The collection of state functions $\overline{y}_1, \ldots, \overline{y}_n$ is called a refinement mapping. The "barred variable" $\overline{y}_i$ is the state function with which implements the variable $y_i$ of . To prove (51), one must find a refinement mapping such that $\Rightarrow$ is valid. The completeness theorem then implies that the proof of $\Rightarrow$ can be reduced to the proof of valid action formulas by using the rules of Figure 5. But can the requisite refinement mapping always be found? Does the validity of (51) imply the existence of a refinement mapping such that $\Rightarrow$ is valid?
The answer is no; a refinement mapping need not exist. As an example, we return to Programs 1 and 2, represented by formulas of Figure 3 on page 18 and of Figure 7 on page 32. Program 2 permits precisely the same sequences of values for $x$ and $y$ as does Program 1. Therefore, the formula $\exists\, sem, pc_1, pc_2 :$ , which describes only the sequences of values for $x$ and $y$ allowed by Program 2, is equivalent to . Can we prove this equivalence? We already sketched the proof of $\Rightarrow$ , which by Rule E2 implies $\Rightarrow (\exists\, sem, pc_1, pc_2 :\ )$. In this case, has no internal variables, so the refinement mapping is the trivial one consisting of the empty set of barred variables. Now consider the converse,

   $\Rightarrow (\exists\, sem, pc_1, pc_2 :\ )$   (52)

Can we define the requisite state functions $\overline{sem}$, $\overline{pc_1}$, and $\overline{pc_2}$ in terms of $x$ and $y$ (the only variables that occur in ) so that Program 1 allows them to assume only those sequences of values that Program 2 allows the corresponding variables to assume? Clearly not. There is no way to infer from the values of $x$ and $y$ what the values of $\overline{sem}$, $\overline{pc_1}$, and $\overline{pc_2}$ should be. Thus, there does not exist a refinement mapping for which implies .

To prove (52), one must modify by adding dummy variables. Intuitively, a dummy variable is one that is added to a program without affecting the program's behavior. Formally, adding a dummy variable $d$ to a formula means finding a formula ${}_{d}$ such that $\exists\, d : {}_{d}$ is equivalent to . (The variable $d$ is assumed not to occur free in .) Formula (52) can be proved by adding two dummy variables $h$ and $p$ to . That is, we can construct a formula ${}_{hp}$ such that $\exists\, h, p : {}_{hp}$ is equivalent to , and can then prove $(\exists\, h, p : {}_{hp}) \Rightarrow (\exists\, sem, pc$ by constructing a refinement mapping such that ${}_{hp}$ implies . The refinement mapping can be found because the state functions $\overline{sem}$, $\overline{pc_1}$, and $\overline{pc_2}$ are allowed to depend upon $h$ and $p$ as well as $x$ and $y$.

In general, refinement mappings can always be found if we add the right dummy variables. The completeness theorem of [1] shows that, under certain reasonable assumptions about and , if (51) is valid, then it can in principle be proved by adding dummy variables to and finding the requisite refinement mapping. This theorem and the completeness theorem provide a relative completeness result for TLA formulas of the form (51) when and are formulas of the form $Init \wedge \Box[N]_f \wedge F$, with $F$ the conjunction of fairness conditions.
9.3.3 "Barring" Fairness

When has the canonical form $Init \wedge \Box[N]_f \wedge F$, the formula equals $\overline{Init} \wedge \Box[\overline{N}]_{\overline{f}} \wedge \overline{F}$. If $F$ is the conjunction of fairness conditions of the form $WF_g(M)$ and $SF_g(M)$, then $\overline{F}$ is the conjunction of "barred" fairness conditions $\overline{WF_g(M)}$ and $\overline{SF_g(M)}$.

We might expect that $\overline{WF_g(M)}$ would be equivalent to $WF_{\overline{g}}(\overline{M})$ and $\overline{SF_g(M)}$ equivalent to $SF_{\overline{g}}(\overline{M})$, but that need not be the case. It is true that

   $WF_{\overline{g}}(\overline{M}) \equiv \Box\Diamond\neg Enabled\,\langle\overline{M}\rangle_{\overline{g}} \vee \Box\Diamond\langle\overline{M}\rangle_{\overline{g}}$
   $SF_{\overline{g}}(\overline{M}) \equiv \Diamond\Box\neg Enabled\,\langle\overline{M}\rangle_{\overline{g}} \vee \Box\Diamond\langle\overline{M}\rangle_{\overline{g}}$   (53)

However, $Enabled\,\langle\overline{M}\rangle_{\overline{g}}$ is not necessarily equivalent to $\overline{Enabled\,\langle M\rangle_g}$. For example, let $M$ be the action $(x' = x) \wedge (y' \neq y)$, let $g$ equal $(x, y)$, and let the refinement mapping be defined by $\overline{x} = z$ and $\overline{y} = z$. Then $Enabled\,\langle M\rangle_g$ equals $true$, so $\overline{Enabled\,\langle M\rangle_g}$ equals $true$. But
   $Enabled\,\langle\overline{M}\rangle_{\overline{g}}$
   $\equiv Enabled\,\langle \overline{(x' = x) \wedge (y' \neq y)} \rangle_{\overline{(x, y)}}$   {by definition of $M$ and $g$}
   $\equiv Enabled\,\langle (\overline{x}' = \overline{x}) \wedge (\overline{y}' \neq \overline{y}) \rangle_{(\overline{x}, \overline{y})}$   {by definition of $\overline{\ldots}$}
   $\equiv Enabled\,\langle (z' = z) \wedge (z' \neq z) \rangle_{(z, z)}$   {by definition of $\overline{x}$ and $\overline{y}$}
   $\equiv Enabled\ false$   {by definition of $\langle\ldots\rangle_{\ldots}$}
   $\equiv false$   {by definition of $Enabled$}
Thus, $Enabled\,\langle\overline{M}\rangle_{\overline{g}}$ is not equivalent to $\overline{Enabled\,\langle M\rangle_g}$. In general, the
$Enabled\,\langle M\rangle_g$, so we can't obtain $Enabled\,\langle\overline{M}\rangle_{\overline{g}}$ from $Enabled\,\langle M\rangle_g$ by blindly barring all variables.
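As an added illustration (example code written for this edit, not code from the paper), the following Python script checks the example above by brute force. It spells out the semantics of $Enabled\,\langle A\rangle_f$ as "some successor state satisfies $A$ and changes $f$", implements barring as the substitution of the state functions $\overline{x} = z$ and $\overline{y} = z$ for the variables $x$ and $y$ (the same substitution by which a refinement mapping turns a formula into its barred version), and confirms that $\overline{Enabled\,\langle M\rangle_g}$ is $true$ in every implementation state while $Enabled\,\langle\overline{M}\rangle_{\overline{g}}$ is $false$. It also checks the one direction that does hold in general, namely that $Enabled\,\langle\overline{M}\rangle_{\overline{g}}$ implies $\overline{Enabled\,\langle M\rangle_g}$ (an observation added here, not a statement taken from the page). The finite value domain and the dictionary representation of states are assumptions of the example.

```python
from itertools import product

# Constructed finite value domain, so that Enabled can be decided by enumeration.
DOMAIN = range(3)

# A state is a dict from variable names to values.  M and g are the action and
# state function of the paper's example, on states with variables x and y.
def M(s, t):
    """M == (x' = x) /\\ (y' # y), evaluated on old state s and new state t."""
    return t["x"] == s["x"] and t["y"] != s["y"]

def g(s):
    """g == (x, y)"""
    return (s["x"], s["y"])

def enabled(action, f, s, states):
    """Enabled <action>_f at state s: some successor t (drawn from `states`)
    satisfies action(s, t) and changes f.  This is the semantics of Enabled
    applied to the action <A>_f == A /\\ (f' # f)."""
    return any(action(s, t) and f(t) != f(s) for t in states)

# Refinement mapping of the example: xbar = z and ybar = z.  Barring a formula
# means substituting these state functions for the variables x and y.
def bar(s):
    """Barred values of x and y in an implementation state s (variable z only)."""
    return {"x": s["z"], "y": s["z"]}

def M_bar(s, t):
    """Mbar: M with xbar, ybar substituted for x, y in old and new state."""
    return M(bar(s), bar(t))

def g_bar(s):
    """gbar == (xbar, ybar)"""
    return g(bar(s))

SPEC_STATES = [{"x": x, "y": y} for x, y in product(DOMAIN, DOMAIN)]
IMPL_STATES = [{"z": z} for z in DOMAIN]

def enabled_M_g(s):
    """Enabled <M>_g at a specification state s (variables x, y)."""
    return enabled(M, g, s, SPEC_STATES)

def barred_enabled_M_g(s):
    """overline{Enabled <M>_g} at an implementation state s: the predicate
    Enabled <M>_g with xbar, ybar substituted for x, y."""
    return enabled_M_g(bar(s))

def enabled_Mbar_gbar(s):
    """Enabled <Mbar>_gbar at an implementation state s (variable z)."""
    return enabled(M_bar, g_bar, s, IMPL_STATES)

def compare_all():
    """Truth values of overline{Enabled <M>_g} and of Enabled <Mbar>_gbar
    over all implementation states, in that order."""
    return ([barred_enabled_M_g(s) for s in IMPL_STATES],
            [enabled_Mbar_gbar(s) for s in IMPL_STATES])

def barring_is_sound_direction():
    """Enabled <Mbar>_gbar implies overline{Enabled <M>_g} in every state: a
    successor t of s under Mbar yields the pair (bar(s), bar(t)) satisfying M
    and changing g.  The converse is what the example refutes."""
    return all((not enabled_Mbar_gbar(s)) or barred_enabled_M_g(s)
               for s in IMPL_STATES)

if __name__ == "__main__":
    print(compare_all())  # ([True, True, True], [False, False, False])
```

The two lists returned by `compare_all` are exactly the two sides of the non-equivalence: blindly barring the predicate $Enabled\,\langle M\rangle_g$ gives $true$ everywhere, whereas the predicate $Enabled\,\langle\overline{M}\rangle_{\overline{g}}$ computed from the barred action is $false$ everywhere, because no implementation state can change $\overline{y} = z$ while leaving $\overline{x} = z$ unchanged.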
In rules WF2 and SF2, the formulas $WF_{\overline{g}}(\overline{M})$ and $SF_{\overline{g}}(\overline{M})$ are defined by (53). The rules are sound when $\overline{M}$ is any action, $\overline{g}$ any state function, and $Enabled\,\langle\overline{M}\rangle_{\overline{g}}$ any predicate, assuming that $WF_{\overline{g}}(\overline{M})$ and $SF_{\overline{g}}(\overline{M})$ are defined by (53). In practice, the barred formulas will be obtained from unbarred ones by substituting "barred variables" (state functions) for variables, as in our example.