Nuprl Lemma : Paxos-spec6-Collect-invariant

[Info:Type]

es:EO+(Info).

failset:Id List.

[T:Type]

f:

.

acceptors:Id List.

Reserve,NoProposal,NewBallot:EClass(

).

VoteState:EClass(AcceptorState).

Proposal:EClass(

T).

AcceptOrReject:EClass(

T

).

leader:

Id.

Decide,Input:EClass(T).

Vote:EClass(Id

).

Collect:EClass(

T).
        (Paxos-spec6-body{i:l}(Info;es;T;f;acceptors;
                               Reserve;VoteState;Proposal;
                               AcceptOrReject;leader;Decide;
                               Vote;Input;Collect;NoProposal;
                               NewBallot;failset)

(

c:E(Collect)
((loc(c) = (leader (fst(Collect(c)))))

(

L:{a:Id| (a

acceptors)}  List
                  ((||L|| = (f + 1))

no_repeats(Id;L)

(

a

L.

r:E(Reserve). ((loc(r) = a)

r c

c

((fst(Collect(c))) = Reserve(r))))))

(

nb:E(NewBallot). ((nb <loc c)

((fst(Collect(c))) = NewBallot(nb)))))))

Proof not projected

Definitions occuring in Statement : Paxos-spec6-body: Paxos-spec6-body, paxos-acceptor-state: AcceptorState, es-E-interface: E(X), eclass-val: X(e), eclass: EClass(A[eo; e]), event-ordering+: EO+(Info), es-causle: e c

e', es-locl: (e <loc e'), es-loc: loc(e), Id: Id, length: ||as||, bool:

, nat_plus:

, nat:

, uall:

[x:A]. B[x], pi1: fst(t), all:

x:A. B[x], exists:

x:A. B[x], implies: P

Q, and: P

Q, set: {x:A| B[x]} , apply: f a, function: x:A

B[x], product: x:A

B[x], list: type List, add: n + m, natural_number: $n, int:

, universe: Type, equal: s = t, l_all: (

x

L.P[x]), no_repeats: no_repeats(T;l), l_member: (x

l)
Definitions : null: null(as), set_blt: a <

b, grp_blt: a <

b, dcdr-to-bool: [d]

, bl-all: (

x

L.P[x])_b, bl-exists: (

x

L.P[x])_b, b-exists: (

i<n.P[i])_b, eq_type: eq_type(T;T'), qeq: qeq(r;s), q_less: q_less(r;s), q_le: q_le(r;s), deq-disjoint: deq-disjoint(eq;as;bs), deq-all-disjoint: deq-all-disjoint(eq;ass;bs), eq_str: Error :eq_str, eq_id: a = b, eq_lnk: a = b, es-eq-E: e = e', es-bless: e <loc e', es-ble: e

loc e', bimplies: p

q, bor: p

q, IdLnk: IdLnk, limited-type: LimitedType, eq_knd: a = b, fpf-dom: x

dom(f), unit: Unit, int_eq: if a=b then c else d, intensional-universe: IType, isl: isl(x), can-apply: can-apply(f;x), atom_eq: atomeqn def, so_apply: x[s], append: as @ bs, locl: locl(a), Knd: Knd, atom: Atom$n, record: record(x.T[x]), sqequal: s ~ t, id-deq: IdDeq, deq-member: deq-member(eq;x;L), paxos-state-info: Info(s), es-tagged-true-class: Tagged_tt(X), MaxVote: MaxVote(es;T;Vote;e;s), paxos-state-name: Name(s), paxos-state-value: Value(s), minus: -n, paxos-state-ballot: Ballot(s), list-max: list-max(x.f[x];L), spread: spread def, eq_bool: p =b q, band: p

q, bnot:

b, bfalse: ff, pi2: snd(t), pi1: fst(t), es-prior-val: (X)', fpf: a:A fp-> B[a], strong-subtype: strong-subtype(A;B), infix_ap: x f y, es-causl: (e < e'), grp_car: |g|, filter: filter(P;l), axiom: Ax, es-loc: loc(e), let: let, es-first-at: e is first@ i s.t. e.P[e], guard: {T}, lt_int: i <z j, inr: inr x , inl: inl x , le_int: i

z j, spreadn: spread3, es-filter-image: f[X], btrue: tt, sq_type: SQType(T), ge: i

j , uiff: uiff(P;Q), true: True, multiply: n * m, add: n + m, cand: A c

B, decide: case b of inl(x) => s[x] | inr(y) => t[y], uimplies: b supposing a, alle-lt:

e<e'.P[e], es-le: e

loc e' , pair: <a, b>, or: P

Q, rev_implies: P

Q, iff: P

Q, es-class-causal-mrel-fail: es-class-causal-mrel-fail, es-class-def: es-class-def, es-class-causal-rel-fail: es-class-causal-rel-fail, void: Void, false: False, not:

A, le: A

B, real:

, rationals:

, prop:

, bool:

, paxos-acceptor-state: AcceptorState, union: left + right, subtype: S

T, subtype_rel: A

r B, atom: Atom, apply: f a, es-base-E: es-base-E(es), token: "$token", ifthenelse: if b then t else f fi , record-select: r.x, es-E: E, dep-isect: Error :dep-isect, eq_atom: x =a y, eq_atom: eq_atom$n(x;y), record+: record+, member: t

T, universe: Type, nat_plus:

, so_lambda:

x y.t[x; y], eclass: EClass(A[eo; e]), Paxos-spec6-body: Paxos-spec6-body, l_member: (x

l), list: type List, no_repeats: no_repeats(T;l), Id: Id, es-causle: e c

e', l_all: (

x

L.P[x]), int:

, set: {x:A| B[x]} , top: Top, es-E-interface: E(X), event-ordering+: EO+(Info), event_ordering: EO, es-locl: (e <loc e'), nat:

, equal: s = t, exists:

x:A. B[x], isect:

x:A. B[x], uall:

[x:A]. B[x], so_lambda:

x.t[x], implies: P

Q, all:

x:A. B[x], function: x:A

B[x], product: x:A

B[x], and: P

Q, MaAuto: Error :MaAuto, CollapseTHEN: Error :CollapseTHEN, RepeatFor: Error :RepeatFor, CollapseTHENA: Error :CollapseTHENA, Auto: Error :Auto, Complete: Error :Complete, D: Error :D, it:

, THENM: Error :THENM, Unfold: Error :Unfold, es-interface-predecessors:

(X)(e), eclass-val: X(e), paxos-state-reservation: Reservation(s), eq_int: (i =

j), lambda:

x.A[x], mapfilter: mapfilter(f;P;L), length: ||as||, natural_number: $n, less_than: a < b, AssertBY: Error :AssertBY, RepUR: Error :RepUR, ExRepD: Error :ExRepD, in-eclass: e

X, assert:

b, squash:

T, nil: [], inject: Inj(A;B;f), firstn: firstn(n;as), cons: [car / cdr], int_seg: {i..j

}, remove-repeats: remove-repeats(eq;L), select: l[i], is_list_splitting: is_list_splitting(T;L;LL;L2;f), is_accum_splitting: is_accum_splitting(T;A;L;LL;L2;f;g;x), req: x = y, rnonneg: rnonneg(r), rleq: x

y, i-member: r

I, partitions: partitions(I;p), modulus-of-ccontinuity: modulus-of-ccontinuity(omega;I;f), fpf-sub: f

g, sq_stable: SqStable(P), es-init: es-init(es;e), es-pred: pred(e), es-fix: f**(e), es-p-le: e p

e', es-p-locl: e p< e', causal-predecessor: causal-predecessor(es;p), uni_sat: a = !x:T. Q[x], inv_funs: InvFuns(A;B;f;g), eqfun_p: IsEqFun(T;eq), refl: Refl(T;x,y.E[x; y]), urefl: UniformlyRefl(T;x,y.E[x; y]), sym: Sym(T;x,y.E[x; y]), usym: UniformlySym(T;x,y.E[x; y]), trans: Trans(T;x,y.E[x; y]), utrans: UniformlyTrans(T;x,y.E[x; y]), anti_sym: AntiSym(T;x,y.R[x; y]), uanti_sym: UniformlyAntiSym(T;x,y.R[x; y]), connex: Connex(T;x,y.R[x; y]), uconnex: uconnex(T; x,y.R[x; y]), coprime: CoPrime(a,b), ident: Ident(T;op;id), assoc: Assoc(T;op), comm: Comm(T;op), inverse: Inverse(T;op;id;inv), bilinear: BiLinear(T;pl;tm), bilinear_p: IsBilinear(A;B;C;+a;+b;+c;f), action_p: IsAction(A;x;e;S;f), dist_1op_2op_lr: Dist1op2opLR(A;1op;2op), fun_thru_1op: fun_thru_1op(A;B;opa;opb;f), fun_thru_2op: FunThru2op(A;B;opa;opb;f), cancel: Cancel(T;S;op), monot: monot(T;x,y.R[x; y];f), monoid_p: IsMonoid(T;op;id), group_p: IsGroup(T;op;id;inv), monoid_hom_p: IsMonHom{M1,M2}(f), grp_leq: a

b, integ_dom_p: IsIntegDom(r), prime_ideal_p: IsPrimeIdeal(R;P), value-type: value-type(T), !hyp_hide: x, es-before: before(e), es-le-before:

loc(e), map: map(f;as), hd: hd(l), last: last(L), MaName: MaName, consensus-state3: consensus-state3(T), consensus-rcv: consensus-rcv(V;A), runEvents: runEvents(r), divides: b | a, assoced: a ~ b, set_leq: a

b, set_lt: a <p b, grp_lt: a < b, l_contains: A

B, reducible: reducible(a), prime: prime(a), l_exists: (

x

L. P[x]), fun-connected: y is f*(x), qle: r

s, qless: r < s, q-rel: q-rel(r;x), i-finite: i-finite(I), i-closed: i-closed(I), p-outcome: Outcome, fset-member: a

s, f-subset: xs

ys, fset-closed: (s closed under fs), l_disjoint: l_disjoint(T;l1;l2), cs-not-completed: in state s, a has not completed inning i, cs-archived: by state s, a archived v in inning i, cs-passed: by state s, a passed inning i without archiving a value, cs-inning-committed: in state s, inning i has committed v, cs-inning-committable: in state s, inning i could commit v , cs-archive-blocked: in state s, ws' blocks ws from archiving v in inning i, cs-precondition: state s may consider v in inning i, existse-before:

e<e'.P[e], existse-le:

e

e'.P[e], alle-le:

e

e'.P[e], alle-between1:

e

[e1,e2).P[e], existse-between1:

e

[e1,e2).P[e], alle-between2:

e

[e1,e2].P[e], existse-between2:

e

[e1,e2].P[e], existse-between3:

e

(e1,e2].P[e], es-fset-loc: i

locs(s), es-r-immediate-pred: es-r-immediate-pred(es;R;e';e), same-thread: same-thread(es;p;e;e'), collect-event: collect-event(es;X;n;v.num[v];L.P[L];e), cut-order: a

(X;f) b, path-goes-thru: x-f*-y thru i, lg-edge: lg-edge(g;a;b), ses-action: Action(e), ses-legal-sequence: Legal(pas) given prvt, decidable: Dec(P), tl: tl(l), tag-by: z

T, ldag: LabeledDAG(T), labeled-graph: LabeledGraph(T), fset: FSet{T}, isect2: T1

T2, b-union: A

B, fpf-cap: f(x)?z, imax-class: (maximum f[v]

lb with v from X), es-prior-class-when: (X'?d) when Y, map-class: (f[v] where v from X), es-interface-at: X@i
Lemmas : es-causl_transitivity1, atom2_subtype_base, l_all_cons, no_repeats_cons, and_functionality_wrt_uiff2, decidable_wf, decidable__not, decidable__l_member, decidable__equal_Id, cons_member, member-interface-predecessors, l_member-settype, es-causle_weakening_locl, es-causle_transitivity, set_subtype_base, member-mapfilter, property-from-l_member, sq_stable_wf, sq_stable__equal, es-causl_wf, es-le-causle, es-le_wf, es-causle-le, sq_stable__assert, member_filter, select_wf, es-interface-predecessors-no_repeats, no_repeats_filter, no_repeats_map, no_repeats-settype, inject_wf, list-set-type2, es-E-interface-subtype_rel, l_all_wf2, paxos-state-name_wf, int_subtype_base, pi1_wf, pi1_wf_top, uall_wf, nat_plus_wf, Id_wf, eclass_wf, nat_wf, Paxos-spec6-body_wf, es-E-interface_wf, l_member_wf, no_repeats_wf, l_all_wf, es-causle_wf, es-locl_wf, event-ordering+_wf, es-E_wf, es-base-E_wf, subtype_rel_self, event-ordering+_inc, paxos-acceptor-state_wf, bool_wf, nat_plus_properties, le_wf, nat_plus_inc, member_wf, es-interface-top, assert_wf, false_wf, ifthenelse_wf, in-eclass_wf, true_wf, subtype_base_sq, bool_subtype_base, assert_elim, length_wf_nat, assert_witness, es-interface-predecessors_wf, filter_wf, length_wf1, es-loc_wf, eq_int_wf, eclass-val_wf, paxos-state-reservation_wf, subtype_rel_wf, es-prior-val_wf, top_wf, length-map, list-subtype, filter_type, iff_weakening_uiff, uiff_inversion, assert-eq-id, nat_properties, intensional-universe_wf, mapfilter_wf, list-max_wf, paxos-state-ballot_wf, btrue_wf, bfalse_wf, unit_wf, es-interface-val_wf2, list-max-property2, paxos-state-value_wf, not_wf, no_repeats_witness, uiff_transitivity, eqtt_to_assert, assert_of_eq_int, eqff_to_assert, assert_of_bnot, not_functionality_wrt_uiff, bnot_wf

\mforall{}[Info:Type] \mforall{}es:EO+(Info). \mforall{}failset:Id List. \mforall{}[T:Type] \mforall{}f:\mBbbN{}\msupplus{}. \mforall{}acceptors:Id List. \mforall{}Reserve,NoProposal,NewBallot:EClass(\mBbbN{}). \mforall{}VoteState:EClass(AcceptorState). \mforall{}Proposal:EClass(\mBbbN{} \mtimes{} T). \mforall{}AcceptOrReject:EClass(\mBbbN{} \mtimes{} T \mtimes{} \mBbbB{}). \mforall{}leader:\mBbbN{} {}\mrightarrow{} Id. \mforall{}Decide,Input:EClass(T). \mforall{}Vote:EClass(Id \mtimes{} \mBbbN{} \mtimes{} \mBbbB{}). \mforall{}Collect:EClass(\mBbbN{} \mtimes{} \mBbbZ{} \mtimes{} T). (Paxos-spec6-body\{i:l\}(Info;es;T;f;acceptors; Reserve;VoteState;Proposal; AcceptOrReject;leader;Decide; Vote;Input;Collect;NoProposal; NewBallot;failset) {}\mRightarrow{} (\mforall{}c:E(Collect) ((loc(c) = (leader (fst(Collect(c))))) \mwedge{} (\mexists{}L:\{a:Id| (a \mmember{} acceptors)\} List ((||L|| = (f + 1)) \mwedge{} no\_repeats(Id;L) \mwedge{} (\mforall{}a\mmember{}L.\mexists{}r:E(Reserve) ((loc(r) = a) \mwedge{} r c\mleq{} c \mwedge{} ((fst(Collect(c))) = Reserve(r)))))) \mwedge{} (\mexists{}nb:E(NewBallot). ((nb <loc c) \mwedge{} ((fst(Collect(c))) = NewBallot(nb))))))) Date html generated: 2011_10_20-PM-04_37_38 Last ObjectModification: 2011_06_18-PM-02_02_47 Home Index