Nuprl Lemma : Paxos-spec6-Proposal-invariant

[Info:Type]

es:EO+(Info).

failset:Id List.

[T:Type]

f:

.

acceptors:Id List.

Reserve,NoProposal,NewBallot:EClass(

).

VoteState:EClass(AcceptorState).

Proposal:EClass(

T).

AcceptOrReject:EClass(

T

).

leader:

Id.

Decide,Input:EClass(T).

Vote:EClass(Id

).

Collect:EClass(

T).
        (Paxos-spec6-body{i:l}(Info;es;T;f;acceptors;
                               Reserve;VoteState;Proposal;
                               AcceptOrReject;leader;Decide;
                               Vote;Input;Collect;NoProposal;
                               NewBallot;failset)

(

p:E(Proposal)
((

np:E(NoProposal). (

((fst(Proposal(p))) = NoProposal(np))))

(loc(p) = (leader (fst(Proposal(p)))))

(

L:{a:Id| (a

acceptors)}  List
                  ((||L|| = (f + 1))

no_repeats(Id;L)

(

a

L.

r:E(Reserve). ((loc(r) = a)

r c

p

((fst(Proposal(p))) = Reserve(r))))))

(

nb:E(NewBallot). ((nb <loc p)

((fst(Proposal(p))) = NewBallot(nb)))))))

Proof not projected

Definitions occuring in Statement : Paxos-spec6-body: Paxos-spec6-body, paxos-acceptor-state: AcceptorState, es-E-interface: E(X), eclass-val: X(e), eclass: EClass(A[eo; e]), event-ordering+: EO+(Info), es-causle: e c

e', es-locl: (e <loc e'), es-loc: loc(e), Id: Id, length: ||as||, bool:

, nat_plus:

, nat:

, uall:

[x:A]. B[x], pi1: fst(t), all:

x:A. B[x], exists:

x:A. B[x], not:

A, implies: P

Q, and: P

Q, set: {x:A| B[x]} , apply: f a, function: x:A

B[x], product: x:A

B[x], list: type List, add: n + m, natural_number: $n, int:

, universe: Type, equal: s = t, l_all: (

x

L.P[x]), no_repeats: no_repeats(T;l), l_member: (x

l)
Definitions : bag_only_single: bag_only_single{bag_only_single_compseq_tag_def:o}(x), bag_size_single: bag_size_single{bag_size_single_compseq_tag_def:o}(x), axiom: Ax, bag-only: only(bs), bag-size: bag-size(bs), fpf: a:A fp-> B[a], bag_size_empty: bag_size_empty{bag_size_empty_compseq_tag_def:o}, limited-type: LimitedType, bfalse: ff, eq_bool: p =b q, le_int: i

z j, eq_int: (i =

j), null: null(as), set_blt: a <

b, grp_blt: a <

b, dcdr-to-bool: [d]

, bl-all: (

x

L.P[x])_b, bl-exists: (

x

L.P[x])_b, b-exists: (

i<n.P[i])_b, eq_type: eq_type(T;T'), qeq: qeq(r;s), q_less: q_less(r;s), q_le: q_le(r;s), deq-member: deq-member(eq;x;L), deq-disjoint: deq-disjoint(eq;as;bs), deq-all-disjoint: deq-all-disjoint(eq;ass;bs), eq_id: a = b, eq_lnk: a = b, es-eq-E: e = e', es-bless: e <loc e', es-ble: e

loc e', bimplies: p

q, band: p

q, bor: p

q, bnot:

b, unit: Unit, eclass-compose1: f o X, grp_car: |g|, atom: Atom, es-base-E: es-base-E(es), token: "$token", cand: A c

B, guard: {T}, btrue: tt, sq_type: SQType(T), strong-subtype: strong-subtype(A;B), ge: i

j , uiff: uiff(P;Q), subtype_rel: A

r B, true: True, decide: case b of inl(x) => s[x] | inr(y) => t[y], uimplies: b supposing a, alle-lt:

e<e'.P[e], es-le: e

loc e' , union: left + right, or: P

Q, rev_implies: P

Q, iff: P

Q, es-class-causal-mrel-fail: es-class-causal-mrel-fail, es-class-def: es-class-def, es-class-causal-rel-fail: es-class-causal-rel-fail, le: A

B, real:

, rationals:

, dep-isect: Error :dep-isect, eq_atom: x =a y, eq_atom: eq_atom$n(x;y), record+: record+, bag: bag(T), record-select: r.x, infix_ap: x f y, es-causl: (e < e'), prop:

, subtype: S

T, es-E: E, natural_number: $n, add: n + m, length: ||as||, apply: f a, es-loc: loc(e), bool:

, paxos-acceptor-state: AcceptorState, member: t

T, void: Void, false: False, universe: Type, nat_plus:

, so_lambda:

x y.t[x; y], Paxos-spec6-body: Paxos-spec6-body, not:

A, l_member: (x

l), list: type List, no_repeats: no_repeats(T;l), Id: Id, es-causle: e c

e', l_all: (

x

L.P[x]), int:

, set: {x:A| B[x]} , top: Top, es-E-interface: E(X), event-ordering+: EO+(Info), event_ordering: EO, es-locl: (e <loc e'), exists:

x:A. B[x], isect:

x:A. B[x], uall:

[x:A]. B[x], so_lambda:

x.t[x], implies: P

Q, all:

x:A. B[x], function: x:A

B[x], Try: Error :Try, CollapseTHEN: Error :CollapseTHEN, MaAuto: Error :MaAuto, CollapseTHENA: Error :CollapseTHENA, D: Error :D, RepeatFor: Error :RepeatFor, empty-bag: {}, pair: <a, b>, single-bag: {x}, lt_int: i <z j, ifthenelse: if b then t else f fi , spreadn: spread3, lambda:

x.A[x], es-filter-image: f[X], nat:

, product: x:A

B[x], eclass: EClass(A[eo; e]), equal: s = t, eclass-val: X(e), pi1: fst(t), pi2: snd(t), less_than: a < b, and: P

Q, in-eclass: e

X, assert:

b, AssertBY: Error :AssertBY, THENM: Error :THENM, permutation: permutation(T;L1;L2), quotient: x,y:A//B[x; y], squash:

T, it:

, IdLnk: IdLnk, proper-iseg: L1 < L2, iseg: l1

l2, l_exists: (

x

L. P[x]), gt: i > j, map: map(f;as), eq_knd: a = b, fpf-dom: x

dom(f), intensional-universe: IType, nil: [], list_ind: list_ind def, int_eq: if a=b then c else d, atom_eq: atomeqn def, sqequal: s ~ t, so_apply: x[s], append: as @ bs, locl: locl(a), Knd: Knd, atom: Atom$n, id-deq: IdDeq, paxos-state-info: Info(s), es-tagged-true-class: Tagged_tt(X), MaxVote: MaxVote(es;T;Vote;e;s), paxos-state-name: Name(s), paxos-state-value: Value(s), minus: -n, spread: spread def, es-prior-val: (X)', filter: filter(P;l), paxos-state-reservation: Reservation(s), paxos-state-ballot: Ballot(s), es-interface-predecessors:

(X)(e), mapfilter: mapfilter(f;P;L), list-max: list-max(x.f[x];L), let: let, multiply: n * m, es-first-at: e is first@ i s.t. e.P[e], record: record(x.T[x])
Lemmas : squash_wf, length_wf1, es-first-at-unique, es-loc_wf, paxos-state-reservation_wf, es-interface-predecessors_wf, mapfilter_wf, paxos-state-ballot_wf, list-max_wf, pos_length2, length_wf_nat, list-subtype, uiff_wf, assert-eq-id, nat_properties, btrue_wf, bfalse_wf, unit_wf, intensional-universe_wf, es-interface-val_wf2, pos-length, equal-nil-sq-nil, filter_wf, length-map, filter_type, list-max-property2, es-prior-val_wf, paxos-state-value_wf, bag_wf, assert_of_eq_int, not_functionality_wrt_uiff, bag-only_wf, permutation_wf, bnot_of_le_int, Id_wf, eclass_wf, Paxos-spec6-body_wf, es-E-interface_wf, not_wf, nat_wf, l_member_wf, no_repeats_wf, l_all_wf, es-causle_wf, es-locl_wf, event-ordering+_wf, uall_wf, nat_plus_wf, Paxos-spec6-Collect-invariant, es-E_wf, event-ordering+_inc, paxos-acceptor-state_wf, bool_wf, nat_plus_properties, le_wf, nat_plus_inc, member_wf, es-interface-top, assert_wf, false_wf, ifthenelse_wf, in-eclass_wf, true_wf, subtype_base_sq, bool_subtype_base, assert_elim, pi1_wf_top, eclass-val_wf, top_wf, es-base-E_wf, subtype_rel_self, pi2_wf, eqtt_to_assert, uiff_transitivity, eqff_to_assert, assert_of_bnot, bnot_wf, subtype_rel_wf, pi1_wf, eq_int_wf, bag-size_wf, assert_of_lt_int, assert_functionality_wrt_uiff, bnot_of_lt_int, assert_of_le_int, le_int_wf, lt_int_wf, set_subtype_base, int_subtype_base

\mforall{}[Info:Type] \mforall{}es:EO+(Info). \mforall{}failset:Id List. \mforall{}[T:Type] \mforall{}f:\mBbbN{}\msupplus{}. \mforall{}acceptors:Id List. \mforall{}Reserve,NoProposal,NewBallot:EClass(\mBbbN{}). \mforall{}VoteState:EClass(AcceptorState). \mforall{}Proposal:EClass(\mBbbN{} \mtimes{} T). \mforall{}AcceptOrReject:EClass(\mBbbN{} \mtimes{} T \mtimes{} \mBbbB{}). \mforall{}leader:\mBbbN{} {}\mrightarrow{} Id. \mforall{}Decide,Input:EClass(T). \mforall{}Vote:EClass(Id \mtimes{} \mBbbN{} \mtimes{} \mBbbB{}). \mforall{}Collect:EClass(\mBbbN{} \mtimes{} \mBbbZ{} \mtimes{} T). (Paxos-spec6-body\{i:l\}(Info;es;T;f;acceptors; Reserve;VoteState;Proposal; AcceptOrReject;leader;Decide; Vote;Input;Collect;NoProposal; NewBallot;failset) {}\mRightarrow{} (\mforall{}p:E(Proposal) ((\mforall{}np:E(NoProposal). (\mneg{}((fst(Proposal(p))) = NoProposal(np)))) \mwedge{} (loc(p) = (leader (fst(Proposal(p))))) \mwedge{} (\mexists{}L:\{a:Id| (a \mmember{} acceptors)\} List ((||L|| = (f + 1)) \mwedge{} no\_repeats(Id;L) \mwedge{} (\mforall{}a\mmember{}L.\mexists{}r:E(Reserve) ((loc(r) = a) \mwedge{} r c\mleq{} p \mwedge{} ((fst(Proposal(p))) = Reserve(r)))))) \mwedge{} (\mexists{}nb:E(NewBallot). ((nb <loc p) \mwedge{} ((fst(Proposal(p))) = NewBallot(nb))))))) Date html generated: 2011_10_20-PM-04_38_53 Last ObjectModification: 2011_06_18-PM-02_03_33 Home Index