1

Part 7.Phantoms: Legal States That Cannot Be Constructed

2

Are There Legal States That Can’t Be Built?

State s is a phantom state (or phantom architecture) if

It is legal (it satisfies the SoP rules) BUTIt cannot be constructed, starting with just a bare containment tree, and repeatedly using rules (productions) to add dependency edges

A ruleset that allows phantoms is called phantomicDo phantoms exist?

3

Example: Step-Wise Construction of a State

Example ruleset:T S P o T P o T o C T o CRuleset has 4 productions: 1) T (S)2) T (P T)3) T (P T C)4) T (T C)

(1) T (S) (4) T (T C) (2) T (P T)

This example ruleset allows no phantoms. Note: Phantoms cannot be constructed in a step-wise manner.

Start with tree, successively add edges allowed by productions

Step 1 Step 2 Step 3

4

Example Phantom #1: The “Cyclic

Export” Ruleset & An “Identic” Phantom

Consider this rule: E C E o ERule means:

An E edge can follow a child C edge, orAn E edge can follow two E edges

EC

OK

root

x y

z

root

x y

z

Phantom

y E y = y E o E yThus, the state is legal. State has only loop (ID) edges. It is an “identic” state.

Phantom doesn’t use the “C” right-hand side

5

Example Phantom #2Non-Identic Phantom

Consider this rule:R R o P R o C

Rule means:An R edge can follow an R then a P edge, orAn R edge can follow an R then a C edge

w R x = w R o P xw R y = w R o C ySo, this is legal

C P

R

Ry

x

w

The R edges are not ID self loops (not identities)Maybe show multi-recursive phantom??

6

Some Simple Permission Rules

Three simple rulesets: 1. R All where All means every

edgeEvery state is legal and constructive.

2. R REvery state is legal and they are all phantoms

except .

3. R All RAll states are constructive. However, if we delete

production (R All) while keeping (R R), there are phantoms.

7

A Multi-Recursive Ruleset with Phantoms

Ruleset:

R R o P o R

PR

x

y

This state is a phantom. Follow R then P then R to compute R. So R is legal. But R cannot be constructed from the empty state.

Multi-recursive because R depends on itself more than once.

8

Why Are Most “Serious” Example SoP Rules Constructive?

Is there a hidden assumption that causes them to be constructive?

Is there an algorithm to check SoP rules for constructivity? No, it is an open question whether such an algorithm exists. But with appropriate restrictions, such an algorithm exists.

9

Part 8.Abstract Permission Systems (APT)

10

Abstracting Away From the Graph Basis of SoP

Some properties of SoP rulesets have little to do with the underlying structure of the state graph.To confirm this, we will now take an abstract approach, which ignores the graph structure. Any SoP ruleset, with a corresponding tree, can be projected to this abstract form.Essence of this abstraction is:

Legality simply means prefixpoint of given function fSo, legality properties become properties of pfp’sStates are not necessarily graphs

11

Fixed Points: Terminology

When x = f(x)We say x is a fixpoint (fp) or a fixed point of function f

When x f(x)We say x is a prefixpoint (pfp) or a pre fixed point of function f

Some authors alternately use the term postfixpoint (post fixed point) instead of prefixpoint

12

Basis for Abstract Permission Theory

Fundamental conceptsE Finite set of elements

(Abstraction of set of triples)f : 2E 2E Permission function

(Maps states to states)Derived concepts

Lf (s) =def s f(s) Legality of state s as prefixpoint

Q =def 2E State space (abstraction of subset of triples)

States s, t, … Q Abstraction of graphs (states)s t Operator on states =def { } Empty state, contains no triples

Monotonicity not yet assumed

13

Aside: Alternate Terminology

We could use the term “well-formed” instead of “legal”, so instead of

Lf(s) or L(s)

we would write WFf(s) or WF(s).

14

How to Map SoP Ruleset R with Tree T to Abstract Form

Def. Element set E consists of every every triple that can be formed with variables v from the ruleset R and with nodes N in tree T.Def. Permission function f is defined in terms of state s and rules set R as follows:

f(s) =def (Based on state s, compute the set of triples specified by sums, i.e., those alled by right hand sides of ruleset R)

15

Piecewise Legality

Def. Element e is legal in state s when it is member of f(s):

Lf(e) =def e f(s)

Lemma. State s is legal iff all its elements are legal:

Lf(s) = e s Lf(e)

Proof. We re-write RHS into LHS: e s Lf(e) = e s e f(s)

= s f(s) = Lf(s) QED

Hence, piecewise legality holds abstractly, independent of graph structure and independent of monotonicity.

16

Def. State t permits state s when s is a least as large as t and s contains only elements permitted by t:

t s =def t s f(t)

3 Legality Definitions

1. Lf (s) = s f (s) Prefixpoint 2. L (s) = t t s t permits s 3. L*(s) = * s Constructive

We will explore the relationship among these 3 kinds of legality. For most, “serious” example SoP rules:

Lf(s) = L(s) = L*(s)

If f is monotonic, t s means you can legally add edges to t to make s

Three Definitions of LegalityMicroSoft PPT Bug Messes Up Format of this Slide??

17

Phantom Architectures

An state (an architecture) is a phantom if it is legal, but cannot be constructed.

Constructive (s) =def * s

Phantom (s) =def Lf(s) & not constructive(s)

where is the empty state.

A ruleset is constructive if all its legal states are constructive (are not phantoms).

18

When f Is Not Monotonic …Example. s = t, f(s) = t, f(t) = s, so f(t) f(s)Function f not monotonic because not true that

s t f(s) f(t)Observe thatLf(t) = false, L(t) = true, L*(t) = true

Lemma. Not true that for all f, Lf(t) = L(t)

Proof. In example, Lf(t) is false, but L(t) is true

Lemma. Not true that for all f, Lf(t) = L*(t)

Proof. In example, Lf(t) is false, but L*(t) is true.

In fact, in this case L*(t) Lf(t) is false.

f(s) = t

f(t) = s =

ff

These results are counter intuitive if you are used to dealing with monotonic systems.

19

Lemma A. If f is monotonic and there exists t such that t s, then s is legal.

Proof. The definition of t s is:t s f(t) Since f is monotonic, it follows that f(t) f(s) Hence,t s f(t) f(s) Hence,s f(s) So by definion of legality,s is legal. QED

Lemma B. If f is monotonic and s is constructive, then s is legal.Proof. If s is constructive, i.e., if

* sthen there exist states s1, s2, … sn such that

s1 s2 … sn s

When s = , s is legal. Otherwise sn s, in which case, by the previous lemma, s is legal. QED

When f is Monotonic …

Since SoP is monotonic, these results apply.

s

t

f(s)

f(t)

20

Theorem. If f is monotonicLf(s) = L(s)

ie (1) s f (s) t t s f(t) and (2) t t s f(t) s f (s)

Proof. (1) Obvious: Let t be s.(2) Proven in previous lemma.(Follows from monotonicity,

and from transitivity of )

When f is Monotonic …

t

s

f(t)

f(s)

21

SoP Rules are Monotonic, So…

Corollary. In SoP systems Lf(s) = L(s)

Proof. True because SoP systems are monotonic

Non-SoP permission rules are not necessarly monotonic

22

Does Ruleset R Avoid Phantoms?

For a particular f or ruleset R, for all s, does Lf(s) = L*(s)?

Is this always true for SoP rulesets?

Phantom architecture problem: Give algorithm to decide if ruleset allows phantoms (regardless of size of ruleset or size of tree)

A “solution” to the phantom architecture problem is given below

23

Assume f is Monotonic

In the rest of this section on Abstract Permission Theory, we shall assume that f is monotonic.

Recall f as defined by any SoP rulesets is monotonic.

24

Tarski-Knaster Theorem

Since f is monotonic, based on as an ordering operator, the Tarski-Knaster Theorem applies:

Theorem. f() is a fixpoint. It is a least fixpoint.

So, if f is repeatedly applied to empty state , eventually we find a fixpoint state s = f(), such that

f(s) = s Because s is a least fixpoint, there is no t, t

s, such that f(t) =t

25

Partitioning by Fixpoints

Observation. Given monotonic f, the prefixpoints (legal states) are partitioned by f(s) , i.e., PARTi =def { s f(s) = fpi}

where fpi is the i-th fixpoint.

So, s and t are in the same partition when

f(s) = f(t)

fp0

st

fp1

PART0 PART1

…etc…

Note: Every prefixpoint s necessarily converges to a fixpoint f(s)

26

Local Minimum and MaximumDef. locmax(s) =def E r s r x and not E t s s tlocmin(s) =def E t s s t and not E r s r s Note that these 3 are equivalent:

E r s r x = E t s s t = pfp(s)Lemma.a) locmax(s) fp(s)b) Each partition contains one local max (its fp).c) Each partition contains one or more local min’s.

MicroSoft Problem: Turn “E” (exists) backwards??

s

r

t

min

s

r

t

max

Proofs are not hard, but not obvious?? Rename as pfpmax and pfpmin??

27

The “Shape” of Partitions

For monotonic f, there are one or more partitions. Each has a single maximum (fixpoint) and one of more minima.

PART0PART1

min minmin

min

fp0 fp1

28

Permission Within a PartitionFor monotonic f, if you follow

permission edges (forward or backwards), you stay in the same partition:

Def. s 0 t =def s t or s -1 tTheorem. If s and t are legal, s

0* t f(s) = f(t) Proof. (1) s t f(s) = f(t)So, s 0* t f(s) = f(t) (2) f(s) = f(t) s * f(s) and

f(t) -1 * t s 0* t

Part (2) of proof should be expanded??

(1a)

f(s) f(t)

(1b)

f(t) f(s)

f2(s)

f(s)

s t

f(t)

f(t)

f(s)

f(t)

s t

f(t) f(s)

f(s)

29

Necessary & Sufficient Condition for PhantomsTheorem. For monotonic f, there are phantoms iff there is

more than one local minimum.Proof. (1) If there is a local minimum s, besides , then s is a

phantom.(2) Suppose there is no local minimum except . Then for

any legal state s , there exists t such that t s and such that t s. So, * s and so s not a phantom.

Collollary. If there is more than one fixpoint, there are phantoms. If there is more than one partition, there are phantoms.

Is proof clear??

30

Do f and R exist that minimally cause phantoms?Lemma. There exists monotonic function f such

that f has exactly one fp and has a phantom.Lemma. There exists monotonic function f

defined by SoP ruleset by R tree T such that f has exactly one fp and has a phantom.

Proof. These two lemmas will be proven by giving an example that satisfies them…

Moral. Even if you know that a ruleset has only one fp, you still don’t know whether it has a phantom.

31

Proving Two Lemmas by Giving an ExampleProof. Proof is by giving tree T and ruleset R that define f which

has 1 fp and 1 phantom. Let T be a trivial tree, consisting of a single node x. Let R be this ruleset:

v1 ID v2, v2 v1 v2

Tree T can have only these 2 triples (both are ID triples):V1 = (x v1 x), V2 = (x v2 x)

Tree T with ruleset R has only these 4 states: = {}, s1 = {V1}, s2 = {V2}, s1,2 = {V1, V2}

State s2 is a phantom.

The only fp is s1,2 .

s1 s2 which is phantom

f

f f

s1,2 which is fp