phant-040925-07

Part 7.
Phantoms: Legal States That Cannot Be Constructed

Are There Legal States That Can’t Be Built?
State s is a phantom state (or phantom architecture) if
  It is legal (it satisfies the SoP rules) BUT
  It cannot be constructed, starting with just a bare containment tree, and repeatedly using rules (productions) to add dependency edges
A ruleset that allows phantoms is called phantomic
Do phantoms exist?

Example: Step-Wise Construction of a State
Example ruleset:
T  S  PoT  PoToC  ToC
Ruleset has 4 productions:
1) T D (S)
2) T D (P T)
3) T D (P T C)
4) T D (T C)
Start with tree, successively add edges allowed by productions:
Step 1: (1) T D (S)
Step 2: (4) T D (T C)
Step 3: (2) T D (P T)
This example ruleset allows no phantoms. Note: Phantoms cannot be constructed in a step-wise manner.

Example Phantom #1: The “Cyclic Export” Ruleset & An “Identic” Phantom
Consider this rule: E  C  E o E
Rule means:
An E edge can follow a child C edge, or
An E edge can follow two E edges
[Figure: two example states on a tree with nodes root, x, y, z and edge labels C and E, one marked “Phantom” and one marked “OK”]
yEy = yEoEy
Thus, the state is legal. State has only loop (ID) edges. It is an “identic” state.
Phantom doesn’t use the “C” right-hand side

Example Phantom #2: Non-Identic Phantom
Consider this rule:
R  RoP  RoC
Rule means:
An R edge can follow an R then a P edge, or
An R edge can follow an R then a C edge
[Figure: example state on nodes w, x, y with C, P and R edges]
wRx = wRoPx
wRy = wRoCy
So, this is legal
The R edges are not ID self loops (not identities)
Maybe show multi-recursive phantom??

Some Simple Permission Rules
Three simple rulesets:
1. R  All, where All means every edge.
   Every state is legal and constructive.
2. R  R
   Every state is legal and they are all phantoms except φ (the empty state).
3. R  All  R
   All states are constructive. However, if we delete production (R D All) while keeping (R D R), there are phantoms.

A Multi-Recursive Ruleset with Phantoms
Ruleset:
RRoPoR
[Figure: state on nodes x and y with R and P edges]
This state is a phantom. Follow R then P then R to compute R. So R is legal. But R cannot be constructed from the empty state.
Multi-recursive because R depends on itself more than once.

Why Are Most “Serious” Example SoP Rules Constructive?
Is there a hidden assumption that causes them to be constructive?
Is there an algorithm to check SoP rules for constructivity? No, it is an open question whether such an algorithm exists. But with appropriate restrictions, such an algorithm exists.

Part 8.
Abstract Permission Systems (APT)

Abstracting Away From the Graph Basis of SoP
Some properties of SoP rulesets have little to do with the underlying structure of the state graph. To confirm this, we will now take an abstract approach, which ignores the graph structure.
Any SoP ruleset, with a corresponding tree, can be projected to this abstract form.
Essence of this abstraction is:
  Legality simply means prefixpoint of given function f
  So, legality properties become properties of pfp’s
  States are not necessarily graphs

Fixed Points: Terminology
When x = f(x)
  We say x is a fixpoint (fp) or a fixed point of function f
When x ⊆ f(x)
  We say x is a prefixpoint (pfp) or a pre fixed point of function f
Some authors alternately use the term postfixpoint (post fixed point) instead of prefixpoint

Basis for Abstract Permission Theory
Fundamental concepts
  E                      Finite set of elements (abstraction of set of triples)
  f : 2^E → 2^E          Permission function (maps states to states)
Derived concepts
  Lf(s) =def s ⊆ f(s)    Legality of state s as prefixpoint
  Q =def 2^E             State space (abstraction of subset of triples)
  States s, t, … ∈ Q     Abstraction of graphs (states)
  st                     Operator on states
  φ =def { }             Empty state, contains no triples
Monotonicity not yet assumed

Aside: Alternate Terminology
We could use the term “well-formed” instead of “legal”, so instead of
  Lf(s) or L(s)
we would write
  WFf(s) or WF(s).

How to Map SoP Ruleset R with Tree T to Abstract Form
Def. Element set E consists of every triple that can be formed with variables v from the ruleset R and with nodes N in tree T.
Def. Permission function f is defined in terms of state s and ruleset R as follows:
  f(s) =def (Based on state s, compute the set of triples specified by sums, i.e., those allowed by right hand sides of ruleset R)

Piecewise Legality
Def. Element e is legal in state s when it is a member of f(s):
  Lf(e) =def e ∈ f(s)
Lemma. State s is legal iff all its elements are legal:
  Lf(s) = ∀ e ∈ s : Lf(e)
Proof. We re-write RHS into LHS:
  ∀ e ∈ s : Lf(e) = ∀ e ∈ s : e ∈ f(s)
                  = s ⊆ f(s)
                  = Lf(s)
QED
Hence, piecewise legality holds abstractly, independent of graph structure and independent of monotonicity.

Three Definitions of Legality
MicroSoft PPT Bug Messes Up Format of this Slide??
Def. State t permits state s when s is at least as large as t and s contains only elements permitted by t:
  t  s =def t ⊆ s ⊆ f(t)
3 Legality Definitions
  1. Lf (s) = s ⊆ f (s)     (Prefixpoint)
  2. L (s) =  t  t  s     (t permits s)
  3. L*(s) = φ * s         (Constructive)
We will explore the relationship among these 3 kinds of legality. For most “serious” example SoP rules:
  Lf(s) = L(s) = L*(s)
If f is monotonic, t  s means you can legally add edges to t to make s

Phantom Architectures
A state (an architecture) is a phantom if it is legal, but cannot be constructed.
  Constructive (s) =def φ * s
  Phantom (s) =def Lf(s) & not constructive(s)
where φ is the empty state.
A ruleset is constructive if all its legal states are constructive (are not phantoms).

When f Is Not Monotonic …
Example. s = φ  t, f(s) = t, f(t) = s, so f(t)  f(s)
Function f not monotonic because not true that
  s ⊆ t ⇒ f(s) ⊆ f(t)
[Figure: diagram of the example, labeled f(s) = t and f(t) = s = φ]
Observe that
  Lf(t) = false, L(t) = true, L*(t) = true
Lemma. Not true that for all f, Lf(t) = L(t)
Proof. In example, Lf(t) is false, but L(t) is true
Lemma. Not true that for all f, Lf(t) = L*(t)
Proof. In example, Lf(t) is false, but L*(t) is true. In fact, in this case L*(t)  Lf(t) is false.
These results are counter intuitive if you are used to dealing with monotonic systems.

When f is Monotonic …
Lemma A. If f is monotonic and there exists t such that t  s, then s is legal.
Proof. The definition of t  s is:
  t ⊆ s ⊆ f(t)
Since f is monotonic, it follows that
  f(t) ⊆ f(s)
Hence,
  t ⊆ s ⊆ f(t) ⊆ f(s)
Hence,
  s ⊆ f(s)
So by definition of legality, s is legal. QED
[Figure: the chain t, s, f(t), f(s)]
Lemma B. If f is monotonic and s is constructive, then s is legal.
Proof. If s is constructive, i.e., if
  φ * s
(φ being the empty state), then there exist states s1, s2, … sn such that
  φ  s1  s2 …  sn  s
When s = φ, s is legal. Otherwise sn  s, in which case, by the previous lemma, s is legal. QED
Since SoP is monotonic, these results apply.

When f is Monotonic …
Theorem. If f is monotonic
  Lf(s) = L(s)
ie
  (1) s ⊆ f(s) ⇒ ∃ t : t ⊆ s ⊆ f(t)
  and (2) ∃ t : t ⊆ s ⊆ f(t) ⇒ s ⊆ f(s)
Proof.
  (1) Obvious: Let t be s.
  (2) Proven in previous lemma. (Follows from monotonicity, and from transitivity of ⊆)
[Figure: the chain t, s, f(t), f(s)]

SoP Rules are Monotonic, So…
Corollary. In SoP systems
  Lf(s) = L(s)
Proof. True because SoP systems are monotonic
Non-SoP permission rules are not necessarily monotonic

Does Ruleset R Avoid Phantoms?
For a particular f or ruleset R, for all s, does
  Lf(s) = L*(s)?
Is this always true for SoP rulesets?
Phantom architecture problem: Give algorithm to decide if ruleset allows phantoms (regardless of size of ruleset or size of tree)
A “solution” to the phantom architecture problem is given below

Assume f is Monotonic
In the rest of this section on Abstract Permission Theory, we shall assume that f is monotonic.
Recall f as defined by any SoP ruleset is monotonic.

Tarski-Knaster Theorem
Since f is monotonic, based on ⊆ as an ordering operator, the Tarski-Knaster Theorem applies:
Theorem. f(φ) is a fixpoint. It is a least fixpoint.
So, if f is repeatedly applied to the empty state φ, eventually we find a fixpoint state s = f(φ), such that
  f(s) = s
Because s is a least fixpoint, there is no t, t  s, such that f(t) = t

Partitioning by Fixpoints
Observation. Given monotonic f, the prefixpoints (legal states) are partitioned by f(s), i.e.,
  PARTi =def { s | f(s) = fpi }
where fpi is the i-th fixpoint.
So, s and t are in the same partition when
  f(s) = f(t)
[Figure: partitions PART0, PART1, …etc…, with fixpoints fp0 and fp1 and states s and t]
Note: Every prefixpoint s necessarily converges to a fixpoint f(s)
MicroSoft Problem: Turn “E” (exists) backwards??
Local Minimum and Maximum
Def.
locmax(s) =def E r  s  r  x
and not E t  s  s  t
locmin(s) =def E t  s  s  t
and not E r  s  r  s
Note that these 3 are equivalent:
E r  s  r  x = E t  s  s  t = pfp(s)
Lemma.
a) locmax(s)  fp(s)
b) Each partition contains one local max (its fp).
c) Each partition contains one or more local min’s.
[Figure: states r, s, t illustrating a local max and a local min]
Proofs are not hard, but not obvious?? Rename as pfpmax and pfpmin??

The “Shape” of Partitions
For monotonic f, there are one or more partitions. Each has a single maximum (fixpoint) and one or more minima.
[Figure: partitions PART0 and PART1 with fixpoints fp0 and fp1, four states marked min, and the empty state φ]

Permission Within a Partition
For monotonic f, if you follow permission edges (forward or backwards), you stay in the same partition:
Def. s 0 t =def s  t or s -1 t
Theorem. If s and t are legal,
s 0* t  f(s) = f(t)
Proof. (1) s  t  f(s) = f(t)
So, s 0* t  f(s) = f(t)
(2) f(s) = f(t)  s * f(s) and
f(t) -1 * t
 s 0* t
(1a) f(s)  f(t)
(1b) f(t)  f(s)
[Figure: diagrams for (1a) and (1b) relating s, t, f(s) and f(t)]
Part (2) of proof should be expanded??
[Figure: diagram relating s, f(s), f2(s), t and f(t)]

Necessary & Sufficient Condition for Phantoms
Theorem. For monotonic f, there are phantoms iff there is more than one local minimum.
Proof.
  (1) If there is a local minimum s, besides φ (the empty state), then s is a phantom.
  (2) Suppose there is no local minimum except φ. Then for any legal state s  φ, there exists t such that t  s and such that t  s. So, φ * s and so s not a phantom.
Corollary. If there is more than one fixpoint, there are phantoms. If there is more than one partition, there are phantoms.
Is proof clear??

Do f and R exist that minimally cause phantoms?
Lemma. There exists monotonic function f such that f has exactly one fp and has a phantom.
Lemma. There exists monotonic function f defined by SoP ruleset R and tree T such that f has exactly one fp and has a phantom.
Proof. These two lemmas will be proven by giving an example that satisfies them…
Moral. Even if you know that a ruleset has only one fp, you still don’t know whether it has a phantom.

Proving Two Lemmas by Giving an Example
Proof. Proof is by giving tree T and ruleset R that define f which has 1 fp and 1 phantom. Let T be a trivial tree, consisting of a single node x. Let R be this ruleset:
  v1  ID  v2, v2  v1  v2
Tree T can have only these 2 triples (both are ID triples):
  V1 = (x v1 x), V2 = (x v2 x)
Tree T with ruleset R has only these 4 states:
  φ = {}, s1 = {V1}, s2 = {V2}, s1,2 = {V1, V2}
State s2 is a phantom.
The only fp is s1,2.
[Figure: the four states φ, s1, s2 and s1,2 joined by arrows labeled f; s1,2 is marked as the fp and s2 as the phantom]
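
The abstract definitions above (prefixpoint legality, the permits relation, constructive states, phantoms) can be checked by brute force over a small element set. The following is an added example, not part of the original slides; it covers the three simple rulesets and the one-node, one-fixpoint example. The element names a and b are constructed, and the reading of the last ruleset (v1 allowed by ID or v2, v2 allowed by v1 or v2) is an assumption.

```python
from itertools import combinations

def states(E):
    """State space Q = 2^E: every subset of the element set E."""
    items = sorted(E)
    return [frozenset(c) for n in range(len(items) + 1)
            for c in combinations(items, n)]

def legal(f, s):
    """Prefixpoint legality: s is contained in f(s)."""
    return s <= f(s)

def permits(f, t, s):
    """t permits s: s extends t using only elements that f(t) allows."""
    return t <= s <= f(t)

def constructive(f, E):
    """States reachable from the empty state by repeated 'permits' steps."""
    reached, frontier = {frozenset()}, [frozenset()]
    while frontier:
        t = frontier.pop()
        for s in states(E):
            if s not in reached and permits(f, t, s):
                reached.add(s)
                frontier.append(s)
    return reached

def phantoms(f, E):
    """Legal states that cannot be built step by step from the empty state."""
    built = constructive(f, E)
    return {s for s in states(E) if legal(f, s) and s not in built}

def fixpoints(f, E):
    return {s for s in states(E) if f(s) == s}

# The three simple rulesets, over a constructed two-element set E.
E = frozenset({"a", "b"})
def rule_all(s): return E              # R allowed by All
def rule_self(s): return s             # R allowed only by R
def rule_all_or_self(s): return E | s  # R allowed by All or R

# One-node example with V1 = (x v1 x), V2 = (x v2 x).
# ASSUMED reading: v1 is allowed by ID or v2; v2 is allowed by v1 or v2.
V = frozenset({"V1", "V2"})
def rule_one_fp(s):
    allowed = {"V1"}                   # the ID loop at x always allows V1
    if s:                              # an existing V1 or V2 allows V2
        allowed.add("V2")
    return frozenset(allowed)
print("phantoms:", [sorted(s) for s in phantoms(rule_one_fp, V)])
```

Under that reading the search reports {V2} as the only phantom and {V1, V2} as the only fixpoint, which agrees with the slide's statement that s2 is a phantom and s1,2 is the only fp.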