CS 641 Lecture -*- Outline -*- * Relational Assignment (9.4) We extend the assignment notation to specify relational updates to states, i.e., a relation between old and new states. ------------------------------------------ RELATIONAL ASSIGNMENT (9.4) Definition: let x: S -> G be an attribute, let x':G be a fresh variable, and let b.x': S -> Bool be a Boolean expression. Then the relational assignment, (x := x' | b.x'), is defined as ^ (x := x' | b.x').s = {s' | (\exists x' :: s' == set.x.x'.s /\ b.x'.s)} Lemma. (alpha conversion) Suppose x' and z do not occur free in Phi and z is free for x' in b.x'. Then Phi |- (x := x' | b.x') == (x := z | (b.x')[x' := z]) ------------------------------------------ i.e., (x := x' | b.x') == (x := z | b.z) Note that x' is bound, and this is a binding form (like lambda). Notation: I'm showing the bound (logical) variable x' explicitly where it occurs, to indicate that it may appear free in b.x'. I don't show the attribute x, since it's not subject to the same scoping problems, and it's not a logical variable. However, x can of course occur in b.x' (where it means val.x). Examples: (x := x' | x' > x + 1) In Morgan's notation, this is x:[x == oldx, x > oldx + 1] In Hehner's notation, this is x' > x + 1. You don't have to use the primed variable, although that's conventional... (q,r := q',r' | q*x + r == y /\ r >= 0) ------------------------------------------ Lemma 9.3: (x := x' | b.x').s.s' <==> (\exists x' :: s' == set.x'.x'.s /\ b.x'.s) ------------------------------------------ The lemma is more convenient to work with in proofs because it's at the level of the vruth values. Q: How would you prove this lemma? just expand the definitions Q: how should a multiple relational assignment be defined? Q: how would you extend lemma 9.3 for multiple relational assignments? Lemma 9.3 (alternative definition for multiple relational assignments) Let x1,...,xn be distinct attributes. Then (x1,...,xn := x1',...,xn' | b.x1'.....xn').s.s' <==> (\exists x1' ... xn' :: s' == (set.x1.x1'; ...; set.xn.xn').s /\ b.x1'.....xn'.s) ** Basic Properties To make proofs easier, it's more convenient to have the properties of relational assignments stated in terms of assignment statements... ------------------------------------------ Theorem 9.4: assume that x is a list of program variables, and that b and c are Boolean expressions. Then (a) var x |- (x := x' | F) == False (b) var x |- (x := x' | b.x' /\ c.x') == (x := x' | b.x') \intersect (x := x' | c.x') (c) var x |- (x := x' | b.x' \/ c.x') == (x := x' | b.x') \union (x := x' | c.x') (d) var x |- (x := x' | b.x') \subseteq (x := x' | c.x') <==> (\forall x' :: b.x' \subseteq c.x') ------------------------------------------ the proof of case (d) is given on page 157 case (a) is a homework problem Proof of Theorem 9.4(b) (thanks to Curt Clifton): By extensionality it suffices to prove the following. var x |- ((x := x' | b.x') \intersect (x := x' | c.x')).s.g <==> { definition of \intersect for relations, predicates } "(x := x' | b.x').s.g" /\ "(x := x' | c.x').s.g" <==> { lemma 9.3, twice } (\exists x' :: g == set.x.x'.s /\ b.x'.s) /\ "(\exists x' :: g == set.x.x'.s /\ c.x'.s)" <==> { alpha conversion } (\exists x' :: g == set.x.x'.s /\ b.x'.s) /\ (\exists z :: g == set.x.z.s /\ c.z.s) <==> { predicate calculus (/\ distributes over \exists, twice) } (\exists x' (\exists z :: "g == set.x.x'.s /\ g == set.x.z.s" /\ b.x'.s /\ c.z.s) <==> { lemma (g == set.x.x'.s /\ g == set.x.z.s) <==> x' == z /\ g == set.x.x'.s /\ g == set.x.z.s } (\exists x' :: (\exists z :: x' == z /\ g == set.x.x'.s /\ g == set.x.z.s /\ b.x'.s /\ c.z.s) <==> { one-point rule } (\exists x' :: "g == set.x.x'.s /\ g == set.x.x'.s" /\ b.x'.s /\ c.x'.s) <==> { /\ is idempotent } (\exists x' :: g == set.x.x'.s /\ b.x'.s /\ c.x'.s) <==> { lemma 9.3 } (x := x' | b.x' /\ c.x').s.g QED Lemma. g == set.x.x'.s /\ g == set.x.z.s <==> x' == z /\ g == set.x.x'.s /\ g == set.x.z.s |- x' == z /\ g == set.x.x'.s /\ g == set.x.z.s <==> { ==> antisymmetric } * x' == z /\ g == set.x.x'.s /\ g == set.x.z.s ==> { /\ elimination } g == set.x.x'.s /\ g == set.x.z.s * g == set.x.x'.s /\ g == set.x.z.s <==> { predicate calculus (T /\ rule, == is reflexive) } "z" == z /\ g == set.x.x'.s /\ g == set.x.z.s ==> { substituting equals for equals } * z == z /\ g == set.x.x'.s /\ g == set.x.z.s ==> { /\ elimination } g == set.x.x'.s /\ g == set.x.z.s ==> { lemma below } x' == z . x' == z /\ g == set.x.x'.s /\ g == set.x.z.s . g == set.x.x'.s /\ g == set.x.z.s QED Lemma var x |- set.x.y.s == set.x.z.s ==> y == z. Proof: var x |- set.x.y.s == set.x.z.s ==> { operand congruence } val.x.(set.x.y.s) == val.x.(set.x.z.s) <==> { variable property (a) } y == z QED ------------------------------------------ ARBITRARY MEETS AND JOINS Lemma var x |- (x := x' | (\forall i \in I :: b.i.x')) == (\intersect i \in I :: (x := x' | b.i.x')) Lemma var x |- (x := x' | (\exists i \in I :: b.i.x')) == (\union i \in I :: (x := x' | b.i.x')) ------------------------------------------ to work with assignments with different variables, use the following... ------------------------------------------ Lemma 9.5: assume that x and y are lists of program variables, and that b.x' is a Boolean expression in which y' does not occur free. Then var x, y |- (x := x' | b.x') == (x,y := x',y' | b.x' /\ y' == y) ------------------------------------------ Q: how would you prove this? Proof: By extensionality, it suffices to prove the following. Assume that y' does not occur free in b.x'. var x, y |- (x,y := x',y' | b.x' /\ y' == y).s.s' == { alternative definition for multiple relational assignments } (\exists x' y' :: s' == "(set.x.x'; set y.y').s" /\ "(b.x' /\ y' == y).s") == { definition of forward composition, pointwise extension } (\exists x' y' :: s' == set y.y'.(set.x.x'.s) /\ b.x'.s /\ y' == y.s) == { notation } (\exists x' :: (\exists y' :: s' == set y.y'.(set.x.x'.s) /\ b.x'.s /\ y' == y.s)) == { one-point rule, y' does not occur free in b.x' } (\exists x' :: s' == "set y.(y.s).(set.x.x'.s)" /\ b.x'.s) == { state attribute property (e) } (\exists x' :: s' == set.x.x'.s /\ b.x'.s) == { lemma 9.3 } (x := x' | b.x').s.s' QED we also have the following monoid properties ------------------------------------------ Theorem 9.6: assume that x is a list of attributes. Then (a) var x |- (x := x' | x' == x) == Id (b) var x |- (x := x'' | b.x''); (x:= x' | c.x') == (x := x' | (\exists x'' :: b.x'' /\ (c.x')[x := x''])) ------------------------------------------ Q: why is the "Id" capitalized in part (a)? because we're not defining state transformers, but relations the statement of part (b) in the book uses x' as the bound variable in both relational assignments. But this is equivalent. Q: What is (c,d := c',d' | d' > 7); (c,d := c',d' | d' == d /\ c' > 0)? (c,d := c',d' | d' > 7); (c,d := c',d' | d' == d /\ c' > 0)? == { alpha } (c,d := e,f | f > 7); (c,d := c',d' | d' == d /\ c' > 0) == { Theorem 9.6(b) } (c,d := c',d' | (\exists e f :: f > 7 /\ d' == f /\ c' > 0)) == { drop vacuous quantifier } (c,d := c',d' | (\exists f :: f > 7 /\ d' == f /\ c' > 0)) == { one-point rule } (c,d := c',d' | d' > 7 /\ c' > 0)) ------------------------------------------ Theorem 9.7: Assume x is a list of program variables, e is an expression, and b and c.x' are Boolean expressions. Furthermore, assume that x' does not occur free in b or e. Then (a) var x |- |b| == (x := x' | b /\ x == x') (b) var x |- |x := e| == (x := x' | x' == e) (c) var x |- dom.(x := x' | c.x') == (\exists x' :: c.x') ------------------------------------------ ** Derived Properties of Relational Assignments ------------------------------------------ INDEPENDENT RELATIONAL ASSIGNMENT Corollary 9.8: assume that x and y are disjoint lists of attributes. (a) If y' does not occur free in b.x', and x' does not occur free in c.y', then var x, y |- (x := x' | b.x'); (y := y' | c.y') == (x,y := x',y' | b.x' /\ c.y'[x := x']) (b) If x and x' do not occur free in c.y', and if y and y' do not occur free in b.x', then var x, y |- (x := x' | b.x'); (y := y' | c.y') == (y := y' | c.y'); (x := x' | b.x') ------------------------------------------ Q: how do these follow from Theorem 9.6? use theorem 9.6(b), expand... ------------------------------------------ ADDING LEADING AND TRAIL AND ASSIGNMENTS Corollary 9.9: (a) If x' and y' are not free in e, then var x, y |- (x, y := x', y' | b.x'.y'[x := e]) == |x := e|; (x, y := x', y' | b.x'.y') (b) If x' is not free in b.y', and if y is not free in e, then var x, y |- (x, y := x', y' | b.y' /\ x' == e) == (y := y' | b.y'); |x := e[y' := y]| ------------------------------------------ Q: What do these mean? *** dividing a problem into subproblems we can use theorem 9.6b, sequential composition to live larger problems into smaller ones example: (x, y := x', y' | x' == min.q.r /\ y' == max.q.r) == (x := x' | x' == min.q.r); (y := y' | y' == max.q.r)