A categorical foundation for structured reversible flowchart languages: Soundness and adequacy

10/10/2017 ∙ by Robert Glück, et al. ∙ Københavns Uni Association for Computing Machinery 0

Structured reversible flowchart languages is a class of imperative reversible programming languages allowing for a simple diagrammatic representation of control flow built from a limited set of control flow structures. This class includes the reversible programming language Janus (without recursion), as well as more recently developed reversible programming languages such as R-CORE and R-WHILE. In the present paper, we develop a categorical foundation for this class of languages based on inverse categories with joins. We generalize the notion of extensivity of restriction categories to one that may be accommodated by inverse categories, and use the resulting decision maps to give a reversible representation of predicates and assertions. This leads to a categorical semantics for structured reversible flowcharts, which we show to be both sound, adequate, and fully abstract with respect to the operational semantics under certain conditions.



There are no comments yet.


page 1

page 2

page 3

page 4

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1. Introduction

Reversible computing is an emerging paradigm that adopts a physical principle of reality into a computation model without information erasure. Reversible computing extends the standard forward-only mode of computation with the ability to execute in reverse as easily as forward. Reversible computing is a necessity in the context of quantum computing and some bio-inspired computation models. Regardless of the physical motivation, bidirectional determinism is interesting in its own right. The potential benefits include the design of innovative reversible architectures (e.g., [34, 33, 37]), new programming models and techniques (e.g., [40, 17, 28]), and the enhancement of software with reversibility (e.g., [8]).

Today the semantics of reversible programming languages are usually formalized using traditional metalanguages, such as structural operational semantics or denotational semantics based on complete partial orders (e.g., [19, 40]). However, these metalanguages were introduced for the definition of conventional (irreversible) programming languages. The fundamental properties of a reversible language, such as the required backward determinism and the invertibility of object language programs, are not naturally captured by these metalanguages. As a result, these properties are to be shown for each semantic definition. This unsatisfying state of affairs is not surprising, however, as these properties have been rarely required for more than half a century of mainstream language development. The recent advances in the area of reversible computing have changed this situation.

This paper provides a new categorical foundation specifically for formalizing reversible programming languages, in particular the semantics of reversible structured flowchart languages [36, 39], which are the reversible counterpart of the structured high-level programming languages used today. This formalization is based on join inverse categories with a developed notion of extensivity for inverse categories, which gives rise to natural representations of predicates and assertions, and consequently to models of reversible structured flowcharts. It provides a framework for modelling reversible languages, such that the reversible semantic properties of the object language are naturally ensured by the metalanguage.

The semantic framework we are going to present in this paper covers the reversible structured languages regardless of their concrete formation, such as atomic operations, elementary predicates, and value domains. State of the art reversible programming languages that are concretizations of this computation model include the well-known imperative language Janus [40] without recursion, the while languages R-WHILE and R-CORE with dynamic data structures [19, 20], and the structured reversible language SRL with stacks and arrays [39]. Structured control-flow is also a defining element of reversible object-oriented languages [22]. Further, unstructured reversible flowchart languages, such as reversible assembly languages with jumps [14, 4] and the unstructured reversible language RL [39], can be transformed into structured ones thanks to the structured reversible program theorem [36].

The main contribution of this paper is to provide a metalanguage formalism based on join inverse categories that is geared to formalize the reversible flowchart languages. The languages formalized in this framework are ensured to have the defining reversible language properties, including backward determinism and local invertibility. Another main property of the formalism is that every reversible structured language that is syntactically closed under inversion of its elementary operations is also closed under inversion of reversible control-flow operators. This is particularly useful, as it is sufficient to check this property for elementary constructs to ensure the correctness of the associated program inverter. Key to our formalism are decisions, which provide a particularly advantageous reversible representation of predicates and their corresponding assertions. This insight may guide the design of reversible constructs that are often quite involved to model in a reversible setting, such as pattern matching.

The results in this paper are illustrated by introducing a family of small reversible flowchart languages for reversible computing with integer data, a reversible counterpart of the family of classic counter languages used for theoretical investigations into irreversible languages. The family introduced here may well serve the same purpose in a reversible context.

Overview: In Section 2, we give an introduction to structured reversible flowchart languages, while Section 3 describes the restriction and inverse category theory used as backdrop in later sections. In Section 4, we warm up by developing a notion of extensivity for inverse categories, based on extensive restriction categories and its associated concept of decisions. Then, in Section 5, we put it all to use by showing how decisions may be used to model predicates and ultimately also reversible flowcharts, and we show that these are computationally sound and adequate with respect to the operational semantics in Section 6. In Section 7, we extend the previous theorems by giving a sufficient condition for equational full abstraction. In Section 8, we show how to verify program inversion using the categorical semantics, develop a small language to exemplify our framework, and discuss other applications in reversible programming. Section 9 offers some concluding remarks.

2. Reversible structured flowcharts

Structured reversible flowcharts [36, 39] naturally model the control flow behavior of reversible (imperative) programming languages in a simple diagrammatic representation, as classical flowcharts do for conventional languages. A crucial difference is that atomic steps are limited to partial injective functions and they require an additional assertion, an explicit orthogonalizing condition, at join points in the control flow.

A structured reversible flowchart is built from four blocks (Figure 1): An atomic step that performs an elementary operation on a domain specified by a partial injective function ; a while loop over a block with entry assertion and exit test ; a selection of block or with entry test and exit assertion ; and a sequence of blocks and .

25. 25.25. 25.25.
(a) Step (b) While loop (c) Selection (d) Sequence
Figure 1. Structured reversible flowcharts.

A structured reversible flowchart consists of one main block. Blocks have unique entry and exit points, and can be nested any number of times to form more complex flowcharts. The interpretation of consists of a given domain (typically of stores or states, which we shall denote by ) and a finite set of partial injective functions and predicates . Computation starts at the entry point of in an initial (the input), proceeds sequentially through the edges of , and ends at the exit point of in a final (the output), if is defined on the given input. Though the specific set of predicates depend on the flowchart language, they are often (as we will do here) assumed to be closed under Boolean operators, in particular conjunction and negation. The operational semantics for these, shown in Figure 2, are the same as in the irreversible case (see, e.g., [35]): We use the judgment form here to mean that the predicate evaluated on the state results in the Boolean value .

Figure 2. Operational semantics for Boolean predicates.

The assertion in a reversible while loop (marked by a circle, as introduced in [40]) is a new flowchart operator: the predicate must be true when the control flow reaches the assertion along the -edge, and false when it reaches the assertion along the -edge; otherwise, the loop is undefined. The test (marked by a diamond) has the usual semantics. This means that in a loop is repeated as long as and are false.

The selection has an assertion , which must be true when the control flow reaches the assertion from , and false when the control flow reaches the assertion from ; otherwise, the selection is undefined. As usual, the test selects or . The assertion makes the selection reversible.

Despite their simplicity, reversible structured flowcharts are reversibly universal [3], which means that they are computationally as powerful as any reversible programming language can be. Given a suitable domain for finite sets of atomic operations and predicates, there exists, for every injective computable function , a reversible flowchart that computes .

Reversible structured flowcharts (Figure 1) have a straightforward representation as program texts defined by the grammar

It is often assumed, as we will do here, that the set of atomic steps contains a step that acts as the identity. The operational semantics for these flowchart structures (or simply commands) are shown in Figure 3. Here, the judgment form is used and taken to mean that the command converges in the state resulting in a new state . Note the use of the meta-command : This does not represent any reversible flowchart structure (and is thus not a syntactically valid command), but is rather a piece of internal syntax used to give meaning to loops. This is required since the role of the entry assertion in a reversible while loop changes after the first iteration: When entering the loop from the outside (i.e., before any iterations have occured), the entry assertion must be true, but when entering from the inside (i.e., one or more iterations), the entry assertion must be false.

Figure 3. Operational semantics for the reversible flowchart structures.

The reversible structured flowcharts defined above corresponds to the reversible language R-WHILE [19], but their value domain, atomic functions and predicates are unspecified. As a minimum, a reversible flowchart needs blocks (a), (b), and (d) from Figure 1, because selection can be simulated by combining while loops that conditionally skip the body block or execute it once. R-CORE [20] is an example of such a minimal language.

3. Restriction and inverse categories

The following section contains the background on restriction and inverse category theory necessary for our later developments. Unless otherwise specified, the definitions and results presented in this section can be found in introductory texts on the subject (e.g., [15, 21, 10, 11, 12]).

Restriction categories [10, 11, 12] axiomatize categories of partial maps. This is done by assigning to each morphism a restriction idempotent , which we think of as a partial identity defined precisely where is. Formally, restriction categories are defined as follows. A restriction category is a category equipped with a combinator mapping each morphism to a morphism satisfying

  1. [(i),ref=]

  2. ,

  3. ,

  4. , and

for all suitable . As an example, the category of sets and partial functions is a restriction category, with if is defined at , and undefined otherwise. Note that being a restriction category is a structure, not a property; a category may be a restriction category in several different ways (e.g., assigning for each morphism gives a trivial restriction structure to any category).

In restriction categories, we say that a morphism is total if , and a partial isomorphism if there exists a (necessarily unique) partial inverse such that and . Isomorphisms are then simply the total partial isomorphisms with total partial inverses. An inverse category can then be defined as a special kind of restriction category111This is a rather modern definition due to [10]. Originally, inverse categories were defined as the categorical extensions of inverse semigroups; see [27].. An inverse category is a restriction category where each morphism is a partial isomorphism. Every restriction category gives rise to an inverse category (the cofree inverse category of , see [26]), which has as objects all objects of , and as morphisms all of the partial isomorphisms of . As such, since partial isomorphisms in are partial injective functions, a canonical example of an inverse category is the category of sets and partial injective functions.

Since each morphism in an inverse category has a unique partial inverse, as also suggested by our notation this makes inverse categories canonically dagger categories [30], in the sense that they come equipped with a contravariant endofunctor satisfying and for each morphism and object .

Given two restriction categories and , the well-behaved functors between them are restriction functors, i.e., functors satisfying . Analogous to how regular semigroup homomorphisms preserve partial inverses in inverse semigroups, when and are inverse categories, all functors between them are restriction functors; specifically they preserve the canonical dagger, i.e., .

Before we move on, we show some basic facts about restriction idempotents in restriction (and inverse) categories that will become useful later (see also, e.g., [10, 15]). In any restriction category, it is the case that

  1. [(i), ref=]

  2. ,

  3. ,

  4. ,

  5. ,

  6. if is total then , and

  7. if is total then so is .

for all morphisms and .


For (1) , and (2) by using (1). For (3) we have , while (4) follows by using (3). A special case of (4) is (5) since total means that , and so . Finally, (6) follows by total means that , so by this and (3), , so is total as well. ∎

3.1. Partial order enrichment and joins

A consequence of how restriction (and inverse) categories are defined is that hom sets may be equipped with a partial order given by iff (this extends to an enrichment in the category of partial orders and monotone functions). Intuitively, this states that is below iff behaves exactly like when restricted to the points where is defined. Notice that any morphism below an identity is a restriction idempotent under this definition, since iff , i.e., iff .

A sufficient condition for each to have a least element is that has a restriction zero; a zero object in the usual sense which additionally satisfies for each endo-zero map . One may now wonder when has joins as a partial order. Unfortunately, has joins of all morphisms only in very degenerate cases. However, if instead of considering arbitrary joins we consider joins of maps that are somehow compatible, this becomes much more viable. In a restriction category, say that morphisms and are disjoint iff ; and compatible iff . It can be shown that disjointness implies compatibility, as disjointness is expectedly symmetric. Further, we may extend this to say that a set of parallel morphisms is disjoint iff each pair of morphisms is disjoint, and likewise for compatibility. This gives suitable notions of join restriction categories. A restriction category has compatible (disjoint) joins if it has a restriction zero, and satisfies that for each compatible (disjoint) subset of any hom set , there exists a morphism such that

  1. [(i), ref=]

  2. for all , and for all implies ;

  3. ;

  4. for all ; and

  5. for all .

For inverse categories, the situation is a bit more tricky, as the join of two compatible partial isomorphisms may not be a partial isomorphism. To ensure this, we need stronger relations: In an inverse category, say that parallel maps and are disjoint iff and ; and compatible iff and . We may now extend this to notions of disjoint sets and compatible sets of morphisms in inverse categories as before. This finally gives notions of join inverse categories: An inverse category has compatible (disjoint) joins if it has a restriction zero and satisfies that for all compatible (disjoint) subsets of all hom sets , there exists a morphism satisfying (1) – (4) of Definition 3.1. An example of a join inverse category is of sets and partial injective functions. Here, for a set of compatible partial injective functions is constructed as the function with graph the union of the graphs of all ; or equivalently as the function

Similarly, the category of topological spaces and partial homeomorphisms (i.e., partial injective functions which are open and continuous in their domain of definition) is an inverse category with joins constructed in the same way. Further, for any join restriction category , the cofree inverse category of is a join inverse category as well [21, Lemma 3.1.27], and joins on both restriction and inverse categories can be freely adjoined [21, Sec. 3.1]. A functor between restriction (or inverse) categories with joins is said to be join-preserving when .

3.2. Restriction coproducts, extensivity, and related concepts

While a restriction category may very well have coproducts, these are ultimately only well-behaved when the coproduct injections and are total; if this is the case, we say that the restriction category has restriction coproducts. If a restriction category has all finite restriction coproducts, it also has a restriction zero serving as unit. Note that in restriction categories with restriction coproducts, the coproduct injections (respectively ) are partial isomorphisms with partial inverse (respectively ).

In [12], it is shown that the existence of certain maps, called decisions, in a restriction category with restriction coproducts leads to the subcategory of total maps being extensive (in the sense of, e.g., [7]). This leads to the definition of an extensive restriction category222The name is admittedly mildly confusing, as an extensive restriction category is not extensive in the usual sense. Nevertheless, we stay with the established terminology.. A restriction category is said to be extensive (as a restriction category) if it has restriction coproducts and a restriction zero, and for each map there is a unique decision satisfying





In the above, denotes the codiagonal . A consequence of these axioms is that each decision is a partial isomorphism; one can show that must be partial inverse to (see [12]). Further, when a restriction category with restriction coproducts has finite joins, it is also extensive with . As an example, is extensive with for given by

While inverse categories only have coproducts (much less restriction coproducts) in very degenerate cases (see [15]

), they may very well be equipped with a more general sum-like symmetric monoidal tensor, a disjointness tensor.

A disjointness tensor on a restriction category is a symmetric monoidal restriction functor satisfying that its unit is the restriction zero, and that the canonical maps

are jointly epic, where respectively is the left respectively right unitor of the monoidal functor .

It can be straightforwardly shown that any restriction coproduct gives rise to a disjointness tensor. A useful interaction between compatible joins and a join-preserving disjointness tensor in inverse categories was shown in [5, 26], namely that it leads to a -trace (in the sense of [24, 31]): Let be an inverse category with (at least countable) compatible joins and a join-preserving disjointness tensor. Then has a trace operator given by

satisfying , where .

4. Extensivity of inverse categories

As discussed earlier, extensivity of restriction categories hinges on the existence of certain partial isomorphisms – decisions – yet their axiomatization relies on the presence of a map that is not a partial isomorphism, the codiagonal.

In this section, we tweak the axiomatization of extensivity of restriction categories to one that is equivalent, but additionally transports more easily to inverse categories. We then give a definition of extensitivity for inverse categories, from which it follows that is an extensive inverse category when is an extensive restriction category.

Recall that decisions satisfy the following two axioms:




As mentioned previously, an immediate problem with this is the reliance on the codiagonal. However, intuitively, what (D.1) states is simply that the decision cannot do anything besides to tag its inputs appropriately. Using a disjoint join, we reformulate this axiom to the following:


Note that this axiom also subtly states that disjoint joins of the given form always exist.

Say that a restriction category is pre-extensive if it has restriction coproducts, a restriction zero, and a combinator mapping each map to a pre-decision (with no additional requirements). We can then show the following:

Let be a pre-extensive restriction category. The following are equivalent:

  1. [(i), ref=]

  2. is an extensive restriction category.

  3. Every pre-decision of satisfies (D.1) and (D.2).

  4. Every pre-decision of satisfies (D’.1) and (D.2).

To show this theorem, we will need the following lemma:

In an extensive restriction category, joins of the form exist for all maps and and are equal to .


By [9], for any map in an extensive restriction category, . But then . ∎

We can now continue with the proof.


The equivalence between (1) and (2) was given in [12]. That (2) and (3) are equivalent follows by

where we note that the join exists and equals when every pre-decision satisfies (D.1) and (D.2) by Lemma 4. That the join also exists when every pre-decision satisfies (D’.1) and (D.2) follows as well, since the universal mapping property for coproducts guarantees that the only map satisfying is itself, so we must have , and

which was what we wanted. ∎

Another subtle consequence of our amended first rule is that is its own restriction idempotent (and likewise for ) since , as the maps below identity are precisely the restriction idempotents.

Our next snag in transporting this definition to inverse categories has to do with the restriction coproducts themselves, as it is observed in [15] that any inverse category with restriction coproducts is a preorder. Intuitively, the problem is not that unicity of coproduct maps cannot be guaranteed in non-preorder inverse categories, but rather that the coproduct map in a restriction category is not guaranteed to be a partial isomorphism when and are.

For this reason, we will consider the more general disjointness tensor for sum-like constructions rather than full-on restriction coproducts, as inverse categories may very well have a disjointness tensor without it leading to immediate degeneracy. Notably, has a disjointness tensor, constructed on objects as the disjoint union of sets (precisely as the restriction coproduct in , but without the requirement of a universal mapping property). This leads us to the following definition:

An inverse category with a disjointness tensor is said to be extensive when each map has a unique decision satisfying




As an example, is an extensive inverse category with the unique decision for a partial injection given by

Aside from a shift from coproduct injections to the quasi-injections of the disjointness tensor, a subtle change here is the notion of join. That is, for restriction categories with disjoint joins, any pair of maps with has a join – but for inverse categories, we additionally require that their inverses are disjoint as well, i.e., that , for the join to exist. In this case, however, there is no difference between the two. As previously discussed, a direct consequence of this axiom is that each must be its own restriction idempotent. Since restriction idempotents are self-adjoint (i.e., satisfy ), they are disjoint iff their inverses are disjoint.

Since restriction coproducts give rise to a disjointness tensor, we may straightforwardly show the following theorem.

When is an extensive restriction category, is an extensive inverse category.

Further, constructing the decision as (i.e., mirroring the construction of decisions in restriction categories with disjoint joins), we may show the following.

Let be an inverse category with a disjointness tensor, a restriction zero, and finite disjoint joins which are further preserved by the disjointness tensor. Then is extensive as an inverse category.

Before we proceed, we show two small lemmas regarding decisions and the (join preserving) disjointness tensor (for the latter, see also [15]). In any inverse category with a disjointness tensor, it is the case that

  1. [(i), ref=]

  2. ,

  3. and ,

  4. if and otherwise.


For (1), adding subscripts on identities and zero maps for clarity,

and analogously for . For (2),

and again, the proof for is analogous. To show (3) when

and similarly for (noting that follows by the universal mapping property of the zero object ). For , we proceed with the case where and , yielding

where follows by the fact that factors through (by the universal mapping property of ) and the fact that (since serves as unit for ), so factors through as well. The case where and is entirely analogous. ∎

In any extensive inverse category, it is the case that

  1. [(i), ref=]

  2. ,

  3. ,

  4. , and

  5. .


To show (1), we have by definition of the join that , where the equality follows precisely by the first axiom of decisions. Since by (since by Lemma 3), it follows by transitivity of (since it is a partial order) that . But since iff , it follows from that .

For (2), using Lemma 4 we start by noting that

and similarly

and since , we have

Using this, we may prove (3) (and later (4)) as follows:

where follows by (1). Using these again, we show (4) by

which was what we wanted. ∎

5. Modelling structured reversible flowcharts

In the following, let be an inverse category with (at least countable) compatible joins and a join-preserving disjointness tensor. As disjoint joins are compatible, it follows that is an extensive inverse category with a (uniform) -trace operator.

In this section, we will show how this framework can be used model reversible structured flowchart languages. First, we will show how decisions in extensive inverse categories can be used to model predicates, and then how this representation extends to give very natural semantics to reversible flowcharts corresponding to conditionals and loops.

5.1. Predicates as decisions

In suitably equipped categories, one naturally considers predicates on an object as given by maps . In inverse categories, however, the mere idea of a predicate as a map of the form is problematic, as only very degenerate maps of this form are partial isomorphisms. In the following, we show how decisions give rise to an unconventional yet ultimately useful representation of predicates. To our knowledge this representation is novel, motivated here by the necessity to model predicates in a reversible fashion, as decisions are always partial isomorphisms.

The simplest useful predicates are the predicates that are always true (respectively always false). By convention, we represent these by the left (respectively right) injection (which are both their own decisions),

Semantically, we may think of decisions as a separation of an object into witnesses and counterexamples of the predicate it represents. In a certain sense, the axioms of decisions say that there is nothing more to a decision than how it behaves when postcomposed with or . As such, given the convention above, we think of as the witnesses of the predicate represented by the decision , and as its counterexamples.

With this in mind, we turn to boolean combinators. The negation of a predicate-as-a-decision must simply swap witnesses for counterexamples (and vice versa). In other words, we obtain the negation of a decision by postcomposing with the commutator of the disjointness tensor,

With this, it is straightforward to verify that, e.g., , as

For conjunction, we exploit that our category has (specifically) finite disjoint joins, and define the conjunction of predicates-as-decisions and by

The intuition behind this definition is that the witnesses of a conjunction of predicates is given by the meet of the witnesses of the each predicate, while the counterexamples of a conjunction of predicates is the join of the counterexamples of each predicate. Note that this is then precomposed with to ensure that the result is only defined where both and are; this gives

Noting that the meet of two restriction idempotents is given by their composition, this is precisely what this definition states. Similarly we define the disjunction of and by

as then has as witnesses the join of the witnesses of and , and as counterexamples the meet of the counterexamples of and . With these definitions, it can be shown that, e.g., the De Morgan laws are satisfied. However, since we can thus construct this from conjunctions and negations, we will leave disjunctions as syntactic sugar.

That all of these are indeed decisions can be shown straightforwardly, as summarized in the following closure theorem.

Decisions in are closed under Boolean negation, conjunction, and disjunction.

5.2. Reversible structured flowcharts, categorically

To give a categorical account of structured reversible flowchart languages, we assume the existence of a suitable distinguished object of stores, which we think of as the domain of computation, such that we may give denotations to structured reversible flowcharts as morphisms .

Since atomic steps (corresponding to elementary operations, e.g., store updates) may vary from language to language, we assume that each such atomic step in our language has a denotation as a morphism . In the realm of reversible flowcharts, these atomic steps are required to be partial injective functions; here, we abstract this to require that their denotation is a partial isomorphism (though this is a trivial requirement in inverse categories).

Likewise, elementary predicates (e.g., comparison of values in a store) may vary from language to language, so we assume that such elementary predicates have denotations as well as decisions . If necessary (as is the case for Janus [40]), we may then close these elementary predicates under boolean combinations as discussed in the previous section.

To start, we note how sequencing of flowcharts may be modelled trivially by means of composition, i.e.,

or, using the diagrammatic notation of flowcharts and the string diagrams for monoidal categories in the style of [31] (read left-to-right and bottom-to-top),

Intuitively, a decision separates an object into witnesses (in the first component) and counterexamples (in the second). As such, the partial inverse to a decision must be defined only on witnesses in the first component, and only on counterexamples in the second. But then, where decisions model predicates, codecisions (i.e