1 00:00:00,000 --> 00:00:01,375 PROFESSOR: So we're going to talk 2 00:00:01,375 --> 00:00:03,560 about state machines, which is a topic 3 00:00:03,560 --> 00:00:06,780 that you're going to see in many further courses, 4 00:00:06,780 --> 00:00:11,530 because state machines model step by step processes. 5 00:00:11,530 --> 00:00:14,540 And of course, if you think about a computation, normally 6 00:00:14,540 --> 00:00:17,500 the way you think about it is that it's doing instructions, 7 00:00:17,500 --> 00:00:19,700 step by step, one after another, until it finally 8 00:00:19,700 --> 00:00:21,660 reaches termination. 9 00:00:21,660 --> 00:00:25,030 Likewise, various digital circuits 10 00:00:25,030 --> 00:00:28,180 move through stages or states until they 11 00:00:28,180 --> 00:00:30,800 produce a final answer. 12 00:00:30,800 --> 00:00:33,390 So state machines come up in at least those circumstances 13 00:00:33,390 --> 00:00:34,350 and in many others. 14 00:00:34,350 --> 00:00:35,933 And the general model of state machine 15 00:00:35,933 --> 00:00:38,050 involves the idea that you can give it input 16 00:00:38,050 --> 00:00:40,110 and it responds to them, but we don't really 17 00:00:40,110 --> 00:00:42,870 need that for our purposes. 18 00:00:42,870 --> 00:00:45,850 So let's look at our example of a state machine. 19 00:00:45,850 --> 00:00:48,640 Here's maybe a particular simple one. 20 00:00:48,640 --> 00:00:54,600 This is a description of a state machine that counts to 99. 21 00:00:54,600 --> 00:00:57,660 So the circles are indicating what its states are, and we've 22 00:00:57,660 --> 00:01:00,930 named them from 0 through 99. 23 00:01:00,930 --> 00:01:03,460 And then there's a final state called overflow, 24 00:01:03,460 --> 00:01:06,700 and that funny arc is an indication 25 00:01:06,700 --> 00:01:10,980 that if you're in overflow mode and you 26 00:01:10,980 --> 00:01:13,040 make another step by following the arc, 27 00:01:13,040 --> 00:01:14,910 you get back to overflow mode. 28 00:01:14,910 --> 00:01:17,710 But if you're in 0, you can make a step to 1. 29 00:01:17,710 --> 00:01:20,560 And if you're in 1, you can make a step to 2, and so on. 30 00:01:20,560 --> 00:01:25,680 So starting off at the start state, which is generally 31 00:01:25,680 --> 00:01:30,810 indicated by that double mark. 32 00:01:30,810 --> 00:01:32,880 So to indicate where to start. 33 00:01:32,880 --> 00:01:35,800 Then the description of this machine, 34 00:01:35,800 --> 00:01:39,290 consistent in complete description is a set of states 35 00:01:39,290 --> 00:01:43,060 which are pictured as 0 through 99 plus overflow, 36 00:01:43,060 --> 00:01:45,240 a set of transitions which are indicated 37 00:01:45,240 --> 00:01:47,900 by the arrows, which is how one state can 38 00:01:47,900 --> 00:01:50,340 move to another state. 39 00:01:50,340 --> 00:01:52,550 And the transitions can be summarised 40 00:01:52,550 --> 00:01:54,520 by saying that there of the form of i 41 00:01:54,520 --> 00:01:58,260 to i plus 1 for i between 0 and 99. 42 00:01:58,260 --> 00:02:02,090 And then there's a 99 transition to overflow, 43 00:02:02,090 --> 00:02:04,840 and once you're in overflow, you stay in overflow. 44 00:02:04,840 --> 00:02:08,090 So the picture at the top is saying exactly the same thing 45 00:02:08,090 --> 00:02:11,190 as we've said here in mathematical notation, 46 00:02:11,190 --> 00:02:14,930 explicitly describing what the transitions are. 47 00:02:14,930 --> 00:02:17,337 So this is a machine that if you really build something 48 00:02:17,337 --> 00:02:19,170 to behave this way, it wouldn't be much use, 49 00:02:19,170 --> 00:02:21,180 because once it's overflowed, it's dead, 50 00:02:21,180 --> 00:02:23,020 because it stays there. 51 00:02:23,020 --> 00:02:26,050 Real machine to be useful would have a reset transition, which 52 00:02:26,050 --> 00:02:27,870 took overflow back to zero. 53 00:02:27,870 --> 00:02:32,660 But this illustrates the basic idea. 54 00:02:32,660 --> 00:02:36,620 So let's look at a fun example from a Die Hard movie. 55 00:02:36,620 --> 00:02:38,920 I've forgotten which one it was. 56 00:02:38,920 --> 00:02:41,970 But there was one with Bruce Willis and Samuel Jackson 57 00:02:41,970 --> 00:02:45,520 playing a detective and a friend that he 58 00:02:45,520 --> 00:02:49,680 meets who helps him deal with a bad man, 59 00:02:49,680 --> 00:02:51,740 as is the case in all these movies. 60 00:02:51,740 --> 00:02:53,920 This time, the bad man's name is Simon. 61 00:02:53,920 --> 00:02:55,720 And what Simon says to them as they 62 00:02:55,720 --> 00:02:58,200 stand behind the fountain in the park shown 63 00:02:58,200 --> 00:03:00,905 on the previous slide is that on the foundation, 64 00:03:00,905 --> 00:03:03,140 there should be two jugs, do you see them? 65 00:03:03,140 --> 00:03:05,250 A five gallon and a three gallon. 66 00:03:05,250 --> 00:03:08,310 Fill one of these jugs with exactly four gallons of water 67 00:03:08,310 --> 00:03:11,240 and place it on the scale, and the timer will stop. 68 00:03:11,240 --> 00:03:13,490 The timer and the scale are not shown in that picture, 69 00:03:13,490 --> 00:03:16,490 but there's a scale and a timer nearby. 70 00:03:16,490 --> 00:03:18,950 You must be precise, one ounce more or less 71 00:03:18,950 --> 00:03:20,550 will result in detonation. 72 00:03:20,550 --> 00:03:24,790 If you're still alive in five minutes, we'll speak. 73 00:03:24,790 --> 00:03:25,610 OK. 74 00:03:25,610 --> 00:03:29,050 So let's think about formalizing this as a state machine 75 00:03:29,050 --> 00:03:30,160 to see what's going on. 76 00:03:30,160 --> 00:03:35,360 So but first of all, to understand the specification 77 00:03:35,360 --> 00:03:36,460 informally. 78 00:03:36,460 --> 00:03:41,190 What there is a three gallon jug and a five gallon jug 79 00:03:41,190 --> 00:03:44,160 that's capable of holding water, and an unlimited supply 80 00:03:44,160 --> 00:03:47,700 of water that you can get from the fountain. 81 00:03:47,700 --> 00:03:51,760 And the basic moves that you can make-- 82 00:03:51,760 --> 00:03:54,800 So with this set up, the kind of moves that you can make 83 00:03:54,800 --> 00:03:59,060 would be, say you fill up the three gallon jug with water, 84 00:03:59,060 --> 00:04:01,350 and then you could pour the three gallon jug 85 00:04:01,350 --> 00:04:02,464 into the five gallon jugs. 86 00:04:02,464 --> 00:04:03,880 And the three gallon jug was empty 87 00:04:03,880 --> 00:04:06,951 and the five gallon jug you knew had exactly three gallons 88 00:04:06,951 --> 00:04:07,450 in it. 89 00:04:09,960 --> 00:04:14,440 And then you can do other things like empty a jug and fill a jug 90 00:04:14,440 --> 00:04:15,820 and empty them into each other. 91 00:04:15,820 --> 00:04:19,246 So let's model this as a state machine. 92 00:04:19,246 --> 00:04:20,829 And the first decision we need to make 93 00:04:20,829 --> 00:04:23,020 is what's the state going to be. 94 00:04:23,020 --> 00:04:25,950 Well, the state-- the obvious model for the state 95 00:04:25,950 --> 00:04:28,050 is the amount of water in each of the jugs. 96 00:04:28,050 --> 00:04:30,480 So b is the amount in the big jug 97 00:04:30,480 --> 00:04:32,210 and l is the amount the little jug. 98 00:04:32,210 --> 00:04:34,630 And what we know about b and l is 99 00:04:34,630 --> 00:04:38,090 that they're going to be some amount between 0 and 5 for b, 100 00:04:38,090 --> 00:04:41,537 and 0 and 3 for l. 101 00:04:41,537 --> 00:04:43,120 We're going to quickly realize that we 102 00:04:43,120 --> 00:04:45,230 need them to be integers, but off hand we 103 00:04:45,230 --> 00:04:47,420 can allow them to be real numbers. 104 00:04:47,420 --> 00:04:49,930 Because after all, you could just 105 00:04:49,930 --> 00:04:52,406 pour some arbitrary amount of water 106 00:04:52,406 --> 00:04:54,030 into the big jug, any amount that it'll 107 00:04:54,030 --> 00:04:56,440 hold between 0 and 5. 108 00:04:56,440 --> 00:04:58,900 Although, that'll be dangerous, because as soon as 109 00:04:58,900 --> 00:05:01,620 you do that, you're going to lose track of exactly how 110 00:05:01,620 --> 00:05:03,700 much is in there and you won't know when 111 00:05:03,700 --> 00:05:06,000 you have four gallons or not. 112 00:05:06,000 --> 00:05:10,180 So let's formalize the possible moves that we can have. 113 00:05:10,180 --> 00:05:12,290 So first of all, the start state is 0,0, 114 00:05:12,290 --> 00:05:14,700 because we start with both jugs empty. 115 00:05:14,700 --> 00:05:17,960 And then what are the possible transitions 116 00:05:17,960 --> 00:05:19,500 of how b and l moves? 117 00:05:19,500 --> 00:05:21,260 Well, let's see. 118 00:05:21,260 --> 00:05:23,320 The fill the little jug move amounts 119 00:05:23,320 --> 00:05:27,160 to saying that if you have an amount of b in big 120 00:05:27,160 --> 00:05:30,020 and l in little, then you can make a transition called 121 00:05:30,020 --> 00:05:34,260 fill the little jug into b, and big is still unchanged, 122 00:05:34,260 --> 00:05:37,890 and 3 in little for l less than 3. 123 00:05:37,890 --> 00:05:40,740 I'm going to forbid the vacuous move where 124 00:05:40,740 --> 00:05:43,950 the little jug is already full and you try to fill it. 125 00:05:43,950 --> 00:05:46,920 That doesn't count, so l has to be less than 3, 126 00:05:46,920 --> 00:05:49,390 you can make it 3 by filling the little jug. 127 00:05:49,390 --> 00:05:52,610 Similarly, you could fill the big jug if b is less than 5. 128 00:05:52,610 --> 00:05:55,470 Then you can turn it into 5 by filling it. 129 00:05:55,470 --> 00:05:58,170 And then you can empty the little jug, which is easy. 130 00:05:58,170 --> 00:06:01,034 If you go from b, l you go to b, 0. 131 00:06:01,034 --> 00:06:02,700 And likewise, you can empty the big jug. 132 00:06:02,700 --> 00:06:04,610 Those are the easy moves. 133 00:06:04,610 --> 00:06:07,450 A slightly more complicated move is pour the big jug 134 00:06:07,450 --> 00:06:09,190 into the little jug. 135 00:06:09,190 --> 00:06:11,500 Well if there's no overflow, what that means 136 00:06:11,500 --> 00:06:14,810 is that there's l in the little jug and b in the big job. 137 00:06:14,810 --> 00:06:17,900 And after you've poured the big jug into the little jug, 138 00:06:17,900 --> 00:06:19,730 there's b plus l in the little one, 139 00:06:19,730 --> 00:06:21,930 and nothing in the big one. 140 00:06:21,930 --> 00:06:24,300 But let's be careful here about what exactly-- 141 00:06:24,300 --> 00:06:26,659 we're doing math, we're not sort of-- we're 142 00:06:26,659 --> 00:06:28,200 trying to get away from the metaphor. 143 00:06:28,200 --> 00:06:29,580 So what is no overflow means? 144 00:06:29,580 --> 00:06:31,630 It simply means that b plus l will fit. 145 00:06:31,630 --> 00:06:34,390 b plus l is less than or equal to 3. 146 00:06:34,390 --> 00:06:35,140 All right. 147 00:06:35,140 --> 00:06:38,210 What's the other case of pouring the big jug 148 00:06:38,210 --> 00:06:39,230 into the little jug? 149 00:06:39,230 --> 00:06:43,670 Well that's when b plus l won't fit, in which case, 150 00:06:43,670 --> 00:06:45,900 you pour into the little jug. 151 00:06:45,900 --> 00:06:49,880 It's got l, so you pour in 3 minus l to fill it up. 152 00:06:49,880 --> 00:06:54,574 And then what's left in b is b minus the 3 minus little l 153 00:06:54,574 --> 00:06:55,240 that you poured. 154 00:06:55,240 --> 00:06:59,290 So that the other wise case, when there is overflow. 155 00:06:59,290 --> 00:07:03,040 And similarly, there are moves for pouring the little jug 156 00:07:03,040 --> 00:07:04,590 into the big jug. 157 00:07:04,590 --> 00:07:07,786 So that then is a formal specification 158 00:07:07,786 --> 00:07:10,557 of the Die Hard machine and the moves 159 00:07:10,557 --> 00:07:11,640 that we're going to allow. 160 00:07:11,640 --> 00:07:13,880 Now, you could allow other moves like randomly 161 00:07:13,880 --> 00:07:16,070 pouring out a little water, or randomly filling 162 00:07:16,070 --> 00:07:16,970 up a little water. 163 00:07:16,970 --> 00:07:18,470 But if you did that, again, you lose 164 00:07:18,470 --> 00:07:20,730 track of how much water is in the jug. 165 00:07:20,730 --> 00:07:22,910 So these are the only safe moves. 166 00:07:22,910 --> 00:07:25,570 And they're the only ones we're going to model. 167 00:07:25,570 --> 00:07:26,070 All right. 168 00:07:26,070 --> 00:07:28,320 So let's go back to Simon's challenge. 169 00:07:28,320 --> 00:07:31,500 He wants to disarm the bomb by getting exactly four 170 00:07:31,500 --> 00:07:36,250 gallons of water in the jug and measure it on the scale, 171 00:07:36,250 --> 00:07:38,640 or things will blow up. 172 00:07:38,640 --> 00:07:41,030 And how do you do it? 173 00:07:41,030 --> 00:07:44,670 Well, why don't you take a moment 174 00:07:44,670 --> 00:07:47,800 to think about it before I proceed 175 00:07:47,800 --> 00:07:50,510 to the next set of slides or before you let me proceed. 176 00:07:50,510 --> 00:07:52,680 But just to understand the rules again, 177 00:07:52,680 --> 00:07:55,770 watch the work here's how. 178 00:07:55,770 --> 00:07:59,800 We're going to start off with both jugs empty. 179 00:07:59,800 --> 00:08:02,970 So we start off in state 0,0, and the first move 180 00:08:02,970 --> 00:08:05,360 is going to be to fill the big jug, which 181 00:08:05,360 --> 00:08:08,170 takes us to state 5, 0. 182 00:08:08,170 --> 00:08:11,850 Where the big jug has 5 and the little jug is still empty. 183 00:08:11,850 --> 00:08:15,340 Then we're going to pour from the big into the little. 184 00:08:15,340 --> 00:08:18,460 So now, the little jug has 3. 185 00:08:18,460 --> 00:08:20,000 We're filling up the little one. 186 00:08:20,000 --> 00:08:23,104 That leaves two in the big jug. 187 00:08:23,104 --> 00:08:24,770 Now we're going to empty the little one, 188 00:08:24,770 --> 00:08:27,750 we still have 2 left in the big one. 189 00:08:27,750 --> 00:08:30,180 And now we're going to pour from the big one 190 00:08:30,180 --> 00:08:33,539 into the little one, so the little one has 2 gallons 191 00:08:33,539 --> 00:08:35,860 and the big one is empty. 192 00:08:35,860 --> 00:08:39,750 Now, we fill the big jug, and there's still 193 00:08:39,750 --> 00:08:43,010 2 gallons in the little one and 5 gallons of the big one. 194 00:08:43,010 --> 00:08:48,240 Now we pour off from the five gallon jug until the one gallon 195 00:08:48,240 --> 00:08:52,820 jug is full, that's removing the 1 gallon that the 3 gallon jug 196 00:08:52,820 --> 00:08:54,610 still has capacity for. 197 00:08:54,610 --> 00:08:57,600 We reduced to full 2 gallons in the little jug, 198 00:08:57,600 --> 00:09:02,000 and four gallons, our target in the big jug. 199 00:09:02,000 --> 00:09:04,430 So we've accomplished it. 200 00:09:04,430 --> 00:09:05,730 And we're done. 201 00:09:05,730 --> 00:09:07,310 So the bomb doesn't go off. 202 00:09:07,310 --> 00:09:08,140 All right. 203 00:09:08,140 --> 00:09:10,730 So the point of this exercise is really just 204 00:09:10,730 --> 00:09:13,690 to practice how the moves work and what the states are, 205 00:09:13,690 --> 00:09:15,700 but the questions I want to raise 206 00:09:15,700 --> 00:09:20,600 is suppose that we want to have a Die Hard once 207 00:09:20,600 --> 00:09:22,640 and for all scenario, in which we're 208 00:09:22,640 --> 00:09:24,960 tired of the remakes of these movies. 209 00:09:24,960 --> 00:09:28,450 And we proposed that in the next movie, 210 00:09:28,450 --> 00:09:30,730 that Simon, if he's still around, 211 00:09:30,730 --> 00:09:33,220 offers an alternative challenge, where 212 00:09:33,220 --> 00:09:35,700 instead of a three gallon and a five gallon jug, 213 00:09:35,700 --> 00:09:39,620 there's a three gallon jug and a nine gallon jug. 214 00:09:39,620 --> 00:09:44,020 And now the question is, can you get four gallons 215 00:09:44,020 --> 00:09:48,340 into the big jug by pouring back and forth with rules 216 00:09:48,340 --> 00:09:50,910 like these, or can't you? 217 00:09:50,910 --> 00:09:53,430 And can you prove it? 218 00:09:53,430 --> 00:09:55,880 Well my guess is that you probably 219 00:09:55,880 --> 00:10:00,450 can figure out what's going on, because what's happening 220 00:10:00,450 --> 00:10:04,050 is if you start off with nothing in either jug, 221 00:10:04,050 --> 00:10:06,990 and you do these moves of filling up a jug 222 00:10:06,990 --> 00:10:09,130 and pouring one jug into another, 223 00:10:09,130 --> 00:10:13,650 you'll discover that the amount of water in any jug 224 00:10:13,650 --> 00:10:16,340 is always divisible by 3. 225 00:10:16,340 --> 00:10:18,540 This is a preserved invariant. 226 00:10:18,540 --> 00:10:22,340 Any state that you can get to, starting off from 0,0, 227 00:10:22,340 --> 00:10:26,526 3 will divide the number of gallons in each jug. 228 00:10:26,526 --> 00:10:27,650 We could state it this way. 229 00:10:27,650 --> 00:10:31,230 There's a property of states, property of b and l, 230 00:10:31,230 --> 00:10:34,240 which is the state, which is that 3 divides 231 00:10:34,240 --> 00:10:37,540 b-- that vertical line is a shorthand 232 00:10:37,540 --> 00:10:38,990 for the symbol divides. 233 00:10:38,990 --> 00:10:41,630 So three divides b, or b is a multiple of 3. 234 00:10:41,630 --> 00:10:42,990 3 divides l. 235 00:10:42,990 --> 00:10:45,110 Synonym, l is a multiple of 3. 236 00:10:45,110 --> 00:10:49,390 And the claim is that that's always going to be true. 237 00:10:49,390 --> 00:10:51,470 So in case that's not obvious, you 238 00:10:51,470 --> 00:10:53,450 might not have all the rules in your head. 239 00:10:53,450 --> 00:10:56,300 Let's just take a look at one of the more complicated rules. 240 00:10:56,300 --> 00:10:58,730 This was the rule where you're pouring 241 00:10:58,730 --> 00:11:01,370 the big jug into the little jug up 242 00:11:01,370 --> 00:11:04,420 until the little jug is full. 243 00:11:04,420 --> 00:11:07,897 And that transition is that if you're in state b, 244 00:11:07,897 --> 00:11:12,550 l, you move to b minus 3 minus l, and 3. 245 00:11:12,550 --> 00:11:17,660 And if you look at this now, clearly if 3 divides both b 246 00:11:17,660 --> 00:11:19,820 and l, both components of the state 247 00:11:19,820 --> 00:11:21,730 you're at, then in the new state, 248 00:11:21,730 --> 00:11:23,600 well 3 obviously divides the contents 249 00:11:23,600 --> 00:11:25,590 of the little jug, which is 3. 250 00:11:25,590 --> 00:11:27,810 But three also divides the contents 251 00:11:27,810 --> 00:11:31,160 of the big jug, which is a multiple of 3, namely b 252 00:11:31,160 --> 00:11:34,120 minus 3, which is a multiple of 3 minus w, 253 00:11:34,120 --> 00:11:35,760 which is a multiple of 3. 254 00:11:35,760 --> 00:11:38,940 When you take a linear combination of multiples of 3, 255 00:11:38,940 --> 00:11:40,171 you get a multiple of 3. 256 00:11:40,171 --> 00:11:41,920 And you look at all the other transitions, 257 00:11:41,920 --> 00:11:43,580 and they check equally well. 258 00:11:43,580 --> 00:11:45,670 If you're in a state b, l, and you 259 00:11:45,670 --> 00:11:51,340 move to a new state b prime, l prime, if 3 divides b and l, 260 00:11:51,340 --> 00:11:54,310 then 3 divides b prime and l prime. 261 00:11:54,310 --> 00:11:57,295 So this is what's called a preserved invariant. 262 00:12:00,050 --> 00:12:03,480 And of course the corollary is that in the Die Hard once 263 00:12:03,480 --> 00:12:06,370 and for all game with the 3 gallon jug and the 9 264 00:12:06,370 --> 00:12:10,380 gallon jug, you can't get to any state of the form 4, x, 265 00:12:10,380 --> 00:12:14,610 because 4 is not divisible by 3, and therefore Bruce 266 00:12:14,610 --> 00:12:17,110 is going to die. 267 00:12:17,110 --> 00:12:20,070 Now what we've illustrated here is an argument 268 00:12:20,070 --> 00:12:23,020 that's known as Floyd's Invariant Principle, 269 00:12:23,020 --> 00:12:25,440 and it's really nothing but induction reformulated 270 00:12:25,440 --> 00:12:26,930 for state machines. 271 00:12:26,930 --> 00:12:29,760 The statement of what is invariant principle 272 00:12:29,760 --> 00:12:33,400 is that we're going to define a preserved invariant 273 00:12:33,400 --> 00:12:35,372 as a property of states. 274 00:12:35,372 --> 00:12:36,830 And a preserved invariants means it 275 00:12:36,830 --> 00:12:40,820 has the property that if you're in a state that has property p, 276 00:12:40,820 --> 00:12:45,740 and it's possible to make a single transition to state r, 277 00:12:45,740 --> 00:12:48,290 then r will also have property p. 278 00:12:48,290 --> 00:12:49,990 This is just like the induction step. 279 00:12:49,990 --> 00:12:54,000 We have to prove that p n implies p of n plus 1. 280 00:12:54,000 --> 00:12:58,080 So if you have a preserved invariant, 281 00:12:58,080 --> 00:13:03,700 then if the property holds at the start state, 282 00:13:03,700 --> 00:13:07,170 then it's obvious that the property 283 00:13:07,170 --> 00:13:11,100 will hold for all of the states that you can possibly get to. 284 00:13:11,100 --> 00:13:13,252 That p of r will hold for all reachable states. 285 00:13:13,252 --> 00:13:14,710 And you can prove this by induction 286 00:13:14,710 --> 00:13:16,210 on the number of states, but I think 287 00:13:16,210 --> 00:13:19,320 it's clear that if you have a property that you begin with, 288 00:13:19,320 --> 00:13:21,060 and it doesn't change making a step, 289 00:13:21,060 --> 00:13:22,670 it's never going to change. 290 00:13:22,670 --> 00:13:25,960 And that's all that Floyd's invariant principle states. 291 00:13:25,960 --> 00:13:29,620 So in particular, since the property p 292 00:13:29,620 --> 00:13:31,690 holds in all reachable states, if there 293 00:13:31,690 --> 00:13:34,990 is any final state which the machine reaches, 294 00:13:34,990 --> 00:13:38,010 then p is going to hold in that state. 295 00:13:38,010 --> 00:13:42,010 And what we saw was-- we're using the word preserved 296 00:13:42,010 --> 00:13:45,260 invariant to distinguish the definition here 297 00:13:45,260 --> 00:13:48,770 from another usage that's co-opted the word 298 00:13:48,770 --> 00:13:53,580 invariant to mean a property that's true in all states. 299 00:13:53,580 --> 00:13:56,010 And while it's nice to know that some property is 300 00:13:56,010 --> 00:13:58,450 true in all states, the way you prove 301 00:13:58,450 --> 00:14:00,360 that is by having a preserved invariance. 302 00:14:00,360 --> 00:14:01,750 You want to distinguish the two. 303 00:14:01,750 --> 00:14:04,005 Technically if you look at this, the predicate 304 00:14:04,005 --> 00:14:07,150 that's always false is a preserved invariant. 305 00:14:07,150 --> 00:14:10,790 Because of the condition, as usual the way implication 306 00:14:10,790 --> 00:14:11,290 works. 307 00:14:11,290 --> 00:14:15,490 If the antecedent is false, then the entire implication is true. 308 00:14:15,490 --> 00:14:18,750 So if you're always false, then it's always the case 309 00:14:18,750 --> 00:14:22,860 that if false held in a state, which it never does, then 310 00:14:22,860 --> 00:14:25,030 it has to hold in any state you can get to, 311 00:14:25,030 --> 00:14:27,450 so that implication is true. 312 00:14:27,450 --> 00:14:30,970 So just remember that preserved invariants that are constantly 313 00:14:30,970 --> 00:14:34,960 false exist, they are good preserved in variance. 314 00:14:34,960 --> 00:14:37,790 But they're not what other people would call an invariant. 315 00:14:37,790 --> 00:14:41,630 We use preserved invariance to prove that a property is 316 00:14:41,630 --> 00:14:43,184 true in all states. 317 00:14:43,184 --> 00:14:43,975 It's a methodology. 318 00:14:47,350 --> 00:14:49,770 So let's do one more example to wrap this up. 319 00:14:49,770 --> 00:14:54,180 Suppose I have a robot on a grid, the integer grid, 320 00:14:54,180 --> 00:14:55,910 and we can think then of the coordinates 321 00:14:55,910 --> 00:14:59,240 of the integer as a pair of-- the coordinates of the robot 322 00:14:59,240 --> 00:15:02,080 as the coordinates of the square that it's in, 323 00:15:02,080 --> 00:15:04,950 a pair of non-negative integers. 324 00:15:04,950 --> 00:15:07,440 Now the way that this robot can move 325 00:15:07,440 --> 00:15:10,100 is we can make a diagonal move in one step. 326 00:15:10,100 --> 00:15:14,190 So it could move one step to the northeast or southeast 327 00:15:14,190 --> 00:15:16,365 or northwest or southwest and that's it. 328 00:15:16,365 --> 00:15:18,960 And the question I want to ask is, 329 00:15:18,960 --> 00:15:23,030 suppose you start the robot off at the origin, at 0,0. 330 00:15:23,030 --> 00:15:25,310 Is there some way that it can wander around, 331 00:15:25,310 --> 00:15:28,380 following its moves, and get to a next state 332 00:15:28,380 --> 00:15:29,780 where it's moved 1 square over? 333 00:15:29,780 --> 00:15:36,860 That is, it gets to the square 0,1. 334 00:15:36,860 --> 00:15:40,080 The answer to that is settled again by a preserved invariant. 335 00:15:40,080 --> 00:15:42,740 I don't know whether it's obvious to you yet, 336 00:15:42,740 --> 00:15:44,400 but it will be in a moment. 337 00:15:44,400 --> 00:15:47,390 I'm claiming you can't get to the square 0,1, 338 00:15:47,390 --> 00:15:51,650 and the reason is that there's are preserved invariant 339 00:15:51,650 --> 00:15:54,260 of that set of robot moves, namely 340 00:15:54,260 --> 00:15:58,105 the sum of the coordinates is even is an invariant. 341 00:15:58,105 --> 00:16:01,910 If the sum of the coordinates is even, it stays even. 342 00:16:01,910 --> 00:16:02,940 And why is that? 343 00:16:02,940 --> 00:16:07,960 Well, any move adds plus or minus 1 344 00:16:07,960 --> 00:16:12,410 to the coordinates of both x and y. 345 00:16:12,410 --> 00:16:16,560 Maybe x and y both go up by 1, in which 346 00:16:16,560 --> 00:16:19,170 case, the sum of x and y increases by 2. 347 00:16:19,170 --> 00:16:20,690 So if it was even, it stays even, 348 00:16:20,690 --> 00:16:23,370 or they both go down by 1, or maybe one goes up 349 00:16:23,370 --> 00:16:25,460 and the other goes down, in which case, the sum 350 00:16:25,460 --> 00:16:29,060 doesn't change in every case. 351 00:16:29,060 --> 00:16:31,250 If x plus y was even, it stays even. 352 00:16:31,250 --> 00:16:34,550 As a matter of fact, if it was odd, it stays odd. 353 00:16:34,550 --> 00:16:37,280 Moves actually preserve the parity of x plus y. 354 00:16:37,280 --> 00:16:42,020 But the invariant is that x plus y is even. 355 00:16:42,020 --> 00:16:43,850 Now, what else is the case. 356 00:16:43,850 --> 00:16:49,740 Well 0,0-- 0 plus 0 is 0, which is even. 357 00:16:49,740 --> 00:16:53,220 And so we're in Floyd invariant principal case, 358 00:16:53,220 --> 00:16:58,450 where all the positions you can get to from the origin 0,0, 359 00:16:58,450 --> 00:17:02,360 which has an even sum, have to have an even sum. 360 00:17:02,360 --> 00:17:10,740 And since 1 plus 0 is odd, you can't get to that square, 1,0. 361 00:17:10,740 --> 00:17:12,730 It's not reachable. 362 00:17:15,390 --> 00:17:18,910 So the parity invariant of the diagonally moving robot 363 00:17:18,910 --> 00:17:24,369 will set us up for an analysis of the 15 puzzle game. 364 00:17:24,369 --> 00:17:27,740 That's this logo that we've had on every slide in 6042 365 00:17:27,740 --> 00:17:31,490 so far with 6 blank, 4, 2, on the diagonal. 366 00:17:31,490 --> 00:17:34,660 This is a game where there are these little numbered 367 00:17:34,660 --> 00:17:37,390 tiles that slide into the blank square, 368 00:17:37,390 --> 00:17:39,960 and the question is how to permute-- 369 00:17:39,960 --> 00:17:44,140 how to get from one permutations of the numbers to another. 370 00:17:44,140 --> 00:17:46,150 It turns out that the analysis of that game 371 00:17:46,150 --> 00:17:49,010 depends on a parity invariant reminiscent 372 00:17:49,010 --> 00:17:52,210 of a slightly more sophisticated than the diagonally 373 00:17:52,210 --> 00:17:54,100 moving robot. 374 00:17:54,100 --> 00:17:58,480 Let's look at one more example of using the invariant 375 00:17:58,480 --> 00:18:01,170 to verify a little algorithm that actually will be quite 376 00:18:01,170 --> 00:18:03,610 important as the course progresses, 377 00:18:03,610 --> 00:18:05,720 and that is fast exponentiation. 378 00:18:05,720 --> 00:18:08,060 So in this set up, a is a real number 379 00:18:08,060 --> 00:18:10,020 and b is a non-negative integer. 380 00:18:10,020 --> 00:18:11,750 I want to compute the b power of a. 381 00:18:11,750 --> 00:18:18,250 Let's say b was 128, and I want to compute the 128th power 382 00:18:18,250 --> 00:18:20,350 of some real number a. 383 00:18:20,350 --> 00:18:24,330 Well, I can multiply a by itself 127 times, that would work 384 00:18:24,330 --> 00:18:25,230 fine. 385 00:18:25,230 --> 00:18:29,120 But you think about it, suppose I square a and then I square it 386 00:18:29,120 --> 00:18:33,930 again, and I square it again, then in about eight squarings, 387 00:18:33,930 --> 00:18:36,680 instead of 99 multiplications, I'm 388 00:18:36,680 --> 00:18:40,310 going to get to 8 of the 128th. 389 00:18:40,310 --> 00:18:44,040 Now if b is not a power of two, you adjust it slightly, 390 00:18:44,040 --> 00:18:50,220 and using that idea, you can compute the bth power of a much 391 00:18:50,220 --> 00:18:52,180 more rapidly than if you just naively 392 00:18:52,180 --> 00:18:54,490 multiplied out b minus 1 times. 393 00:18:54,490 --> 00:18:57,640 So let's look at the pseudocode for this algorithm. 394 00:18:57,640 --> 00:19:05,420 Here, XYZ in our temporary registers y and z, hold-- y, z, 395 00:19:05,420 --> 00:19:06,560 and r all hold integers. 396 00:19:06,560 --> 00:19:09,430 And x holds this real number a. 397 00:19:09,430 --> 00:19:12,610 And you can read the code if you wish 398 00:19:12,610 --> 00:19:14,840 but in fact, I'm going to immediately jump 399 00:19:14,840 --> 00:19:16,850 to the slightly more abstract and easier 400 00:19:16,850 --> 00:19:19,540 to understand version of it as a state machine. 401 00:19:19,540 --> 00:19:22,900 So what matters about this fast exponentiation algorithm 402 00:19:22,900 --> 00:19:26,240 as a state machine is that first of all, 403 00:19:26,240 --> 00:19:29,670 there are three states to real numbers, 404 00:19:29,670 --> 00:19:34,830 and a non-negative integer. 405 00:19:34,830 --> 00:19:38,850 And the start state is going to be that the number a is 406 00:19:38,850 --> 00:19:42,300 in the first register, or in the first location, 407 00:19:42,300 --> 00:19:44,150 first coordinate of the states. 408 00:19:44,150 --> 00:19:46,920 1 is the real number in the second coordinate, 409 00:19:46,920 --> 00:19:51,320 and b the target exponent, is the non-negative integer 410 00:19:51,320 --> 00:19:54,600 in the third component. 411 00:19:54,600 --> 00:19:56,460 The transitions are going to be as follows. 412 00:19:56,460 --> 00:19:58,240 Here's a simple one. 413 00:19:58,240 --> 00:20:02,700 If I have an amount x in the first location, y 414 00:20:02,700 --> 00:20:08,430 in the second location, z in the third, then if z is positive 415 00:20:08,430 --> 00:20:13,210 and even, then I'm going to square x, leave y 416 00:20:13,210 --> 00:20:17,170 alone, and divide z by 2. 417 00:20:17,170 --> 00:20:18,930 And that's the new state that I get. 418 00:20:18,930 --> 00:20:22,830 On the other hand, if z is odd and positive, 419 00:20:22,830 --> 00:20:27,840 then I'm going to square x, multiply y by x, 420 00:20:27,840 --> 00:20:33,010 and again take the quotient of z, divide z by 2. 421 00:20:33,010 --> 00:20:33,930 OK. 422 00:20:33,930 --> 00:20:36,955 Why does this state machine do fast exponentiation, 423 00:20:36,955 --> 00:20:38,280 why is it correct? 424 00:20:38,280 --> 00:20:41,130 And the insight is that there's a preserved invariant 425 00:20:41,130 --> 00:20:42,290 of this machine. 426 00:20:42,290 --> 00:20:46,500 And the preserved invariant is that y times x to the z 427 00:20:46,500 --> 00:20:49,240 is always a to the b. 428 00:20:49,240 --> 00:20:53,900 SO let's see how to verify that, that yx to the z 429 00:20:53,900 --> 00:20:56,900 is equal to a to the b. 430 00:20:56,900 --> 00:21:00,290 Let's just look at maybe the slightly more interesting 431 00:21:00,290 --> 00:21:01,900 of the two transition rules, which 432 00:21:01,900 --> 00:21:07,060 is when z is positive and odd, the xyz state 433 00:21:07,060 --> 00:21:10,040 moves to a new state, indicated in green. 434 00:21:10,040 --> 00:21:12,950 Where the new value of x is x squared, the new value of y 435 00:21:12,950 --> 00:21:17,560 is xy, and the new value of z is z minus 1 over 2. 436 00:21:17,560 --> 00:21:20,400 Remember, you went to the quotient of z divided by 2, 437 00:21:20,400 --> 00:21:23,360 and when z is odd, that means z minus-- it's literally 438 00:21:23,360 --> 00:21:25,130 z minus 1 over 2. 439 00:21:25,130 --> 00:21:28,480 Well, do the new values satisfy the invariant 440 00:21:28,480 --> 00:21:32,950 if I plug-in the green values of x squared for y and xy 441 00:21:32,950 --> 00:21:38,650 for x-- I'm sorry, x squared for x, xy for y, 442 00:21:38,650 --> 00:21:40,210 and z minus 1 over 2 for z? 443 00:21:40,210 --> 00:21:42,700 Well let's see what happens. 444 00:21:42,700 --> 00:21:49,060 If I take the new value of y, which is xy, 445 00:21:49,060 --> 00:21:53,020 and I multiply it by the new value of x, which is x squared, 446 00:21:53,020 --> 00:21:57,420 raised to the new value of z, which is z minus 1 over 2. 447 00:21:57,420 --> 00:22:00,420 Let's do a little algebraic simplification of that. 448 00:22:00,420 --> 00:22:02,930 Well, the x squared to the z minus 1 over 2 449 00:22:02,930 --> 00:22:05,520 becomes x to the z minus 1. 450 00:22:05,520 --> 00:22:08,600 And I'm just carrying over the xy. 451 00:22:08,600 --> 00:22:14,020 And then that simplifies to simply y times x times x 452 00:22:14,020 --> 00:22:18,180 to the z minus 1, or yz to the z, which we assumed 453 00:22:18,180 --> 00:22:22,050 was equal to a to the b, so sure enough, the new values of x, y, 454 00:22:22,050 --> 00:22:24,170 and z satisfy the invariant. 455 00:22:24,170 --> 00:22:27,260 It's a preserved invariant, and an even simpler argument 456 00:22:27,260 --> 00:22:31,910 applies to the other transition, when z is positive and even. 457 00:22:31,910 --> 00:22:35,740 So we verified that this is a preserved invariant. 458 00:22:35,740 --> 00:22:41,900 Now at the start, remember, we start off with the real number 459 00:22:41,900 --> 00:22:46,060 a in register x, the real number b in z, and the real number 460 00:22:46,060 --> 00:22:49,840 1 in y, which is the accumulator. 461 00:22:49,840 --> 00:22:52,990 And 1 times a to b is equal to a to b. 462 00:22:52,990 --> 00:22:55,260 So this is a-- this preserved invariant 463 00:22:55,260 --> 00:22:57,420 is true of the start state. 464 00:22:57,420 --> 00:23:00,020 That means by Floyd's Invariant Principle, 465 00:23:00,020 --> 00:23:03,550 that it is true at this the final state, 466 00:23:03,550 --> 00:23:05,410 if and when the thing stops. 467 00:23:05,410 --> 00:23:07,670 Well, when does this machine stop? 468 00:23:07,670 --> 00:23:10,400 As long as z is positive, it can keep moving. 469 00:23:10,400 --> 00:23:13,610 So it gets stuck when z is 0? 470 00:23:13,610 --> 00:23:16,710 What happens if it ever gets to z is 0? 471 00:23:16,710 --> 00:23:22,490 If it gets stuck, then the invariant says that yx to the 0 472 00:23:22,490 --> 00:23:24,640 has to equal a to the b. 473 00:23:24,640 --> 00:23:27,940 But of course, yx to the 0 is nothing but y. 474 00:23:27,940 --> 00:23:30,630 And what we conclude is, that sure enough, 475 00:23:30,630 --> 00:23:34,310 this machine leaves the desired exponential value 476 00:23:34,310 --> 00:23:37,850 in the register y, which is where we get the answer. 477 00:23:37,850 --> 00:23:42,970 And that's why this algorithm is correct. 478 00:23:42,970 --> 00:23:47,720 Now another aspect of what's going on here 479 00:23:47,720 --> 00:23:50,430 is proving that the algorithm does terminate. 480 00:23:50,430 --> 00:23:55,080 So let me just say a word that Floyd distinguished 481 00:23:55,080 --> 00:23:57,400 sort of these two aspects of program correctness 482 00:23:57,400 --> 00:23:58,390 that typically come up. 483 00:23:58,390 --> 00:24:01,140 One is showing that if you get an answer, it's correct, 484 00:24:01,140 --> 00:24:02,690 and that's what we just did. 485 00:24:02,690 --> 00:24:06,080 If this machine stops, if it ever gets to the case 486 00:24:06,080 --> 00:24:09,700 where z is 0, then y has the right answer. 487 00:24:09,700 --> 00:24:11,790 But we haven't proved that it stops. 488 00:24:11,790 --> 00:24:14,020 So we've shown that it's partially 489 00:24:14,020 --> 00:24:16,770 correct like a partial function. 490 00:24:16,770 --> 00:24:18,230 It might not be defined everywhere, 491 00:24:18,230 --> 00:24:20,313 we haven't shown that yet, but when it is defined, 492 00:24:20,313 --> 00:24:21,520 if gives the right answer. 493 00:24:21,520 --> 00:24:24,580 The other aspect of correctness is termination, 494 00:24:24,580 --> 00:24:27,050 showing in effect, that the function is total, 495 00:24:27,050 --> 00:24:29,280 that the program always does stop. 496 00:24:29,280 --> 00:24:30,920 Well in this case, there's an easy way 497 00:24:30,920 --> 00:24:32,780 to see why it always stops. 498 00:24:32,780 --> 00:24:37,875 Because at every transition, z is being halved or more. 499 00:24:37,875 --> 00:24:44,080 z is a non-negative integer valued variable. 500 00:24:44,080 --> 00:24:47,260 And since we're halving it, or making 501 00:24:47,260 --> 00:24:50,460 it even smaller than half of it at every step, 502 00:24:50,460 --> 00:24:55,100 it means that since it starts with the value z, 503 00:24:55,100 --> 00:24:59,300 it can't get smaller, more than log to the base 2 of b times, 504 00:24:59,300 --> 00:25:01,500 because by then, it would have hit 0. 505 00:25:01,500 --> 00:25:03,870 And so we can be sure that this machine 506 00:25:03,870 --> 00:25:08,000 makes it most log to the base 2 of b transitions. 507 00:25:08,000 --> 00:25:11,000 And then it has to get stuck at the only place it 508 00:25:11,000 --> 00:25:14,620 can get stuck, which is when z equals 0. 509 00:25:14,620 --> 00:25:19,950 And there is a picture of my friend, an early colleague, 510 00:25:19,950 --> 00:25:24,290 Bob Floyd, whom I met at the very beginning of my career 511 00:25:24,290 --> 00:25:26,820 at Carnegie Mellon University. 512 00:25:26,820 --> 00:25:28,390 We worked together for about one year 513 00:25:28,390 --> 00:25:30,330 before he went off to Stanford. 514 00:25:30,330 --> 00:25:33,730 And you can read much more about his life 515 00:25:33,730 --> 00:25:38,620 in a warm and detailed eulogy written 516 00:25:38,620 --> 00:25:42,030 by his best friend, Don Knuth. 517 00:25:42,030 --> 00:25:46,820 Floyd won the Turing Award for his major contributions, 518 00:25:46,820 --> 00:25:51,100 both to program correctness and to programming language 519 00:25:51,100 --> 00:25:52,650 parsing.