1
Part 7. Phantoms: Legal States That Cannot Be Constructed
2
Are There Legal States That Can’t Be Built?
State s is a phantom state (or phantom architecture) if
It is legal (it satisfies the SoP rules) BUT
It cannot be constructed, starting with just a bare containment tree, and repeatedly using rules (productions) to add dependency edges
A ruleset that allows phantoms is called phantomic
Do phantoms exist?
3
Example: Step-Wise Construction of a State
Example ruleset: T S P o T P o T o C T o C
Ruleset has 4 productions:
1) T (S)
2) T (P T)
3) T (P T C)
4) T (T C)
(1) T (S) (4) T (T C) (2) T (P T)
This example ruleset allows no phantoms. Note: Phantoms cannot be constructed in a step-wise manner.
Start with tree, successively add edges allowed by productions
Step 1 Step 2 Step 3
4
Example Phantom #1: The “Cyclic Export” Ruleset & An “Identic” Phantom
Consider this rule: E C E o E
Rule means:
An E edge can follow a child C edge, or
An E edge can follow two E edges
[Figure: two trees, each with root and nodes x, y, z and E and C edges; one is labelled OK and the other Phantom]
y E y = y E o E y
Thus, the state is legal. State has only loop (ID) edges. It is an “identic” state.
Phantom doesn’t use the “C” right-hand side
5
Example Phantom #2: Non-Identic Phantom
Consider this rule: R R o P R o C
Rule means:
An R edge can follow an R then a P edge, or
An R edge can follow an R then a C edge
w R x = w R o P x
w R y = w R o C y
So, this is legal
[Figure: nodes w, x, y with C, P and R edges]
The R edges are not ID self loops (not identities)
Maybe show multi-recursive phantom??
6
Some Simple Permission Rules
Three simple rulesets:
1. R All where All means every edge
Every state is legal and constructive.
2. R R
Every state is legal and they are all phantoms except .
3. R All R
All states are constructive. However, if we delete production (R All) while keeping (R R), there are phantoms.
7
A Multi-Recursive Ruleset with Phantoms
Ruleset:
R R o P o R
[Figure: nodes x and y with P and R edges]
This state is a phantom. Follow R then P then R to compute R. So R is legal. But R cannot be constructed from the empty state.
Multi-recursive because R depends on itself more than once.
8
Why Are Most “Serious” Example SoP Rules Constructive?
Is there a hidden assumption that causes them to be constructive?
Is there an algorithm to check SoP rules for constructivity? No, it is an open question whether such an algorithm exists. But with appropriate restrictions, such an algorithm exists.
9
Part 8. Abstract Permission Systems (APT)
10
Abstracting Away From the Graph Basis of SoP
Some properties of SoP rulesets have little to do with the underlying structure of the state graph.
To confirm this, we will now take an abstract approach, which ignores the graph structure. Any SoP ruleset, with a corresponding tree, can be projected to this abstract form.
Essence of this abstraction is:
Legality simply means prefixpoint of given function f
So, legality properties become properties of pfp’s
States are not necessarily graphs
11
Fixed Points: Terminology
When x = f(x)
We say x is a fixpoint (fp) or a fixed point of function f
When x f(x)
We say x is a prefixpoint (pfp) or a pre fixed point of function f
Some authors alternately use the term postfixpoint (post fixed point) instead of prefixpoint
12
Basis for Abstract Permission Theory
Fundamental concepts
E Finite set of elements (Abstraction of set of triples)
f : 2^E 2^E Permission function (Maps states to states)
Derived concepts
Lf (s) =def s f(s) Legality of state s as prefixpoint
Q =def 2^E State space (abstraction of subset of triples)
States s, t, … Q Abstraction of graphs (states)
s t Operator on states
=def { } Empty state, contains no triples
Monotonicity not yet assumed
13
Aside: Alternate Terminology
We could use the term “well-formed” instead of “legal”, so instead of
Lf(s) or L(s)
we would write WFf(s) or WF(s).
14
How to Map SoP Ruleset R with Tree T to Abstract Form
Def. Element set E consists of every triple that can be formed with variables v from the ruleset R and with nodes N in tree T.
Def. Permission function f is defined in terms of state s and ruleset R as follows:
f(s) =def (Based on state s, compute the set of triples specified by sums, i.e., those allowed by right-hand sides of ruleset R)
15
Piecewise Legality
Def. Element e is legal in state s when it is member of f(s):
Lf(e) =def e f(s)
Lemma. State s is legal iff all its elements are legal:
Lf(s) = e s Lf(e)
Proof. We re-write RHS into LHS: e s Lf(e) = e s e f(s)
= s f(s) = Lf(s) QED
Hence, piecewise legality holds abstractly, independent of graph structure and independent of monotonicity.
16
Def. State t permits state s when s is at least as large as t and s contains only elements permitted by t:
t s =def t s f(t)
3 Legality Definitions
1. Lf (s) = s f (s) Prefixpoint
2. L (s) = t t s t permits s
3. L*(s) = * s Constructive
We will explore the relationship among these 3 kinds of legality. For most “serious” example SoP rules:
Lf(s) = L(s) = L*(s)
If f is monotonic, t s means you can legally add edges to t to make s
Three Definitions of Legality
MicroSoft PPT Bug Messes Up Format of this Slide??
17
Phantom Architectures
A state (an architecture) is a phantom if it is legal, but cannot be constructed.
Constructive (s) =def * s
Phantom (s) =def Lf(s) & not constructive(s)
where is the empty state.
A ruleset is constructive if all its legal states are constructive (are not phantoms).
18
When f Is Not Monotonic …
Example. s = t, f(s) = t, f(t) = s, so f(t) f(s)
Function f not monotonic because not true that
s t f(s) f(t)
Observe that
Lf(t) = false, L(t) = true, L*(t) = true
Lemma. Not true that for all f, Lf(t) = L(t)
Proof. In example, Lf(t) is false, but L(t) is true
Lemma. Not true that for all f, Lf(t) = L*(t)
Proof. In example, Lf(t) is false, but L*(t) is true.
In fact, in this case L*(t) Lf(t) is false.
[Figure: states s and t joined by arrows labelled f, with f(s) = t and f(t) = s]
These results are counterintuitive if you are used to dealing with monotonic systems.
19
Lemma A. If f is monotonic and there exists t such that t s, then s is legal.
Proof. The definition of t s is:
t s f(t)
Since f is monotonic, it follows that
f(t) f(s)
Hence,
t s f(t) f(s)
Hence,
s f(s)
So by definition of legality, s is legal. QED
Lemma B. If f is monotonic and s is constructive, then s is legal.
Proof. If s is constructive, i.e., if
* s
then there exist states s1, s2, … sn such that
s1 s2 … sn s
When s = , s is legal. Otherwise sn s, in which case, by the previous lemma, s is legal. QED
When f is Monotonic …
Since SoP is monotonic, these results apply.
[Figure: states s and t with f(s) and f(t)]
20
Theorem. If f is monotonic
Lf(s) = L(s)
i.e.,
(1) s f (s) t t s f(t) and
(2) t t s f(t) s f (s)
Proof. (1) Obvious: Let t be s.
(2) Proven in previous lemma. (Follows from monotonicity, and from transitivity of )
When f is Monotonic …
[Figure: states t and s with f(t) and f(s)]
21
SoP Rules are Monotonic, So…
Corollary. In SoP systems Lf(s) = L(s)
Proof. True because SoP systems are monotonic
Non-SoP permission rules are not necessarily monotonic
22
Does Ruleset R Avoid Phantoms?
For a particular f or ruleset R, for all s, does Lf(s) = L*(s)?
Is this always true for SoP rulesets?
Phantom architecture problem: Give algorithm to decide if ruleset allows phantoms (regardless of size of ruleset or size of tree)
A “solution” to the phantom architecture problem is given below
23
Assume f is Monotonic
In the rest of this section on Abstract Permission Theory, we shall assume that f is monotonic.
Recall f as defined by any SoP rulesets is monotonic.
24
Tarski-Knaster Theorem
Since f is monotonic, based on as an ordering operator, the Tarski-Knaster Theorem applies:
Theorem. f() is a fixpoint. It is a least fixpoint.
So, if f is repeatedly applied to empty state , eventually we find a fixpoint state s = f(), such that
f(s) = s
Because s is a least fixpoint, there is no t, t s, such that f(t) = t
25
Partitioning by Fixpoints
Observation. Given monotonic f, the prefixpoints (legal states) are partitioned by f(s) , i.e., PARTi =def { s f(s) = fpi}
where fpi is the i-th fixpoint.
So, s and t are in the same partition when
f(s) = f(t)
[Figure: partitions PART0 and PART1 with fixpoints fp0 and fp1 and states s and t … etc …]
Note: Every prefixpoint s necessarily converges to a fixpoint f(s)
26
Local Minimum and Maximum
Def. locmax(s) =def E r s r x and not E t s s t
locmin(s) =def E t s s t and not E r s r s
Note that these 3 are equivalent:
E r s r x = E t s s t = pfp(s)
Lemma.
a) locmax(s) fp(s)
b) Each partition contains one local max (its fp).
c) Each partition contains one or more local min’s.
MicroSoft Problem: Turn “E” (exists) backwards??
[Figure: two diagrams of states r, s, t, one labelled min and the other max]
Proofs are not hard, but not obvious?? Rename as pfpmax and pfpmin??
27
The “Shape” of Partitions
For monotonic f, there are one or more partitions. Each has a single maximum (fixpoint) and one or more minima.
[Figure: partitions PART0 and PART1, each with its minima (min) and its fixpoint, fp0 and fp1]
28
Permission Within a Partition
For monotonic f, if you follow permission edges (forward or backwards), you stay in the same partition:
Def. s 0 t =def s t or s -1 t
Theorem. If s and t are legal, s 0* t f(s) = f(t)
Proof. (1) s t f(s) = f(t)
So, s 0* t f(s) = f(t)
(2) f(s) = f(t) s * f(s) and f(t) -1 * t s 0* t
Part (2) of proof should be expanded??
[Figure: cases (1a) and (1b), showing s, t, f(s), f(t) and f2(s)]
29
Necessary & Sufficient Condition for Phantoms
Theorem. For monotonic f, there are phantoms iff there is more than one local minimum.
Proof. (1) If there is a local minimum s, besides , then s is a phantom.
(2) Suppose there is no local minimum except . Then for any legal state s , there exists t such that t s and such that t s. So, * s and so s is not a phantom.
Corollary. If there is more than one fixpoint, there are phantoms. If there is more than one partition, there are phantoms.
Is proof clear??
30
Do f and R exist that minimally cause phantoms?
Lemma. There exists monotonic function f such that f has exactly one fp and has a phantom.
Lemma. There exists monotonic function f defined by SoP ruleset R and tree T such that f has exactly one fp and has a phantom.
Proof. These two lemmas will be proven by giving an example that satisfies them…
Moral. Even if you know that a ruleset has only one fp, you still don’t know whether it has a phantom.
31
Proving Two Lemmas by Giving an Example
Proof. Proof is by giving tree T and ruleset R that define f which has 1 fp and 1 phantom. Let T be a trivial tree, consisting of a single node x. Let R be this ruleset:
v1 ID v2, v2 v1 v2
Tree T can have only these 2 triples (both are ID triples):
V1 = (x v1 x), V2 = (x v2 x)
Tree T with ruleset R has only these 4 states:
= {}, s1 = {V1}, s2 = {V2}, s1,2 = {V1, V2}
State s2 is a phantom.
The only fp is s1,2 .
[Figure: states s1, s2 (which is phantom) and s1,2 (which is fp), connected by arrows labelled f]
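The abstract definitions above (prefixpoint legality, "t permits s", constructive, phantom, fixpoint) can be checked by brute force over a small element set. The following is an added example, not part of the original slides. All function names are hypothetical, and `f_example` encodes an assumed reading of the single-node ruleset (V1 always allowed through the ID alternative, V2 allowed once V1 or V2 is present), chosen because the rule's operators did not survive in this text and this reading matches the stated outcome.

```python
from itertools import combinations

def powerset(elements):
    """All subsets of the finite element set E, as frozensets (state space Q)."""
    items = sorted(elements)
    return [frozenset(c) for r in range(len(items) + 1)
            for c in combinations(items, r)]

def is_legal(f, s):
    """Prefixpoint legality: every element of s is a member of f(s)."""
    return s <= f(s)

def permits(f, t, s):
    """t permits s: s is at least as large as t and adds only elements in f(t)."""
    return t <= s <= f(t)

def constructive_states(f, elements):
    """States reachable from the empty state by repeated permission steps."""
    states = powerset(elements)
    reached, frontier = {frozenset()}, [frozenset()]
    while frontier:
        t = frontier.pop()
        for s in states:
            if s not in reached and permits(f, t, s):
                reached.add(s)
                frontier.append(s)
    return reached

def analyse(f, elements):
    """Return (phantoms, fixpoints, monotonic) for permission function f."""
    states = powerset(elements)
    built = constructive_states(f, elements)
    phantoms = [s for s in states if is_legal(f, s) and s not in built]
    fixpoints = [s for s in states if f(s) == s]
    monotonic = all(f(s) <= f(t) for s in states for t in states if s <= t)
    return phantoms, fixpoints, monotonic

# Assumed reading of the single-node example (constructed for illustration):
# V1 is always allowed; V2 is allowed once V1 or V2 is already in the state.
E = {"V1", "V2"}

def f_example(s):
    return frozenset({"V1"} | ({"V2"} if s & E else set()))

if __name__ == "__main__":
    phantoms, fixpoints, monotonic = analyse(f_example, E)
    print("phantoms:", [sorted(s) for s in phantoms])
    print("fixpoints:", [sorted(s) for s in fixpoints])
    print("monotonic:", monotonic)
```

The search is exponential in the size of E, so it suits only small trees and rulesets like the four-state example.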