Yuri, Logic, and Computer Science

state machines (ASMs) form a relatively new computation model holding the promise that they can simulate any computational system in lockstep. In particular, an instance of the ASM model has recently been introduced for computing queries to relational databases [120]. This model, to which we refer as the BGS model, provides a powerful query language in which all computable queries can be expressed. In this paper, we show that when one is only interested in polynomial-time computations, BGS is strictly more powerful than both QL and WHILE NEW, two well-known computationally complete query languages. We then show that when a language such as WHILE NEW is extended with a duplicate elimination mechanism, polynomial-time simulations between the language and BGS become possible. 140. Yuri Gurevich, Wolfram Schulte, Charles Wallace: Investigating Java Concurrency Using Abstract State Machines. In: Abstract State Machines: Theory and Applications, Springer LNCS 1912 (2000), 151–176 We present a mathematically precise, platform-independent model of Java concurrency using the Abstract State Machine method. We cover all aspects of Java threads and synchronization, gradually adding details to the model in a series of steps. We motivate and explain each concurrency feature, and point out subtleties, inconsistencies and ambiguities in the official, informal Java specification. 141. Yuri Gurevich: Sequential Abstract State Machines capture Sequential Algorithms. ACM ToCL 1:1 (July 2000), 77–111 What are sequential algorithms exactly? Our claim, known as the sequential ASM thesis, has been that, as far as behavior is concerned, sequential algorithms are exactly sequential abstract state machines: For every sequential algorithm A, there is a sequential abstract state machine B that is behaviorally identical to A. In particular, B simulates A step for step. In this paper we prove the sequential ASM thesis, so that it becomes a theorem. But how can one possibly prove a thesis? Here is what we do. We formulate three postulates satisfied by all sequential algorithms (and, in particular, by sequential abstract state machines). This leads to the following definition: a sequential algorithm is any object that satisfies the three postulates. At this point the thesis becomes a precise statement. And we prove the statement. This is a non-dialog version of the dialog [136]. An intermediate version was published in MSR-TR-99-65 141a. Yuri Gurevich: Sequential Abstract State Machines capture Sequential Algorithms. Russian translation of [141], by P.G. Emelyanov. In: Marchuk A.G. (ed.) Formal Methods and Models of Informatics, System Informatics 9 ( 2004), 7–50, Siberian Branch of the Russian Academy of Sciencies 142. Andreas Blass, Yuri Gurevich: The Underlying Logic of Hoare Logic. Originally in BEATCS 70 (February 2000), 82–110. Reprinted in: Current Trends in Theoretical Computer Science, World Scientific (2001), 409–436 Formulas of Hoare logic are asserted programs φ P ψ where P is a program and φ, ψ are assertions. The language of programs varies; in the 1980 survey by Krzysztof Apt, one finds the language of while programs and various extensions of it. But the assertions are traditionally expressed in first-order logic (or extensions of it). In that sense, first-order logic is the underlying logic of Hoare logic. We question the tradition and demonstrate, on the simple example of while programs, that alternative assertion logics have some advantages. For some natural assertion logics, the expressivity hypothesis in Cook’s completeness theorem is automatically satisfied. 143. Andreas Blass, Yuri Gurevich: Background, Reserve, and Gandy Machines. In: P. Clote and H. Schwichtenberg (eds.) CSL’2000, Springer LNCS 1862 (2000), 1–17 Algorithms often need to increase their working space, and it may be convenient to pretend that the additional space was really there all along but was not previously used. In particular, abstract state machines have, by definition [103], an infinite reserve. Although the reserve is a naked set, it is often desirable to have some external structure over it. For example, in [120] every state was required to include all finite sets of its atoms, all finite sets of these, etc. In this connection, we define the notion of a background class of structures. Such a class specifies the constructions (like finite sets or lists) available as “background” for algorithms. The importation of reserve elements must be non-deterministic, since an algorithm has no way to distinguish one reserve element from another. But this sort of non-determinism is much more benign than general non-determinism. We capture this intuition with the notion of inessential non-determinism. Alternatively, one could insist on specifying a particular one of the available reserve elements to be imported. This is the approach used in [Robin Gandy, “Church’s thesis and principles for mechanisms”. In: J. Barwise et al. (eds.) The Kleene Symposium, North-Holland, 1980, 123–148]. The price of this insistence is that the specification cannot be algorithmic. We show how to turn a Gandy-style deterministic, non-algorithmic process into a non-deterministic algorithm of the sort described above, and we prove that Gandy’s notion of “structural” for his processes corresponds to our notion of “inessential non-determinism.” 144. Andreas Blass, Yuri Gurevich: Choiceless Polynomial Time Computation and the Zero-One Law. In: P. Clote and H. Schwichtenberg (eds.) CSL’2000, Springer LNCS 1862 (2000), 18–40 This paper is a sequel to [120], a commentary on [Saharon Shelah (#634) “Choiceless polynomial time logic: inability to express”, same proceedings], and an abridged version of [149] that contains complete proofs of all the results presented here. The BGS model of computation was defined in [120] with the intention of modeling computation with arbitrary finite relational structures as inputs, with essentially arbitrary data structures, with parallelism, but without arbitrary choices. It was shown that choiceless polynomial time, the complexity class defined by BGS programs subject to a polynomial time bound, does not contain the parity problem. Subsequently, Shelah proved a zero-one law for choiceless-polynomialtime properties. A crucial difference from the earlier results is this: Almost all finite structures have no non-trivial automorphisms, so symmetry considerations cannot be applied to them. Shelah’s proof therefore depends on a more subtle concept of partial symmetry. After struggling for a while with Shelah’s proof, we worked out a presentation which we hope will be helpful for others interested in Shelah’s ideas. We also added some related results, indicating the need for certain aspects of the proof and clarifying some of the concepts involved in it. Unfortunately, this material is not yet fully written up. The part already written, however, exceeds the space available to us in the present volume. We therefore present here an abridged version of that paper and promise to make the complete version available soon. 145. Mike Barnett, Egon Börger, Yuri Gurevich, Wolfram Schulte, Margus Veanes: Using Abstract State Machines at Microsoft: A Case Study. In: P. Clote and H. Schwichtenberg (eds.) CSL’2000, Springer LNCS 1862 (2000), 367–379 Our goal is to provide a rigorous method, clear notation and convenient tool support for high-level system design and analysis. For this purpose we use abstract state machines (ASMs). Here we describe a particular case study: modeling a debugger of a stack based runtime environment. The study provides evidence for ASMs being a suitable tool for building executable models of software systems on various abstraction levels, with precise refinement relationships connecting the models. High level ASM models of proposed or existing programs can be used throughout the software development cycle. In particular, ASMs can be used to model inter-component behavior on any desired level of detail. This allows one to specify application programming interfaces more precisely than it is done currently. 145.5. Colin Campbell, Yuri Gurevich: Table ASMs. In: Formal Methods and Tools for Computer Science, Eurocast 2001, eds. R. Moreno-Diaz and A. QuesadaArencibia, Universidad de Las Palmas de Gran Canaria, Canary Islands, Spain (February 2001), 286–290 Ideally, a good specification becomes the basis for implementing, testing and documenting the system it defines. In practice, producing a good specification is hard. Formal methods have been shown to be helpful in strengthening the meaning of specifications, but despite their power, few development teams have successfully incorporated them into their software processes. This experience indicates that producing a usable formal method is also hard. This paper is the story of how a particular theoretical result, namely the normal forms of Abstract State Machines, motivated a genuinely usable form of specification that we call ASM Tables. We offer it for two reasons. The first is that the result is interesting in and of itself and – it is to be hoped – useful to the reader. The second is that our result serves as a case study of a more general principle, namely, that in bringing rigorous methods into everyday practice, one should not follow the example of Procrustes: we find that it is indeed better to adapt the bed to the person than the other way round. We also offer a demonstration that an extremely restricted syntactical form can still contain sufficient expressive power to describe all sequential machines. 146. Andreas Blass, Yuri Gurevich: Inadequacy of Computable Loop Invariants. ACM ToCL 2:1 (January 2001), 1–11 Hoare logic is a widely recommended verification tool. There is, however, a problem of finding easily-checkable loop invariants; it is known that decidable assertions do not suffice to verify WHILE programs, even when the preand postconditions are decidable. We show here a stronger result: decidable invariants do not suffice to verify single-loop programs. We also show that this problem arises even in extremely simple contexts. Let N be the structure consisting of the set of natural numbers together with the functions S(x) = x + 1, D(x) = 2x and function H(x) that is equal to x/2 rounded down. There is a single-loop program P using only three variables x, y, z such that the asserted program x = y = z = 0 {P} false is partially correct on N but any loop invariant I(x, y, z) for this asserted program is undecidable. 147. Yuri Gurevich, Alex Rabinovich: Definability in Rationals with Real Order in the Background. Journal of Logic and Computation 12:1 (2002), 1–11 The paper deals with logically definable families of sets of rational numbers. In particular, we are interested whether the families definable over the real line with a unary predicate for the rationals are definable over the rational order alone. Let φ(X,Y ) and ψ(Y ) range over formulas in the first-order monadic language of order. Let Q be the set of rationals and F be the family of subsets J of Q such that φ(Q, J) holds over the real line. The question arises whether, for every formula φ, the family F can be defined by means of a formula ψ(Y ) interpreted over the rational order. We answer the question negatively. The answer remains negative if the first-order logic is strengthened to weak monadic second-order logic. The answer is positive for the restricted version of monadic second-order logic where set quantifiers range over open sets. The case of full monadic second-order logic remains open. 148. Andreas Blass, Yuri Gurevich: A New Zero-One Law and Strong Extension Axioms. Originally in BEATCS 72 (October 2000), 103–122. Reprinted in: Current Trends in Theoretical Computer Science, World Scientific (2004), 99–118 This article is a part of the continuing column on Logic in Computer Science. One of the previous articles in the column was devoted to the zero-one laws for a number of logics playing prominent role in finite model theory: first-order logic FO, the extension FO+LFP of first-order logic with the least fixed-point operator, and the infinitary logic where every formula uses finitely many variables [95]. Recently Shelah proved a new, powerful, and surprising zero-one law. His proof uses so-called strong extension axioms. Here we formulate Shelah’s zero-one law and prove a few facts about these axioms. In the process we give a simple proof for a “large deviation” inequality à la Chernoff. 149. Andreas Blass, Yuri Gurevich: Strong Extension Axioms and Shelah’s Zero-One Law for Choiceless Polynomial Time. JSL 68:1 (2003), 65–131 This paper developed from Shelah’s proof of a zero-one law for the complexity class “choiceless polynomial time,” defined by Shelah and the authors. We present a detailed proof of Shelah’s result for graphs, and describe the extent of its generalizability to other sorts of structures. The extension axioms, which form the basis for earlier zero-one laws (for first-order logic, fixed-point logic, and finitevariable infinitary logic) are inadequate in the case of choiceless polynomial time; they must be replaced by what we call the strong extension axioms. We present an extensive discussion of these axioms and their role both in the zero-one law and in general. ([144] is an abridged version of this paper, and [148] is a popular version of this paper.) 150. Andreas Blass, Yuri Gurevich, Saharon Shelah: On Polynomial Time Computation Over Unordered Structures. JSL 67:3 (2002), 1093–1125 This paper is motivated by the question whether there exists a logic capturing polynomial time computation over unordered structures. We consider several algorithmic problems near the border of the known, logically defined complexity classes contained in polynomial time. We show that fixpoint logic plus counting is stronger than might be expected, in that it can express the existence of a complete matching in a bipartite graph. We revisit the known examples that separate polynomial time from fixpoint plus counting. We show that the examples in a paper of Cai, Fürer, and Immerman, when suitably padded, are in choiceless polynomial time yet not in fixpoint plus counting. Without padding, they remain in polynomial time but appear not to be in choiceless polynomial time plus counting. Similar results hold for the multipede examples of Gurevich and Shelah, except that their final version of multipedes is, in a sense, already suitably padded. Finally, we describe another plausible candidate, involving determinants, for the task of separating polynomial time from choiceless polynomial time plus counting. 150a. Andreas Blass, Yuri Gurevich: A Quick Update on the Open Problems in article [150] (December 2005). 151. Yuri Gurevich: Logician in the land of OS: Abstract State Machines at Microsoft. LICS 2001, IEEE Symp. on Logic in Computer Science, IEEE Computer Society (2001), 129–136 Analysis of foundational problems like “What is computation?” leads to a sketch of the paradigm of abstract state machines (ASMs). This is followed by a brief discussion on ASMs applications. Then we present some theoretical problems that bridge between the traditional LICS themes and abstract state machines. 152. Anuj Dawar, Yuri Gurevich: Fixed Point Logics. The Bulletin of Symbolic Logic 8:1 (2002), 65–88 Fixed-point logics are extensions of first-order predicate logic with fixed point operators. A number of such logics arose in finite model theory but they are of interest to much larger audience, e.g. AI, and there is no reason why they should be restricted to finite models. We review results established in finite model theory, and consider the expressive power of fixed-point logics on infinite structures. 153. Uwe Glaesser, Yuri Gurevich, Margus Veanes: Universal Plug and Play Machine Models. MSR-TR -2001-59 Recently, Microsoft took a lead in the development of a standard for peer-topeer network connectivity of various intelligent appliances, wireless devices and PCs. It is called the Universal Plug and Play Device Architecture (UPnP). We construct a high-level Abstract State Machine (ASM) model for UPnP. The model is based on the ASM paradigm for distributed systems with real-time constraints and is executable in principle. For practical execution, we use AsmL, the Abstract state machine Language, developed at Microsoft Research and integrated with Visual Studio and COM. This gives us an AsmL model, a refined version of the ASM model. The third part of this project is a graphical user interface by means of which the runs of the AsmL model are controlled and inspected at various levels of detail as required for simulation and conformance testing, for example. 154. Wolfgang Grieskamp, Yuri Gurevich, Wolfram Schulte and Margus Veanes: Generating Finite State Machines from Abstract State Machines. ISSTA 2002, International Symposium on Software Testing and Analysis, ACM Software Engineering Notes 27:4 (2002), 112–122 We give an algorithm that derives a finite state machine (FSM) from a given abstract state machine (ASM) specification. This allows us to integrate ASM specs with the existing tools for test-case generation from FSMs. ASM specs are executable, but have typically too many, often infinitely many, states. We group ASM states into finitely many hyperstates, which are the nodes of the FSM. The links of the FSM are induced by the ASM state transitions. 155. Yuri Gurevich, Wolfram Schulte, Margus Veanes: Toward Industrial Strength Abstract State Machines. MSR-TR-2001-98 A powerful practical ASM language, called AsmL, is being developed in Microsoft Research by the group on Foundations of Software Engineering. AsmL extends the language of original ASMs in a number of directions. We describe some of these extensions. 156. Yuri Gurevich, Nikolai Tillmann: Partial Updates: Exploration. Springer J. of Universal Computer Science 7:11 (2001), 918–952 The partial update problem for parallel abstract state machines has manifested itself in the cases of counters, sets and maps. We propose a solution of the problem that lends itself to an efficient implementation and covers the three cases mentioned above. There are other cases of the problem that require a more general framework. 157-1. Andreas Blass, Yuri Gurevich: Abstract State Machines Capture Parallel Algorithms. ACM ToCL 4:4 (October 2003), 578–651 We give an axiomatic description of parallel, synchronous algorithms. Our main result is that every such algorithm can be simulated, step for step, by an abstract state machine with a background that provides for multisets. See also [157-2]. 157-2. Andreas Blass, Yuri Gurevich: Abstract State Machines Capture Parallel Algorithms: Correction and Extension. ACM ToCL 9:3 (June 2008), Article 19 We consider parallel algorithms working in sequential global time, for example circuits or parallel random access machines (PRAMs). Parallel abstract state machines (parallel ASMs) are such parallel algorithms, and the parallel ASM thesis asserts that every parallel algorithm is behaviorally equivalent to a parallel ASM. In an earlier paper [157-1], we axiomatized parallel algorithms, proved the ASM thesis and proved that every parallel ASM satisfies the axioms. It turned out that we were too timid in formulating the axioms; they did not allow a parallel algorithm to create components on the fly. This restriction did not hinder us from proving that the usual parallel models, like circuits or PRAMs or even alternating Turing machines, satisfy the postulates. But it resulted in an error in our attempt to prove that parallel ASMs always satisfy the postulates. To correct the error, we liberalize our axioms and allow on-the-fly creation of new parallel components. We believe that the improved axioms accurately express what parallel algorithms ought to be. We prove the parallel thesis for the new, corrected notion of parallel algorithms, and we check that parallel ASMs satisfy the new axioms. 158. Andreas Blass, Yuri Gurevich: Algorithms vs. Machines. Originally in BEATCS 77 (June 2002), 96–118. Reprinted in: Current Trends in Theoretical Computer Science, World Scientific (2004), 215–236 In a recent paper, the logician Yiannis Moschovakis argues that no state machine describes mergesort on its natural level of abstraction. We do just that. Our state machine is a recursive ASM. 159. Uwe Glaesser, Yuri Gurevich, Margus Veanes: Abstract Communication Model for Distributed Systems. IEEE Transactions on Software Engineering 30:7 (July 2004), 458–472 In some distributed and mobile communication models, a message disappears in one place and miraculously appears in another. In reality, of course, there are no miracles. A message goes from one network to another; it can be lost or corrupted in the process. Here we present a realistic but high-level communication model where abstract communicators represent various nets and subnets. The model was originally developed in the process of specifying a particular network architecture, namely the Universal Plug and Play architecture. But it is general. Our contention is that every message-based distributed system, properly abstracted, gives rise to a specialization of our abstract communication model. The purpose of the abstract communication model is not to design a new kind of network; rather it is to discover the common part of all message-based communication networks. The generality of the model has been confirmed by its successful reuse for very different distributed architectures. The model is based on distributed abstract state machines. It is implemented in the specification language AsmL and is being used for testing distributed systems. 160. Andreas Blass, Yuri Gurevich: Pairwise Testing. Originally in BEATCS 78 (October 2002), 100–132. Reprinted in: Current Trends in Theoretical Computer Science, World Scientific (2004), 237–266 We discuss the following problem, which arises in software testing. Given some independent parameters (of a program to be tested), each having a certain finite set of possible values, we intend to test the program by running it several times. For each test, we give the parameters some (intelligently chosen) values. We want to ensure that for each pair of distinct parameters, every pair of possible values is used in at least one of the tests. And we want to do this with as few tests as possible. 161. Yuri Gurevich, Nikolai Tillmann: Partial Updates. Theoretical Computer Science 336:2–3 (26 May 2005), 311–342. (A preliminary version in: Abstract State Machines 2003, Springer LNCS 2589 (2003), 57–86) A datastructure instance, e.g. a set or file or record, may be modified independently by different parts of a computer system. The modifications may be nested. Such hierarchies of modifications need to be efficiently checked for consistency and integrated. This is the problem of partial updates in a nutshell. In our first paper on the subject [156], we developed an algebraic framework which allowed us to solve the partial update problem for some useful datastructures including counters, sets and maps. These solutions are used for the efficient implementation of concurrent data modifications in the specification language AsmL. The two main contributions of this paper are (i) a more general algebraic framework for partial updates and (ii) a solution of the partial update problem for sequences and labeled ordered trees. 162. Yuri Gurevich, Saharon Shelah: Spectra of Monadic Second-Order Formulas with One Unary Function. LICS 2003, 18th Annual IEEE Symposium on Logic in Computer Science, IEEE Computer Society (2003), 291–300 We prove that the spectrum of any monadic second-order formula F with one unary function symbol (and no other function symbols) is eventually periodic, so that there exist natural numbers p > 0 (a period) and t (a p-threshold) such that if F has a model of cardinality n > t then it has a model of cardinality n+ p. (In the web version, some additional proof details are provided because some readers asked for them.) 163. Mike Barnett, Wolfgang Grieskamp, Yuri Gurevich, Wolfram Schulte, Nikolai Tillmann, Margus Veanes: Scenario-oriented Modeling in AsmL and Its Instrumentation for Testing. In: 2nd International Workshop on Scenarios and State Machines: Models, Algorithms, and Tools, (2003) 8–14, held at ICSE 2003, International Conference on Software Engineering 2003 We present an approach for modeling use cases and scenarios in the Abstract state machine Language and discuss how to use such models for validation and verification purposes. 164. Andreas Blass, Yuri Gurevich: Algorithms: A Quest for Absolute Definitions. Originally in BEATCS 81 (October 2003), 195–225. Reprinted in: Current Trends in Theoretical Computer Science, World Scientific (2004), 283–311. Reprinted in: A. Olszewski et al. (eds.) Church’s Thesis After 70 Years, Ontos Verlag (2006), 24–57 What is an algorithm? The interest in this foundational problem is not only theoretical; applications include specification, validation and verification of software and hardware systems. We describe the quest to understand and define the notion of algorithm. We start with the Church-Turing thesis and contrast Church’s and Turing’s approaches, and we finish with some recent investigations. 165. Yuri Gurevich: Abstract State Machines: An Overview of the Project. In: D. Seipel and J. M. Turull-Torres (eds.) Foundations of Information and Knowledge Systems, Springer LNCS 2942 (2004), 6–13 We quickly survey the ASM project, from its foundational roots to industrial applications. 166. Andreas Blass, Yuri Gurevich: Ordinary Interactive Small-Step Algorithms, I. ACM ToCL 7:2 (April 2006), 363–419. A preliminary version was published as MSR-TR-2004-16 This is the first in a series of papers extending the Abstract State Machine Thesis – that arbitrary algorithms are behaviorally equivalent to abstract state machines – to algorithms that can interact with their environments during a step, rather than only between steps. In the present paper, we describe, by means of suitable postulates, those interactive algorithms that (1) proceed in discrete, global steps, (2) perform only a bounded amount of work in each step, (3) use only such information from the environment as can be regarded as answers to queries, and (4) never complete a step until all queries from that step have been answered. We indicate how a great many sorts of interaction meet these requirements. We also discuss in detail the structure of queries and replies and the appropriate definition of equivalence of algorithms. Finally, motivated by our considerations concerning queries, we discuss a generalization of first-order logic in which the arguments of function and relation symbols are not merely tuples of elements but orbits of such tuples under groups of permutations of the argument places. 167. Yuri Gurevich: Intra-Step Interaction. In: W. Zimmerman and B. Thalheim (eds.) Abstract State Machines 2004, Springer LNCS 3052 (2004), 1–5 For a while it seemed possible to pretend that all interaction between an algorithm and its environment occurs inter-step, but not anymore. Andreas Blass, Benjamin Rossman and the speaker are extending the Small-Step Characterization Theorem (that asserts the validity of the sequential version of the ASM thesis) and the Wide-Step Characterization Theorem (that asserts the validity of the parallel version of the ASM thesis) to intra-step interacting algorithms. A later comment: This was my first talk on intra-step interactive algorithms. The intended audience was the ASM community. [174] is a later talk on this topic, and it is addressed to a general computer science audience. 168. Yuri Gurevich, Rostislav Yavorskiy: Observations on the Decidability of Transitions. In: W. Zimmerman and B. Thalheim (eds.) Abstract State Machines 2004, Springer LNCS 3052 (2004), 161–168 Consider a multiple-agent transition system such that, for some basic types T1, ..., Tn, the state of any agent can be represented as an element of the Cartesian product T1×· · ·×Tn. The system evolves by means of global steps. During such a step, new agents may be created and some existing agents may be updated or removed, but the total number of created, updated and removed agents is uniformly bounded. We show that, under appropriate conditions, there is an algorithm for deciding assume-guarantee properties of one-step computations. The result can be used for automatic invariant verification as well as for finite state approximation of the system in the context of test-case generation from AsmL specifications. 169. Yuri Gurevich, Benjamin Rossman, Wolfram Schulte: Semantic Essence of AsmL. Theoretical Computer Science 343:3 (17 October 2005), 370–412 Originally published as MSR-TR-2004-27 The Abstract state machine Language, AsmL, is a novel executable specification language based on the theory of Abstract State Machines. AsmL is objectoriented, provides high-level mathematical data-structures, and is built around the notion of synchronous updates and finite choice. AsmL is fully integrated into the .NET framework and Microsoft development tools. In this paper, we explain the design rationale of AsmL and provide static and dynamic semantics for a kernel of the language. 169a. Yuri Gurevich, Benjamin Rossman, Wolfram Schulte: Semantic Essence of AsmL: Extended Abstract. In: F. S. de Boer et al. (eds.) FMCO 2003, Formal Methods of Components and Objects, Springer LNCS 3188 (2004), 240–259 This is an extended abstract of article [169]. 170. Andreas Blass, Yuri Gurevich: Ordinary Interactive Small-Step Algorithms, II. ACM ToCL 8:3 (July 2007), article 15. A preliminary version was published as a part of MSR-TR-2004-88 This is the second in a series of three papers extending the proof of the Abstract State Machine Thesis – that arbitrary algorithms are behaviorally equivalent to abstract state machines – to algorithms that can interact with their environments during a step rather than only between steps. The first paper is [166]. As in that paper, we are concerned here with ordinary, small-step, interactive algorithms. This means that the algorithms (1) proceed in discrete, global steps, (2) perform only a bounded amount of work in each step, (3) use only such information from the environment as can be regarded as answers to queries, and (4) never complete a step until all queries from that step have been answered. After reviewing the previous paper’s formal description of such algorithms and the definition of behavioral equivalence, we define ordinary, interactive, small-step abstract state machines (ASM’s). Except for very minor modifications, these are the machines commonly used in the ASM literature. We define their semantics in the framework of ordinary algorithms, and we show that they satisfy the postulates for these algorithms. This material lays the groundwork for the final paper in the series, in which we shall prove the Abstract State Machine Thesis for ordinary, intractive, small-step algorithms: All such algorithms are equivalent to ASMs. 171. Andreas Blass, Yuri Gurevich: Ordinary Interactive Small-Step Algorithms, III. ACM ToCL 8:3 (July 2007), article 16. A preliminary version was published as a part of MSR-TR-2004-88 This is the third in a series of three papers extending the proof of the Abstract State Machine Thesis – that arbitrary algorithms are behaviorally equivalent to abstract state machines – to algorithms that can interact with their environments during a step rather than only between steps. The first two papers are [166] and [170]. As in those papers, we are concerned here with ordinary, small-step, interactive algorithms. After reviewing the previous papers’ definitions of such algorithms, of behavioral equivalence, and of abstract state machines (ASMs), we prove the main result: Every ordinary, interactive, small-step algorithm is behaviorally equivalent to an ASM. We also discuss some possible variations of and additions to the ASM semantics. 172. Andreas Blass, Yuri Gurevich: Why Sets? BEATCS 84 (October 2004). Revised and published as MSR-TR-2006-138; then reprinted in: A. Avron et al. (eds.) Pillars of Computer Science: Essays Dedicated to Boris (Boaz) Trakhtenbrot on the Occasion of His 85th Birthday, Springer LNCS 4800 (2008). Sets play a key role in foundations of mathematics. Why? To what extent is it an accident of history? Imagine that you have a chance to talk to mathematicians from a far away planet. Would their mathematics be set-based? What are the alternatives to the set-theoretic foundation of mathematics? Besides, set theory seems to play a significant role in computer science, in particular in database theory and formal methods. Is there a good justification for that? We discuss these and related issues. 173. Andreas Blass, Yuri Gurevich, Lev Nachmanson, Margus Veanes: Play to Test. MSR-TR-2005-04. FATES 2005, 5th International Workshop on Formal Approaches to Testing of Software, Edinburgh (July 2005) Testing tasks can be viewed (and organized!) as games against nature. We introduce and study reachability games. Such games are ubiquitous. A single industrial test suite may involve many instances of a reachability game. Hence the importance of optimal or near optimal strategies for reachability games. We find out when exactly optimal strategies exist for a given reachability game, and how to construct them. 174. Yuri Gurevich: Interactive Algorithms 2005 with Added Appendix. In: D. Goldin et al. (eds.) Interactive Computation: The New Paradigm, Springer-Verlag (2006), 165–182. Originally in: J. Jedrzejowicz and A. Szepietowski (eds.) Proceedings of MFCS 2005 Math Foundations of Computer Science (2005), Gdansk, Poland, Springer LNCS 3618 (2005), 26–38 (without the appendix) A sequential algorithm just follows its instructions and thus cannot make a nondeterministic choice all by itself, but it can be instructed to solicit outside help to make a choice. Similarly, an object-oriented program cannot create a new object all by itself; a create-a-new-object command solicits outside help. These are but two examples of intra-step interaction of an algorithm with its environment. Here we motivate and survey recent work on interactive algorithms within the Behavioral Computation Theory project. 175. Yuri Gurevich, Paul Schupp: Membership Problem for Modular Group. SIAM Journal on Computing 37:2 (2007), 425–459. The modular group plays an important role in many branches of mathematics. We show that the membership problem for the modular group is polynomial time in the worst case. We also show that the membership problem for a free group remains polynomial time when elements are written in a normal form with exponents. 176. Andreas Blass, Yuri Gurevich, Dean Rosenzweig, Benjamin Rossman: Interactive Small-Step Algorithms I: Axiomatization. Logical Methods in Computer Science 3:4 (2007), paper 3. A preliminary version appeared as MSR-TR-2006-170 In earlier work, the Abstract State Machine Thesis – that arbitrary algorithms are behaviorally equivalent to abstract state machines – was established for several classes of algorithms, including ordinary, interactive, small-step algorithms. This was accomplished on the basis of axiomatizations of these classes of algorithms. Here we extend the axiomatization and, in a companion paper, the proof, to cover interactive small-step algorithms that are not necessarily ordinary. This means that the algorithms (1) can complete a step without necessarily waiting for replies to all queries from that step and (2) can use not only the environment’s replies but also the order in which the replies were received. This is essentially part one of MSR-TR-2005-113. [182] is essentially the remainder of the technical report. 177. Yuri Gurevich, Tanya Yavorskaya: On Bounded Exploration and Bounded Nondeterminism. MSR-TR-2006-07 This report consists of two separate parts, essentially two oversized footnotes to [141]. In Chapter I, Yuri Gurevich and Tatiana Yavorskaya present and study a more abstract version of the bounded exploration postulate. In Chapter II, Tatiana Yavorskaya gives a complete form of the characterization, sketched in [141], of bounded-choice sequential algorithms. 178. Andreas Blass, Yuri Gurevich: Program Termination, and Well Partial Orderings. ACM ToCL 9:3 (July 2008) The following known observation may be useful in establishing program termination: if a transitive relation R is covered by finitely many well-founded relations U1, . . . , Un then R is well-founded. A question arises how to bound the ordinal height |R| of the relation R in terms of the ordinals αi = |Ui|. We introduce the notion of the stature ‖P‖ of a well partial ordering P and show that |R| less than or equal to the stature of the direct product α1 × · · · × αn and that this bound is tight. The notion of stature is of considerable independent interest. We define ‖P‖ as the ordinal height of the forest of nonempty bad sequences of P , but it has many other natural and equivalent definitions. In particular, ‖P‖ is the supremum, and in fact the maximum, of the lengths of linearizations of P . And the stature of the direct product α1 × · · · × αn is equal to the natural product of these ordinals. 179. Yuri Gurevich, Margus Veanes, Charles Wallace: Can Abstract State Machines Be Useful in Language Theory? Theoretical Computer Science 376 (2007) 17–29. Extended Abstract in DLT 2006, Developments in Language Theory, Springer LNCS 4036 (2006), 14–19 The abstract state machine (ASM) is a modern computation model. ASMs and ASM based tools are used in academia and industry, albeit in a modest scale. They allow one to give high-level operational semantics to computer artifacts and to write executable specifications of software and hardware at the desired abstraction level. In connection with the 2006 conference on Developments in Language Theory, we point out several ways that we believe abstract state machines can be useful to the DLT community. 180. Andreas Blass, Yuri Gurevich: A Note on Nested Words. MSR-TR-2006-139 For every regular language of nested words, the underlying strings form a context-free language, and every context-free language can be obtained in this way. Nested words and nested-word automata are generalized to motley words and motley-word automata. Every motley-word automation is equivalent to a deterministic one. For every regular language of motley words, the underlying strings form a finite intersection of context-free languages, and every finite intersection of context-free languages can be obtained in this way. 181. Yuri Gurevich: ASMs in the Classroom: Personal Experience. In: D. Bjørner and M. C. Henson (eds.) Logics of Specification Languages, Springer (2008), 599–602 We share our experience of using abstract state machines for teaching computation theory at the University of Michigan. 182. Andreas Blass, Yuri Gurevich, Dean Rosenzweig, Benjamin Rossman: Interactive Small-Step Algorithms II: Abstract State Machines and the Characterization Theorem. Logical Methods in Computer Science 3:4 (2007), paper 4. A preliminary version appeared as MSR-TR-2006-171 In earlier work, the Abstract State Machine Thesis – that arbitrary algorithms are behaviorally equivalent to abstract state machines – was established for several classes of algorithms, including ordinary, interactive, small-step algorithms. This was accomplished on the basis of axiomatizations of these classes of algorithms. In a companion paper [176] the axiomatization was extended to cover interactive small-step algorithms that are not necessarily ordinary. This means that the algorithms (1) can complete a step without necessarily waiting for replies to all queries from that step and (2) can use not only the environment’s replies but also the order in which the replies were received. In order to prove the thesis for algorithms of this generality, we extend here the definition of abstract state machines to incorporate explicit attention to the relative timing of replies and to the possible absence of replies. We prove the characterization theorem for extended ASMs with respect to general algorithms as axiomatized in [176]. 183. Dan Teodosiu, Nikolaj Bjørner, Yuri Gurevich, Mark Manasse, Joe Porkka: Optimizing File Replication over Limited-Bandwidth Networks using Remote Differential Compression. MSR-TR-2006-157 Remote Differential Compression (RDC) protocols can efficiently update files over a limited-bandwidth network when two sites have roughly similar files; no site needs to know the content of another’s files a priori. We present a heuristic approach to identify and transfer the file differences that is based on finding similar files, subdividing the files into chunks, and comparing chunk signatures. Our work significantly improves upon previous protocols such as LBFS and RSYNC in three ways. Firstly, we present a novel algorithm to efficiently find the client files that are the most similar to a given server file. Our algorithm requires 96 bits of metadata per file, independent of file size, and thus allows us to keep the metadata in memory and eliminate the need for expensive disk seeks. Secondly, we show that RDC can be applied recursively to signatures to reduce the transfer cost for large files. Thirdly, we describe new ways to subdivide files into chunks that identify file differences more accurately. We have implemented our approach in DFSR, a state-based multimaster file replication service shipping as part of Windows Server 2003 R2. Our experimental results show that similarity detection produces results comparable to LBFS while incurring a much smaller overhead for maintaining the metadata. Recursive signature transfer further increases replication efficiency by up to several orders of magnitude. 184. Martin Grohe, Yuri Gurevich, Dirk Leinders, Nicole Schweikardt, Jerzy Tyszkiewicz, Jan Van den Bussche: Database Query Processing Using Finite Cursor Machines. Theory of Computing Systems 44:4 (April 2009), 533–560. An earlier version appeared in: ICDT 2007, International Conference on Database Theory, Springer LNCS 4353 (2007), 284–298 We introduce a new abstract model of database query processing, finite cursor machines, that incorporates certain data streaming aspects. The model describes quite faithfully what happens in so-called “one-pass” and “two-pass query processing”. Technically, the model is described in the framework of abstract state machines. Our main results are upper and lower bounds for processing relational algebra queries in this model, specifically, queries of the semijoin fragment of the relational algebra. 185. Andreas Blass, Yuri Gurevich: Zero-One Laws: Thesauri and Parametric Conditions. BEATCS 91 (February 2007), 125–144. Reprinted in: A. Gupta et al. (eds.) Logic at the Crossroads: An Interdisciplinary View, Allied Publishers Pvt. Ltd., New Delhi (2007), 187–206 The zero-one law for first-order properties of finite structures and its proof via extension axioms were first obtained in the context of arbitrary finite structures for a fixed finite vocabulary. But it was soon observed that the result and the proof continue to work for structures subject to certain restrictions. Examples include undirected graphs, tournaments, and pure simplicial complexes. We discuss two ways of formalizing these extensions, Oberschelp’s parametric conditions (Springer Lecture Notes in Mathematics 969, 1982) and our thesauri of [149]. We show that, if we restrict thesauri by requiring their probability distributions to be uniform, then they and parametric conditions are equivalent. Nevertheless, some situations admit more natural descriptions in terms of thesauri, and the thesaurus point of view suggests some possible extensions of the theory. 186. Andreas Blass, Yuri Gurevich: Background of Computation. BEATCS, 92 (June 2007) In a computational process, certain entities (for example, sets or arrays) and operations on them may be automatically available, for example by being provided by the programming language. We define background classes to formalize this idea, and we study some of their basic properties. The present notion of background class is more general than the one we introduced in an earlier paper [143], and it thereby corrects one of the examples in that paper. The greater generality requires a non-trivial notion of equivalence of background classes, which we explain and use. Roughly speaking, a background class assigns to each set (of atoms) a structure (for example, of sets or arrays or combinations of these and similar entities), and it assigns to each embedding of one set of atoms into another a standard embedding between the associated background structures. We discuss several, frequently useful, properties that background classes may have, for example that each element of a background structure depends (in some sense) on only finitely many atoms, or that there are explicit operations by which all elements of background structures can be produced from atoms. 187. Robert H. Gilman, Yuri Gurevich, Alexei Miasnikov: A Geometric Zero-One Law. JSL 74:3 (September 2009) Each relational structure X has an associated Gaifman graph, which endows X with the properties of a graph. If x is an element of X, let Bn(x) be the ball of radius n around x. Suppose that X is infinite, connected and of bounded degree. A first-order sentence s in the language of X is almost surely true (resp. a.s. false) for finite substructures of X if for every x in X, the fraction of substructures of Bn(x) satisfying s approaches 1 (resp. 0) as n approaches infinity. Suppose further that, for every finite substructure, X has a disjoint isomorphic substructure. Then every s is a.s. true or a.s. false for finite substructures of X. This is one form of the geometric zero-one law. We formulate it also in a form that does not mention the ambient infinite structure. In addition, we investigate various questions related to the geometric zero-one law. 188. Nachum Dershowitz, Yuri Gurevich: A natural axiomatization of computability and proof of Church’s Thesis. Bulletin of Symbolic Logic 14:3 (September 2008), 299–350. An earlier version was published as MSR-TR-2007-85 Church’s Thesis asserts that the only numeric functions that can be calculated by effective means are the recursive ones, which are the same, extensionally, as the Turing-computable numeric functions. The Abstract State Machine Theorem states that every classical algorithm is behaviorally equivalent to an abstract state machine. This theorem presupposes three natural postulates about algorithmic computation. Here, we show that augmenting those postulates with an additional requirement regarding basic operations gives a natural axiomatization of computability and a proof of Church’s Thesis, as Gödel and others suggested may be possible. In a similar way, but with a different set of basic operations, one can prove Turing’s Thesis, characterizing the effective string functions, and – in particular – the effectively-computable functions on string representations of numbers. 188a. Yuri Gurevich: Proving Church’s Thesis. CSR 2007, Computer Science – Theory and Applications, 2nd International Symposium on Computer Science in Russia, Springer LNCS 4649 (2007), 1–3 This is an extended abstract of the opening talk of CSR 2007. It is based on [188]. 189. Yuri Gurevich, Dirk Leinders, Jan Van den Bussche: A Theory of Stream Queries. DBPL 2007, 11th International Symposium on Database Programming Languages, Springer LNCS 4797 (2007), 153–168 Data streams are modeled as infinite or finite sequences of data elements coming from an arbitrary but fixed universe. The universe can have various built-in functions and predicates. Stream queries are modeled as functions from streams to streams. Both timed and untimed settings are considered. Issues investigated include abstract definitions of computability of stream queries; the connection between abstract computability, continuity, monotonicity, and non-blocking operators; and bounded memory computability of stream queries using abstract state machines (ASMs). 190. Nikolaj Bjørner, Andreas Blass, Yuri Gurevich: Content-Dependent Chunking for Differential Compression, the Local Maximum Approach. Journal of Computer and System Sciences 76:3–4 (May–June 2010), 154–203. Originally published as MSR-TR-2007-109 When a file is to be transmitted from a sender to a recipient and when the latter already has a file somewhat similar to it, remote differential compression seeks to determine the similarities interactively so as to transmit only the part of the new file not already in the recipient’s old file. Content-dependent chunking means that the sender and recipient chop their files into chunks, with the cutpoints determined by some internal features of the files, so that when segments of the two files agree (possibly in different locations within the files), the cutpoints in such segments tend to be in corresponding locations, and so the chunks agree. By exchanging hash values of the chunks, the sender and recipient can determine which chunks of the new file are absent from the old one and thus need to be transmitted. We propose two new algorithms for content-dependent chunking, and we compare their behavior, on random files, with each other and with previously used algorithms. One of our algorithms, the local maximum chunking method, has been implemented and found to work better in practice than previously used algorithms. Theoretical comparisons between the various algorithms can be based on several criteria, most of which seek to formalize the idea that chunks should be neither too small (so that hashing and sending hash values become inefficient) nor too large (so that agreements of entire chunks become unlikely). We propose a new criterion, called the slack of a chunking method, which seeks to measure how much of an interval of agreement between two files is wasted because it lies in chunks that don’t agree. Finally, we show how to efficiently find the cutpoints for local maximum chunking. 191. Yuri Gurevich, Itay Neeman: DKAL: Distributed-Knowledge Authorization Language. MSR-TR-2008-09. First appeared as MSR-TR-2007-116 DKAL is an expressive declarative authorization language based on existential fixed-point logic. It is considerably more expressive than existing languages in the literature, and yet feasible. Our query algorithm is within the same bounds of computational complexity as, e.g., that of SecPAL. DKAL’s distinguishing features include – explicit handling of knowledge and information, – targeted communication that is beneficial with respect to confidentiality, security, and liability protection, – the flexible use and nesting of functions, which in particular allows principals to quote (to other principals) whatever has been said to them, – flexible built-in rules for expressing and delegating trust, – information order that contributes to succinctness. 191a. Yuri Gurevich, Itay Neeman: DKAL: Distributed-Knowledge Authorization Language. CSF 2008, 21st IEEE Computer Security Foundations Symposium, 149– 162 This is an extended abstract of [191]. DKAL is a new declarative authorization language for distributed systems. It is based on existential fixed-point logic and is considerably more expressive than existing authorization languages in the literature. Yet its query algorithm is within the same bounds of computational complexity as, e.g., that of SecPAL. DKAL’s communication is targeted, which is beneficial for security and for liability protection. DKAL enables flexible use of functions; in particular, principals can quote (to other principals) whatever has been said to them. DKAL strengthens the trust delegation mechanism of SecPAL. A novel information order contributes to succinctness. DKAL introduces a semantic safety condition that guarantees the termination of the query algorithm. 192. Andreas Blass, Nachum Dershowitz, Yuri Gurevich: When Are Two Algorithms the Same? Bulletin of Symbolic Logic 15:2 (2009), 145–168. An earlier version was published as MSR-TR-2008-20 People usually regard algorithms as more abstract than the programs that implement them. The natural way to formalize this idea is that algorithms are equivalence classes of programs with respect to a suitable equivalence relation. We argue that no such equivalence relation exists. 193. Andreas Blass, Yuri Gurevich: Two Forms of One Useful Logic:. Existential Fixed Point Logic and Liberal Datalog, BEATCS 95 (June 2008), 164–182 A natural liberalization of Datalog is used in the Distributed Knowledge Authorization Language (DKAL). We show that the expressive power of this liberal Datalog is that of existential fixed-point logic. The exposition is self-contained. 194. Andreas Blass, Yuri Gurevich: One Useful Logic That Defines Its Own Truth. MFCS 2008, 33rd International Symposium on Mathematical Foundations of Computer Science, Springer LNCS 5162 (2008), 1–15 Existential fixed point logic (EFPL) is a natural fit for some applications, and the purpose of this talk is to attract attention to EFPL. The logic is also interesting in its own right as it has attractive properties. One of those properties is rather unusual: truth of formulas can be defined (given appropriate syntactic apparatus) in the logic. We mentioned that property elsewhere, and we use this opportunity to provide the proof. 195. Nikolaj Bjørner, Andreas Blass, Yuri Gurevich, Madan Musuvathi: Modular difference logic is hard. MSR-TR-2008-140 In connection with machine arithmetic, we are interested in systems of constraints of the form x + k ≤ y + l. Over integers, the satisfiability problem for such systems is polynomial time. The problem becomes NP complete if we restrict attention to the residues for a fixed modulus N . 196. Andreas Blass, Yuri Gurevich: Persistent Queries in the Behavioral Theory of Algorithms. ACM ToCL, to appear. An earlier version appeared as MSR-TR2008-150 We propose a syntax and semantics for interactive abstract state machines to deal with the following situation. A query is issued during a certain step, but the step ends before any reply is received. Later, a reply arrives, and later yet the algorithm makes use of this reply. By a persistent query, we mean a query for which a late reply might be used. Syntactically, our proposal involves issuing, along with a persistent query, a location where a late reply is to be stored. Semantically, it involves only a minor modification of the existing theory of interactive small-step abstract state machines. 197. Yuri Gurevich, Arnab Roy: Operational Semantics for DKAL: Application and Analysis. TrustBus 2009, 6th International Conference on Trust, Privacy and Security in Digital Business, Springer LNCS 5695 (2009),149–158 DKAL is a new authorization language based on existential fixed-point logic and more expressive than existing authorization languages in the literature. We present some lessons learned during the first practical application of DKAL and some improvements that we made to DKAL as a result. We develop operational semantics for DKAL and present some complexity results related to the operational semantics. 198. Yuri Gurevich, Itay Neeman: Infon Logic: the Propositional Case. ACM ToCL, to appear. The ToCL version is a correction and slight extension of the version called The Infon Logic published in BEATCS 98 (June 2009), 150–178 Infons are statements viewed as containers of information (rather then representations of truth values). In the context of access control, the logic of infons is a conservative extension of logic known as constructive or intuitionistic. Distributed Knowledge Authorization Language uses additional unary connectives “p said” and “p implied” where p ranges over principals. Here we investigate infon logic and a narrow but useful primal fragment of it. In both cases, we develop the model theory and analyze the derivability problem: Does the given query follow from the given hypotheses? Our more involved technical results are on primal infon logic. We construct an algorithm for the multiple derivability problem: Which of the given queries follow from the given hypotheses? Given a bound on the quotation depth of the hypotheses, the algorithm works in linear time. We quickly discuss the significance of this result for access control. 199. Nikolaj Bjørner, Yuri Gurevich, Wolfram Schulte, and Margus Veanes: Symbolic Bounded Model Checking of Abstract State Machines. International Journal of Software and Informatics 3:2–3 (June/September 2009), 149–170 Abstract State Machines (ASMs) allow us to model system behaviors at any desired level of abstraction, including levels with rich data types, such as sets or sequences. The availability of high-level data types allows us to represent state elements abstractly and faithfully at the same time. AsmL is a rich ASM-based specification and programming language. In this paper we look at symbolic analysis of model programs written in AsmL with a background T of linear arithmetic, sets, tuples, and maps. We first provide a rigorous account of the update semantics of AsmL in terms of background T, and we formulate the problem of bounded path exploration of model programs, or the problem of Bounded Model Program Checking (BMPC), as a satisfiability modulo T problem. Then we investigate the boundaries of decidable and undecidable cases for BMPC. In a general setting, BMPC is shown to be highly undecidable (Σ1-complete); restricted to finite sets, the problem remains RE-hard (Σ1-hard). On the other hand, BMPC is shown to be decidable for a class of basic model programs that are common in practice. We apply Satisfiability Modulo Theories (SMT) tools to BMPC. The recent SMT advances allow us to directly analyze specifications using sets and maps with specialized decision procedures for expressive fragments of these theories. Our approach is extensible; background theories need in fact only be partially solved by the SMT solver; we use simulation of ASMs to support additional theories that are beyond the scope of available decision procedures.State Machines (ASMs) allow us to model system behaviors at any desired level of abstraction, including levels with rich data types, such as sets or sequences. The availability of high-level data types allows us to represent state elements abstractly and faithfully at the same time. AsmL is a rich ASM-based specification and programming language. In this paper we look at symbolic analysis of model programs written in AsmL with a background T of linear arithmetic, sets, tuples, and maps. We first provide a rigorous account of the update semantics of AsmL in terms of background T, and we formulate the problem of bounded path exploration of model programs, or the problem of Bounded Model Program Checking (BMPC), as a satisfiability modulo T problem. Then we investigate the boundaries of decidable and undecidable cases for BMPC. In a general setting, BMPC is shown to be highly undecidable (Σ1-complete); restricted to finite sets, the problem remains RE-hard (Σ1-hard). On the other hand, BMPC is shown to be decidable for a class of basic model programs that are common in practice. We apply Satisfiability Modulo Theories (SMT) tools to BMPC. The recent SMT advances allow us to directly analyze specifications using sets and maps with specialized decision procedures for expressive fragments of these theories. Our approach is extensible; background theories need in fact only be partially solved by the SMT solver; we use simulation of ASMs to support additional theories that are beyond the scope of available decision procedures. 200. Yuri Gurevich, Itay Neeman: DKAL 2 – A Simplified and Improved Authorization Language. MSR-TR-2009-11 Knowledge and information are central notions in DKAL, a logic based authorization language for decentralized systems, the most expressive among such languages in the literature. Pieces of information are called infons. Here we present DKAL 2, a surprisingly simpler version of the language that expresses new important scenarios (in addition to the old ones) and that is built around a natural logic of infons. Trust became definable, and its properties, postulated earlier as DKAL house rules, are now proved. In fact, none of the house rules postulated earlier is now needed. We identify also a most practical fragment of DKAL where the query derivation problem is solved in linear time. 201. Andreas Blass, Nachum Dershowitz, Yuri Gurevich: Exact Exploration and Hanging Algorithms. CSL 2010, 19th EACSL Annual Conference on Computer Science Logic (August 2010), to appear Recent analysis of sequential algorithms resulted in their axiomatization and in a representation theorem stating that, for any sequential algorithm, there is an abstract state machine (ASM) with the same states, initial states and state transitions. That analysis, however, abstracted from details of intra-step computation, and the ASM, produced in the proof of the representation theorem, may and often does explore parts of the state unexplored by the algorithm. We refine the analysis, the axiomatization and the representation theorem. Emulating a step of the given algorithm, the ASM, produced in the proof of the new representation theorem, explores exactly the part of the state explored by the algorithm. That frugality pays off when state exploration is costly. The algorithm may be a high-level specification, and a simple function call on the abstraction level of the algorithm may hide expensive interaction with the environment. Furthermore, the original analysis presumed that state functions are total. Now we allow state functions, including equality, to be partial so that a function call may cause the algorithm as well as the ASM to hang. Since the emulating ASM does not make any superfluous function calls, it hangs only if the algorithm does. 202. Andreas Blass, Yuri Gurevich, Efim Hudis: The Tower-of-Babel Problem, and Security Assessment Sharing. MSR-TR-2010-57. BEATCS 101 (June 2010), to appear The tower-of-Babel problem is rather general: How to enable a collaboration among experts speaking different languages? A computer security version of the tower-of-Babel problem is rather important. A recent Microsoft solution for that security problem, called Security Assessment Sharing, is based on this idea: A tiny common language goes a long way. We construct simple mathematical models showing that the idea is sound.