refacto preuve crash
This commit is contained in:
Amaury JOLY
@@ -1,7 +1,6 @@
|
||||
We present below an example of implementation of Atomic Reliable Broadcast (\ARB) using a Reliable Broadcast (\RB) primitive and a DenyList (\DL) object according to the model and notations defined in Section 2.
|
||||
|
||||
\subsection{Algorithm}
|
||||
% granularité diff commentaire de code et paragraphe pre algo
|
||||
|
||||
\begin{definition}[Closed round]\label{def:closed-round}
|
||||
Given a \DL{} linearization $H$, a round $r\in\mathcal{R}$ is \emph{closed} in $H$ if $H$ contains an operation $\APPEND(r)$.
|
||||
@@ -29,29 +28,25 @@ We present below an example of implementation of Atomic Reliable Broadcast (\ARB
|
||||
\For{$r = 1, 2, \ldots$}{
|
||||
\textbf{wait until} $\mathit{unordered} \setminus \mathit{ordered} \neq \emptyset$\;
|
||||
$S \leftarrow (\mathit{unordered} \setminus \mathit{ordered})$\;\nllabel{code:Sconstruction}
|
||||
$\RBcast(S, r, i)$; $\PROVE(r)$; $\APPEND(r)$\;\nllabel{code:submit-proposition}
|
||||
$\RBcast(\texttt{PROP}, S, \langle r, i \rangle)$; $\PROVE(r)$; $\APPEND(r)$\;\nllabel{code:submit-proposition}
|
||||
|
||||
$\mathit{winners}_r \gets \{(j,r): (j,r) \in \READ()\}$\;
|
||||
\textbf{wait until} $\mathit{winners}_r \neq \emptyset$\;\nllabel{code:check-if-winners}
|
||||
$\mathit{winners}_r \gets \{ j : (j, r) \in \READ() \}$\;\nllabel{code:Wcompute}
|
||||
|
||||
$\APPEND(r)$\;\nllabel{code:append-read}
|
||||
$W_r \gets \{ j : (j, r) \in \READ() \}$\;\nllabel{code:Wcompute}
|
||||
\textbf{wait until} $\forall j \in \mathit{winners}_r,\ \mathit{prop}[r][j] \neq \bot$\;\nllabel{code:check-winners-ack}
|
||||
|
||||
\textbf{wait until} $\forall j \in W_r,\ \mathit{prop}[r][j] \neq \bot$\;\nllabel{code:check-winners-ack}
|
||||
|
||||
$M_r \gets \bigcup_{j \in W_r} \mathit{prop}[r][j]$\;\nllabel{code:Mcompute}
|
||||
$\mathit{ordered} \leftarrow \mathit{ordered} \cdot \ordered(M_r)$\;\nllabel{code:next-msg-extraction}
|
||||
$M \gets \bigcup_{j \in \mathit{winners}_r} \mathit{prop}[r][j]$\;\nllabel{code:Mcompute-dl}
|
||||
$\mathit{ordered} \leftarrow \mathit{ordered} \cdot \ordered(M)$\;\nllabel{code:next-msg-extraction}
|
||||
}
|
||||
|
||||
\vspace{0.3em}
|
||||
|
||||
\Upon{$\ABbroadcast(m)$}{
|
||||
$\mathit{unordered} \gets \mathit{unordered} \cup \{m\}$\;
|
||||
$\mathit{unordered} \gets \mathit{unordered} \cup \{m\}$\;\nllabel{code:abbroadcast-add}
|
||||
}
|
||||
|
||||
\vspace{0.3em}
|
||||
|
||||
\Upon{$\textsf{rdeliver}(S, r, j)$ from process $p_j$}{
|
||||
\Upon{$\textsf{rdeliver}(\texttt{PROP}, S, \langle r, j \rangle)$ from process $p_j$}{
|
||||
$\mathit{unordered} \leftarrow \mathit{unordered} \cup \{S\}$\;\nllabel{code:receivedConstruction}
|
||||
$\mathit{prop}[r][j] \leftarrow S$\;\nllabel{code:prop-set}
|
||||
}
|
||||
@@ -62,8 +57,8 @@ We present below an example of implementation of Atomic Reliable Broadcast (\ARB
|
||||
\If{$\mathit{ordered} \setminus \mathit{delivered} = \emptyset$}{
|
||||
\Return{$\bot$}
|
||||
}
|
||||
$m \gets (\mathit{ordered} \setminus \mathit{delivered})[0]$\;\nllabel{code:adeliver-extract}
|
||||
$\mathit{delivered} \gets \mathit{delivered} \cdot m$\;
|
||||
let $m$ be the first element in $\mathit{ordered} \setminus \mathit{delivered}$\;\nllabel{code:adeliver-extract}
|
||||
$\mathit{delivered} \gets \mathit{delivered} \cdot m$\;\nllabel{code:adeliver-mark}
|
||||
\Return{$m$}
|
||||
}
|
||||
|
||||
@@ -92,45 +87,17 @@ We present below an example of implementation of Atomic Reliable Broadcast (\ARB
|
||||
\end{lemma}
|
||||
|
||||
\begin{proof}
|
||||
\emph{Base.} For a closed round $r=0$, the set $\{r' \in \mathcal{R},\ r' < r\}$ is empty, hence the lemma is true.
|
||||
\emph{Base.} For a closed round $r=0$, the set $\{r' \in \mathcal{R} : r' < r\}$ is empty, so the claim holds.
|
||||
|
||||
\emph{Induction.} Assume the lemma is true for round $r\geq 0$, we prove it for round $r+1$.
|
||||
|
||||
\smallskip
|
||||
Assume $r+1$ is closed and by \cref{def:first-append} $\APPEND^{(\star)}(r+1)$ be the earliest $\APPEND(r+1)$ in the DL linearization $H$.
|
||||
By Lemma 1, after an $\APPEND(r)$ were in $H$, any later $\PROVE(r)$ will be invalid also, a process’s program order is preserved in $H$.
|
||||
|
||||
There are two possibilities for where $\APPEND^{(\star)}(r+1)$ is invoked.
|
||||
\emph{Induction step.} Assume $r+1$ is closed. By \cref{def:first-append}, there exists an earliest operation $\APPEND^{(\star)}(r+1)$ in the \DL linearization $H$. Let $p_j$ be the process that invokes this operation.
|
||||
|
||||
\begin{itemize}
|
||||
\item \textbf{Case Algorithm \ref{alg:arb-crash} :}
|
||||
Some process executes the loop at \ref{code:sumbited-check-loop} and invokes $\PROVE(r+1);\APPEND^{(\star)}(r+1)$ at line~\ref{code:submit-proposition}. Let $p_i$ be this process.
|
||||
Immediately before line~\ref{code:submit-proposition}, line~\ref{code:round-increment} sets $r\leftarrow r+1$, so the previous loop iteration targeted $r$. We consider two sub-cases.
|
||||
|
||||
\begin{itemize}
|
||||
\item \emph{(i) $p_i$ is not in its first loop iteration.}
|
||||
In the previous iteration, $p_i$ executed $\PROVE_i(r)$ at \ref{code:submit-proposition}, followed (in program order) by $\APPEND_i(r)$.
|
||||
If round $r$ wasn't closed when $p_i$ execute $\PROVE_i(r)$ at \ref{code:submit-proposition}, then the condition at \ref{code:sumbited-check-loop} would be true hence the tuple $(i, r)$ should be visible in P which implies that $p_i$ should leave the loop at round $r$, contradicting the assumption that $p_i$ is now executing another iteration.
|
||||
Since the tuple is not visible, the $\PROVE_i(r)$ was invalid which implies by definition that an $\APPEND(r)$ already exists in $H$. Thus in this case $r$ is closed.
|
||||
|
||||
\item \emph{(ii) $p_i$ is in its first loop iteration.}
|
||||
To compute the value $r_{max}$, $p_i$ must have observed one or many $(\_ , r+1)$ in $P$ at \ref{code:rmax-compute}, issued by some processes (possibly different from $p_i$). Let's call $p_j$ the issuer of the first $\PROVE_j(r+1)$ in the linearization $H$. \\
|
||||
When $p_j$ executed $P \gets \READ()$ at \ref{code:set-up-read} and compute $r_{max}$ at \ref{code:rmax-compute}, he observed no tuple $(\_,r+1)$ in $P$ because he's the issuer of the first one. So when $p_j$ executed the loop (\ref{code:sumbited-check-loop}), he run it for the round $r$, didn't seen any $(j,r)$ in $P$ at B6, and then executed the first $\PROVE_j(r+1)$ at \ref{code:submit-proposition} in a second iteration. \\
|
||||
If round $r$ wasn't closed when $p_j$ execute $\PROVE_j(r)$ at \ref{code:submit-proposition}, then the $(j, r)$ will be in $P$ and the condition at \ref{code:sumbited-check-loop} should be true which implies that $p_j$ sould leave the loop at round $r$, contradicting the assumption that $p_j$ is now executing $\PROVE_j(r+1)$. In this case $r$ is closed.
|
||||
\end{itemize}
|
||||
|
||||
\item \textbf{Case Algorithm \ref{alg:arb-crash} :}
|
||||
Some process invokes $\APPEND(r+1)$ at \ref{code:append-read}. Let $p_i$ be this process.
|
||||
Line~\ref{code:append-read} is guarded by the condition at \ref{code:check-if-winners}, which ensures that $p_i$ observed some $(\_,r+1)$ in $P$. Let $p_j$ be the issuer of the first $\PROVE_j(r+1)$ in the linearization $H$.
|
||||
When $p_j$ executed $\PROVE_j(r+1)$ at \ref{code:submit-proposition}, he observed no tuple $(\_,r+1)$ in $P$ at \ref{code:check-if-winners} because he's the issuer of the first one. By the same reasoning as in the Case Algorithm \ref{alg:arb-crash} (ii), $p_j$ must have observed that the round $r$ was closed.
|
||||
% Line C7 is guarded by the presence of $\PROVE(r)$ in $P$ with $r=r+1$ (C5).
|
||||
% Moreover, the local pointer $\textit{next}$ grow by increment of 1 and only advances after finishing the current round (C17), so if a process can reach $\textit{next}=r+1$ it implies that he has completed round $r$, which includes closing $r$ at C8 when $\PROVE(r)$ is observed.
|
||||
% Hence $\APPEND^\star(r+1)$ implies a prior $\APPEND(r)$ in $H$, so $r$ is closed.
|
||||
\end{itemize}
|
||||
|
||||
\smallskip
|
||||
In all cases, $r+1$ closed implies $r$ closed. By induction on $r$, if the lemma is true for a closed $r$ then it is true for a closed $r+1$.
|
||||
Therefore, the lemma is true for all closed rounds $r$.
|
||||
In Algorithm~\ref{alg:arb-crash}, the call to $\APPEND(\cdot)$ appears at line~\ref{code:submit-proposition}, inside the loop indexed by rounds $1,2,\ldots$. Therefore, if $p_j$ reaches line~\ref{code:submit-proposition} for round $r+1$, then in the previous loop iteration (round $r$) process order implies that $p_j$ has already invoked $\APPEND(r)$ at the same line.
|
||||
|
||||
Hence an $\APPEND(r)$ exists in $H$, so round $r$ is closed by \cref{def:closed-round}. We proved:
|
||||
\[
|
||||
(r+1\ \text{closed}) \Rightarrow (r\ \text{closed}).
|
||||
\]
|
||||
By repeated application, if some round $r$ is closed, then every round $r' < r$ is also closed.
|
||||
\end{proof}
|
||||
|
||||
\begin{definition}[Winner Invariant]\label{def:winner-invariant}
|
||||
@@ -154,55 +121,40 @@ We present below an example of implementation of Atomic Reliable Broadcast (\ARB
|
||||
\end{proof}
|
||||
|
||||
\begin{lemma}[Well-defined winners]\label{lem:winners}
|
||||
For any correct process $p_i$ and round $r$, if $p_i$ computes $W_r$ at line~\ref{code:Wcompute}, then :
|
||||
For any correct process $p_i$ and round $r$, if $p_i$ computes $\mathit{winners}_r$ at line~\ref{code:Wcompute}, then :
|
||||
\begin{itemize}
|
||||
\item $\Winners_r$ is defined;
|
||||
\item the computed $W_r$ is exactly $\Winners_r$.
|
||||
\item the computed $\mathit{winners}_r$ is exactly $\Winners_r$.
|
||||
\end{itemize}
|
||||
\end{lemma}
|
||||
|
||||
\begin{proof}
|
||||
Lets consider a correct process $p_i$ that reach line~\ref{code:Wcompute} to compute $W_r$. \\
|
||||
By program order, $p_i$ must have executed $\APPEND_i(r)$ at line~\ref{code:append-read} before, which implies by \Cref{def:closed-round} that round $r$ is closed at that point. So by \Cref{def:winner-invariant}, $\Winners_r$ is defined. \\
|
||||
By \Cref{lem:closure-view}, all correct processes eventually observe the same set of valid tuples $(\_,r)$ in their \DL view. Hence, when $p_i$ executes the $\READ()$ at line~\ref{code:append-read} after the $\APPEND_i(r)$, it observes a set $P$ that includes all valid tuples $(\_,r)$ such that
|
||||
Lets consider a correct process $p_i$ that reach line~\ref{code:Wcompute} to compute $\mathit{winners}_r$. \\
|
||||
By program order, $p_i$ must have executed $\APPEND_i(r)$ at line~\ref{code:submit-proposition} before, which implies by \Cref{def:closed-round} that round $r$ is closed at that point. So by \Cref{def:winner-invariant}, $\Winners_r$ is defined. \\
|
||||
By \Cref{lem:closure-view}, all correct processes eventually observe the same set of valid tuples $(\_,r)$ in their \DL view. Hence, when $p_i$ executes the $\READ()$ at line~\ref{code:Wcompute} after the $\APPEND_i(r)$, it observes a set $P$ that includes all valid tuples $(\_,r)$ such that
|
||||
\[
|
||||
W_r = \{ j : (j,r) \in P \} = \{j : \PROVE_j(r) \prec \APPEND^{(\star)}(r) \} = \Winners_r
|
||||
\mathit{winners}_r = \{ j : (j,r) \in P \} = \{j : \PROVE_j(r) \prec \APPEND^{(\star)}(r) \} = \Winners_r
|
||||
\]
|
||||
\end{proof}
|
||||
|
||||
\begin{lemma}[No APPEND without PROVE]\label{lem:append-prove}
|
||||
If some process invokes $\APPEND(r)$, then at least a process must have previously invoked $\PROVE(r)$.
|
||||
\begin{lemma}[Winners are non-empty]\label{lem:nonempty}
|
||||
For any closed round $r$, there exists at least one process $p_j$ that invoked $\PROVE_j(r) \prec \APPEND^\star(r)$, so $\Winners_r \neq \emptyset$.
|
||||
\end{lemma}
|
||||
|
||||
\begin{proof}[Proof]
|
||||
Consider the round $r$ such that some process invokes $\APPEND(r)$. There are two possible cases
|
||||
Let $r$ be a closed round. By \Cref{def:closed-round}, some $\APPEND(r)$ occurs in the \DL linearization $H$. Let $p_i$ be the process invoking the earliest such operation, $\APPEND^{(\star)}(r)$.
|
||||
|
||||
\begin{itemize}
|
||||
\item \textbf{Case (\ref{code:submit-proposition}) :}
|
||||
There exists a process $p_i$ who's the issuer of the earliest $\APPEND^{(\star)}(r)$ in the DL linearization $H$. By program order, $p_i$ must have previously invoked $\PROVE_i(r)$ before invoking $\APPEND^{(\star)}(r)$ at line~\ref{code:submit-proposition}. In this case, there is at least one $\PROVE(r)$ valid in $H$ issued by a correct process before $\APPEND^{(\star)}(r)$.
|
||||
|
||||
\item \textbf{Case (\ref{code:append-read}) :}
|
||||
There exists a process $p_i$ that invoked $\APPEND^{(\star)}(r)$ at . Line~\ref{code:append-read} is guarded by the condition at \ref{code:check-if-winners}, which ensures that $p$ observed some $(\_,r)$ in $P$. In this case, there is at least one $\PROVE(r)$ valid in $H$ issued by some process before $\APPEND^{(\star)}(r)$.
|
||||
\end{itemize}
|
||||
|
||||
In both cases, if some process invokes $\APPEND(r)$, then some process must have previously invoked $\PROVE(r)$.
|
||||
\end{proof}
|
||||
|
||||
\begin{lemma}[No empty winners]\label{lem:nonempty}
|
||||
Let $r$ be a closed round, then $\Winners_r \neq \emptyset$.
|
||||
\end{lemma}
|
||||
|
||||
\begin{proof}[Proof]
|
||||
By \Cref{def:closed-round}, some $\APPEND(r)$ occurs in the DL linearization. \\
|
||||
By \Cref{lem:append-prove}, at least one process must have invoked a valid $\PROVE(r)$ before $\APPEND^{(\star)}(r)$. Hence, there exists at least one $p_j$ such that $p_j$ invoked $\PROVE_j(r) \prec \APPEND^\star(r)$, so $\Winners_r \neq \emptyset$.
|
||||
By program order in Algorithm~\ref{alg:arb-crash}, the call to $\APPEND(\cdot)$ at line~\ref{code:submit-proposition} is immediately preceded by $\PROVE(r)$. Thus $p_i$ must have invoked $\PROVE_i(r)$ before $\APPEND^{(\star)}(r)$, and by the sequence of code at line~\ref{code:submit-proposition}, this $\PROVE_i(r)$ executes before $\APPEND^{(\star)}(r)$ in the linearization.
|
||||
|
||||
By \Cref{def:winner-invariant}, $p_i \in \Winners_r$. Hence $\Winners_r \neq \emptyset$.
|
||||
\end{proof}
|
||||
|
||||
\begin{lemma}[Winners must propose]\label{lem:winners-propose}
|
||||
For any closed round $r$, $\forall i \in \Winners_r$, process $p_i$ must have invoked a $\RBcast(S^{(i)}, r, i)$ and hence any correct will eventually set $\prop[r][i]$ to a non-$\bot$ value.
|
||||
For any closed round $r$, $\forall i \in \Winners_r$, process $p_i$ must have invoked a $\RBcast(PROP, S^{(i)}, \langle r, i \rangle)$ and hence any correct will eventually set $\prop[r][i]$ to a non-$\bot$ value.
|
||||
\end{lemma}
|
||||
|
||||
\begin{proof}[Proof]
|
||||
Fix a closed round $r$. By \Cref{def:winner-invariant}, for any $i \in \Winners_r$, there exist a valid $\PROVE_i(r)$ such that $\PROVE_i(r) \prec \APPEND^\star(r)$ in the DL linearization. By program order, if $i$ invoked a valid $\PROVE_i(r)$ at line~\ref{code:submit-proposition} he must have invoked $\RBcast(S^{(i)}, r, i)$ directly before.
|
||||
Fix a closed round $r$. By \Cref{def:winner-invariant}, for any $i \in \Winners_r$, there exist a valid $\PROVE_i(r)$ such that $\PROVE_i(r) \prec \APPEND^\star(r)$ in the DL linearization. By program order, if $i$ invoked a valid $\PROVE_i(r)$ at line~\ref{code:submit-proposition} he must have invoked $\RBcast(PROP, S^{(i)}, \langle r, i \rangle)$ directly before.
|
||||
|
||||
Let take a correct process $p_j$, by \RB \emph{Validity}, every correct process eventually receives $i$'s \RB message for round $r$, which sets $\prop[r][i]$ to a non-$\bot$ value at line~\ref{code:prop-set}.
|
||||
\end{proof}
|
||||
@@ -216,58 +168,62 @@ If some process invokes $\APPEND(r)$, then at least a process must have previous
|
||||
\end{definition}
|
||||
|
||||
\begin{lemma}[Eventual proposal closure]\label{lem:eventual-closure}
|
||||
If a correct process $p_i$ define $M_r$ at line~\ref{code:Mcompute}, then for every $j \in \Winners_r$, $\prop^{(i)}[r][j] \neq \bot$.
|
||||
If a correct process $p_i$ define $M$ at line~\ref{code:Mcompute-dl}, then for every $j \in \Winners_r$, $\prop^{(i)}[r][j] \neq \bot$.
|
||||
\end{lemma}
|
||||
|
||||
\begin{proof}[Proof]
|
||||
Let take a correct process $p_i$ that computes $M_r$ at line~\ref{code:Mcompute}. By \Cref{lem:winners}, $p_i$ computation is the winner set $\Winners_r$.
|
||||
Let take a correct process $p_i$ that computes $M$ at line~\ref{code:Mcompute-dl}. By \Cref{lem:winners}, $p_i$ computation is the winner set $\Winners_r$.
|
||||
|
||||
By \Cref{lem:nonempty}, $\Winners_r \neq \emptyset$. The instruction at line~\ref{code:Mcompute} where $p_i$ computes $M_r$ is guarded by the condition at line~\ref{code:check-winners-ack}, which ensures that $p_i$ has received all \RB messages from every winner $j \in \Winners_r$. Hence, $M_r = \bigcup_{j\in\Winners_r} \prop^{(i)}[r][j]$, we have $\prop^{(i)}[r][j] \neq \bot$ for all $j \in \Winners_r$.
|
||||
By \Cref{lem:nonempty}, $\Winners_r \neq \emptyset$. The instruction at line~\ref{code:Mcompute-dl} where $p_i$ computes $M$ is guarded by the condition at line~\ref{code:check-winners-ack}, which ensures that $p_i$ has received all \RB messages from every winner $j \in \Winners_r$. Hence, $M = \bigcup_{j\in\Winners_r} \prop^{(i)}[r][j]$, we have $\prop^{(i)}[r][j] \neq \bot$ for all $j \in \Winners_r$.
|
||||
\end{proof}
|
||||
|
||||
\begin{lemma}[Unique proposal per sender per round]\label{lem:unique-proposal}
|
||||
For any round $r$ and any process $p_i$, $p_i$ invokes at most one $\RBcast(S, r, i)$.
|
||||
For any round $r$ and any process $p_i$, $p_i$ invokes at most one $\RBcast(PROP, S, \langle r, i \rangle)$.
|
||||
\end{lemma}
|
||||
|
||||
\begin{proof}[Proof]
|
||||
By program order, any process $p_i$ invokes $\RBcast(S, r, i)$ at line~\ref{code:submit-proposition} must be in the loop \ref{code:sumbited-check-loop}. No matter the number of iterations of the loop, line~\ref{code:sumbited-check-loop} always uses the current value of $r$ which is incremented by 1 at each turn. Hence, in any execution, any process $p_i$ invokes $\RBcast(S, r, j)$ at most once for any round $r$.
|
||||
In Algorithm~\ref{alg:arb-crash}, the only place where a process $p_i$ can invoke $\RBcast(PROP, S, \langle r, i \rangle)$ is at line~\ref{code:submit-proposition}, which appears inside the main loop indexed by rounds $r = 1, 2, \ldots$.
|
||||
|
||||
Each iteration of this loop processes exactly one round value $r$, and within that iteration, line~\ref{code:submit-proposition} is executed at most once. Since the loop variable $r$ takes each value $1, 2, \ldots$ at most once during the execution, process $p_i$ invokes $\RBcast(PROP, S, \langle r, i \rangle)$ at most once for any given round $r$.
|
||||
\end{proof}
|
||||
|
||||
\begin{lemma}[Proposal convergence]\label{lem:convergence}
|
||||
For any round $r$, for any correct processes $p_i$ that execute line~\ref{code:Mcompute}, we have
|
||||
For any round $r$, for any correct processes $p_i$ that execute line~\ref{code:Mcompute-dl}, we have
|
||||
\[
|
||||
M_r^{(i)} = \Messages_r
|
||||
M^{(i)} = \Messages_r
|
||||
\]
|
||||
\end{lemma}
|
||||
|
||||
\begin{proof}[Proof]
|
||||
Let take a correct process $p_i$ that compute $M_r$ at line~\ref{code:Mcompute}. That implies that $p_i$ has defined $W_r$ at line~\ref{code:Wcompute}. It implies that, by \Cref{lem:winners}, $r$ is closed and $W_r = \Winners_r$. \\
|
||||
By \Cref{lem:eventual-closure}, for every $j \in \Winners_r$, $\prop^{(i)}[r][j] \neq \bot$. By \Cref{lem:unique-proposal}, each winner $j$ invokes at most one $\RBcast(S^{(j)}, r, j)$, so $\prop^{(i)}[r][j] = S^{(j)}$ is uniquely defined. Hence, when $p_i$ computes
|
||||
Let take a correct process $p_i$ that compute $M$ at line~\ref{code:Mcompute-dl}. That implies that $p_i$ has defined $\mathit{winners}_r$ at line~\ref{code:Wcompute}. It implies that, by \Cref{lem:winners}, $r$ is closed and $\mathit{winners}_r = \Winners_r$. \\
|
||||
By \Cref{lem:eventual-closure}, for every $j \in \Winners_r$, $\prop^{(i)}[r][j] \neq \bot$. By \Cref{lem:unique-proposal}, each winner $j$ invokes at most one $\RBcast(PROP, S^{(j)}, \langle r, j \rangle)$, so $\prop^{(i)}[r][j] = S^{(j)}$ is uniquely defined. Hence, when $p_i$ computes
|
||||
\[
|
||||
M_r^{(i)} = \bigcup_{j\in\Winners_r} \prop^{(i)}[r][j] = \bigcup_{j\in\Winners_r} S^{(j)} = \Messages_r.
|
||||
M^{(i)} = \bigcup_{j\in\Winners_r} \prop^{(i)}[r][j] = \bigcup_{j\in\Winners_r} S^{(j)} = \Messages_r.
|
||||
\]
|
||||
\end{proof}
|
||||
|
||||
\begin{lemma}[Inclusion]\label{lem:inclusion}
|
||||
If some correct process invokes $\ABbroadcast(m)$, then there exist a round $r$ and a process $j\in\Winners_r$ such that $p_j$ invokes
|
||||
\[
|
||||
\RBcast(S, r, j)\quad\text{for same S with}\quad m\in S.
|
||||
\RBcast(PROP, S, \langle r, j \rangle)\quad\text{for some S with}\quad m\in S.
|
||||
\]
|
||||
\end{lemma}
|
||||
|
||||
\begin{proof}
|
||||
Fix a correct process $p_i$ that invokes $\ABbroadcast(m)$ and eventually exits the loop (\ref{code:sumbited-check-loop}) at some round $r$. There are two possible cases.
|
||||
|
||||
Let $p_i$ be a correct process that invokes $\ABbroadcast(m)$. By the handler at line~\ref{code:abbroadcast-add}, $m$ is added to $\mathit{unordered}$. Since $p_i$ is correct, it continues executing the main loop.
|
||||
|
||||
Consider any iteration of the loop where $p_i$ executes line~\ref{code:Sconstruction} while $m \in (\mathit{unordered} \setminus \mathit{ordered})$. At that iteration, for some round $r$, process $p_i$ constructs $S$ containing $m$ and invokes $\RBcast(PROP, S, \langle r, i \rangle)$ at line~\ref{code:submit-proposition}.
|
||||
|
||||
We distinguish two cases:
|
||||
\begin{itemize}
|
||||
\item \textbf{Case 1:} $p_i$ exits the loop because $(i, r) \in P$. In this case, by \Cref{def:winner-invariant}, $p_i$ is a winner in round $r$. By program order, $p_i$ must have invoked $\RBcast(S, r, i)$ at \ref{code:submit-proposition} before invoking $\PROVE_i(r)$. By line~\ref{code:Sconstruction}, $m \in S$. Hence there exist a closed round $r$ and $p_i$ is a correct process such that $i\in\Winners_r$. Hence, $i$ invokes $\RBcast(S, r, i)$ with $m\in S$.
|
||||
\item \textbf{Case 1: $p_i$ is a winner.} If $p_i \in \Winners_r$ for this round $r$, then by \Cref{def:winner-invariant} and program order, $p_i$ has invoked $\RBcast(PROP, S, \langle r, i \rangle)$ with $m \in S$, and the lemma holds with $j = i$.
|
||||
|
||||
\item \textbf{Case 2:} $p_i$ exits the loop because $\exists j, r': (j, r') \in P \wedge m \in \prop[r'][j]$. In this case, by \Cref{lem:winners-propose} and \Cref{lem:unique-proposal} $p_j$ must have invoked a unique $\RBcast(S, r', j)$. Which set $\prop^{(i)}[r'][j] = S$ with $m \in S$.
|
||||
\item \textbf{Case 2: $p_i$ is not a winner.} If $p_i \notin \Winners_r$, then by the \RB \emph{Validity} property, all correct processes eventually \textsf{rdeliver} $p_i$'s message. By line~\ref{code:receivedConstruction}, each correct process $p_k$ adds $m$ to its own $\mathit{unordered}$ set. Hence every correct process will eventually attempt to broadcast $m$ in some subsequent round.
|
||||
|
||||
Since there are infinitely many rounds and finitely many processes, and by \Cref{lem:nonempty} every closed round has at least one winner, there must exist a round $r'$ and a correct process $p_j \in \Winners_{r'}$ such that $m \in (\mathit{unordered} \setminus \mathit{ordered})$ when $p_j$ constructs its proposal $S$ at line~\ref{code:Sconstruction} for round $r'$. Hence $p_j$ invokes $\RBcast(PROP, S, \langle r', j \rangle)$ with $m \in S$.
|
||||
\end{itemize}
|
||||
|
||||
In both cases, if some correct process invokes $\ABbroadcast(m)$, then there exist a round $r$ and a correct process $j\in\Winners_r$ such that $j$ invokes
|
||||
\[
|
||||
\RBcast(S, r, j)\quad\text{with}\quad m\in S.
|
||||
\]
|
||||
|
||||
In both cases, there exists a round and a winner whose proposal includes $m$.
|
||||
\end{proof}
|
||||
|
||||
\begin{lemma}[Broadcast Termination]\label{lem:bcast-termination}
|
||||
@@ -277,7 +233,7 @@ If some process invokes $\APPEND(r)$, then at least a process must have previous
|
||||
\begin{proof}[Proof]
|
||||
Consider a correct process $p_i$ that invokes $\ABbroadcast(m)$. The statement is true if $\exists r_1$ such that $r_1 \geq r_{max}$ and if $(i, r_1) \in P$; or if $\exists r_2$ such that $r_2 \geq r_{max}$ and if $\exists j: (j, r_2) \in P \wedge m \in \prop[r_2][j]$ (like guarded at B8).
|
||||
|
||||
Consider that there exists no round $r_1$ such that $p_i$ invokes a valid $\PROVE(r_1)$. In this case $p_i$ invokes infinitely many $\RBcast(S, \_, i)$ at line~\ref{code:submit-proposition} with $m \in S$ (line~\ref{code:Sconstruction}).\\
|
||||
Consider that there exists no round $r_1$ such that $p_i$ invokes a valid $\PROVE(r_1)$. In this case $p_i$ invokes infinitely many $\RBcast(PROP, S, \langle \_, i \rangle)$ at line~\ref{code:submit-proposition} with $m \in S$ (line~\ref{code:Sconstruction}).\\
|
||||
The assumption that no $\PROVE(r_1)$ invoked by $p$ is valid implies by \DL \emph{Validity} that for every round $r' \geq r_{max}$, there exists at least one $\APPEND(r')$ in the DL linearization, hence by \Cref{lem:nonempty} for every possible round $r'$ there at least a winner. Because there is an infinite number of rounds, and a finite number of processes, there exists at least one process $p_k$ that invokes infinitely many valid $\PROVE(r')$ and by extension infinitely many $\ABbroadcast(\_)$. By \RB \emph{Validity}, $p_k$ eventually receives $p_i$ 's \RB messages. Let call $t_0$ the time when $p_k$ receives $p_i$ 's \RB message. \\
|
||||
At $t_0$, $p_k$ executes Algorithm \ref{alg:arb-crash} and sets $\mathit{received} \leftarrow \mathit{received} \cup \{S\}$ with $m \in S$ (line~\ref{code:receivedConstruction}).
|
||||
For the first invocation of $\ABbroadcast(\_)$ by $p_k$ after the execution of \texttt{RReceived()}, $p_k$ must include $m$ in his proposal $S$ at line~\ref{code:Sconstruction} (because $m$ is pending in $j$'s $\received \setminus \delivered$ set). There exists a minimum round $r_2$ such that $p_k \in \Winners_{r_2}$ after $t_0$. By \Cref{lem:winners-propose}, eventually $\prop^{(i)}[r_2][k] \neq \bot$. By \Cref{lem:unique-proposal}, $\prop^{(i)}[r_2][k]$ is uniquely defined as the set $S$ proposed by $p_k$ at B6, which by \Cref{lem:inclusion} includes $m$. Hence eventually $m \in \prop^{(i)}[r_2][k]$ and $k \in \Winners_{r_2}$.
|
||||
@@ -292,14 +248,14 @@ If some process invokes $\APPEND(r)$, then at least a process must have previous
|
||||
\begin{proof}[Proof]
|
||||
Let $p_i$ a correct process that invokes $\ABbroadcast(m)$ and $p_q$ a correct process that infinitely invokes $\ABdeliver()$. By \Cref{lem:inclusion}, there exist a closed round $r$ and a correct process $j\in\Winners_r$ such that $p_j$ invokes
|
||||
\[
|
||||
\RBcast(S, r, j)\quad\text{with}\quad m\in S.
|
||||
\RBcast(PROP, S, \langle r, j \rangle)\quad\text{with}\quad m\in S.
|
||||
\]
|
||||
|
||||
By \Cref{lem:eventual-closure}, when $p_q$ computes $M_r$ at line~\ref{code:Mcompute}, $\prop[r][j]$ is non-$\bot$ because $j \in \Winners_r$. By \Cref{lem:unique-proposal}, $p_j$ invokes at most one $\RBcast(S, r, j)$, so $\prop[r][j]$ is uniquely defined. Hence, when $p_q$ computes
|
||||
By \Cref{lem:eventual-closure}, when $p_q$ computes $M$ at line~\ref{code:Mcompute-dl}, $\prop[r][j]$ is non-$\bot$ because $j \in \Winners_r$. By \Cref{lem:unique-proposal}, $p_j$ invokes at most one $\RBcast(PROP, S, \langle r, j \rangle)$, so $\prop[r][j]$ is uniquely defined. Hence, when $p_q$ computes
|
||||
\[
|
||||
M_r = \bigcup_{k\in\Winners_r} \prop[r][k],
|
||||
M = \bigcup_{k\in\Winners_r} \prop[r][k],
|
||||
\]
|
||||
we have $m \in \prop[r][j] = S$, so $m \in M_r$. By \Cref{lem:convergence}, $M_r$ is invariant so each computation of $M_r$ by a correct process includes $m$. At each invocation of $m' = \ABdeliver()$, $m'$ is added to $\delivered$ until $M_r \subseteq \delivered$. Once this happens we're assured that there exists an invocation of $\ABdeliver()$ which return $m$. Hence $m$ is well delivered.
|
||||
we have $m \in \prop[r][j] = S$, so $m \in M$. By \Cref{lem:convergence}, $M$ is invariant so each computation of $M$ by a correct process includes $m$. At each invocation of $m' = \ABdeliver()$, $m'$ is added to $\delivered$ until $M \subseteq \delivered$. Once this happens we're assured that there exists an invocation of $\ABdeliver()$ which return $m$. Hence $m$ is well delivered.
|
||||
\end{proof}
|
||||
|
||||
\begin{lemma}[No duplication]\label{lem:no-duplication}
|
||||
@@ -309,7 +265,7 @@ If some process invokes $\APPEND(r)$, then at least a process must have previous
|
||||
\begin{proof}
|
||||
Let consider two invokations of $\ABdeliver()$ made by the same correct process which returns $m$. Let call these two invocations respectively $\ABdeliver^{(A)}()$ and $\ABdeliver^{(B)}()$.
|
||||
|
||||
When $\ABdeliver^{(A)}()$ occurs, by program order and because it reached line C18 to return $m$, the process must have add $m$ to $\delivered$. Hence when $\ABdeliver^{(B)}()$ reached line~\ref{code:next-msg-extraction} to extract the next message to deliver, it can't be $m$ because $m \not\in (M_r \setminus \{..., m, ...\})$. So a $\ABdeliver^{(B)}()$ which delivers $m$ can't occur.
|
||||
When $\ABdeliver^{(A)}()$ occurs, by program order and because it reached line~\ref{code:adeliver-mark} to return $m$, the process must have add $m$ to $\delivered$. Hence when $\ABdeliver^{(B)}()$ reached line~\ref{code:adeliver-extract} to extract the next message to deliver, it can't be $m$ because $m \not\in (\mathit{ordered} \setminus \mathit{delivered})$. So a $\ABdeliver^{(B)}()$ which delivers $m$ can't occur.
|
||||
\end{proof}
|
||||
|
||||
\begin{lemma}[Total order]\label{lem:total-order}
|
||||
@@ -319,17 +275,17 @@ If some process invokes $\APPEND(r)$, then at least a process must have previous
|
||||
\begin{proof}
|
||||
Consider a correct process that delivers both $m_1$ and $m_2$. By \Cref{lem:validity}, there exists a closed rounds $r'_1$ and $r'_2$ and correct processes $k_1 \in \Winners_{r'_1}$ and $k_2 \in \Winners_{r'_2}$ such that
|
||||
\[
|
||||
\RBcast(S_1, r'_1, k_1)\quad\text{with}\quad m_1\in S_1,
|
||||
\RBcast(PROP, S_1, \langle r'_1, k_1 \rangle)\quad\text{with}\quad m_1\in S_1,
|
||||
\]
|
||||
\[
|
||||
\RBcast(S_2, r'_2, k_2)\quad\text{with}\quad m_2\in S_2.
|
||||
\RBcast(PROP, S_2, \langle r'_2, k_2 \rangle)\quad\text{with}\quad m_2\in S_2.
|
||||
\]
|
||||
|
||||
Let consider three cases :
|
||||
\begin{itemize}
|
||||
\item \textbf{Case 1:} $r_1 < r_2$. By program order, any correct process must have waited to append in $\delivered$ every messages in $M_{r_1}$ (which contains $m_1$) to increment $\current$ and eventually set $\current = r_2$ to compute $M_{r_2}$ and then invoke the $ m_2 = \ABdeliver()$. Hence, for any correct process that delivers both $m_1$ and $m_2$, it delivers $m_1$ before $m_2$.
|
||||
\item \textbf{Case 1:} $r_1 < r_2$. By program order, any correct process must have waited to append in $\delivered$ every messages in $M$ (which contains $m_1$) to increment $\current$ and eventually set $\current = r_2$ to compute $M$ and then invoke the $ m_2 = \ABdeliver()$. Hence, for any correct process that delivers both $m_1$ and $m_2$, it delivers $m_1$ before $m_2$.
|
||||
|
||||
\item \textbf{Case 2:} $r_1 = r_2$. By \Cref{lem:convergence}, any correct process that computes $M_{r_1}$ at line~\ref{code:Mcompute} computes the same set of messages $\Messages_{r_1}$. By line~\ref{code:next-msg-extraction} the messages are pull in a deterministic order defined by $\ordered(\_)$. Hence, for any correct process that delivers both $m_1$ and $m_2$, it delivers $m_1$ and $m_2$ in the deterministic order defined by $\ordered(\_)$.
|
||||
\item \textbf{Case 2:} $r_1 = r_2$. By \Cref{lem:convergence}, any correct process that computes $M$ at line~\ref{code:Mcompute-dl} computes the same set of messages $\Messages_{r_1}$. By line~\ref{code:next-msg-extraction} the messages are pull in a deterministic order defined by $\ordered(\_)$. Hence, for any correct process that delivers both $m_1$ and $m_2$, it delivers $m_1$ and $m_2$ in the deterministic order defined by $\ordered(\_)$.
|
||||
\end{itemize}
|
||||
|
||||
In all possible cases, any correct process that delivers both $m_1$ and $m_2$ delivers $m_1$ and $m_2$ in the same order.
|
||||
@@ -342,13 +298,13 @@ If some process invokes $\APPEND(r)$, then at least a process must have previous
|
||||
\begin{proof}
|
||||
Let take $m_1$ and $m_2$ broadcast by the same correct process $p_i$, with $p_i$ invoking $\ABbroadcast(m_1)$ before $\ABbroadcast(m_2)$. By \Cref{lem:validity}, there exist closed rounds $r_1$ and $r_2$ such that $r_1 \leq r_2$ and correct processes $k_1 \in \Winners_{r_1}$ and $k_2 \in \Winners_{r_2}$ such that
|
||||
\[
|
||||
\RBcast(S_1, r_1, k_1)\quad\text{with}\quad m_1\in S_1,
|
||||
\RBcast(PROP, S_1, \langle r_1, k_1 \rangle)\quad\text{with}\quad m_1\in S_1,
|
||||
\]
|
||||
\[
|
||||
\RBcast(S_2, r_2, k_2)\quad\text{with}\quad m_2\in S_2.
|
||||
\RBcast(PROP, S_2, \langle r_2, k_2 \rangle)\quad\text{with}\quad m_2\in S_2.
|
||||
\]
|
||||
|
||||
By program order, $p_i$ must have invoked $\RBcast(S_1, r_1, i)$ before $\RBcast(S_2, r_2, i)$. By \Cref{lem:unique-proposal}, any process invokes at most one $\RBcast(S, r, i)$ per round, hence $r_1 < r_2$. By \Cref{lem:total-order}, any correct process that delivers both $m_1$ and $m_2$ delivers them in a deterministic order.
|
||||
By program order, $p_i$ must have invoked $\RBcast(PROP, S_1, \langle r_1, i \rangle)$ before $\RBcast(PROP, S_2, \langle r_2, i \rangle)$. By \Cref{lem:unique-proposal}, any process invokes at most one $\RBcast(PROP, S, \langle r, i \rangle)$ per round, hence $r_1 < r_2$. By \Cref{lem:total-order}, any correct process that delivers both $m_1$ and $m_2$ delivers them in a deterministic order.
|
||||
|
||||
In all possible cases, any correct process that delivers both $m_1$ and $m_2$ delivers $m_1$ before $m_2$.
|
||||
\end{proof}
|
||||
|
||||
Binary file not shown.
Reference in New Issue
Block a user