@@ -270,90 +270,104 @@ module _ (_⊢_⇀⟦_⟧_ : C → S → Sig → S → Type) where
270270 Γ ⊢ s ⇀⟦ sig ∷ sigs ⟧* s''
271271```
272272
273- \subsection{ Computational}
273+ ## Computational
274274
275275Since all such state machines need to be evaluated by the nodes and all
276276nodes should compute the same states, the relations specified by them
277277should be computable by functions. This can be captured by the
278- definition in \cref{fig: computational } which is parametrized
279- over the state transition relation.
278+ definition in [ Computational relations] ( Ledger.Introduction.md#computational-relations )
279+ which is parametrized over the state transition relation.
280+
281+
282+ ### Computational relations
283+
284+
285+ ``` agda
280286
281- \begin{figure* }[ htb]
282- \begin{AgdaMultiCode}
283- \begin{code}
284287record Computational (_⊢_⇀⦇_,X⦈_ : C → S → Sig → S → Type) : Type where
285288 field
286289 compute : C → S → Sig → Maybe S
287290 ≡-just⇔STS : compute Γ s b ≡ just s' ⇔ Γ ⊢ s ⇀⦇ b ,X⦈ s'
288291
289292 nothing⇒∀¬STS : compute Γ s b ≡ nothing → ∀ s' → ¬ Γ ⊢ s ⇀⦇ b ,X⦈ s'
290- \end{code}
291- \end{AgdaMultiCode}
292- \caption{Computational relations}
293- \label{fig : computational }
294- \end{figure * }
295- \begin{code} [ hide ]
293+ ```
294+
295+ < div class = " agda-hidden-source " >
296+
297+ ``` agda
298+
296299 nothing⇒∀¬STS comp≡nothing s' h rewrite ≡-just⇔STS .Equivalence.from h =
297300 case comp≡nothing of λ ()
298- \end{code}
301+ ```
302+
303+ </div >
304+
299305
300- Unpacking this, we have a \ compute{ } function that computes a final
301- state from a given environment, state and signal. The second piece is
302- correctness: \ compute{ } succeeds with some final state if and only if
303- that final state is in relation to the inputs.
306+ Unpacking this, we have a ` compute ` {.agdafield } function that computes a
307+ final state from a given environment, state and signal. The second piece
308+ is correctness: ` compute ` {.agdafield } succeeds with some final state if
309+ and only if that final state is in relation to the inputs.
304310
305311This has two further implications:
306312
307- \begin{itemize}
308- \item Since \compute{} is a function, the state transition relation is necessarily
309- a (partial) function; i.e., there is at most one possible final state for each
310- input data. Otherwise, we could prove that \ compute{ } could evaluates to
311- two different states on the same inputs, which is impossible since it
312- is a function.
313- \item The actual definition of \ compute{ } is irrelevant--- any two
314- implementations of \ compute{ } have to produce the same result on any
315- input. This is because we can simply chain the equivalences for two
316- different \ compute{ } functions together.
317- \end{itemize}
318-
319- What this all means in the end is that if we give a \Computational{}
320- instance for every relation defined in the ledger, we also have an
321- executable version of the rules which is guaranteed to be
322- correct. This is indeed something we have done, and the same source
323- code that generates this document also generates a Haskell library
324- that lets anyone run this code.
325-
326- \subsection{ Sets \ &
327- \label{sec : sets-maps }
328- The ledger heavily uses set theory. For various reasons it was
329- necessary to implement our own set theory (there will be a paper on this
330- some time in the future). Crucially, the set theory is completely
331- abstract (in a technical sense--- Agda has an abstract keyword) meaning
332- that implementation details of the set theory are
333- irrelevant. Additionally, all sets in this specification are finite.
313+ - Since ` compute ` {.agdafield} is a function, the state transition
314+ relation is necessarily a (partial) function; i.e., there is at most
315+ one possible final state for each input data. Otherwise, we could
316+ prove that ` compute ` {.agdafield } could evaluates to two different
317+ states on the same inputs, which is impossible since it is a function.
318+
319+ - The actual definition of ` compute ` {.agdafield } is irrelevant— any two
320+ implementations of ` compute ` {.agdafield } have to produce the same
321+ result on any input. This is because we can simply chain the
322+ equivalences for two different ` compute ` {.agdafield } functions
323+ together.
324+
325+ What this all means in the end is that if we give a
326+ ` Computational ` {.agdarecord} instance for every relation defined in the
327+ ledger, we also have an executable version of the rules which is
328+ guaranteed to be correct. This is indeed something we have done, and the
329+ same source code that generates this document also generates a Haskell
330+ library that lets anyone run this code.
331+
332+ ## Sets & Maps {#sec : sets-maps }
333+
334+ The ledger heavily uses set theory. For various reasons it was necessary
335+ to implement our own set theory (there will be a paper on this some time
336+ in the future). Crucially, the set theory is completely abstract (in a
337+ technical sense— Agda has an abstract keyword) meaning that
338+ implementation details of the set theory are irrelevant. Additionally,
339+ all sets in this specification are finite.
334340
335341We use this set theory to define maps as seen below, which are used in
336- many places. We usually think of maps as partial functions
337- (i.e., functions not necessarily defined everywhere---equivalently, "left-unique"
338- relations) and we use the harpoon arrow \AgdaFunction{⇀} to
339- distinguish such maps from standard Agda functions which use \AgdaSymbol{→}.
340- The figure below also gives notation for the powerset operation, \PowerSet{},
341- used to form a type of sets with elements in a given type,
342- as well as the subset relation and the equality relation for sets.
343-
344- When we need to convert a list \AgdaBound{l} to its set of elements,
345- we write \fromList{}~ \AgdaBound{l}.
346- \begin{figure* }[ h]
347- \begin{code}[ hide]
342+ many places. We usually think of maps as partial functions (i.e.,
343+ functions not necessarily defined everywhere—equivalently, "left-unique"
344+ relations) and we use the harpoon arrow to distinguish such maps from
345+ standard Agda functions which use . The code below also gives notation
346+ for the powerset operation, ` PowerSet ` {.agdafunction}, used to form a
347+ type of sets with elements in a given type, as well as the subset
348+ relation and the equality relation for sets.
349+
350+ When we need to convert a list to its set of elements, we write
351+ ` fromList ` {.agdafunction} .
352+
353+
354+ <div class =" agda-hidden-source " >
355+
356+ ``` agda
357+
348358open Theory th using (_∈_) renaming (Set to ℙ)
349359private variable
350360 a c : Level
351361 A : Type a
352362Σ-syntax' : (A : Type a) → (A → Type c) → Type _
353363Σ-syntax' = Σ
354364syntax Σ-syntax' A (λ x → B) = x ∈ A ﹐ B
355- \end{code}
356- \begin{code}
365+ ```
366+
367+ </div >
368+
369+ ``` agda
370+
357371_⊆_ : {A : Type} → ℙ A → ℙ A → Type
358372X ⊆ Y = ∀ {x} → x ∈ X → x ∈ Y
359373
@@ -368,24 +382,25 @@ left-unique R = ∀ {a b b'} → (a , b) ∈ R → (a , b') ∈ R → b ≡ b'
368382
369383_⇀_ : Type → Type → Type
370384A ⇀ B = r ∈ Rel A B ﹐ left-unique r
371- \end{code}
372- \end{figure* }
373-
374- \subsection{Propositions as Types, Properties and Relations}
375- \label{sec: prop-as-types }
376- In type theory we represent propositions as types and proofs of a proposition as
377- elements of the corresponding type.
378- A unary predicate is a function that takes each \AgdaBound{x} (of some type \AgdaBound{A}) and
379- returns a proposition \AgdaFunction{P}(\AgdaBound{x}). Thus, a predicate is a function of type
380- \AgdaBound{A}~ \AgdaSymbol{→}~ \Type{}.
381- A \textit{binary relation} \AgdaFunction{R} between \AgdaBound{A} and \AgdaBound{B} is a
382- function that takes a pair of values \AgdaBound{x} and \AgdaBound{y} and returns a proposition
383- asserting that the relation \AgdaFunction{R} holds between \AgdaBound{x} and \AgdaBound{y}.
384- Thus, such a relation is a function of type
385- \AgdaBound{A}~ \AgdaFunction{×}~ \AgdaBound{B}~ \AgdaSymbol{→}~ \Type{}
386- or \AgdaBound{A}~ \AgdaSymbol{→}~ \AgdaBound{B}~ \AgdaSymbol{→}~ \Type{}.
385+ ```
387386
387+
388+ ## Propositions as Types, Properties and Relations {#sec: prop-as-types }
389+
390+ In type theory we represent propositions as types and proofs of a
391+ proposition as elements of the corresponding type. A unary predicate is
392+ a function that takes each ` x ` {.agdabound} (of some type ` A ` {.agdabound})
393+ and returns a proposition ` P ` {.agdafunction}(` x ` {.agdabound}).
394+ Thus, a predicate is a function of type ` A ` {.agdabound} → ` Type ` {.agdaprimitive}.
395+ A * binary relation* ` R ` {.agdafunction} between ` A ` {.agdabound} and ` B ` {.agdabound} is
396+ a function that takes a pair of values ` x ` {.agdabound} and ` y ` {.agdabound} and
397+ returns a proposition asserting that the relation ` R ` {.agdafunction} holds between
398+ ` x ` {.agdabound} and ` y ` {.agdabound}. Thus, such a relation is a function of type
399+ ` A ` {.agdabound} ` × ` {.agdafunction} ` B ` {.agdabound} → ` Type ` {.agdaprimitive} or
400+ ` A ` {.agdabound} → ` B ` {.agdabound} → ` Type ` {.agdaprimitive}.
388401These relations are typically required to be decidable, which means
389402that there is a boolean-valued function that computes whether the
390403predicate holds or not. This means that it is generally safe to think
391404of predicates simply returning a boolean value instead.
405+
406+
0 commit comments