© 2003, Yishai Feldman Proving Sufficient Completeness Example: Set ADT
© 2003, Yishai Feldman The Set ADT: Types and Functions TYPES SET[G] FUNCTIONS u emptyset : SET[G] u has : SET[G] G BOOLEAN u count : SET[G] INTEGER u empty : SET[G] BOOLEAN u extend : SET[G] G SET[G] u prune : SET[G] G SET[G] u intersect : SET[G] SET[G] SET[G] u merge : SET[G] SET[G] SET[G]
© 2003, Yishai Feldman The Set ADT: Axioms, Part 1 AXIOMS A1 empty (s) count (s) = 0 A2 count (emptyset) = 0 A3 not has (emptyset, x) A4 has (s, x) extend (s, x) = s A5 not has (s, x) count (extend (s, x)) = count (s) + 1 A6 has (extend (s, x), y) has (s, y) or x = y A7 not has (s, x) prune (s, x) = s A8 has (s, x) count (prune (s, x)) = count (s) – 1 A9 has (prune (s, x), y) has (s, y) and x y A10 has (merge(s, t), x) has (s, x) or has (t, x) A11 has (intersect (s, t), x) has (s, x) and has (t, x)
© 2003, Yishai Feldman Proof Summary emptysetextendpruneintersectmerge hasA3A6A9A10A11 countA2A4, A5A7, A8—— emptyA1
© 2003, Yishai Feldman Sufficient Completeness Part I: Correctness Since there are no preconditions, every well- formed expression is correct.
© 2003, Yishai Feldman Sufficient Completeness Part II: Compute Values The axioms in Part 1 are sufficiently complete for for has queries with all set expressions, and for empty and count queries with set expressions that do not contain intersect and merge. Any query expression must have the form q(e), where q is one of the query functions, and e is a set- valued expression. We will treat each query function separately, and will prove the claim by induction on the structure of the set-expression e. The induction measure is the size of the expression, that is, the number of function symbols in it.
© 2003, Yishai Feldman Induction Scheme The base case is e = emptyset. In the inductive case, e can be one of the following expressions: u extend (s, x), u prune (s, x), u merge (s, t), or u intersect (s, t). Because of the restrictions in the claim of sufficient completeness, we can ignore the last two cases except when q = has.
© 2003, Yishai Feldman Case 1: q = has(e, y) e = emptyset. In this case, the expression is has (emptyset, y). By A3 we know that not has (emptyset, y) is true, so that has (emptyset, y) is false. e = extend (s, x). By A6 we can reduce the expression has (e, y) to has (s, y) or x = y, which is computable by induction since s is a smaller expression than e. e = prune (s, x). This is similar to the previous case, using A9. e = merge (s, t). Use A10 to reduce the given expression to has (s, y) or has (t, y). Both s and t are smaller than e, and therefore both queries are computable by induction. e = intersect (s, t). This is similar to the previous case, using A11.
© 2003, Yishai Feldman Case 2: q = count(e) e = emptyset. By A2 we know that count (emptyset) = 0. e = extend (s, x). By the previous case, we can compute the value of has (s, x). If it is true, we can use A4 to show that e = extend (s, x) = s, and therefore the expression count (e) reduces to count (s), which is computable by induction. If has (s, x) is false, we can use A5 to reduce the expression count (e) to count (s) + 1, which is again computable by induction. e = prune (s, x). Again, we know the value of has (s, x). If it is true, we can use A8 to reduce the expression count (e) to count (s) – 1, which is computable by induction. If it is false, we can use A7 to show that e = prune (s, x) = s, and therefore the expression count (e) reduces to count (s), which is again computable by induction.
© 2003, Yishai Feldman Case 3: q = empty(e) By the previous case, we can always compute the value of count (e). We can then use A1 to compute the value of empty (e).
© 2003, Yishai Feldman The Set ADT: Axioms, Part 2 A12 merge (extend (s, x), t) = extend (merge (s, t), x) A13 has (t, x) merge (prune (s, x), t) = merge (s, t) A14 not has (t, x) merge (prune (s, x), t) = prune (merge (s, t), x) A15 not has (t, x) intersect (extend (s, x), t) = intersect (s, t) A16 has (t, x) intersect (extend (s, x), t) = extend (intersect (s, t), x) A17 intersect (prune (s, x), t) = prune (intersect (s, t), x) A18 merge (emptyset, s) = s A19 intersect (emptyset, s) = emptyset
© 2003, Yishai Feldman Sufficient Completeness, Part 2 We can now complete the proof of sufficient completeness for the remaining cases: count and empty queries for set-expressions containing merge and intersect. The proof will show that it is possible to reduce any set expression containing merge and intersect to one that does not contain them, using Part 2 of the axioms. Intuitive idea: axioms A12-A17 “push down” occurrences of merge and intersect into their first arguments to the innermost parts of the expression, where axioms A18-A19 eliminate them.
© 2003, Yishai Feldman Induction Scheme The induction measure m(e) is defined for a set- expression e as follows: u The weight of a function call in e is: 0, if the function is extend, prune, or emptyset; size (s), if the function is merge (s, t) or intersect (s, t); u m(e) is the sum of the weights of all function calls in e. It is easy to see that m(e) 0.
© 2003, Yishai Feldman Base Case If m(e) = 0, the expression e does not contain merge or intersect, and the claim is trivially true.
© 2003, Yishai Feldman Inductive Case (1) Suppose m(e) > 0. Let f (s, t) be the innermost occurrence of merge or intersect in e. If s = emptyset, use axiom A18 or A19 to reduce this expression to t or emptyset. All non-zero weights of function calls in e necessarily decrease, and one has been completely eliminated. Therefore the expression e is equal to another expression of smaller weight, and the claim is true by the induction hypothesis.
© 2003, Yishai Feldman Inductive Case (2) If s is not emptyset, it can only be a call to extend or prune. One of the axioms A12-A17 can be used to reduce e to an equal expression of smaller weight. (By the previous part of the proof we can compute the values of all has expressions.) The claim now follows from the induction hypothesis.