc : L′′ → S′′ isa concrete matching. That is, fresh labels forL′′ andc(L) in S′′ coincide. Then the ruleP ′′ can beapplied toS′′ with matchingc, thus obtaining the graphT ′′. It is not difficult to see that the shapeT ′

is T ′′ from which the fresh labels have been removed. Then one can show that:

27

1. if T ′′ admits a leveli neighbourhood shaping, then does alsoT ′. It is shown in a more generalway for a shapeT ′ obtained from a shapeT ′′ be removing some unique labels. The proof of thisresult is quite technical and is given in Appendix F;

2. for all j ≤ i, ∼j is defined inT ′′ and moreover for all nodev ∈ T ′′ ∩ S′′, [v]∼jin S′′ is included

into [v]∼jin T ′′ whenever this former exists (ie wheneverv 6∈ Nnew).

These two allow to conclude thatT ′ admits a leveli neighbourhood shaping. In what follows we sketcha proof for the latter statement. Let us first point out that if∼j is defined onT ′′, then[v]∼j

= {v} inT ′′ and inS′′ for all nodev in c(L′′) ∪Nnew becausev has a unique label, and also[v]≃T ′′

= {v} bydefinition. Thus, we only have to bother about nodesv not inc(L′′)∪Nnew. Moreover, as by definitionthe grouping relations ofS′′ andT ′′ coincide on all nodes inNS′′ , the fact that∼j is defined is not aproblem as long as[v]∼j−1

in S′′ is included into[v]∼j−1in T ′′. So let us simply suppose that∼j is

defined and argue that ifv ∼j v′ in S′′, thenv ∼j v

′ in T ′′. Remark that the unique labels inc(L′′)influence the equivalence classes for∼j of the nodes that are in thej-neighbourhood ofc(L′′). Inother words, ifv ∼j v

′ in S′′, then eitherv andv′ are both far away fromc(L′′), or are both at thesame distance from all nodes inc(L′′). In the first case, it is clear that they are also far away from thenodesc(L′′) ∪ Nnew in T ′′ so they remain∼j-equivalent inT ′′. In the second case, intuitivelyv andv′ are connected exactly in the same way to all the nodesc(L′′), this is because of the uniqueness oflabels of these latter. Now ife.g.v is in thej-neighbourhood of some of the newly added nodes fromNnew, and thus “influenced” by this new node for its∼j equivalence class, thenv′ is influenced inexactly the same way because nodes inNnew are only connected to nodes inc(L′′), and because ofuniqueness of labels. ⊓⊔

Remark that the setM(S,P, f) is finite. Indeed, it is a set of canonical shapes over the initial setof labels augmented with the fresh labelslv, for v in c(L), and the number of different such canonicalshapes is finite.

Lemma 46 (Completeness of the Set of Materialisations).LetS be a neighbourhood shape. For allG concretisation ofS with corresponding shapings : G→ S, for all transformation ruleP = (L,R),and for all matchingm : L→ G, there exist a pre-matchingf : L→ S and a shapeS′ in M(S,P, f)such thatf = s ◦m andH abstracts toT ′, whereH andT ′ are the graph and the shape such that

GP,m−→ H andS′ P,f

−→ T ′.

Proof. It is immediate to see that ifm : L → G is a matching, then there exists a pre-matchingf : L → S such thatf = s ◦ m. This holds for all shapings : G → S, and not only for aneighbourhood shaping. Consider now the setM′(S,P, f) being the set of all shapesS′ defined by thefirst two conditions forM(S,P, f). That is,M′(S,P, f) is a possibly infinite over-set ofM(S,P, f).In particular, any graphG concretisation ofS is in M′(S,P, f) as its trivial shape. In other words,M′(S,P, f) is complete in the sense of the lemma. It is then enough to showthat for all shapeG inM′(S,P, f), there exists a shapeS′ in M(S,P, f) such thatS′ is more abstract thanG. This fallsto show that the third condition in the definition ofM(S,P, f) does not remove too much graphsand shapes from the setM′(S,P, f). This is indeed the case because this third condition ensures thatmaterialisations are not too abstract neither too concrete, but correspond to the level of abstraction ofa neighbourhood shaping. ⊓⊔

Proposition 47 (Minimality of the Set of Materialisations). For all G concretisation ofS withshapings : G → S, and all matchingm : L → P such thatf = s ◦m, there exists a unique shapeS′ in M(S,P, f) such thatG can be shaped toS′ with shapings : G→ S′, and such thatc = s ◦m,wherec : L→ S′ is the concrete pre-matching extracted fromf .

28

Proof. Let S1 andS2 be two shapes inM(S,P, f) which both satisfy the conditions of the proposi-tion, with shapingss1 : G → S1 ands2 : G → S2, and with concrete pre-matchingsc1 : L → S1

andc2 : L → S2. Consider now the canonical shapesS′1 andS′

2 that witness the fact thatS1 andS2

are materialisations (according to the third condition in the definition ofM(S,P, f).) Consider alsothe graphG′ obtained fromG by adding the fresh labellv to the nodem(v), this for allv node ofL.Then it is easy to see thats1 : G′ → S′

1 ands2 : G′ → S′2 are shapings. Moreover, asS1 andS2

are canonical shapes, then necessarilys1 ands2 are canonical shapings. As each graph has a uniqueneighbourhood shape, necessarilyS′

1 andS′2 are the same canonical shape. By definition ofS′

1 andS′

2 it immediately follows thatS1 andS2 are the same shape, as by definition elements ofM(S,P, f)are unique up to isomorphism. ⊓⊔

6.2 Effective Construction ofM

In order to effectively construct an abstract labelled transition system, one needs to be able to effec-tively construct the set of materialisationsM(S,P, f) for all canonical shapeS and a pre-matchingf : L→ S for the ruleP = (L,R). We give here a sketch of an algorithm for constructing the set ofmaterialisations.

Intuitively, a materialisation is composed of an abstract part and a materialised part. The abstractpart is the initial shapeS or sub-graphs of it. The materialised part is composed of a concrete copyof f(L) and its neighbourhood of radiusi, wherei is the level of neighbourhood shaping. The mainidea of the algorithm is to “extract” a concrete copy off(L) from S, remap the matchingf intothis concrete part yielding a concrete pre-matchingc, and then modify the obtained structure until itbecomes a correct materialisation. Remind that the structure is a materialisation if one can attach freshnames to the nodes inc(L) and obtain a neighbourhood shape. This intuitively means that in radiusi from the concrete partc(L), two nodes of any concrete graph may be grouped together onlyif theyare connected in exactly the same way to all nodes fromc(L) (up to edge multiplicities).

The algorithm starts from the shapeS and iteratively constructs structures that are a kind of pre-materialisations and refines these until they become correct materialisations. This is done by iteratingover the following steps:

extract and connect for the first iteration, “extract” a concrete copy off(L) from the shape, remapf into this concrete copy yielding a concrete pre-matchingc(L) and associate fresh labels to thenodes inc(L). This copy becomes the materialised part that will be widened by adding new nodesto it during the next iterations. For the second and next iterations, “pull” along the edges thatconnect the materialised part and the abstract part for extracting new nodes. One has to extractone node for any possible configuration with respect to the connection withc(L). The new nodesbecome part of the materialised part. Any of these extractions is accompanied by connecting allnewly extracted nodes with the abstract part in all possibleways and updating node end edgemultiplicities;

update grouping relation the grouping relation is updated so that any node that is at distance lessthan i − 1 from the concrete partc(L) becomes alone in its equivalence class for the groupingrelation. This is necessary because the fresh labels inc(L) influence the∼i−1 equivalence relationfor these nodes, which should be equal to the grouping relation (in a neighbourhood shape);

choose nodes and edgesas in the first step adds new nodes and edges, and the second step acts onthe grouping relation by splitting groups, edges that previously had all their start (or end) pointsin the same group may not be grouped anymore, but still they have associated common edgemultiplicity. The algorithm splits these multiplicity functions in all possible ways so that edges in

29

the materialised part have correct edges multiplicities. This is not done for edges in the abstractpart (as it is not always possible).

6.3 Normalisation

Applying a shape transformation to a materialisation shapedoes not yield a canonical shape. The roleof the normalisation is to perform the neighbourhood shaping of such shapes. LetS′ be a materiali-

sation inM(S,P, f), andT ′ be the graph resulting of the concrete shape transformationS′ (P,c)−→ T ′,

wherec is the concrete pre-matching corresponding tof . By definition, we know thatT ′ admits alevel i neighbourhood shape, denote itT .

6.4 Back to the Construction of the Abstract Labelled Transition System

Now all the ingredients for constructing an abstract labelled transition systemS ′′ (ALTS) are there.Consider the neighbourhood shapeS0 and set of production rulesP. Initially, S0 is the unique stateof the ALTS, and there are no transitions. For any stateS in the ALTS, and for any production ruleP = (L,R), we compute all pre-matchingsf : L → S. For all pre-matchingf , the set of materiali-sationsM(S,P, f) is computed. For all materialisationsS′ in M(S,P, f), the actual concrete shape

transformation is performedS′ (P,c)−→ T ′, wherec is the concrete pre-matchingc : L → S′ deduced

from f . Finally, the neighbourhood shapeT of T ′ is computed. IfT is not a state of the ALTS, then itis added as a state. Then a transition fromS to T with labelP, f is added to the ALTS.

Note that the ALTS is non deterministic (a state may have several outgoing transitions with thesame label), whereas a concrete LTS is always deterministic. This is because the one state can haveseveral materialisations for a fixed rule and a fixed pre-matching. In the concrete case, a rule with amatching uniquely define an application of a graph transformation and its result.

The ALTSS ′′ constructed this way is an over-approximation of all (concrete) LTSS with startgraphG0 and set of rulesP, for all graphsG0 which neighbourhood shape isS0, in the followingsense:

For any pathG1P1,m1

−→ G2P2,m2

−→ · · ·Pn−1,mn−1

−→ Gn in S, where theGi are states ofS, thePi = (Li, Ri) are transformation rules and for alli ∈ 1..n − 1,mi : Li → Gi are matchings,

there exists a unique pathS1P1,f1−→ S2

P2,f2−→ · · ·

Pn−1,mn−1

−→ Sn in S ′′, where for alli, Si is theneighbourhood shape ofGi with corresponding shapingsi : Gi → Si, andfi = si ◦mi.

To show that this property indeed holds, we need to show what follows.

1. For all concrete transitionGP,m−→ H, there exists an abstract transitionS

P,f T , whereS and

T are the neighbourhood shapes ofG andH, respectively, andf = s ◦ m for s : G → S theneighbourhood shaping ofG. This is ensured by Theorem 40.

2. This abstract transition is indeed computed and added as atransition ofS ′′. That is, show thata witness for this abstract transformation exists in the setM(S,P, f). This is ensured by thecompleteness of the set of materialisations (Lemma 46) and by the composition of neighbourhoodshapings for graphs and shapes (Lemma 23). By completeness of the set of materialisations weknow that there exists a shapeS′ in M(S,P, f) that abstraction forG, and that can be transformedto simulate the actual transformation ofG; let the shape resulting from the transformation beT ′.By composition of neighbourhood shapings, we know that the normalisation ofT ′ yields is theneighbourhood shape ofH.

3. Uniqueness of the pathS1P1,f1−→ S2

P2,f2−→ · · ·

Pn−1,mn−1

−→ Sn is ensured by uniqueness of neighbour-hood shapes.

30

7 A Modal Logic for Graphs and Shapes

In this section we define a modal logic with forward and backward modalities and counting that canbe interpreted on graphs and on shapes. We show that this logic is preserved and reflected by shapingand abstraction morphisms.

Before giving a formal definition of syntax and semantics of this logic, let us give a flavour of itby some examples.

Example 48.Consider the graph depicted on Figure 1, representing a liststructure. Here are someproperties that one could want to express for similar list structures:

1. any cell has an associated value that is some object,ie any Cell-node has an outgoingval-edgeleading to anObject-node. This can be expressed by the following formula:

Cell → 〉val〉1 ·Object.

The 〉val〉1 operator is a forward existential modality, indicating theexistence of an outgoingvaledge. With the modality is associated a multiplicity, here1, which is interpreted as “at least one”outgoingval-edge;

2. analogously, any object is the value associated to some cell, ie anyObject-node has an incomingval-edge coming from aCell-node. This is expressed by the formula

Object → 〈val〈1 ·Cell.

Here,〈val〈1 is a backward modality and indicates the existence of at least one incomingval-edge;3. we can go further and express that objects are not shared between different list cells,ie every

Object-node has exactly one incomingval-edge coming from aCell-node:

Object → ( 〈val〈1 ·Cell ∧ ¬〈val〈2 ·Cell ).

Here,¬ is the negation operator and∧ is conjunction. ◭

7.1 Syntax of the Logic

Consider a finite set of atomic propositionsP. A L(P) logic formulaφ is defined by the followingsyntax:

φ ::= tt | p | ¬φ | φ ∨ φ | φ ∧ φ | 〉a〉λ ·φ | 〈a〈λ ·φ

wherea is a label inLab, p ∈ P andλ is an element ofMµ; tt stands for the true formula,〉a〉λ·φ and〈a〈λ ·φ are forward and backward existential modalities, respectively, and¬, ∨ and∧ are the usuallogical operators.5

In Example 48, we have used labels as atomic propositions,ie the formulae in this example areL(Lab) formulae.

Thenesting depthd(φ) of a logic formulaφmeasures the maximal number of nested modalities. Itis defined recursively on the structure ofφ as :d(p) = d(tt) = 0, d(〉a〉λ·φ) = d(〈a〈λ·φ) = 1+d(φ),d(¬φ) = d(φ), d(φ ∨ φ′) = d(φ ∧ φ′) = max (d(φ), d(φ′)) for anya in Lab. We denoteLi(P) theset of logic formulae with nesting depth at mosti.

5 We explicitly add here the redundant operatorstt and∧ because in the latter we will be interested in the logic withoutnegation, which in this case can simply be defined as a syntactical fragment.

31

7.2 Satisfaction on Graphs and Shapes

Logic formulae are interpreted in graph nodes. LetG be a graph andγ : NG → 2P be a valuationfunction that associates a set of atomic propositions with any node ofG. For a graphG, a nodev inNG, a valuationγ, and a formulaφ, thesatisfaction relationG, v, γ |= φ is defined recursively on thestructure ofφ by:

– G, v, γ |= tt;– G, v, γ |= p if p ∈ γ(v);– G, v, γ |= ¬φ if G,n, γ 6|= φ;– G, v, γ |= φ ∨ φ′ if G, v, γ |= φ orG, v, γ |= φ′;– G, v, γ |= φ ∧ φ′ if G, v, γ |= φ andG, v, γ |= φ′;– G, v, γ |= 〉a〉λ ·φ if |{e ∈ v�a | G, tgt(e), γ |= φ}|µ ≥ λ;

– G, v, γ |= 〈a〈λ ·φ if |{e ∈ v�a | G, src(e), γ |= φ}|µ ≥ λ.

If G, v, γ |= φ, we say thatφ holds in nodev. We sometimes omitγ if it is clear from the context.Intuitively, a formula of the form〉a〉λ ·φ holds in a nodev if the –µ-bounded– number ofa-labellededges (e) connecting it to some nodev′ (srcG(e) = v andtgtG(e) = v′) in which φ holds is at leastλ. Analogously,〈a〈λ ·φ holds inv if the number ofa-labelled edges connecting some suchv′ to v isat leastλ.

Back to Example 48 with the definition of satisfaction of the logic in mind, one can notice that inthis example the valuationγ is not specified. As we pointed out, the formulae in this example are inL(P). A natural valuation for this logic is the one that associates to each node the set of its labels;ieγ(v) = labG(v) for all v in NG, and for all graphG.

The satisfaction relation is defined for a shape almost in thesame manner as it is defined for agraph. The differences are in the way it is defined for a modality formula:

– S, v, γ |= 〉a〉λ ·φ if λ ≤∑µ

C∈X multout,S(v, a, C) where

X = {C ∈ NS /≃S | ∀w ∈ C. S,w, γ |= φ} ;

– S, v, γ |= 〈a〈λ ·φ if λ ≤∑µ

C∈X multin,S(v, a, C) where:

X = {C ∈ NS /≃S | ∀w ∈ C. S,w, γ |= φ} .

In the case of shapes, formulae are interpreted a bit differently. We no longer count individuala-labelled edges going out of (resp. coming into) a node, but instead sum-up the outgoing (resp. incom-ing) edge multiplicities associated to that node and to a group of nodesC such that all nodes inCsatisfy the formulaφ.

Example 49.Back to our list example, the formulaCell → 〈Next〈1 ·(List ∨ Cell) holds all nodes ofthe shape on Figure 5.

7.3 Preservation by Abstraction Morphism

Let s : G → S be a shaping morphism from the graphG to the shapeS. We say thats preservesapropertyp if wheneverp holds in the nodev of S, it also holds in the nodes(v) of S. Inversely, wesay thats reflectsp if wheneverp holds in the nodeα(v) of S, it also holds in the nodev of G. Onecan also talk about preservation and reflection by an abstraction morphismα : S → T .

32

Preservation and reflection are very important characterisations. If an abstraction preserves a setof properties, these properties can be verified on the abstract level. If an abstraction reflects a setof properties, then any characterisation of a shape graph also holds for its concretisations. If bothpreservation and reflection hold, verifying a property on a graph is equivalent to verifying it on theabstract level.

As we will see in the next section, the neighbourhood shapingpreserves and reflects all propertiesdefined by logic formulae of the corresponding depth. We start in this section by a more general resultabout preservation and reflection by abstraction morphism,identifying the necessary conditions for itto hold.

In Definition 50 we define what we mean by preservation and reflection of a property, in the mostgeneral case. In Proposition 51 we announce the result for preservation and reflection for abstractionmorphisms, and in Proposition 53 the one for general shapings.

Definition 50. LetP be a set of atomic propositions,S, T be shapes,γS : NS → 2P andγT : NT →

2P be valuations, and letR be a set of properties such that the satisfaction relationsS, v, γS |= pandT,w, γT |= p are defined for any nodesv ∈ NS , w ∈ NT and for any propertyp ∈ R. We saythatα preservesR underγS , γT if for any p ∈ R and for anyv ∈ NS we haveS, v, γS |= p impliesT, α(v), γT |= p. We say thatα reflectsR underγS , γT if for anyp ∈ R and for anyv ∈ NT we haveT, v, γT |= p impliesS,w, γS |= p for anyw ∈ α−1(v).

In the following we show how, under some conditions on the relationship betweenα, ≃T andγT ,the satisfaction of logic formulae of depth one is preservedand/or reflected byα. For a shapeT anda valuationγ : NT → 2P we say that≃T is compatible withγ if for any two nodesv,w of T , ifv ≃T w, thenγ(v) = γ(w). The negation free fragment ofL1(P) is the set ofL1(P) formulae thatdo not use the negation operator (¬).

Proposition 51 (Preservation and Reflection).LetP be a set of atomic propositions,S, T be shapes,γS : NS → 2P andγT : NT → 2P be valuation functions such that≃T is compatible withγT , andlet α : S → T be an abstraction morphism.

(preservation) If α preservesP underγS , γT , thenα preserves the negation free fragment ofL1(P)underγS , γT .

(reflection) If α reflectsP underγS, γT , thenα reflects the negation free fragment ofL1(P) underγS , γT .

(preservation and reflection) 6 If α preserves and reflectsP under γS , γT , thenα preserves andreflectsL1(P) (possibly with negation) underγS , γT .

Proof. See appendix E.

This preservation and reflection result can easily be extended on shaping (ie for S being a graphandα a shaping morphism in the previous proposition). One can define preservation and reflection onthe same way for shaping as for abstraction morphisms, as well as the notion of a grouping relationcompatible with a shaping. We only enunciate the result without explicitly giving the definitions.

6 Preservation for formulae with negation may seem contradictory with the Morphism Preservation Theorem for finitestructures [13]. This theorem states that a first-order formula is preserved by morphism if, and only if, it is equivalentto an existential positive formula. Some modal logic formulae cannot be expressed in first-order logic without negation(e.g.¬〉a〉λ ·tt.) However, in our case, shapes contain information on interpretation of such negated formulae, by meansof the multiplicity functions, which explains this apparent contradiction.

33

Proposition 52. LetP be a set of atomic propositions,G be a graph,S be a shape ands : G → Sbe a shaping compatible withP.

(preservation) If s preservesP, thens preserves any negation-freeM(P) formulaφ.(reflection) If s reflectsP, thens reflects any negation-freeM(P) formulaφ.(preservation and reflection) If s preserves and reflectsP, thens preserves and reflects anyM(P)

formulaφ.

Proof. It is easy to show for the trivial shapingtG. Then the result follows from composition ofabstraction morphisms and the Proposition 51.

7.4 Preservation and Reflection for Neighbourhood Shaping

The neighbourhood shaping enjoys the good properties of preservation and reflection ofL(Lab) for-mulae with the appropriate depth.

Proposition 53 (Preservation and Reflection).LetG be a graph andS be a shape obtained by theleveli neighbourhood shaping ofG, for somei ≥ 1, with corresponding shapings : G → S. Thenspreserves and reflectsLi(Lab).

Proof. (Sketch)The proof goes by induction oni, using Proposition 51 and the fact thatLi+1(Lab) isequivalent toL1(R) whereR is the a set properties defined byLi(Lab).

Thus, for any propertyφ of L(Lab) to be verified on a graphG, one can use the leveli neighbour-hood shape ofG for verifying φ, wherei is the nesting depth of the formulaφ. This means that theneighbourhood shaping provides a graph abstraction mechanism that is parametrised by the propertieswe want to verify, and that guarantees preservation and reflection of these properties.

Example 54.DenoteG the graph on Figure 1 andS its level one neighbourhood shape (Figure 6), andlet s : G → S be the corresponding neighbourhood shaping. Letφ be the formula of nesting depthtwo 〉Next〉1 ·〉Next〉1 ·tt (which intuitively expresses that there is aNext-path of length two startingfrom the node). We have thatS,w3 |= φ, butG, v4 6|= φ, ands(v4) = w3. That is,φ is not reflected bys. Consider nowT the level two neighbourhood shape ofG, depicted on Figure 7; the correspondingshapingt : G → T is not difficult to define. One can easily check that the formulaφ is reflected byt.

◭

7.5 Relationship between the Logic and Neighbourhood Shaping

The modal logic that we presented in this section is tightly related to the neighbourhood equiva-lence relation and canonical names. We already stated in Lemma 28 that two nodes of a graph areneighbourhood equivalent if, and only if, they have the samecanonical name. Here we enlarge thischaracterisation by the logic: two nodes arei-neighbourhood equivalent if, and only if, they satisfythe same logic formulae of depthi.

Lemma 55. Two nodesv, v′ of a graph G arei-neigborhood equivalent if, and only if, the sameLi(Lab) formulae hold inv and inv′.

Proof. See appendix G

The following relationship between canonical names and logic formulae is also easy to see: to anycanonical name corresponds a logic formula that holds exactly in the nodes having this name.

34

Lemma 56. For any i ≥ 1 and any leveli node canonical nameC, there exists anLi(Lab) formulaφC such that for any graphG and any nodev ofG, namei(G)(v) = C if, and only if,G, v |= φC .

Proof. (Idea)The formulaφC can be effectively constructed by induction oni.

8 Related Work

Abstract Graph TransformationsIn [9] one of the authors defined a notion of abstract graphs inwhich abstract graph nodes may summarise an unbounded number of concrete graph nodes. Theseabstractions are only used for deterministic simple graphs. With the abstract graph are associatedconstraints on the multiplicities of incoming and outgoingedges for the nodes in a concrete instance.In the same paper are also introduced canonical abstract graphs whose size is bounded and that roughlycorresponds to the level one neighbourhood abstraction in the present work. In [11] these canonicalabstract graphs are used for transformations.

In [2] are introduced the so called Partner Graph Grammars, suitable formalism for dynamic com-munication systems. They come with an abstraction mechanism on graphs and an adequate notionof abstract graph transformations. Preservation and reflection are shown for first-order logic with-out equality and an interesting subclass of abstraction morphisms. Moreover, a CTL-based logic onlabelled transition systems is showed to be invariant underabstraction.

Shape Analysis and 3-Valued LogicThe work of Sagivet al. on shape analysis (see [14,15] foroverviews) has resulted in different abstraction mechanisms allowing to finitely abstract structures ofunbounded size. In [15] is presented an abstraction framework that can be parametrised by the proper-ties to be preserved; the framework is implemented in the TVLA tool [8,16]. In this work, the authorsuse logical structures to represent memory states of programs; abstract structures are 3-valued logi-cal structures. Properties on these structures are defined using first-order logic with transitive closure(FO+TC). Dynamics of systems are encoded by updating the sets of predicates associated to the (ab-stract or concrete) structure. As graphs are logical structures and our modal logic can be encoded intofirst-order logic, the abstraction mechanism proposed in [15] is more general than the ours. Concern-ing preservation of logical properties, Sagivet al.’s “embedding theorem” states that any informationextracted from an abstract structure via a FO+TC formulaφ is a conservative approximation of theinformation extracted from the concrete structure viaφ. In this sense, our preservation and reflectionresult is more general than the embedding theorem, but holdsfor a modal logic and abstraction mech-anism that are weaker than FO+TC and abstraction using abstraction predicates. We believe that thebenefits of our approach come from the possibility of full automation. A set of graph transformationrules that is given as concrete semantics can be used as is forthe abstract semantics. Moreover, weguarantee to preserve the precision defined by depthi logic formulae, wherei is the level of abstrac-tion. In TVLA, it may be necessary to define “by-hand” some update-predicates in order to guaranteethe required precision. Apart complexity issues, our framework should be easy to integrate into agraph transformation tool such as GROOVE [7].

Abstract Regular Model CheckingIn regular model checking (seee.g.[5,1]), states of programs arerepresented as words or trees on finite alphabets, and dynamics are modelled as word or tree trans-duction. Initial states of a system are represented by a regular (word or tree) automatonInit, and badconfigurations by a regular automatonBad. Checking whether a bad configuration is reached consistsin testing whether the setτ∗(Lang(Init)) ∩ Lang(Bad) is empty, whereτ is the transduction, andτ∗

designates a repetition of this transduction. In general the problem is not decidable, asτ∗(Lang(Init))

35

may not be computable in a finite number of steps. Abstract regular (word or tree) model checking[4,3] proposes a method for over-approximating the set of reachable statesτ∗(Lang(Init)) by a setof the formLang(τ∗α(Init)), whereα is an appropriate abstraction function for automatons, andτα isintuitively the (tree or word) transducerτ lifted to automatons. That is,τα allows to apply transfor-mations on sets of trees or words, and a parallel may be made with transformation of abstract graphswhich actually aims to over-approximate transformations of the set of their concretisations.

Logic Based ApproachesNot so closely related but still relevant are several methods for modellingprogram states – or the memory heap – by relational structures, and operations by instructions modify-ing these relational structures; these can be qualified as logic-based approaches. For example, in [17]is introduced a fragment of first-order logic with transitive closure for expressing properties on linkeddata structures, represented as graphs. The logic allows tospecify pre-conditions and post-conditions,and to verify loop invariants. Program operations are directly expressed in the logic. We can also siteseparation logic (see [12] for an introduction) which has been a very active field of research for thelast few years.

9 Conclusion and Further Directions

We presented a general mechanism for graph abstraction. We also defined graph transformations forabstract graphs that allows to approximate behaviour of systems defined as graphs and graph trans-formations. As the number of possible different abstract graphs is finite, this approximation is finite.The construction of an abstract labelled transition systemcan be fully automatised. Our abstractionmechanism can be parametrised in several ways, thus obtaining different levels of precision. In par-ticular, this can be parametrised in order to preserve and reflect properties on graphs expressed in amodal logic that we also present in this paper. That is, the abstraction will guarantee that a (finite)set of properties hold in a graph if, and only if, they hold in its abstraction, and this also holds for allabstract graphs obtained by graph transformations starting from some initial start graph. This givesa parametrisable and fully automatised framework for verifying properties on systems described bygraphs and graph transformations.

Our abstraction mechanism presents however some drawbackswhich cause poor efficiency. Thisis related in the precision of the abstraction.

Precision Our abstraction mechanism is not very precise, in the sense that concretisations of the sameabstract graph may be very different in their shape and structure (see for example the list-like shapeon Figure 3(c) and its concretisations on Figure 4(c)). Obviously, abstraction always leads to lossof precision. However, one could hope that the abstraction method is precise enough for interestingexamples such as list and list manipulations.

Complexity The insufficient precision is closely related to performance issues. Performing graphtransformations on abstract graphs requires the so called materialisation step, which consists in locallyconcretising the abstract graph in order to extract a copy ofthe left-hand side of the graph transfor-mation rule on which the actual transformation can be performed. In our abstraction mechanism, thematerialisation part may lead to a very large number of materialisations. Each of this materialisationspotentially results into a different application of the transformation rule, and a different result graph.This affects the performance of our algorithm, as we have to explore many different abstract trans-formations, and lots of them may never occur into a concrete labelled transition system. Moreover, as

36

we do not have a procedure for deciding whether an abstract graph admits concretisations (see Con-jecture 33), the abstract labelled transition system may contain states that do not correspond to anyconcrete graph.

In order to improve our mechanism for abstract transformations, we need to improve the precisionof the abstraction. This could be done in several ways.

One possible direction to be explored is restricting the graphs on which we apply the method. Forinstance, deterministic graphs have shown to be a good modelfor software systems and the memoryheap and in our method we can expect that this restriction would decrease the number of possibleabstract graphs.

Another improvement would be to increase the precision of the abstraction mechanism. However,one has to be careful with adapting the abstraction mechanism especially if the result of preservationof logic formulae is to be kept. The difficulty comes from the fact that whatever properties one de-cides to preserve (and make them parameters of the abstraction mechanism), these properties shouldbe possible to update on abstract graphs after a graph transformation. We have several examples ofsuch properties that give an interesting improvement of theprecision, but can not be updated aftertransformation. Cyclicity and connectivity are such examples. That is, if a cyclicity or connectivityproperty is associated to some node or a set of nodes, then after performing an abstract graph transfor-mation we cannot tell whether it still holds. However, the information on existence of cycles of smallsize may be integrated with using for instance hybrid logic.

A third possibility is to restrict the graph transformations that we allow. This is related to oursecond direction on improving precision. Actually, the abstract transformation mechanism and theabstraction mechanism are closely related, in the sense that properties used for abstraction should bepossible to update, or at least conservatively update, after the graph transformation.

References

1. ABDULLA , P. A., JONSSON, B., MAHATA , P.,AND D ’ORSO, J. Regular tree model checking. InProceedings of 14thInternational Conference on Computer Aided Verification (CAV’02) (2002), vol. 2404 ofLNCS, SV, pp. 555–568.

2. BAUER, J. Analysis of Communication Topologies by Partner Abstraction. PhD thesis, Universitat des Saarlandes,2006.

3. BOUAJJANI, A., HABERMEHL, P., ROGALEWICZ, A., AND VOJNAR, T. Abstract regular tree model checking. InPro-ceedings of the 7th International Workshop on Verification of Infinite-State Systems (INFINITY 2005)(2006), vol. 149of ENTCS, Els, pp. 37–48.

4. BOUAJJANI, A., HABERMEHL, P., AND VOJNAR, T. Abstract regular model checking. InProceedings of 16thInternational Conference on Computer Aided Verification (CAV’04) (2004), no. 3114 in LNCS, SV.

5. BOUAJJNI, A., JONSSON, B., NILSSON, M., AND TOUILI , T. Regular model checking. InProceedings of 12thInternational Conference on Computer Aided Verification (CAV’00) (2000), vol. 1855 ofLNCS.

6. COUSOT, P. Abstract interpretation.Symposium on Models of Programming Languages and Computation, ACMComputing Surveys 28, 2 (June 1996), 324–328.

7. The GROOVE tool.http://groove.sf.net/ .8. LEV-AMI , T., AND SAGIV, M. TVLA: A System for Implementing Static Analyses. InSeventh International Static

Analysis Symposium (SAS’00)(2000).9. RENSINK, A. Canonical graph shapes. InProgramming Languages and Systems — European Symposium on Pro-

gramming (ESOP)(2004), D. A. Schmidt, Ed., vol. 2986 ofLecture Notes in Computer Science, Springer-Verlag,pp. 401–415.

10. RENSINK, A. The GROOVE Simulator: A tool for state space generation.In Applications of Graph Transformationswith Industrial Relevance (AGTIVE’03)(2004), pp. 479–485.

11. RENSINK, A., AND DISTEFANO, D. Abstract graph transformation. InInternational Workshop on Software Verifica-tion and Validation (SVV)(2005), Electronic Notes in Theoretical Computer Science.

12. REYNOLDS, J. C. Separation logic: A logic for shared mutable data structures. In17th IEEE Symposium on Logic inComputer Science (LICS 2002)(2002), IEEE Computer Society, pp. 55–74.

37

http://groove.sf.net/

13. ROSSMAN, B. Existential positive types and preservation under homomorphisms. In20th IEEE Symposium on Logicin Computer Science(2005), CSP, pp. 467–476.

14. SAGIV, M., REPS, T., AND WILHELM , R. Solving shape-analysis problems in languages with destructive updating.ACM Trans. Program. Lang. Syst. 20, 1 (Jan. 1998), 1–50.

15. SAGIV, M., REPS, T., AND WILHELM , R. Parametric shape analysis via 3-valued logic.ACM Trans. Program. Lang.Syst. 24, 3 (May 2002), 217–298.

16. The TVLA tool.http://www.cs.tau.ac.il/˜tvla/ .17. YORSH, G., RABINOVICH , A., SAGIV, M., MEYER, A., AND BOUAJJANI, A. A logic of reachable patterns in linked

data-structures. InProceedings Foundations of Software Science and Computation Structures, 2006 (FOSSACS 2006)(2006), vol. 3921 ofLNCS, SV.

38

http://www.cs.tau.ac.il/~tvla/

A Proof of Proposition 12

Proposition 12 Let S, T andU be shapes,f be an abstraction morphism betweenS andT and ganother such morphism betweenT andU . Theng ◦ f (the function composition off and g) is anabstraction morphism betweenS andU .

Proof. The first two axioms of Definition 11 are not difficultly seen tobe met forg ◦ f . For the thirdone, we only consider the property on the outgoing edges multiplicity function; the one for incomingedges multiplicity follows by symmetry.

Consider a nodew in NU , a labela and a class of group-equivalent nodesC ∈ NU /≃U . Let alsov′ ∈ NT be a node such thatf(v) = v′ andg(v′) = w. Then, byg being an abstraction morphism,we know that

multout,U (w, a, C) =

µ∑

D′ ∈ (g−1(C))/≃T

multout,T (v′, a,D′).

On the other hand, byf being an abstraction morphism and by definition ofv′, the right-hand side ofthis equality can be developed giving the following

multout,U (w, a, C) =

µ∑

D′ ∈ (g−1(C))/≃T

µ∑

D ∈ (f−1(D′))/≃S

multout,S(v, a,D).

Now, given that anyD′ in the inner sum is mapped to one and only oneD (this is a basic consequenceof f being a – total – function), we can combine the two sums into one:

multout,U(w, a, C) =

µ∑

D ∈ (f−1(g−1(C)))/≃S

multout,S(v, a, C),

which asserts thatg ◦ f is an abstraction morphism betweenS andU . ⊓⊔

B Proof of Lemma 23

Lemma 23LetG be a graph,S, T be a shapes,s : G → S, t : G → T be shaping morphisms, andβ : T → S be an abstraction morphism such thats = β ◦ t.

1. If s is the neighbourhood shaping ofG, thenβ is the neighbourhood shaping ofT .2. If β is the neighbourhood shaping ofT , thens the neighbourhood shaping ofG.

For Statement 1, the proof goes as follows (see also Figure 9):

– We first show that the neighbourhood shaping ofT exists, let it be the morphismβ′ : T → T ′,– We then define that there exists a morphismf : T ′ → S which is an abstraction isomorphism and

such thatβ = f ◦ β′.

For Statement 2, we show that there exists a morphismf : S′ → S such thats = f ◦ s′, wheres′ : G→ S′ is the neighbourhood shaping of the graphG. See also Figure 10.

In the following we consider a fixedi for the level of neighbourhood shaping.

39

Figure 9. Proof of Statement 1

B.1 Proof of the Statement 1

The Neighbourhood Shaping ofT exists For showing that the neighbourhood shaping ofT exists,it is enough to show that∼i is defined. By definition,∼i is defined if∼i−1 is defined and≃T⊆∼i−1.This is shown in the following lemma.

Lemma 57. LetG be a graph,S, T be a shapes,s : G → S, t : G → T be shaping morphisms, andβ : T → S be an abstraction morphism such thats = β ◦ t. If s is the neighbourhood shaping ofG,then∼i−1 is defined on the nodes ofT , and≃T⊆∼i−1.

Lemma 57 will be shown in Section B.3. The proof of this lemma allows to establish the followingcorollary. This corollary will be used later on for the proofof Statement 1, and also for the proof ofStatement 2. Corollary 58 is also shown in Section B.3.

Corollary 58. LetG be a graph,S, T be a shapes,s : G → S, t : G → T be shaping morphisms,andβ : T → S be an abstraction morphism such thats = β ◦ t. If at least one of these conditions isverified:

1. s is the neighbourhood shaping ofG,2. β is the neighbourhood shaping ofT ,

then for any0 ≤ j ≤ i, and fol allv, v′ ∈ NG and all e, e′ ∈ EG,

v ≡j v′ ⇔ t(v) ∼j t(v

′) and e ≡j e′ ⇔ t(e) ∼j t(e

′).

The Abstraction Isomorphism f Exists We show here that there exists a morphismf : T ′ → Swhich is an abstraction isomorphism and such thatβ = f ◦ β′ (see Figure 9). Remind that thatβ′ : T → T ′ is the neighbourhood shaping ofT . We start by defining a mappingf from nodes andedgesT ′ to nodes and edges ofS, and we show that this mapping is a morphism, it is bijective and fandf−1 are abstraction morphisms.

Define a mappingf such thatβ = f ◦ β′ Remind that the shapingt and the abstraction morphismβ′ are surjective. Thus, any node (resp. edge) ofT ′ can be written ast(β′(x)) for some node (resp.edge)x of G. Thenf is defined by: for anyt(β′(x)) node or edge ofT ′, f(t(β′(x))) = s(x). Thenβ = f ◦ β′ by definition off and usings = β ◦ t.

Show thatf is a morphismThe fact thatf defined as previously is a morphism is not very difficult todeduce using thatt, β, β′ are morphisms.

Show thatf is a bijection Showing thatf is a surjection is easily done using the definition off andthe fact thats is a surjection. Let us show thatf is an injection, that is, for anyt(β′(v)), t(β′(v′))nodes ofT ′, if t(β′(v)) 6= t(β′(v′)), thens(v) 6= s(v′). Now, t(β′(v)) 6= t(β′(v′)) if, and only if,,by definition,t(v) 6 ∼it(v

′) and, using Corollary 58, if, and only if,v 6 ≡iv′, which is equivalent to

s(v) 6= s(v′) by definition of the neighbourhood shapings. The same reasoning can be applied toedges.

40

Figure 10.Proof of Statement 2

Show thatf and f−1 are abstraction morphismsThis is not difficult to show using the followingfacts:

1. for all nodesw,w′ of T ′, w ≃T ′ w′ if, and only if, f(w) ≃T ′ f(w′). This follows from thefact that≃T ′=∼i and≃S=≡i, and using the dependence and characteristics of the shapings andabstraction morphismss, t, β, β′, f ;

2. for all node or edgex of S, s−1(x) = (t ◦ β′ ◦ f)−1(x). This fact together with the previous oneensure equality of the multiplicity functions ofS andT ′.

B.2 Proof of Statement 2

We start by definingf first as a mapping, then showing that it is indeed a morphism, abijection, andf andf−1 are abstraction morphisms.

Define a mappingf such thats = f ◦ s′ Remind thats′ : G → S′ is the neighbourhood shapingof G. As s′ is a shaping morphism, it is surjective, thus any node (resp.edge) ofS′ can be written ass′(x) for x a node (resp. edge) ofG. Thenf is defined by: for anyx ∈ NG ∪ EG, f(s′(x)) = s(x).Thus,s = f ◦ s′ by definition.

Show thatf is a morphism Showing thatf is a morphism is not difficult using thats′ and s aremorphisms.

Show thatf is a bijection The morphismf is surjective ass′ ands are surjective. For injection, wehave to show that for all nodesv, v′ ofG, if s′(v) 6= s′(v′), thens(v) 6= s(v′) (and the same for edges,but it easily follows). Ass′ is the neighbourhood shaping ofG, we know thats′(v) 6= s′(v′) if, andonly if, v 6≡i v

′. On the other hand, ass = β ◦ t andβ is the neighbourhood shaping ofT , we havethats(v) 6= s(v′) if, and only if, t(v) 6∼i v

′. Now, by Corollary 58 we know thatv 6≡i v′ if, and only

if, t(v) 6∼i v′, which shows thatf in injective.

Show thatf andf−1 are abstraction morphismsAs for Statement 1, it is not difficult to show usingthe results that have already been established.

B.3 Proofs of Lemma 57 and Corollary 58

Let us first show Lemma 57, then we will argue how its proof is used for deducing Corollary 58.

41

Proof of Lemma 57Lemma 57LetG be a graph,S, T be a shapes,s : G → S, t : G → T be shaping morphisms, andβ : T → S be an abstraction morphism such thats = β ◦ t. If s is the neighbourhood shaping ofG,then∼i−1 is defined on the nodes ofT , and≃T⊆∼i−1.

We show by induction on0 ≤ j ≤ i− 1 that

IHA(j): ∼j is defined,IHB(j): assuming that IHA(j), ≃T⊆∼j,IHC(j): assuming IHA(j) and IHB(j), ∀w ∈ NG, t([w]≡j

) = [t(w)]∼j.

We start with the following intermediate result.

Fact 59 For anyk ≤ i, it holds that

∀v, v′ ∈ NG, t(v) ≃T t(v′) implies v ≡k v

′

Proof. The proof of this fact goes as follows.

t(v) ≃T t(v′) =⇒ (β is an abstraction morphism)

β(t(v)) ≃S β(t(v′)) ⇐⇒ (s = β ◦ t)s(v) ≃s (v′) ⇐⇒ (s is the leveli neighbourhood shaping ofG)v ≡i v =⇒ (holds for anyj ≥ i)v ≡j v

′

◭

Going back to the proof of the lemma, using Fact 59 and definition of⊆ for equivalence relations,we can see that for IHB(j) it is enough to show the following

∀v, v′ ∈ NG, v ≡j v′ impliest(v) ∼j t(v

′) (1)

Base caseFor the base case,j = 0. For IHA(0), ∼0 is always defined.For IHB(0), we have to show (1). It is the case that for any nodesv, v′ ∈ NG, t(v) ∼0 t(v

′) if, andonly if, v ≡0 v

′; this is because∼0 and≡0 only take into account labels for grouping nodes and labelsare preserved and reflected by shaping. The same argument allows to see that IHC(0) also holds.

General caseAssume that the induction hypotheses IHA(k), IHB(k) and IHC(k) hold for anyk < j.Let us show that they hold forj.

For IHA(j), by definition∼j is defined if∼j−1 is defined and≃T⊆∼j−1, thus IHA(j) follows fromIHA(j − 1) and IHB(j − 1).

For IHB(j), we first establish two intermediary results in Fact 60 and Fact 61.

Fact 60 It holds that

∀v ∈ NG, ∀u ∈ NG, ∀a ∈ Lab,

µ∑

K∈NT/≃T |K⊆[t(u)]∼j−1

multout,T (t(v), a,K) =∣∣∣v ��

a

G[u]≡j−1

∣∣∣µ.

42

Proof. By definition,multout,T (t(v), a,K) is equal to∣∣v ��

a

G(t−1(K))∣∣µ

(for all v, a,K). Note nowthat theK ∈ NT /≃T summed-up above form a partition of the set[t(u)]∼j−1

; this comes from thefact that≃T⊆ NT / ∼j−1 (IHB(j − 1)). Then, by definition of set multiplicity function,

µ∑

K∈NT/≃T |K⊆[t(u)]∼j−1

multout,T (t(v), a,K) =∣∣∣v ��

a

G(t−1([t(u)]∼j−1))

∣∣∣µ

and it holds for allv ∈ NG, all u ∈ NG and all labela. Now by IHC(j − 1), [t(u)]∼j−1= t([u]≡j−1

),

thereforet−1([t(u)]∼j−1) = t−1(t([u]≡j−1

)) = [u]≡j−1. This terminates the proof of Fact 60. ◭

Fact 61 It holds that∀v, v′ ∈ NG, v ≡j v

′ ⇐⇒ t(v) ∼j t(v′)

Proof. By definition of the neighbourhood equivalence relations ongraphs and shapes,

v ≡j v′ ⇐⇒ ∀u ∈ NG, ∀a ∈ Lab,

∣∣∣v ��

a

G[u]≡j−1

∣∣∣µ

=∣∣∣v′ ��

a

G[u]≡j−1

∣∣∣µ

and

t(v) ∼j t(v′) ⇐⇒ ∼j−1 is defined and∀u ∈ NG, ∀a ∈ Lab,

µ∑

K∈NT/≃T |K⊆[t(u)]∼j−1

multout,T (t(v), a,K) =

µ∑

K∈NT/≃T |K⊆[t(u)]∼j−1

multout,T (t(v′), a,K).

The statement of Fact 61 immediately follows from these definitions and Fact 60. ◭

Back to the proof of IHB(j), we have to show (1). This immediately follows from Fact 59 andFact 61.

Finally, for IHC(j), we have to show that∀w ∈ NG, t([w]≡j) = [t(w)]∼j

. By definition,t([w]≡j) is

the set {

t(w′)

∣∣∣∣∀u ∈ NG, ∀a ∈ Lab,

∣∣∣w′

��a

G[u]≡j−1

∣∣∣µ

=∣∣∣w ��

a

G[u]≡j−1

∣∣∣µ

}

and[t(w)]∼jis the set

t(w′)

∣∣∣∣∣∣∣

∀u ∈ NG, ∀a ∈ Lab,

µ∑

K∈NT/≃T |K⊆[t(u)]∼j−1

multout,T (t(w′), a,K) =

µ∑

K∈NT/≃T |K⊆[t(u)]∼j−1

multout,T (t(w),

According to Fact 60, these two sets are equal. This terminates the proof for IHC(j), and thus theproof of Lemma 57.

Proof of Corollary 58Corollary 58 LetG be a graph,S, T be a shapes,s : G → S, t : G → T be shaping morphisms,andβ : T → S be an abstraction morphism such thats = β ◦ t. If at least one of these conditions isverified:

1. s is the neighbourhood shaping ofG,

43

2. β is the neighbourhood shaping ofT ,

then for any0 ≤ j ≤ i, and fol allv, v′ ∈ NG and all e, e′ ∈ EG,

v ≡j v′ ⇔ t(v) ∼j t(v

′) and e ≡j e′ ⇔ t(e) ∼j t(e

′).

We only show the corollary for nodes, the statement for edgeseasily follows by definitions. Onecan notice that the statement of this corollary is very similar to what has been shown in Fact 61.However, there are some small differences either in the hypotheses, or in what has been proved. Wewill show how the proof of Fact 61 can be completed for showingthe corollary.

The first difference is that Fact 61 is shown forj < i. However, the proof of Fact 61 can beextended forj = i. Figure 11 illustrates what needs to be shown for Fact 61 withj = i. That is, forshowing Fact 61 withj = i, we use Fact 60 withj = i; the proof of Fact 60 forj uses IHB(j − 1)and IHC(j − 1). Thus, it is enough to show that IHC(0) and IHB(j) for all 0 ≤ j ≤ i− 1 hold. (HereIHC() and IHB() denote the induction hypotheses used for proving Lemma 57).

Fact 60j = i

IHC(i − 1) Fact 60j = i − 1

... Fact 60j = 1

IHC(0)

IHB(i − 1) IHB(i − 2) IHB(1)

Fact 61j = i

Figure 11.Proof dependence for Fact 61.

Now, if condition 1 of the corollary holds, it corresponds exactly to the hypotheses of Lemma 57.Thus IHC(0) and IHB(j) for all 0 ≤ j ≤ i − 1 can be shown. If condition 2 of the corollary holds,IHB(j) holds for all0 ≤ j ≤ i − 1. Remind that IHB(j) states that≃T⊆∼j, and this is the case be-cause the neighbourhood shapingβ of T exists. Moreover, it is immediate that∀w ∈ NG, t([w]≡0

) =[t(w)]∼0

(that is, IHC(0)) holds under condition 2.

C Proof of Lemma 24

Lemma 24If two neighbourhood shapes have a common concretisation, then they are isomorphic.

Proof. (Sketch) We show that any shaping to a neighbourhood shape is a neighbourhood shaping.That is, ifG is a graph,s : G → S is its neighbourhood shaping andt : G → T is some arbitraryshaping withT being a neighbourhood shape (i.e. there exists a graphH with neighbourhood shapingt′ : H → T ), thenT andS are isomorphic. We will consider thatS andT are given with theircanonical representation (see Section 4.2), and we will show thatS andT have the same canonicalrepresentation. By Lemma 29, this implies thatS andT are isomorphic. Letv be a node ofG. Remind

44

that s(v) andt(v) are canonical names. If we show thats(v) = t(v) (as a canonical name), then itwould imply that the set of node canonical names ofS andT are the same (remind that the morphismss andt are surjective). The same is similarly shown for edges.

A level i canonical name is of the form(C,out, in), whereout and in are multiplicity functions,andC is a leveli − 1 canonical name. Of course,C has as first component a leveli − 2 canonicalname, and so on. Thus, a leveli canonical name somehow contains a levelj canonical name for any0 ≤ j ≤ i. In the following we call it its levelj component.

We show that (for anyv ∈ NG):

– for all 0 ≤ j ≤ i, the levelj components oft(v) ands(v) (considered as node canonical names)are the same,

– s(v) andt(v) have the sameout andin multiplicity functions.

The proof of these two statements goes by induction onj. We omit it here. ⊓⊔

D Proof of Lemma 29

.Lemma 29LetG,H be graphs, and leti ≥ 1. The leveli neighbourhood shapes ofG andH are

isomorphic if, and only if,CG andCH are equal.

Proof. For the right-to-left direction, we will show thatCG defines uniquely a shapeS and the shapeS is isomorphic to the leveli neighbourhood shape ofG. LetS = (GS ,≃,multn,multout,multin) bethe shape defined by:

– NS = N , ES = E and for anye = (C, a, C ′) in E , srcS(e) = C, tgtS(e) = C ′ andlabS(e) = a;– ≃ is the smallest equivalence relation such thatC ≃ C ′ if C andC ′ have the same first component.

Remind thatC andC ′ are leveli canonical names and their first component is a leveli − 1canonical name;

– multn = mult;– for all C ∈ NS , a ∈ Lab, andK ∈ NCani−1, multout(C, a,K) = outC(K, a), whereoutC is the

function second component ofC (remind thatC is a leveli canonical name);– for all C ∈ NS , a ∈ Lab, andK ∈ NCani−1, multout(C, a,K) = inC(K, a), whereinC is the

function third component ofC (remind thatC is a leveli canonical name).

Note thatS is indeed a shape. We do not show this here, but a similar construction is introduced andshown correct in Section 4.3.

Let us now show thatS is isomorphic to the leveli neighbourhood shape ofG. ConsiderT , thelevel i neighbourhood shape ofG, and consider the functionf = (fn, fe), fn : NS → NT , fe : ES →ET defined by:

– fn(C) = {v ∈ NG | nameiG(v) = C};– fe(Ce) = {e ∈ EG | nameiG(e) = Ce}.

45

Using Lemma 28,fn andfe are bijections, and it is not difficult to see thatf is a graph morphism, thusa graph isomorphism. Showing thatf is an abstraction morphism is quite technical, but not difficult,and only uses definitions ofS, of T , of abstraction morphism and of neighbourhood shaping. Thisterminates the proof of the right-to-left direction.

Now, for the left-to-right direction, letS be the leveli neighbourhood shape ofG with neighbour-hood shapings : G → S, and letT be the leveli neighbourhood shape ofH with neighbourhoodshapingt : H → T . Suppose thatS andT are isomorphic with isomorphismf : S → T . We use themodal logic to prove thatCG andCH are equal. We are using the following results on the modal logic.

(1) Neighbourhood shaping preserves and reflects logic formulae (Proposition 53).(2) For any graphG, any two nodesv,w of G, v,w are leveli neighbourhood equivalent if, and only

if, v,w have the same leveli canonical names, if, and only if,v,w satisfy the same depthi logicformulae (Lemma 28 and Lemma 55).

(3) For any leveli canonical nameC, there exists a representative formulaφC such that in any graphG, any nodev of G, nameiG(v) = C if, and only if,G, v |= φC (Lemma 56).

(4) By (1), (2) and (3), we can deduce that for any graphG andi ≥ 1, if S is the leveli neighbourhoodshape ofG with corresponding shapings : G → S, and ifC = nameiG(v) for somev node ofG,thenS, s(v) |= φC .

Let CG = (NG, EG,multG) andCH = (NH , EH ,multH). Remark first that the modal logic cannotdistinguish isomorphic structures, and this holds both forgraph and shapes.This means that(⋆) if vis a node ofS, then for any leveli logic formulaφ, S, v |= φ if, and only if, T, f(v) |= φ. Now,let C ∈ NG, and letv be a node ofG s.t. nameiG(v) = C. Then, by (3),G, v |= φC , and by (4),S, s(v) |= φC . Now, by (⋆) we deduce thatT, f(s(v)) |= φC . By preservation and reflection of thelogic (by (1)), we have that for anyw ∈ t−1(f(s(v))) node ofH,H,w |= φC . By (3), we deduce thatC is the leveli canonical name ofw ∈ NH , thusC ∈ NH . That is, we just showed thatNG ⊆ NH .Symmetrically we can show thatNH ⊆ NG, and thusNG = NH .

It is not difficult to prove that alsoEG = EH , and the same for the multiplicity functions. ⊓⊔

E Proof of Proposition 51

Proposition 51LetP be a set of atomic propositions,S, T be shapes,γS : NS → 2P andγT : NT →

2P be valuation functions such that≃T is compatible withγT , and letα : S → T be an abstractionmorphism.

(preservation):If α preservesP underγS , γT , thenα preserves the negation free fragment ofL1(P)underγS , γT .

(reflection): If α reflectsP underγS , γT , thenα reflects the negation free fragment ofL1(P) underγS , γT .

(preservation and reflection):7 If α preserves and reflectsP underγS , γT , thenα preserves and re-flectsL1(P) (possibly with negation) underγS , γT .

7 Preservation for formulae with negation may seem contradictory with the Morphism Preservation Theorem for finitestructures [13]. This theorem states that a first-order formula is preserved by morphism if, and only if, it is equivalentto an existential positive formula. Some modal logic formulae cannot be expressed in first-order logic without negation(e.g.¬〉a〉λ ·tt.) However, in our case, shapes contain information on interpretation of such negated formulae, by meansof the multiplicity functions, which explains this apparent contradiction.

46

The rest of the section is devoted to the proof of this proposition.LetM(P) be the set of logic formulae defined by the symbolφ in the following syntax:

φ ::= tt | 〉a〉λ ·ψ | 〈a〈λ ·ψ | φ ∨ φ | φ ∧ φ | ¬φ

ψ ::= p | ψ ∨ ψ | ψ ∧ ψ | ¬ψ | tt

The set of propositions defined byψ above is denotedBool (P). It is not difficult to see thatφ definesa grammar forL1(P), thusM(P) is exactly the logicL1(P). We will use this grammar in the prooffor an induction on the structure of aL1(P) formula.

Let us state Proposition 51 using the previous notations. Let P be a set of atomic propositions andS, T be shapes,γS : NS → 2P andγS : NS → 2P be valuations such that≃T is compatible withγT , andα : S → T be an abstraction morphism. Ifα preservesP, then for any nodev in NS and foranyM(P) formulaφ without negation

(preservation) S, v, γS |= φ impliesT, α(v), γT |= φ

If α reflectsP, then for any nodev in NS and for anyM(P) formulaφ without negation

(reflection) T, α(v), γT |= φ impliesS, v, γS |= φ

If moreoverα preserves and reflectsP, then for any nodev it NS , and for anyM(P) formula φ(possibly with negation), both (preservation) and (reflection) hold.

For brevity, we will omit the valuationsγS andγT , as they are fixed for each of the shapes.

We first show some preliminary lemmas.

Lemma 62 (α preserves / reflectsBool (P)). If α preservesP, thenα preservesBool (P), that is, foranyBool (P) formulaψ without negation and for any nodev in NS, if S, v |= ψ, thenT, α(v) |= ψ.

If α reflectsP, thenα reflectsBool(P) without negation, that is, for anyBool(P) formula ψwithout negation and for any nodev in NS , if T, α(v) |= ψ, thenS, v |= ψ.

If α preserves and reflectsP, thenα preserves and reflectsBool (P), that is, for anyBool (P)formulaψ and for any nodev in NS , S, v |= ψ, if, and only if,T, α(v) |= ψ.

Proof. The proof is an easy induction on the structure ofψ that we will omit. ⊓⊔

Lemma 63 (≃T is compatible with Bool (P)). If ≃T is compatible withγT , for any two nodesv,win NT and for any formulaψ in Bool (P) if v ≃T w, thenT, v, γT |= ψ if, and only if,T,w, γT |= ψ.

Proof. By induction on the structure ofψ; the base case forφ = p uses the fact that≃T is compatiblewith P.

We call this property≃T is compatible withBool (P), in the sense that two≃T -equivalent nodessatisfy the sameBool (P) formulae.

Let us now go to the proof of Proposition 51. Consider a nodev in NS fixed from now on. Wefirst show preservation.

47

E.1 Preservation

Assume thatα preservesP, and letφ be aM(P) formula without negation s.t.S, v |= φ. We willshow thatT, α(v) |= φ and the proof goes by induction on the structure ofφ. For the base case, eitherφ = tt, and then the proposition is trivial, orφ is in Bool (P) without negation, in which case theproposition follows from Lemma 62. For the induction step, if φ = φ1 ∨ φ2 or φ = φ1 ∧ φ2, then,by definition of satisfaction and by induction hypothesis, preservation property easily follow. Let usnow show the preservation forφ = 〉a〉λ ·ψ for someψ in Bool (P) without negation. By definition,S, v |= 〉a〉λ ·ψ if, and only if,

µ∑

D∈X

multout,S(v, a,D) ≥ λ

andT, α(v) |= 〉a〉λ ·ψ if, and only if,

µ∑

C∈Y

multout,T (α(v), a, C) ≥ λ

whereXS,ψ andXT,ψ are the sets

X = {D ∈ NS /≃S | ∀w ∈ D. S,w |= ψ }

Y = {C ∈ NT /≃T | ∀w ∈ C. T,w |= ψ}

By definition of abstraction,∑µ

C∈Y multout,T (α(v), a, C) is equal to

µ∑

C∈Y

µ∑

D ∈ (α−1(C))/≃S

multout,S(v, a,D) (2)

Now, for any two differentC1 andC2 group-equivalent classes inY , the sets of nodesα−1(C1) andα−1(C2) are different (asα is functional onNS). Then, by commutativity associativity ofµ-sum, thesum in (2) is equal to

µ∑

D ∈ (α−1(S

C∈Y C))/≃S

multout,S(v, a,D). (3)

Consider now the set of nodesY ′ = {w ∈ NT | T,w |= ψ}.

As ≃T is compatible withBool (P) (Lemma 63) andψ is a formula inBool (P), we have that if twonodesw,w′ are in someC ∈ NT /≃T , thenT,w |= ψ if, and only if, T,w′ |= ψ. We deduce thatif Y ′ contains some nodew of the group-equivalence classC, thenC ⊆ Y ′. Thus,Y = Y ′ /≃T , or,equivalently,

⋃

C∈Y C = Y ′. Now,α being a morphism,α−1(Y ′) is the set of nodesX ′:

X ′ = {w ∈ NS | T, α(w) |= ψ}.

Therefore, the sum in (3) is equivalent to

µ∑

D ∈ X′/≃S

multout,S(v, a,D). (4)

48

Now, by preservation ofBool (P), we have thatD ∈ X implies thatD is in the set

{D′ ∈ NS /≃S

∣∣∀w ∈ D′.T, α(w) |= ψ

}

and it is easy to see that thenD ∈ X ′ /≃S . That is, the sum in (4) has more components than thesum

∑µD∈X multout,S(v, a,D), which by hypothesis we know being greater thanλ. As the sum in (4)

is equivalent to∑µ

C∈Y multout,T (α(v), a, C), we conclude that this latter is greater thanλ, thusφ ispreserved.

E.2 Reflection

Assume thatα reflectsP, and letφ be aM(P) formula without negation s.t.T, α(v) |= φ. We willshow thatS, v |= φ and the proof goes by induction on the structure ofφ. For the casesφ = tt, φ inBool (P), φ = φ1 ∨ φ2 andφ = φ1 ∧ φ2, the proof goes as for preservation.

Forφ being a modality formula, the proof is close to the proof of preservation. However, there isa particular point on which one has to pay attention, due to the asymmetry in the hypotheses of theproposition, namely, we have a hypothesis for compatibility of ≃T with γT , but there is no a similarhypothesis for≃S andγS . Therefore, we briefly remind the steps of the proof that are common withthe proof for preservation, and then do the remaining part.

Letφ = 〉a〉λ·ψ for someψ in Bool(P) without negation. We have to show that∑µ

D∈X multout,S(v, a,D) ≥λ using that

∑µC∈Y multout,T (α(v), a, C) ≥ λ, where the setsX andY are as for preservation. As for

preservation, we can establish that∑µ

C∈Y multout,T (α(v), a, C) is equal to the sum in (4). It is thenenough to show that

(⋆) if D ∈ X ′ /≃S, thenD ∈ X.

Consider the setX ′′

X ′′ = {w ∈ NS | S,w |= ψ andT, α(w) |= ψ}.

By reflection ofBool(P), andψ being aBool (P) formula, we deduce thatD ∈ X ′ /≃S impliesD ∈ X ′′ /≃S . Using the definition ofX, one can see that then for(⋆) it is enough to show

(⋆⋆) if D ∈ X ′′ /≃S , thenD ∈ NS /≃S.

This remains to show that the setX ′′ contains only entire classes of nodes for≃S. That is where theconditionT, α(w) |= ψ in the definition ofX ′′, which may seem redundant, is used to compensatethe asymmetry of the hypotheses pointed out before. Let us show that ifw ≃S w

′, andS,w |= ψ, andT, α(w) |= ψ, thenS,w′ |= ψ, which is sufficient for(⋆⋆).

By α being an abstraction morphism, we know thatw ≃S w′ impliesα(w) ≃T α(w′). By com-

patibility of ≃T with Bool (P) (Lemma 63), it follows thatT, α(w) |= ψ if, and only if,T, α(w′) |= ψ.By hypothesis,T, α(w) |= ψ, then alsoT, α(w′) |= ψ. Finally, by reflection ofψ, we deduce thatS,w′ |= ψ.

E.3 Preservation and reflection

We finally show preservation and reflection in presence of theadditional hypothesis thatα preservesand reflectsP. The proof is very similar as for the previous cases, and goesby induction on thestructure ofφ. More precisely, we show that for any formulaφ, S, v |= φ if, and only if,T, α(v) |= φ.For the base case, ifφ is tt it is trivial, and if φ is a formula fromBool (P), the result follows fromLemma 62. For the induction, ifφ is a forward or backward modality formula, the proof goes on the

49

same way that the proof for preservation and reflection. Forφ = φ1 ∨ φ2, the result is an immediateconsequence of the definition of satisfaction. The only remaining case isφ = ¬φ′, for which we usethat preservation of the negated formula¬φ′ is equivalent to reflection of the sub-formulaφ′. That is,S, v |= ¬φ if, and only if,S, v 6|= φ if, and only if,, by induction hypothesis,T, α(v) 6|= φ if, and onlyif, T, α(v) |= ¬φ.

F Proof of Lemma 45

The result of the following lemma is used without proof in Lemma 45.

Lemma 64. LetU ′′ be a shape that admits a leveli neighbourhood shaping, and let the shapeU ′ beobtained fromU ′′ by removing some unique node labels. ThenU ′ also admits a leveli neighbourhoodshaping. Moreover, for all nodev in NU ′ and for all 1 ≤ j ≤ i, [v]∼j

in U ′′ is included into[v]∼jin

U ′.

Proof. We denoteN the set of nodes ofU ′ andU ′′, and we denote[v]Uj the equivalence class of thenodev for the equivalence relation∼j in the shapeU , whereU may be one ofU ′ orU ′′. We show, byinduction onj for j ∈ 1..i, that

IH (j) ∼j is defined onU ′ and for allv in N , [v]U′′

∼j⊆ [v]U

′

∼j

For the base case,IH (0) immediately follows from definitions of∼0 and the shapesU ′ andU ′′.For the induction step, letj > 0. Remind that∼j is defined inU ′ if ≃U ′⊆∼j−1, or, equivalently,

for all nodev, [v]≃U′⊆ [v]U

′

∼j−1. By definition ofU ′′ we know that[v]≃U′

= [v]≃U′′. AsU ′′ admits a

level i neighbourhood shaping, we have[v]≃U′′⊆ [v]U

′

∼j−1, and byIH (j − 1), [v]U

′′

∼j−1⊆ [v]U

′

∼j−1.

Next we have to show that[v]U′′

∼j⊆ [v]U

′

∼j. Supposev ∼j v

′ in U ′′ and let’s show that alsov ∼j v′

in U ′. By definition, this latter holds if, and only if, for allC ∈ N / ∼j−1, and for all labela,

µ∑

K∈N/≃U′ | K⊆C

multout(w, a,K) =

µ∑

K∈N/≃U′ | K⊆C

multout(w′, a,K)

and analogously for incoming edges multiplicity function.By IH (j − 1), the setC is the union ofdisjoint setsC1, . . . , Cn that are all equivalence classes for∼j−1 in U ′′, ie

µ∑

K∈N/≃U′ | K⊆C

multout,U ′(w, a,K) =

µ∑

l∈1..n

µ∑

K∈N/≃U′′ | K⊆Cl

multout,U ′′(w, a,K)

and the same forw′. This is well defined because the shapesU ′ andU ′′ have the same nodes andedges, the same multiplicities, and the same grouping relation. As∼j is defined onU ′′, for anyCl theequality

µ∑


multout,U ′′(w, a,K) =

µ∑


multout,U ′′(w′, a,K)

holds, thus the equality of the whole sum holds.

50

Consider now the shapeT ′′ as described in the sketch of the proof. We have to show thatT ′′

admits a leveli neighbourhood shaping. That is, it is enough to show that∼j is defined inT ′′ for allj ∈ 1..i (∼0 being always defined). We will show that for allv ∈ NS′′ , [v]∼j

in T ′′ is equal to[v]∼j

in S′′. It is enough as≃T ′′ and≃S′′ coincide on nodes inNS′′ , thus≃S′′⊆∼j in S′′ would imply≃T ′′⊆∼j in T ′′, and nodes inNnew have also singleton classes for the equivalence relations≃T ′′ and∼j (the latter because they contain fresh labels).

The proof that[v]∼jin T ′′ is equal to[v]∼j

in S′′ is quite technical, but does not use any difficultidea. We rather present it in an intuitive way. Suppose thatv ∼j v

′ in S′′. Then

1. eitherv andv′ are both at distancej or less from some node inc(L′′)∪Nnew and their equivalenceclass is influenced by one or more of the fresh labels,

2. orv andv′ are both far away fromc(L′′) ∪Nnew.

Remark now that if a nodew is at distanced from c(L′′) in S′′, then it is at distance at leastd fromc(L′′) ∪Nnew in T ′′. So, such a node may join the equivalence class of some other nodes.

G Proof of Lemma 55

Lemma 55 Two nodesv, v′ of a graph G arei-neigborhood equivalent if, and only if, the sameLi(Lab) formulae hold inv and inv′.

The proof goes by induction oni. For brevity, we will writev |= φ instead ofG, v, γ |= φ as thegraphG and the valuationγ are fixed.

For the base caseWe havei = 0. For the⇒ direction, assume thatv ≡0 v′. Then, by definition,

lab(v) = lab(v′). Let φ be aL0 formula; by easy induction on the structure ofφ one can show thatv |= φ if, and only if,v′ |= φ. For the⇐ direction, assume that it is not the case thatv ≡0 v

′. Then weeasily deduce that there is formulaφ which holds in one ofv, v′ but not in the other; it is sufficient totakeφ = a wherea is a label inlab(v)∪ lab(v′) but not inlab(v)∩ lab(v′) and we know by assumptionthat this label exists.

For the inductionWe havei > 0. For the⇒ direction, assume thatv ≡i v′. We will show that for any

Li formulaφ, v |= φ if, and only if,v′ |= φ and the proof goes by induction on the structure ofφ. Theonly interesting cases are forφ being〉a〉λ·φ′ and〈a〈λ·φ′. Let us show it for〉a〉λ·φ′, the other case issymmetrical. So, letφ be the formula〉a〉λ·φ′. Then, by definition of the satisfaction relation,v |= φ if,and only if,

∣∣v �

a ∩Sφ′�a

∣∣µ≥ λ andv′ |= φ if, and only if,

∣∣v′ �a ∩Sφ′�

a

∣∣µ≥ λ, whereSφ′ denotes

the set of nodes ofG in whichφ′ holds. We will show that∣∣v �

a ∩Sφ′�a

∣∣µ

=∣∣v′ �a ∩Sφ′�

a

∣∣µ, which

allows us to conclude thatv |= φ if, and only if,v′ |= φ.Let N /≡i−1 denote the set of equivalence classes of nodes ofG induced by the≡i−1 equiv-

alence relation. Let, for anyC in N /≡i−1, FC denote the set ofLi−1 formulae that hold in thenodes inC : FC = {ψ ∈ Li−1 | ∀v ∈ C : v |= ψ}. Then, asφ′ is anLi−1 formula and us-ing the induction hypothesis oni, it is easy to see thatSφ′ is the set

⋃

C∈N/≡i−1 |φ′∈FCC�

a. In this

case, by distributivity of the multiplicity function over set union, we deduce that∣∣v �

a ∩Sφ′�a

∣∣µ

=∑µ

C∈N/≡i−1 |φ′∈FC|v �

a ∩C�a|µ. Now, by assumption we have thatv ≡i v

′, so by definition of the

≡i equivalence relation we have that for anyC in N /≡i−1, |v �a ∩C�

a|µ = |v′ �a ∩C�a|µ. Thus,

∣∣v �

a ∩Sφ′�a

∣∣µ

=∑µ

C∈N/≡i−1

|v′ �a ∩C�a|µ and this last quantity is equal to|v′ �a ∩C�

a|µ.For the⇐ direction,

51

Assumev 6≡i+1 v′. If this is the case, we know that there exist a labela ∈ Lab and an equiv-

alence classC ∈ NG /≡i for which eitherov = |v �a ∩C�

a|µ 6= |v′ �a ∩C�a|µ = ov′ or

iv = |v �a ∩C�

a|µ 6= |v′ �a ∩C�a|µ = iv′ . For the moment, let us believe that there exists a

formulaψ ∈ Li that only one suchC satisfies. Letφ be:

〉a〉max(ov ,ov′) ·ψ if ov 6= ov′

〈a〈max(iv ,iv′) ·ψ otherwise

As a) no other≡i-equivalence class satisfiesψ, and b) all nodes inC satisfyψ (by inductive hy-pothesis); we can deduce thatC is exactly the set of nodes that satisfiesψ. Thereby,φ is satisfied byonly one ofv or v′. To show that such aψ exists, consider the following: for eachC ′ ∈ NG /≡i, s.t.C ′ 6= C, we can find aψC′ ∈ Li s.t.C |= ψ andC ′ 6|= ψ8, due to ind. hypothesis too. So we can takeψ to beψ =

∧

C′∈NG/≡i | C′ 6=C ψC′

8 Slight abuse of notation.

52

Documents

Graph Abstraction and Abstract Graph Transformation · 2017-05-17 · Graph Abstraction and Abstract Graph Transformation Iovka Boneva1 Arend Rensink1 Marcos E. Kurba´n3 Jo¨rg Bauer2