This chapter describes a model of autonomous belief revision (ABR) which discriminates between possible alternative belief sets in the context of change. The model determines preferred revisions on the basis of the relative persistence of competing cognitive states. It has been implemented as ICM (increased coherence model), a belief revision mechanism encompassing a three-tiered ordering structure which represents a blend between coherence and foundational theories of belief revision.
The motivation for developing the model of ABR is as a component of a model of communication between agents. The concern is choice about changing belief. In communication, agents should be designed to choose whether, as well as how, to revise their beliefs. This is an important aspect of design for multi-agent contexts such as open environments (Hewitt, 1986), in which no one element can be in possession of complete information about all parts of the system at all times. Communicated information cannot therefore be assumed to be reliable and fully informed. The model of ABR and the system ICM represent the first phase in the development of a computational model of cooperative, yet autonomously determined, communication. The theory of ABR and communication is explicated in section 2.
Section 3 follows with an outline of the problem of multiple alternative revisions, and a discussion of preference and strength of belief issues from an AI perspective. This section includes the relevant comparative and theoretical background for understanding the model of ABR described in section 4.
In this chapter we fulfil the remaining proof obligations of Chapter 12. Section 13.1 contains a strengthened version of Theorem 4(8), our version of the theorem of Knaster-Tarski. In Section 13.2, we provide the basic set-up, in which we need not yet distinguish between wp and wlp. Section 13.3 contains the construction of the strong preorder and the proofs of rule 12(4) and a variation of rule 12(5). In this way, the proof of the accumulation rule 12(5) is reduced to the verification of two technical conditions: sup-safety (for wp) and inf-safety (for wlp). These conditions comprise the base case of the induction and a continuity property.
In Section 13.4, the base case is reduced to a condition on function abort⊙. Section 13.5 contains the proof for inf-safety. Section 13.6 contains the definition of the set Lia and the proof for sup-safety. In Sections 13.7 and 13.8 we justify the rules for Lia stated in Section 11.2.
It may seem unsatisfactory that, in the presence of unbounded nondeterminacy, computational induction needs such a complicated theory. The examples in Sections 11.7 and 12.4, however, show that the accumulation rules 11(6) and 12(5) need their complicated conditions. Therefore, corresponding complications must occur in the construction or in the proofs.
Consider a knowledge base represented by a theory ψ of some logic, say propositional logic. We want to incorporate into ψ a new fact, represented by a sentence μ of the same language. What should the resulting theory be? A growing body of work (Dalal 1988, Katsuno and Mendelzon 1989, Nebel 1989, Rao and Foo 1989) takes as a departure point the rationality postulates proposed by Alchourrón, Gärdenfors and Makinson (1985). These are rules that every adequate revision operator should be expected to satisfy. For example: the new fact μ must be a consequence of the revised knowledge base.
In this paper, we argue that no such set of postulates will be adequate for every application. In particular, we make a fundamental distinction between two kinds of modifications to a knowledge base. The first one, update, consists of bringing the knowledge base up to date when the world described by it changes. For example, most database updates are of this variety, e.g. “increase Joe's salary by 5%”. Another example is the incorporation into the knowledge base of changes caused in the world by the actions of a robot (Ginsberg and Smith 1987, Winslett 1988, Winslett 1990). We show that the AGM postulates must be drastically modified to describe update.
The second type of modification, revision, is used when we are obtaining new information about a static world.
The purpose of this book is to develop the semantics of imperative sequential programs. One prerequisite for reading is some familiarity with the use of predicates in programming, as exposed for instance in the books [Backhouse 1986], [Dijkstra 1976], or [Gries 1981]. Some mathematical maturity is another prerequisite: we freely use sets, functions, relations, orders, etc. We strive for providing complete proofs. This requires many backward references but, of course, the reader may sometimes prefer to ignore them. Actually, at every assertion the reader is invited to join the game and provide a proof himself.
In every chapter, the formulae are numbered consecutively. For reference to formulae of other chapters we use the convention that i(j) denotes formula (j) of Chapter i.
At the end of almost every chapter we give a number of exercises, grouped according to the latest relevant section. When referring to exercise i.j.k, we mean exercise k of Section i.j. Some exercises are simple tests of the reader's apprehension, while other exercises contain applications and extensions of the main text. For (parts of) exercises marked with ♡ we provide solutions in Chapter 16.
References to the literature are given in the form [X n], for author X and year n, possibly followed by a letter.
Semantics of imperative sequential programs
The word ‘semantics’ means ‘meaning’. In the title of this book, it announces two central themes. The meaning of a program is given by its specification.
There are many ways to change a theory. The tasks of adding a sentence to a theory and of retracting a sentence from a theory are non-trivial because they are usually constrained by at least three requirements. The result of a revision or contraction of a theory should again be a theory, i.e., closed under logical consequence, it should be consistent whenever possible, and it should not change the original theory beyond necessity. In the course of the Alchourrón-Gärdenfors-Makinson research programme, at least three different methods for constructing contractions of theories have been proposed. Among these the “safe contraction functions” of Alchourrón and Makinson (1985, 1986) have played as it were the role of an outsider. Gärdenfors and Makinson (1988, p. 88) for instance state that ‘another, quite different, way of doing this [contracting and revising theories] was described by Alchourrón and Makinson (1985).’ (Italics mine.) The aim of the present paper is to show that this is a miscasting.
In any case, it seems that the intuitions behind safe contractions are fundamentally different from those behind its rivals, the partial meet contractions of Alchourrón, Gärdenfors and Makinson (1985) and the epistemic entrenchment contractions of Gärdenfors and Makinson (1988). Whereas the latter notions are tailored especially to handling theories (as opposed to sets of sentences which are not closed under a given consequence operation), safe contraction by its very idea focusses on minimal sets of premises sufficient to derive a certain sentence.
In this chapter, we start again from scratch. Now the meaning of a command is not defined by means of the functions wp and wlp, but by means of the input–output relation of a command. This point of view is closer to the intuitive ideas of most programmers, but —in our view— it is less adequate for program development.
The relational point of view is useful for the analysis of special properties of commands such as totality, termination and determinacy. It provides easy definitions or characterizations of composition, nondeterminate choice, guards and assertions. All these concepts can therefore be treated in this chapter.
When the relational point of view is used in the analysis of repetitions or recursive procedures, one needs to consider finite and infinite sequences of states, usually accompanied by many case distinctions. Such operational reasoning can be useful or necessary, but it is preferable to avoid it whenever possible. We introduce some of the necessary techniques in Chapter 9; they are used only in Chapters 14 and 15.
Although we use the definitions of Section 1.1 and some other concepts introduced in Chapters 1 and 3, this chapter is largely independent of the previous chapters. In fact, it can be read to support them.
In Section 6.1, we introduce (input–output) relations and their weakest preconditions, and we show that relations when interpreted as commands satisfy the healthiness laws introduced in Section 3.2. In Section 6.2, we give the relational interpretation of guards, sequential composition and nondeterminate choice.
In this chapter we present a number of more or less isolated extensions of the fundamental concepts. They broaden the view but have no high priority. We do not need the theory of Chapter 4.
In Section 5.1 we give our version of refinement of commands. Refinement is a very important concept in programming methodology. In this book it plays a less prominent rôle. It occurs in some exercises and it comes again to the fore in Chapter 12. Section 5.2 contains an example where a refinement between procedures is proved by means of the induction rules of Section 2.7.
In Section 5.3 we introduce the calculational method of insertion of guards. This method can be regarded as an alternative to annotation. It is especially useful for proofs of semantic equality. In Section 5.4 this method is used to handle a complicated example that is needed in Chapter 12.
Section 5.5 contains a discussion of strongest postconditions.
In Section 5.6 we prepare the ground for an extension of the termination argument used in Theorem 2(16). The harvest is reaped in Section 5.7, where we present a generalization of Theorem 2(16) and a Necessity Rule for wlp.
Refinement and relative refinement
The function of a compiler is to transform programs written in some high-level programming language, say Pascal, into machine instructions.
The nondeterminacy considered thus far in this monograph was loose in the sense of [Park 1979]: any choice or sequence of choices allowed by the command is acceptable behaviour of the implementation, but the fact that a choice is allowed does not mean that it can ever occur.
While reasoning about concurrent computations, and in the design of communicating processes, we have to deal with unpredictable execution, which is yet not completely loose. We may want to assume that a computation delegated to another process eventually yields an answer or that, if a stream of messages is sent, eventually an acknowledgement comes back.
Such assumptions are called fairness assumptions. Fairness is a subject in itself with a highly operational flavour. There are many different kinds of fairness, cf. [Francez 1986] and [Lehmann e.a. 1981], but it seems that most definitions cannot elegantly be expressed in terms of predicate-transformation semantics. Therefore, we restrict ourselves to predicative fairness, a kind of fairness proposed in [Morris 1990] and [Queille-Sifakis 1983].
In the literature, fairness is usually treated only for repetitions. In [Morris 1990], fairness of tail-recursive procedures without mutual recursion is treated. We give a definition applicable to arbitrary procedures. Our formalization is in agreement with the treatment of loc.cit. in the case of tail recursion. Mutual recursion and ‘calls before the tail’ seem to be adequately treated. Our formalization leads to overly optimistic specifications if a procedure body contains sequentially ordered recursive calls.
We come back to the informal description of wp and wlp given in Section 1.2. This description is used to justify two more postulates concerning wp and wlp, the so-called healthiness laws. These postulates are due to [Dijkstra 1976]. They are theorems of the standard relational semantics, but in predicate-transformation semantics they need not be imposed. In fact, recently, some investigators (cf. [Back-von Wright 1989b], [Morgan-Gardiner 1990]) have proposed specification constructs that lead to violations of the laws (so these constructs cannot be expressed in relational semantics). Command serve from the second example in 1.2 belongs to this category.
In the remainder of this book the healthiness laws are imposed since they form the natural boundary of the theory of Chapter 4. Another reason for imposing them is that they hold for all practical imperative languages and for the relational model of computation (see Chapter 6).
In this chapter, we introduce the laws with an informal justification and we treat the main formal implications.
Conjunctivity properties of predicate transformers
Since the healthiness laws prescribe certain properties of the predicate transformers wp.c and wlp.c for commands c, it is useful to introduce these properties for arbitrary predicate transformers.
Belief revision is the process of incorporating new information into a knowledge base while preserving consistency. Recently, belief revision has received a lot of attention in AI, which led to a number of different proposals for different applications (Ginsberg 1986; Ginsberg, Smith 1987; Dalal 1988; Gärdenfors, Makinson 1988; Winslett 1988; Myers, Smith 1988; Rao, Foo 1989; Nebel 1989; Winslett 1989; Katsuno, Mendelzon 1989; Katsuno, Mendelzon 1991; Doyle 1990). Most of this research has been considerably influenced by approaches in philosophical logic, in particular by Gärdenfors and his colleagues (Alchourrón, Gärdenfors, Makinson 1985; Gärdenfors 1988), who developed the logic of theory change, also called theory of epistemic change. This theory formalizes epistemic states as deductively closed theories and defines different change operations on such epistemic states.
Syntax-based approaches to belief revision, to be introduced in Section 3, have been very popular because of their conceptual simplicity. However, there has also been criticism, since the outcome of a revision operation relies on arbitrary syntactic distinctions (see, e.g., (Dalal 1988; Winslett 1988; Katsuno, Mendelzon 1989)), and for this reason such operations cannot be analyzed on the knowledge level. In (Nebel 1989) we showed that syntax-based approaches can be interpreted as assigning higher relevance to explicitly represented sentences. Based on that view, one particular kind of syntax-based revision, called base revision, was shown to fit into the theory of epistemic change. In Section 4 we generalize this result to prioritized bases.
In this chapter, we develop syntactic criteria on commands, which imply disjunctivity properties for their weakest preconditions. We suppose that the disjunctivity properties of the simple commands are known and try to generalize these properties to procedures and composite commands. From this chapter onward, the theory of Chapter 4 is indispensable.
In Section 8.1 we introduce, for a given set R of predicate transformers, a set of commands called the syntactic reflection Sy.R of R. The main property is that wp.q ∈ R for all q ∈ Sy.R. In Section 8.2 we provide methods to prove that a command belongs to the syntactic reflection.
In Section 8.3 the theory is specialized to the case that R is characterized by a disjunctivity property. Section 8.4 contains the next specialization, namely to the classes of total commands, of disjunctive commands, and of finitely nondeterminate commands. For our purposes the first two classes merely serve as examples or test cases. Our real aim is the class of the finitely nondeterminate commands. It is this class, or rather its syntactic reflection, that plays a key role in Chapters 11 and 13.
Syntactic reflection of semantic properties
Throughout this section we let R be a sup-closed subset of MT. We are interested in syntactic criteria on commands c ∈ A⊙ that imply wp.c ∈ R. Our solution consists of an algebraic definition of a subset Sy.R of A⊙ with wp.q ∈ R for all q ∈ Sy.R.
In this chapter, we reconcile the definition of the semantics of recursive procedures, cf. Chapter 4, with the relational semantics of Chapter 6. The idea is that the two semantical paradigms meet halfway. Therefore, the chapter consists of two parts.
The first part is based on predicate-transformation semantics, cf. Chapter 4. In Section 9.1, we describe the stack implementation of recursive procedures. This implementation can be regarded as an interpreter: the whole recursive declaration is interpreted by means of a tail-recursive procedure with a stack of continuations as a value parameter. The correctness of the interpreter is proved in Section 9.2.
In the second part of the chapter we treat the relational semantics of recursive procedures. This is done in two steps. In Section 9.3, we define the relational semantics of a tail-recursive declaration by means of a transitive closure in a graph of configurations. By Chapter 6, these relational semantics induce predicate transformers. We then show that the predicate transformers correspond to wp and wlp as defined for such a declaration in Chapter 4. In Section 9.4, the ideas and results of the preceding sections are combined. The stack implementation of 9.1 is combined with the relational semantics of tail recursion (cf. Section 9.3) to define the relational semantics of an arbitrary recursive declaration. The results of 9.2 and 9.3 imply that these relational semantics correspond to the predicate-transformation semantics of Chapter 4.