CS 641 Lecture -*- Outline -*-

* Using Relations To Reason About Programs

** Relations As Programs (9.5)

relations allow better modeling of programs than just functional
assignment, because they allow for:
- partiality, e.g., division can be modeled as a partial relation
- nontermination, can be modeled as undefinedness
- nondeterminism, a relation may "return" several values/states

however, this doesn't permit us to directly distinguish angelic and
demonic nondeterminism, and to mix the two

------------------------------------------
RELATIONS AS PROGRAMS (9.5)

Relations can model
 - partiality, for R: S <-> G, when dom.R != S
 - nontermination
 - nondeterminism, when R.s has more than one element

Conditional state relation:
  ^
  if p then Q else R = |p|;Q \union |!p|;R

Guarded relations:
  |p1|;R1 \union ... \union |pn|;Rn

Reflexive transitive closure:
  ^
  R* = (\union i : i >= 0 : R^{i}),
    where R^{0} == Id, R^{i+1} == R;R^{i}, for i >= 0

Iterated relation:
  ^
  while p do R od = (|p|;R)*; |!p|
------------------------------------------

Q: Do conditional state relations preserve determinism?

   yes, see Exercise 9.4.

Q: What happens if the guards in a guarded relation are not mutually
   exclusive?

Q: When does (while p do R od).s.s' hold?

   when there's a sequence of states s==s_0, s_1, ..., s_n==s',
   such that p.s_0 /\ R.s_0.s_1 /\ ... /\ p.s_{n-1} /\ R.s_{n-1}.s_n
   /\ !p.s_n

Q: What is (while true do |x := x+1| od).s ?

   the empty set of states

------------------------------------------
LANGUAGE OF STATE RELATIONS

Nondeterministic language (specifications)

  S ::= Id | |b| | (x := x' | b) | S1 ; S2 | S1 \union S2 | S*

  where b is an expression, x is a list of state attributes

Deterministic language (programs)

  P ::= Id | |b| | |x := e| | P1 ; P2 | if b then P1 else P2 fi
      | while b do P od

  where b is an expression, x is a list of state attributes
------------------------------------------

Q: Is the specification language deterministic?

Q: Is the programming language deterministic? Total?
Q: How would you define blocks for relations?

   see exercise 9.12

** Correctness and Refinement (9.6)

Now we go back to the setting of chapter 1, where we're modeling the
behavior of agents whose interaction is bound by contracts.

*** angelic choices

Remember that angelic choices correspond to an implementation's (our
agent's) choices...

------------------------------------------
CORRECTNESS AND REFINEMENT (9.6)

ANGELIC CHOICES

Suppose only our agent can make choices:

  R1 \union R2 means

  s {| R |} q iff

  p {| R |} q iff

  Def: R is angelically correct wrt p and q iff
------------------------------------------
   ... R1 \join R2
   ... (\exists s' :: R.s.s' /\ q.s')
   ... (\forall s : p.s : s {| R |} q)
       i.e., (\forall s : p.s : (\exists s' :: R.s.s' /\ q.s'))
   ... p {| R |} q

Q: When does our agent have to breach the contract?

   when there's no such final state that satisfies q.

------------------------------------------
TOTAL CORRECTNESS

Suppose R is deterministic.

What does p {| R |} q mean then?
------------------------------------------
   ... for every initial state that satisfies p, there has to exist a
   final state, reachable via R, that satisfies q

Q: In what sense is this angelic?

   Our agent is supposed to be able to finish its turn, when the
   precondition is satisfied, finding a final state that satisfies q,
   playing according to R.  So a missing final state means that we
   lose because we can't make the right move.

------------------------------------------
ANGELIC REFINEMENT

If our agent is making choices, when is R \refinedby_A R'?
------------------------------------------
   ... when R \subseteq R', because we have more choices, so no fewer
   "winning" moves

Q: If R \refinedby_A R', does s {| R |} q ==> s {| R' |} q ?

   yes, see exercise 9.10

   "it's better to give the angels more choices"

Q: If R \refinedby_A R', is R' at least as defined as R?

   yes

Q: If R \refinedby_A R', is R' at least as deterministic as R?

   no

Q: Is this the right notion of refinement of a specification?
   No, because from the caller's point of view, the nondeterminism is
   not chosen by the caller.

This leads to...

*** demonic choices

------------------------------------------
DEMONIC CHOICES

Suppose only the other agent can make choices:

  R1 \union R2 means

  s {| R |} q iff

  p {| R |} q iff

  Def: R is demonically correct wrt p and q iff
------------------------------------------
   ... R1 \join^o R2 == R1 \meet R2
       because the choices are made by the other agent
   ... (\forall s' :: R.s.s' ==> q.s')
       because in this case every choice the other agent makes (i.e.,
       every possible post-state in R.s) must establish the
       postcondition
   ... (\forall s : p.s : s {| R |} q)
       i.e., (\forall s : p.s : (\forall s' :: R.s.s' ==> q.s'))
   ... p {| R |} q

Q: What happens if there's no final state that satisfies q?

   Then the other agent loses.

   note how this corresponds to a specification.

------------------------------------------
PARTIAL CORRECTNESS

Suppose R is deterministic.

What does p {| R |} q mean then?
------------------------------------------
   ... for every initial state that satisfies p, each final state
   reachable via R must satisfy q.

Q: In what sense is this demonic?

   The other agent is supposed to be able to finish its turn when the
   precondition is satisfied, playing by R, finding a final state that
   satisfies q.  So a missing final state means that the other agent
   loses because it can't make the right move.

------------------------------------------
DEMONIC REFINEMENT

If the other agent is making choices, when is R \refinedby_D R'?
------------------------------------------
   ... when R \superseteq R', because the other agent has no more
   "winning" moves

Q: If R \refinedby_D R', does s {| R |} q ==> s {| R' |} q ?

   no, get s {| R |} q <== s {| R' |} q ?

   "don't give more choices to demons"

Q: If R \refinedby_D R', is R' at least as defined as R?

   no

Q: If R \refinedby_D R', is R' at least as deterministic as R?
   yes

*** Relations As Specifications

Q: Which is the right notion of refinement of a specification?

   Demonic nondeterminism, because from the caller's point of view,
   the nondeterminism is not chosen by the caller.

------------------------------------------
REFINEMENT OF SPECIFICATIONS

  (x := y | -e < x - y*y < e)

  \refinedby_D

  if x >= 0 and e > 0 then (x := y | -e < x - y*y < e) else True fi

  \refinedby_D

  if x >= 0 and e > 0 then (x := y | -e < x - y*y < e) else Id fi
------------------------------------------
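The angelic and demonic readings of s {| R |} q and the two refinement orders from the ANGELIC CHOICES, ANGELIC REFINEMENT, DEMONIC CHOICES and DEMONIC REFINEMENT slides above, as an added check that is my own code and not the lecture's or the textbook's: over a constructed three-element state space every relation can be enumerated, so the slides' answers about definedness and determinism under \refinedby_A and \refinedby_D, and the transfer of angelic correctness along \refinedby_A, are checked exhaustively rather than argued; the "don't give more choices to demons" slogan and the total-versus-partial-correctness contrast are shown on one concrete relation. Pre- and postconditions are modeled as sets of states; the names PARTIAL, Q1, EVERYWHERE, counterexample and preserves_correctness are my own.

```python
"""Angelic vs. demonic correctness and refinement, checked exhaustively (added illustration)."""
from functools import lru_cache
from itertools import combinations, product
from typing import Callable, FrozenSet, Optional, Tuple

State = int
Rel = FrozenSet[Tuple[State, State]]      # R: S <-> S as a set of (s, s') pairs
Cond = FrozenSet[State]                   # a pre- or postcondition as the set of states where it holds
Reading = Callable[[State, Rel, Cond], bool]

STATES: Tuple[State, ...] = (0, 1, 2)     # constructed finite state space
ALL_PAIRS = tuple(product(STATES, repeat=2))
ALL_RELS: Tuple[Rel, ...] = tuple(        # every relation on STATES: 2^9 = 512 of them
    frozenset(c) for k in range(len(ALL_PAIRS) + 1) for c in combinations(ALL_PAIRS, k))
ALL_CONDS: Tuple[Cond, ...] = tuple(      # every postcondition: 2^3 = 8 of them
    frozenset(c) for k in range(len(STATES) + 1) for c in combinations(STATES, k))

@lru_cache(maxsize=None)
def image(R: Rel, s: State) -> FrozenSet[State]:
    """R.s, the final states the relation allows from s."""
    return frozenset(t for (u, t) in R if u == s)

def angelic(s: State, R: Rel, q: Cond) -> bool:
    """s {| R |} q, angelic reading: our agent picks s', so one good choice suffices."""
    return any(t in q for t in image(R, s))

def demonic(s: State, R: Rel, q: Cond) -> bool:
    """s {| R |} q, demonic reading: the other agent picks s', so every choice must land in q."""
    return all(t in q for t in image(R, s))

def hoare(p: Cond, R: Rel, q: Cond, reading: Reading) -> bool:
    """p {| R |} q under the chosen reading: correctness from every initial state in p."""
    return all(reading(s, R, q) for s in STATES if s in p)

def refines_A(R: Rel, R2: Rel) -> bool:
    """R \\refinedby_A R': more choices for the angel, i.e. R \\subseteq R'."""
    return R <= R2

def refines_D(R: Rel, R2: Rel) -> bool:
    """R \\refinedby_D R': fewer choices for the demon, i.e. R \\superseteq R'."""
    return R >= R2

def at_least_as_defined(R: Rel, R2: Rel) -> bool:
    """R' is defined wherever R is (dom.R \\subseteq dom.R')."""
    return all(image(R2, s) for s in STATES if image(R, s))

def at_least_as_deterministic(R: Rel, R2: Rel) -> bool:
    """R' has at most one successor wherever R has at most one."""
    return all(len(image(R2, s)) <= 1 for s in STATES if len(image(R, s)) <= 1)

def preserves_correctness(reading: Reading) -> Callable[[Rel, Rel], bool]:
    """Property: s {| R |} q ==> s {| R' |} q for every s and q, under the given reading."""
    return lambda R, R2: all(not reading(s, R, q) or reading(s, R2, q)
                             for s in STATES for q in ALL_CONDS)

def counterexample(refines, prop) -> Optional[Tuple[Rel, Rel]]:
    """First pair (R, R') with R refined by R' where prop fails, or None if prop always holds."""
    for R in ALL_RELS:
        for R2 in ALL_RELS:
            if refines(R, R2) and not prop(R, R2):
                return (R, R2)
    return None

# Constructed example: deterministic but partial, defined only at state 0.
PARTIAL: Rel = frozenset({(0, 1)})
Q1: Cond = frozenset({1})
EVERYWHERE: Cond = frozenset(STATES)

def total_vs_partial_correctness() -> Tuple[bool, bool]:
    """(angelic, demonic) verdicts for true {| PARTIAL |} (s = 1): the missing final states at 1
    and 2 make our agent breach the contract, but make the other agent lose."""
    return (hoare(EVERYWHERE, PARTIAL, Q1, angelic), hoare(EVERYWHERE, PARTIAL, Q1, demonic))

def more_choices_for_the_demon() -> Tuple[bool, bool]:
    """Adding (0, 2) is an angelic refinement of PARTIAL; 0 {| R |} Q1 survives in the angelic
    reading and breaks in the demonic one."""
    R2 = PARTIAL | {(0, 2)}
    assert refines_A(PARTIAL, R2)
    return (angelic(0, R2, Q1), demonic(0, R2, Q1))

if __name__ == "__main__":
    print("total vs partial:", total_vs_partial_correctness())
    print("more demon choices:", more_choices_for_the_demon())
    print("A: correctness transfers:", counterexample(refines_A, preserves_correctness(angelic)))
    print("A: at least as defined:", counterexample(refines_A, at_least_as_defined))
    print("A: at least as deterministic:", counterexample(refines_A, at_least_as_deterministic))
    print("D: at least as defined:", counterexample(refines_D, at_least_as_defined))
    print("D: at least as deterministic:", counterexample(refines_D, at_least_as_deterministic))
```

A printed None means the property held for all 3^9 refinement pairs in the space; a printed pair is a witness that it does not, which is how the two "no" answers on the refinement slides are confirmed.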