Verification 1: Objectives of this Lecture: Induction on → - PowerPoint PPT Presentation



  1. Verification 1: Objectives of this Lecture
     - Induction on $\rightarrow$
     - Induction on $\not\rightarrow$
     - Formal proof of the vector clock algorithm
     Vijay K. Garg, Distributed Systems, Spring 96

  2. Verification 2: Causally precedes and its complement
     [Figure: two process lines with states $s_1, s_2, s_3, s_4$ and $t_1, t_2, t_3, t_4$ joined by message arrows]
     The relation $\rightarrow^{k}$ is used for induction on $\rightarrow$. For $k > 0$,
     $$s \rightarrow^{k} t \;\triangleq\; ml(s,t) = k$$
     Thus $s \rightarrow^{k} t$ if and only if $s \rightarrow t$ and the longest chain from $s$ to $t$ has length $k$.

  3. Verification 3: Induction on $\rightarrow$
     Lemma 1: $s \rightarrow t \;\Leftrightarrow\; (\exists k : k > 0 : s \rightarrow^{k} t)$
     Lemma 2: $s \rightarrow^{1} t \;\Rightarrow\; s \prec t \lor s \rightsquigarrow t$. Is the converse true?
     Proof:
       $s \rightarrow^{1} t$
       $\Rightarrow\; ml(s,t) = 1$  {defn of $\rightarrow^{k}$}
       $\Rightarrow\; \exists c : first(c) = s \land last(c) = t \land len(c) = 1$
       $\Rightarrow\; s \prec t \lor s \rightsquigarrow t$  {defn of a chain}
     Lemma 3: $(s \rightarrow^{k} t) \land (k > 1) \;\Rightarrow\; (\exists u :: s \rightarrow^{k-1} u \land u \rightarrow^{1} t)$
     Proof:
       $(s \rightarrow^{k} t) \land (k > 1)$
       $\Rightarrow\; (ml(s,t) = k) \land (k > 1)$  {defn of $\rightarrow^{k}$}
       $\Rightarrow\; (\exists u :: ml(s,u) = k-1 \land ml(u,t) = 1)$  {chain lemma}
       $\Rightarrow\; (\exists u :: s \rightarrow^{k-1} u \land u \rightarrow^{1} t)$  {defn of $\rightarrow^{k}$}

  4. Verification 4: The relation $\not\rightarrow$
     [Figure: two process lines with states $s_1, s_2, s_3, s_4$ and $t_1, t_2, t_3, t_4$ joined by message arrows]
     Define for $k \geq 0$:
     $$s \not\rightarrow^{k} t \;\triangleq\; s \not\rightarrow t \land ml(Init, t) = k$$
     Thus $s \not\rightarrow^{k} t$ if and only if $s \not\rightarrow t$ and the longest chain from some initial state to $t$ has length $k$.

  5. Verification 5: Induction on $\not\rightarrow$
     Lemma 4: $s \not\rightarrow t \;\Leftrightarrow\; (\exists k : k \geq 0 : s \not\rightarrow^{k} t)$
     Proof:
       $s \not\rightarrow t$
       $\Leftrightarrow\; (s \not\rightarrow t) \land (ml(Init, t) \geq 0)$  {by defn of $ml(Init, t)$}
       $\Leftrightarrow\; (\exists k : k \geq 0 : s \not\rightarrow^{k} t)$  {defn of $\not\rightarrow^{k}$}
     Lemma 5: $s \not\rightarrow^{0} t \;\Leftrightarrow\; Init(t)$

  6. Verification 6: Induction on $\not\rightarrow$ [Contd.]
     Lemma 6: $(k > 0) \land (s \not\rightarrow^{k} t) \land (u \rightarrow t) \;\Rightarrow\; (\exists j : 0 \leq j < k : s \not\rightarrow^{j} u)$
     Proof:
       $k > 0 \land s \not\rightarrow^{k} t \land u \rightarrow t$
       $\Rightarrow\; k > 0 \land s \not\rightarrow u \land s \not\rightarrow^{k} t$  {otherwise $s \rightarrow t$}
       $\Rightarrow\; k > 0 \land s \not\rightarrow u \land ml(Init, t) = k$  {defn of $\not\rightarrow^{k}$}
       $\Rightarrow\; k > 0 \land s \not\rightarrow u \land ml(Init, u) < k$  {otherwise $ml(Init, t) > k$}
       $\Rightarrow\; (\exists j : 0 \leq j < k : s \not\rightarrow^{j} u)$  {defn of $\not\rightarrow^{j}$}

  7. Verification 7: A variant of the vector clock algorithm
     - Vector components are incremented less frequently; the algorithm maintains:
       $$(\forall s, t : s.p \neq t.p : s.v < t.v \;\Leftrightarrow\; s \rightarrow t)$$
     For any initial state $s$: $(\forall i : i \neq s.p : s.v[i] = 0) \land (s.v[s.p] = 1)$
     Rule for a send event $(s, snd, t)$: $t.v := s.v;\; t.v[t.p]\mathrel{+}\mathrel{+};$
     Rule for a receive event $(s, rcv(u), t)$: $t.v := \max(s.v, u.v);$
     Rule for an internal event $(s, int, t)$: $t.v := s.v;$

  8. Verification 8: Proof
     $(\forall s, t : s.p \neq t.p : s.v < t.v \;\Leftrightarrow\; s \rightarrow t)$ is accomplished by
       $s.p \neq t.p \land s \rightarrow t \;\Rightarrow\; s.v < t.v$  (1)
       $s.p \neq t.p \land s.v < t.v \;\Rightarrow\; s \rightarrow t$  (2)
     Lemma 7: $s \rightarrow t \;\Rightarrow\; s.v \leq t.v$
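As an added example (not code from Garg's slides), the four rules of slide 7 applied to a constructed three-process trace, with the property stated above, Lemma 7 and Lemma 8 (proved on the later slides) checked by brute force against the $\rightarrow$ relation computed from the trace's local and message edges. The trace, the state encoding $(p, i)$ and all function names are assumptions of this example.

```python
# Constructed trace (not from the slides), in execution order: (process, event
# kind, message id). State (p, i) is process p after its first i events.
N = 3
TRACE = [(0, "snd", "m1"), (0, "int", None), (1, "rcv", "m1"), (1, "snd", "m2"),
         (1, "snd", "m3"), (0, "rcv", "m2"), (2, "int", None), (2, "rcv", "m3")]

def vector_clocks(trace, n):
    """Slide-7 rules. Returns (v, edges): v maps state -> clock; edges holds
    the local (s ≺ t) and message (u ⇝ t) successor pairs."""
    v = {(p, 0): [int(i == p) for i in range(n)] for p in range(n)}  # Init rule
    cur, sent, edges = {p: 0 for p in range(n)}, {}, set()
    for p, kind, msg in trace:
        s, t = (p, cur[p]), (p, cur[p] + 1)
        clock = list(v[s])                  # Int rule: t.v := s.v
        if kind == "snd":                   # Snd rule: t.v[t.p]++
            clock[p] += 1
            sent[msg] = s                   # the message carries pre-send state s
        elif kind == "rcv":                 # Rcv rule: t.v := max(s.v, u.v)
            u = sent[msg]
            clock = [max(a, b) for a, b in zip(clock, v[u])]
            edges.add((u, t))               # u ⇝ t
        v[t], cur[p] = clock, cur[p] + 1
        edges.add((s, t))                   # s ≺ t
    return v, edges

def happens_before(edges):
    """The → relation: transitive (irreflexive) closure of the edges."""
    hb = set(edges)
    while True:
        new = {(a, d) for a, b in hb for c, d in hb if b == c} - hb
        if not new:
            return hb
        hb |= new

def leq(a, b):                              # componentwise a ≤ b
    return all(x <= y for x, y in zip(a, b))

def check(trace, n):
    """True iff Lemma 7, the slide-7 property and Lemma 8 hold on every pair."""
    v, edges = vector_clocks(trace, n)
    hb = happens_before(edges)
    for s in v:
        for t in v:
            before = (s, t) in hb
            if before and not leq(v[s], v[t]):
                return False                # Lemma 7: s → t ⇒ s.v ≤ t.v
            if s[0] != t[0]:                # s.p ≠ t.p
                if (leq(v[s], v[t]) and v[s] != v[t]) != before:
                    return False            # s.v < t.v ⇔ s → t
                if not before and v[t][s[0]] >= v[s][s[0]]:
                    return False            # Lemma 8: t.v[s.p] < s.v[s.p]
    return True
```

Note that the post-send state $x$ of a message does not causally precede the receiver's state $t$ (the message edge starts at the pre-send state), and the check confirms $x.v \not< t.v$ as the property requires.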

  9. Verification 9: Proof [Contd.]
     Proof: Sufficient to show that $\forall k > 0 : s \rightarrow^{k} t \;\Rightarrow\; s.v \leq t.v$
     Base ($k = 1$):
       $s \rightarrow^{1} t$
       $\Rightarrow\; s \prec t \lor s \rightsquigarrow t$  {lemma 2}
       $\Rightarrow\; (s, int, t) \lor (s, snd, t) \lor (\exists u :: (s, rcv(u), t)) \lor (\exists u :: (u, rcv(s), t))$  {expand $s \prec t$ and $s \rightsquigarrow t$}
       $\Rightarrow\; (s.v = t.v) \lor (s.v < t.v) \lor (s.v \leq t.v) \lor (s.v \leq t.v)$  {Snd, Rcv, and Int rules}
       $\Rightarrow\; s.v \leq t.v$  {simplify}
     Induction ($k > 1$):
       $s \rightarrow^{k} t \land (k > 1)$
       $\Rightarrow\; (\exists u :: s \rightarrow^{k-1} u \land u \rightarrow^{1} t)$  {lemma 3}
       $\Rightarrow\; (\exists u :: s.v \leq u.v \land u.v \leq t.v)$  {induction hypothesis}
       $\Rightarrow\; s.v \leq t.v$  {simplify}

  10. Verification 10: Use of induction on $\not\rightarrow^{k}$ [Base Case]
     Contrapositive of (2): $\forall s, t : s.p \neq t.p : s \not\rightarrow t \;\Rightarrow\; \neg(s.v < t.v)$.
     Lemma 8: $(\forall s, t : s.p \neq t.p : s \not\rightarrow t \;\Rightarrow\; t.v[s.p] < s.v[s.p])$
     Proof. Base ($k = 0$):
       $s \not\rightarrow^{0} t \land s.p \neq t.p$
       $\Rightarrow\; Init(t) \land s.p \neq t.p$  {lemma 7}
       $\Rightarrow\; Init(t) \land s.p \neq t.p \land (\exists u : Init(u) \land u.p = s.p : u = s \lor u \rightarrow s)$  {let $u$ be the initial state in $s.p$}
       $\Rightarrow\; Init(t) \land s.p \neq t.p \land (\exists u : Init(u) \land u.p = s.p : u.v = s.v \lor u.v \leq s.v)$  {lemma 7}
       $\Rightarrow\; t.v[s.p] = 0 \land (\exists u : u.v[s.p] = 1 : u.v = s.v \lor u.v \leq s.v)$  {Init rule}
       $\Rightarrow\; t.v[s.p] < s.v[s.p]$  {simplify}

  11. Verification 11: Proof [Induction Case]
     Induction ($k > 0$):
       $s \not\rightarrow^{k} t \land s.p \neq t.p \land k > 0$
       $\Rightarrow$  {let $u$ satisfy $u \prec^{1} t$; $u$ exists since $\neg Init(t)$}
       $s \not\rightarrow^{k} t \land s.p \neq t.p \land u.p = t.p \land u \prec^{1} t$
       $\Rightarrow$  {lemma 6}
       $s \not\rightarrow^{j} u \land 0 \leq j < k \land u.p \neq s.p \land u \prec^{1} t$
       $\Rightarrow$  {inductive hypothesis}
       $u.v[s.p] < s.v[s.p] \land u \prec^{1} t$
       $\Rightarrow$  {expand $u \prec^{1} t$}
       $u.v[s.p] < s.v[s.p] \land ((u, int, t) \lor (u, snd, t) \lor (u, rcv(w), t))$
     Consider each disjunct separately.

  12. Verification 12: Proof of Inductive Case [Contd.]
     Case 1: $(u, int, t)$
       $u.v[s.p] < s.v[s.p] \land (u, int, t)$
       $\Rightarrow\; u.v[s.p] < s.v[s.p] \land t.v = u.v$  {Int rule}
       $\Rightarrow\; t.v[s.p] < s.v[s.p]$  {simplify}
     Case 2: $(u, snd, t)$
       $u.v[s.p] < s.v[s.p] \land (u, snd, t)$
       $\Rightarrow\; u.v[s.p] < s.v[s.p] \land t.v[s.p] = u.v[s.p]$  {Snd rule, $s.p \neq t.p$}
       $\Rightarrow\; t.v[s.p] < s.v[s.p]$  {simplify}
     Case 3: $(u, rcv(w), t)$
       $u.v[s.p] < s.v[s.p] \land (u, rcv(w), t)$
       $\Rightarrow\; u.v[s.p] < s.v[s.p] \land (u, rcv(w), t) \land (t.v[s.p] = u.v[s.p] \lor t.v[s.p] = w.v[s.p])$  {Rcv rule}
       $\Rightarrow\; (t.v[s.p] < s.v[s.p]) \lor ((u, rcv(w), t) \land t.v[s.p] = w.v[s.p])$  {simplify}
     It suffices to prove the two cases $w.p = s.p$ and $w.p \neq s.p$.

  13. Verification 13: Proof of Inductive Case [Contd.]
     Case 3A: $w.p = s.p$
       $t.v[s.p] = w.v[s.p] \land (u, rcv(w), t)$
       $\Rightarrow$  {let $x$ satisfy $w \prec x$; $x$ exists since $w \rightsquigarrow t$ implies $\neg Final(w)$}
       $t.v[s.p] = w.v[s.p] \land (w, snd, x)$
       $\Rightarrow\; t.v[s.p] = w.v[s.p] \land (w, snd, x) \land w \rightarrow s$  {otherwise $s \rightarrow t$}
       $\Rightarrow\; t.v[s.p] = w.v[s.p] \land (w, snd, x) \land (x = s \lor x \rightarrow s)$  {since $w \prec x$}
       $\Rightarrow\; t.v[s.p] = w.v[s.p] \land w.v[s.p] < x.v[s.p] \land (x = s \lor x \rightarrow s)$  {Snd rule}
       $\Rightarrow\; t.v[s.p] = w.v[s.p] \land w.v[s.p] < x.v[s.p] \land (x.v \leq s.v)$  {lemma 7}
       $\Rightarrow\; t.v[s.p] < s.v[s.p]$  {simplify}

  14. Verification 14: Proof of Inductive Case [Contd.]
     Case 3B: $w.p \neq s.p$
       $t.v[s.p] = w.v[s.p] \land (u, rcv(w), t) \land w.p \neq s.p$
       $\Rightarrow$  {use $s \not\rightarrow^{k} t$, $k > 0$, and lemma 6}
       $t.v[s.p] = w.v[s.p] \land w.p \neq s.p \land s \not\rightarrow^{j} w \land 0 \leq j < k$
       $\Rightarrow$  {inductive hypothesis}
       $t.v[s.p] = w.v[s.p] \land w.v[s.p] < s.v[s.p]$
       $\Rightarrow$  {simplify}
       $t.v[s.p] < s.v[s.p]$

  15. Verification 15: Converse
     Eqn (2): $s.p \neq t.p \land s.v < t.v \;\Rightarrow\; s \rightarrow t$
     Lemma 9: $(\forall s, t : s.p \neq t.p : s \rightarrow t \;\Rightarrow\; s.v < t.v)$
     Proof. Base ($k = 1$):
       $s \rightarrow^{1} t \land s.p \neq t.p$
       $\Rightarrow\; s \rightsquigarrow t \land s.p \neq t.p$  {defn of $\rightarrow^{1}$ and lemma 2}
       $\Rightarrow\; s.p \neq u.p \land (u, rcv(s), t)$  {let $u$ satisfy $u \prec t$}
       $\Rightarrow\; u \not\rightarrow s \land s.p \neq u.p \land (u, rcv(s), t)$  {otherwise $t \rightarrow s$ (since there is only one event between $u$ and $t$)}
       $\Rightarrow\; s.v[u.p] < u.v[u.p] \land (\forall i :: t.v[i] = \max(u.v[i], s.v[i]))$  {lemma 8 and Rcv rule}
       $\Rightarrow\; s.v < t.v$
