THE PROBLEMS OF BELIEF REVISION

An Example

Suppose that you have a database that contains, among other things, the following pieces of information (in some form of code):

α: All European swans are white.

β: The bird caught in the trap is a swan.

γ: The bird caught in the trap comes from Sweden.

δ: Sweden is part of Europe.

If your database is coupled with a program that can compute logical inferences in the given code, the following fact is derivable from α – δ:

ε: The bird caught in the trap is white.

Now suppose that, as a matter of fact, the bird caught in the trap turns out to be black. This means that you want to add the fact –ε, i.e., the negation of ε, to the database. But then the database becomes inconsistent. If you want to keep the database consistent, which is normally a sound methodology, you need to revise it. This means that some of the beliefs in the original database must be retracted. You don't want to give up all of the beliefs since this would be an unnecessary loss of valuable information. So you have to choose between retracting α, β, γ or δ.

The problem of belief revision is that logical considerations alone do not tell you which beliefs to give up, but this has to be decided by some other means.

This book is about programs as mathematical objects. We focus on one of the aspects of programs, namely their functionality, their meaning or semantics. Following Dijkstra we express the semantics of a program by the weakest precondition of the program as a function of the postcondition. Of course, programs have other aspects, like syntactic structure, executability and (if they are executable) efficiency. In fact, perhaps surprisingly, for programming methodology it is useful to allow a large class of programs, many of which are not executable but serve as partially implemented specifications.

Weakest preconditions are used to define the meanings of programs in a clean and uniform way, without the need to introduce operational arguments. This formalism allows an effortless incorporation of unbounded nondeterminacy. Now programming methodology poses two questions. The first question is, given a specification, to design a general program that is proved to meet the specification but need not be executable or efficient, and the second question is to transform such a program into a more suitable one that also meets the specification.

We do not address the methodological question how to design, but we concentrate on the mathematical questions concerning semantic properties of programs, semantic equality of programs and the refinement relation between programs. We provide a single formal theory that supports a number of different extensions of the basic theory of computation. The correctness of a program with respect to a specification is for us only one of its semantic properties.

INTRODUCTION

Studies of the dynamics of (rational) belief have reached a new degree of sophistication through the formal models developed in particular by Levi (1980) and by Alchourrón, Gärdenfors, and Makinson (the AGM model, Alchourrón et al. 1985 and Gärdenfors 1988). In these models, an individual's beliefs are represented by a set that is closed under logical consequence. The AGM model and its underlying assumptions have had a profound influence on the study of belief base updating in computer science. Although states of belief are, for obvious reasons, represented in computer applications by finite sets of sentences, it is common to demand that “results from an update must be independent of the syntax of the original K[nowledge] B[ase]” (Katsuno and Mendelzon 1989). In other words, operations on finite sets are treated more or less as shadows of operations on the (infinite) logical closures of these sets.

In this paper, a different representation of beliefs will be introduced. A formalized belief state will consist of an ordered pair <K,Cn>. K, or the belief base, is a set of expressions that is not necessarily closed under logical consequence. It represents the basic facts on which an individual grounds her beliefs. Cn is a consequence operator, such that Cn(K) represents her beliefs (namely both the elements of K and the conclusions she draws from them).

INTRODUCTION

In the last five years, there has been much concern in Artificial Intelligence about the problem of belief revision. A rather exciting feature of the on-going debate is that it has led to an interaction between fields which usually ignore each other, such as logic, probability theory, fuzzy set and possibility theory, and their epistemological underpinnings. In his book, Gärdenfors (1988) emphasizes in a convincing way that notions of epistemic state can be defined in the framework of logic as well as in the one of probability theory and that similar postulates can be put forward in the two settings, for the purpose of devising rational updating operations that take place upon the arrival of new pieces of information. On the other hand Spohn (1988), in trying to refine the logical notion of epistemic state, viewed as a consistent and deductively closed set of propositions, comes close to Shackle's (1961) notions of degrees of potential surprise, as well as Zadeh's (1978) possibility theory. However he proposes revision rules that are in some way in accordance with probability theory where probabilities only take infinitesimal values (Spohn, 1990). Besides, one of the main outcomes of Gärdenfors' logical theory of belief change is that any revision process underlies an ordering of propositions that form the epistemic state; the rationality postulates force this ordering to satisfy specific properties, and the only numerical set-functions that can account for these properties are the so-called necessity measures that play a basic role in possibility theory (Dubois and Prade, 1988).

This chapter is devoted to the formal definition of the semantics of sequential composition, unbounded choice and recursion and to the proofs of the properties of commands that were introduced and used in the previous chapters. The semantics of the simple commands is taken for granted, but otherwise the reader should not rely on old knowledge but only use facts that have already been justified in the new setting. At the end of the chapter, the foundations of the previous chapters will be complete.

Some examples of the theory are given in the exercises at the end of the chapter. The text of the chapter has almost no examples. One reason is that the chapters 1, 2 and 3 may be regarded as examples of the theory. On the other hand, every nontrivial example tends to constitute additional theory.

In Section 4.1, we introduce complete lattices and investigate the lattice of the predicate transformers and some important subsets. Section 4.2 contains our version of the theorem of Knaster–Tarski. A syntactic formalism for commands with unbounded choice is introduced in Section 4.3.

Section 4.4 contains the main definition. From the definition on simple commands, the functions wp and wlp are extended to procedure names and command expressions. In Sections 4.5 and 4.6, the healthiness laws, which are postulated for simple commands, are extended to procedure names and command expressions.

Knowledge update has been a matter of concern to two quite separate traditions: one in philosophical logic, and another in artificial intelligence. In this paper we draw on both traditions to develop a theory of update, based on conditional logic, for a kind of knowledge base that has proven to be of interest in artificial intelligence. After motivating and formulating the logic on which our theory is based, we will prove some basic results and show how our logic can be used to describe update in an environment in which knowledge bases can be treated as truth-value assignments in four-valued logic. In keeping with Nuel Belnap's terminology in Belnap (1977a) and Belnap (1977b), we will refer to such truth-value assignments as set-ups or as four-valued set-ups.

Paraconsistency, primeness, and atomistic update

For the moment we will not say exactly what a four-valued set-up is. Instead we will describe informally some conditions under which it would be natural to structure one's knowledge base as a four-valued set-up. One of these conditions has to do with the treatment of inconsistent input; a second has to do with the representation of disjunctive information; the third concerns what kinds of statements can be the content of an update.

Inconsistent input

A logical calculus is paraconsistent if it cannot be used to derive arbitrary conclusions from inconsistent premises. Belnap argues in general terms that paraconsistent reasoning is appropriate any context where an automated reasoner must operate without any guarantee that its input is consistent, and where nondegenerate performance is desirable even if inconsistency is present. Knowledge bases used in AI applications are cases of this sort.

INTRODUCTION

This chapter describes a model of autonomous belief revision (ABR) which discriminates between possible alternative belief sets in the context of change. The model determines preferred revisions on the basis of the relative persistence of competing cognitive states. It has been implemented as ICM (increased coherence model); a belief revision mechanism encompassing a three-tiered ordering structure which represents a blend between coherence and foundational theories of belief revision.

The motivation for developing the model of ABR is as a component of a model of communication between agents. The concern is choice about changing belief. In communication, agents should be designed to choose whether as well as how to revise their beliefs. This is an important aspect of design for multi-agent contexts as open environments (Hewitt, 1986), in which no one element can be in possession of complete information of all parts of the system at all times. Communicated information cannot therefore be assumed to be reliable and fully informed. The model of ABR and system ICM, represent the first phase in the development of a computational model of cooperative, yet autonomously determined communication. The theory of ABR and communication is explicated in section 2.

Section 3 follows with an outline of the problem of multiple alternative revisions, and a discussion of preference and strength of belief issues from an AI perspective. This section includes the relevant comparative and theoretical background for understanding the model of ABR described in section 4.

In this chapter we fulfil the remaining proof obligations of Chapter 12. Section 13.1 contains a strengthened version of Theorem 4(8), our version of the theorem of Knaster-Tarski. In Section 13.2, we provide the basic set-up, in which we need not yet distinguish between wp and wlp. Section 13.3 contains the construction of the strong preorder and the proofs of rule 12(4) and a variation of rule 12(5). In this way, the proof of the accumulation rule 12(5) is reduced to the verification of two technical conditions: sup-safety (for wp) and inf-safety (for wlp). These conditions comprise the base case of the induction and a continuity property.

In Section 13.4, the base case is reduced to a condition on function abort⊙. Section 13.5 contains the proof for inf-safety. Section 13.6 contains the definition of the set Lia and the proof for sup-safety. In Sections 13.7 and 13.8 we justify the rules for Lia stated in Section 11.2.

It may seem unsatisfactory that, in the presence of unbounded nondeterminacy, computational induction needs such a complicated theory. The examples in Sections 11.7 and 12.4, however, show that the accumulation rules 11(6) and 12(5) need their complicated conditions. Therefore, corresponding complications must occur in the construction or in the proofs.

INTRODUCTION

Consider a knowledge base represented by a theory ψ of some logic, say propositional logic. We want to incorporate into ψ a new fact, represented by a sentence μ of the same language. What should the resulting theory be? A growing body of work (Dalal 1988, Katsuno and Mendelzon 1989, Nebel 1989, Rao and Foo 1989) takes as a departure point the rationality postulates proposed by Alchourrón, Gärdenfors and Makinson (1985). These are rules that every adequate revision operator should be expected to satisfy. For example: the new fact μ must be a consequence of the revised knowledge base.

In this paper, we argue that no such set of postulates will be adequate for every application. In particular, we make a fundamental distinction between two kinds of modifications to a knowledge base. The first one, update, consists of bringing the knowledge base up to date when the world described by it changes. For example, most database updates are of this variety, e.g. “increase Joe's salary by 5%”. Another example is the incorporation into the knowledge base of changes caused in the world by the actions of a robot (Ginsberg and Smith 1987, Winslett 1988, Winslett 1990). We show that the AGM postulates must be drastically modified to describe update.

The second type of modification, revision, is used when we are obtaining new information about a static world.

The purpose of this book is to develop the semantics of imperative sequential programs. One prerequisite for reading is some familiarity with the use of predicates in programming, as exposed for instance in the books [Backhouse 1986], [Dijkstra 1976], or [Gries 1981]. Some mathematical maturity is another prerequisite: we freely use sets, functions, relations, orders, etc. We strive for providing complete proofs. This requires many backward references but, of course, the reader may sometimes prefer to ignore them. Actually, at every assertion the reader is invited to join the game and provide a proof himself.

In every chapter, the formulae are numbered consecutively. For reference to formulae of other chapters we use the convention that i(j) denotes formula (j) of Chapter i.

At the end of almost every chapter we give a number of exercises, grouped according to the latest relevant section. When referring to exercise i.j.k, we mean exercise k of Section i.j. Some exercises are simple tests of the reader's apprehension, while other exercises contain applications and extensions of the main text. For (parts of) exercises marked with ♡ we provide solutions in Chapter 16.

References to the literature are given in the form [X n], for author X and year n, possibly followed by a letter.

Semantics of imperative sequential programs

The word ‘semantics’ means ‘meaning’. In the title of this book, it announces two central themes. The meaning of a program is given by its specification.

INTRODUCTION

There are many ways to change a theory. The tasks of adding a sentence to a theory and of retracting a sentence from a theory are non-trivial because they are usually constrained by at least three requirements. The result of a revision or contraction of a theory should again be a theory, i.e., closed under logical consequence, it should be consistent whenever possible, and it should not change the original theory beyond necessity. In the course of the Alchourrón-Gärdenfors-Makinson research programme, at least three different methods for constructing contractions of theories have been proposed. Among these the “safe contraction functions” of Alchourrón and Makinson (1985, 1986) have played as it were the role of an outsider. Gärdenfors and Makinson (1988, p. 88) for instance state that ‘another, quite different, way of doing this [contracting and revising theories] was described by Alchourrón and Makinson (1985).’ (Italics mine.) The aim of the present paper is to show that this is a miscasting.

In any case, it seems that the intuitions behind safe contractions are fundamentally different from those behind its rivals, the partial meet contractions of Alchourrón, Gärdenfors and Makinson (1985) and the epistemic entrenchment contractions of Gärdenfors and Makinson (1988). Whereas the latter notions are tailored especially to handling theories (as opposed to sets of sentences which are not closed under a given consequence operation), safe contraction by its very idea focusses on minimal sets of premises sufficient to derive a certain sentence.

In this chapter, we start again from scratch. Now the meaning of a command is not defined by means of the functions wp and wlp, but by means of the input–output relation of a command. This point of view is closer to the intuitive ideas of most programmers, but —in our view— it is less adequate for program development.

The relational point of view is useful for the analysis of special properties of commands such as totality, termination and determinacy. It provides easy definitions or characterizations of composition, nondeterminate choice, guards and assertions. All these concepts can therefore be treated in this chapter.

When the relational point of view is used in the analysis of repetitions or recursive procedures, one needs to consider finite and infinite sequences of states, usually accompanied by many case distinctions. Such operational reasoning can be useful or necessary, but it is preferable to avoid it whenever possible. We introduce some of the necessary techniques in Chapter 9. It is used only in Chapters 14 and 15.

Although we use the definitions of Section 1.1 and some other concepts introduced in Chapters 1 and 3, this chapter is largely independent of the previous chapters. In fact, it can be read to support them.

In Section 6.1, we introduce (input–output) relations and their weakest preconditions, and we show that relations when interpreted as commands satisfy the healthiness laws introduced in Section 3.2. In Section 6.2, we give the relational interpretation of guards, sequential composition and nondeterminate choice.

In this chapter we present a number of more or less isolated extensions of the fundamental concepts. They broaden the view but have no high priority. We do not need the theory of Chapter 4.

In Section 5.1 we give our version of refinement of commands. Refinement is a very important concept in programming methodology. In this book it plays a less prominent rôle. It occurs in some exercises and it comes again to the fore in Chapter 12. Section 5.2 contains an example where a refinement between procedures is proved by means of the induction rules of Section 2.7.

In Section 5.3 we introduce the calculational method of insertion of guards. This method can be regarded as an alternative to annotation. It is especially useful for proofs of semantic equality. In Section 5.4 this method is used to handle a complicated example that is needed in Chapter 12.

Section 5.5 contains a discussion of strongest postconditions.

In Section 5.6 we prepare the ground for an extension of the termination argument used in Theorem 2(16). The harvest is reaped in Section 5.7, where we present a generalization of Theorem 2(16) and a Necessity Rule for wlp.

Refinement and relative refinement

The function of a compiler is to transform programs written in some high-level programming language, say Pascal, into machine instructions.