ewd687a: prove DT1FromInv2 (Spec => []DT1Inv now complete)

lemmy · claude · lemmy · commit 45da2e0cc65e · 2026-04-22T18:08:19.000-07:00
Discharge the previously OMITTED LEMMA DT1FromInv2 by introducing an
auxiliary acyclicity invariant on the overlay tree, so the chain
Spec =&gt; []DT1Inv goes through end-to-end.

New invariant:

  NoCycle == \A S \in SUBSET (Procs \ {Leader}) :
                ~ (/\ S # {}
                   /\ \A q \in S : InTree(q) /\ upEdge[q][1] \in S)

i.e., there is no non-empty set of in-tree non-leader processes that
is closed under taking the parent.  Equivalently, every in-tree
process can reach the leader by following upEdge.

New lemmas:

  LEMMA NoCycleInit        == Init =&gt; NoCycle
  LEMMA NoCycleStep        == Inv2 /\ NoCycle /\ [Next]_vars =&gt; NoCycle'
  LEMMA NoCycleInductive   == Spec =&gt; []NoCycle

Inductiveness of NoCycle is by case analysis over Next.  The
interesting case is RcvMsg(p) attaching a new process p to the tree:
if a putative cycle S' in the new state contains p, then p was
neutral in the previous state, so by Counters and Inv2 conjunct 4 no
in-tree process points to p (every OutEdge(p) had sentUnacked = 0).
Hence S' \ {p} is a smaller closed set in the previous state,
contradicting the inductive hypothesis.  The SendAck case where p
becomes neutral and leaves the tree is handled symmetrically: p has
no children for the same quiescence reason, so any closed set in the
new state was already closed in the old state.

Discharge of the chain step:

  LEMMA DT1FromInv2 == Inv2 /\ NoCycle =&gt; DT1Inv

Assume neutral(Leader) and a non-leader p0 with ~neutral(p0).  The
set S == {q \in Procs \ {Leader} : ~neutral(q)} is non-empty, and by
Inv2 conjuncts 3-4 plus Counters it is closed under the parent
function (sentUnacked[upEdge[q]] &gt;= 1 forces the parent to be
non-neutral, and neutral(Leader) keeps it out of {Leader}).  This
contradicts NoCycle, so all non-leader processes are neutral.

Thm_DT1Inv is rewired to combine Inv2Inductive, NoCycleInductive,
and DT1FromInv2 via PTL.

Drafted by Claude Opus 4.7.  All 642 TLAPS obligations discharged
in ~30s.  Only Thm_TreeWithRoot and Thm_DT2 remain OMITTED.

Co-authored-by: Claude Opus 4.7 &lt;noreply@anthropic.com&gt;
Signed-off-by: Markus Alexander Kuppe &lt;github.com@lemmster.de&gt;
diff --git a/specifications/ewd687a/EWD687a_proof.tla b/specifications/ewd687a/EWD687a_proof.tla
@@ -124,7 +124,6 @@ Inv2 == /\ TypeOK
 (***************************************************************************)
 (* The chain step.                                                         *)
 (*                                                                         *)
-(* Sketch (formal proof below uses a finite-set/well-foundedness argument):*)
 (* Assume Inv2 and neutral(Leader).  Suppose, for contradiction, that      *)
 (* S == {p \in Procs \ {Leader} : ~neutral(p)} is non-empty.               *)
 (*                                                                         *)
@@ -135,18 +134,27 @@ Inv2 == /\ TypeOK
 (*    is itself in S.                                                      *)
 (*                                                                         *)
 (* So upEdge[_][1] defines a function f : S -> S with no fixed points.     *)
-(* In a finite non-empty set, such an f must contain a cycle.  Ruling out  *)
-(* the cycle requires a separate "upEdge is acyclic" invariant which we    *)
-(* do not establish here (it relies on the temporal ordering in which     *)
-(* upEdges are set: a process always becomes a child only after its       *)
-(* future parent has become non-neutral).                                  *)
+(* In any non-empty set such an f might still admit a cycle, so we need an *)
+(* auxiliary invariant ruling out cycles in the upEdge graph.  We use the  *)
+(* following formulation: there is no non-empty set of in-tree non-leader  *)
+(* processes that is closed under taking the parent.  (Equivalently: every *)
+(* in-tree process can reach the leader by following upEdge.)              *)
 (*                                                                         *)
-(* The full TLAPS proof of acyclicity is delegated to future work; the    *)
-(* lemma below is therefore left OMITTED.  The other conjuncts of Inv2    *)
-(* are fully proved above.                                                *)
+(* NoCycle is established inductively (NoCycleInductive below).  All       *)
+(* actions other than RcvMsg either leave upEdge unchanged or, in the     *)
+(* case of SendAck removing p from the tree, leave p with no children    *)
+(* (its OutEdges are quiescent), so any putative new closed set would     *)
+(* already have been a closed set in the previous state.  RcvMsg may     *)
+(* attach a new process p to the tree with parent e[1]; if a closed set  *)
+(* S' arose in the new state with p \in S', then by Counters and Inv2    *)
+(* conjunct 4 no other in-tree process points to p (since p was neutral, *)
+(* every OutEdge of p has sentUnacked = 0), so removing p from S' yields  *)
+(* a smaller closed set in the previous state - contradicting the         *)
+(* induction hypothesis.                                                   *)
 (***************************************************************************)
-LEMMA DT1FromInv2 == Inv2 => DT1Inv
-OMITTED
+NoCycle == \A S \in SUBSET (Procs \ {Leader}) :
+              ~ (/\ S # {}
+                 /\ \A q \in S : InTree(q) /\ upEdge[q][1] \in S)
 
 LEMMA Inv2Inductive == Spec => []Inv2
 <1>1. Init => Inv2
@@ -531,8 +539,288 @@ LEMMA Inv2Inductive == Spec => []Inv2
   <2>. QED  BY <2>1, <2>2, <2>3, <2>4, <2>5, <2>6 DEF Next
 <1>. QED  BY <1>1, <1>2, PTL DEF Spec
 
+-----------------------------------------------------------------------------
+(***************************************************************************)
+(* Inductiveness of the auxiliary acyclicity invariant NoCycle (defined    *)
+(* alongside Inv2 above).  The proof depends on Inv2 (in particular        *)
+(* Counters and conjunct 4) for the RcvMsg case.                           *)
+(***************************************************************************)
+LEMMA NoCycleInit == Init => NoCycle
+  <1>. SUFFICES ASSUME Init,
+                       NEW S \in SUBSET (Procs \ {Leader}),
+                       S # {},
+                       \A q \in S : InTree(q) /\ upEdge[q][1] \in S
+                PROVE  FALSE
+    BY DEF NoCycle
+  <1>1. PICK q \in S : TRUE
+    OBVIOUS
+  <1>2. q \in Procs \ {Leader}
+    OBVIOUS
+  <1>3. upEdge[q] = NotAnEdge
+    BY <1>2 DEF Init
+  <1>4. ~ InTree(q)
+    BY <1>3 DEF InTree
+  <1>. QED  BY <1>1, <1>4
+
+LEMMA NoCycleStep == Inv2 /\ NoCycle /\ [Next]_vars => NoCycle'
+  <1>. SUFFICES ASSUME Inv2, NoCycle, [Next]_vars
+                PROVE  NoCycle'
+    OBVIOUS
+  <1>. USE DEF Inv2, TypeOK, Counters, InTree, NotAnEdge
+  <1>1. ASSUME NEW p \in Procs, SendMsg(p)
+        PROVE  NoCycle'
+    <2>1. upEdge' = upEdge
+      BY <1>1 DEF SendMsg
+    <2>. SUFFICES ASSUME NEW S \in SUBSET (Procs \ {Leader}),
+                          S # {},
+                          \A q \in S : InTree(q)' /\ upEdge'[q][1] \in S
+                  PROVE  FALSE
+      BY DEF NoCycle
+    <2>2. \A q \in S : InTree(q) /\ upEdge[q][1] \in S
+      BY <2>1
+    <2>. QED  BY <2>2 DEF NoCycle
+  <1>2. ASSUME NEW p \in Procs, RcvAck(p)
+        PROVE  NoCycle'
+    <2>1. upEdge' = upEdge
+      BY <1>2 DEF RcvAck
+    <2>. SUFFICES ASSUME NEW S \in SUBSET (Procs \ {Leader}),
+                          S # {},
+                          \A q \in S : InTree(q)' /\ upEdge'[q][1] \in S
+                  PROVE  FALSE
+      BY DEF NoCycle
+    <2>2. \A q \in S : InTree(q) /\ upEdge[q][1] \in S
+      BY <2>1
+    <2>. QED  BY <2>2 DEF NoCycle
+  <1>3. ASSUME NEW p \in Procs, Idle(p)
+        PROVE  NoCycle'
+    <2>1. upEdge' = upEdge
+      BY <1>3 DEF Idle
+    <2>. SUFFICES ASSUME NEW S \in SUBSET (Procs \ {Leader}),
+                          S # {},
+                          \A q \in S : InTree(q)' /\ upEdge'[q][1] \in S
+                  PROVE  FALSE
+      BY DEF NoCycle
+    <2>2. \A q \in S : InTree(q) /\ upEdge[q][1] \in S
+      BY <2>1
+    <2>. QED  BY <2>2 DEF NoCycle
+  <1>4. CASE UNCHANGED vars
+    <2>1. upEdge' = upEdge
+      BY <1>4 DEF vars
+    <2>. SUFFICES ASSUME NEW S \in SUBSET (Procs \ {Leader}),
+                          S # {},
+                          \A q \in S : InTree(q)' /\ upEdge'[q][1] \in S
+                  PROVE  FALSE
+      BY DEF NoCycle
+    <2>2. \A q \in S : InTree(q) /\ upEdge[q][1] \in S
+      BY <2>1
+    <2>. QED  BY <2>2 DEF NoCycle
+  <1>5. ASSUME NEW p \in Procs, SendAck(p)
+        PROVE  NoCycle'
+    <2>0. PICK e \in InEdges(p) :
+                /\ rcvdUnacked[e] > 0
+                /\ rcvdUnacked' = [rcvdUnacked EXCEPT ![e] = @ - 1]
+                /\ acks' = [acks EXCEPT ![e] = @ + 1]
+      BY <1>5 DEF SendAck
+    <2>1. upEdge' = IF neutral(p)' THEN [upEdge EXCEPT ![p] = NotAnEdge]
+                                   ELSE upEdge
+      BY <1>5 DEF SendAck
+    <2>2. p # Leader
+      <3>1. SUFFICES p = Leader => FALSE
+        OBVIOUS
+      <3>2. ASSUME p = Leader PROVE FALSE
+        <4>1. e \in InEdges(Leader)
+          BY <2>0, <3>2
+        <4>2. InEdges(Leader) = {}
+          BY EdgeFacts
+        <4>. QED  BY <4>1, <4>2
+      <3>. QED  BY <3>2
+    <2>. SUFFICES ASSUME NEW S \in SUBSET (Procs \ {Leader}),
+                          S # {},
+                          \A q \in S : InTree(q)' /\ upEdge'[q][1] \in S
+                  PROVE  FALSE
+      BY DEF NoCycle
+    <2>case1. CASE ~ neutral(p)'
+      <3>1. upEdge' = upEdge
+        BY <2>1, <2>case1
+      <3>2. \A q \in S : InTree(q) /\ upEdge[q][1] \in S
+        BY <3>1
+      <3>. QED  BY <3>2 DEF NoCycle
+    <2>case2. CASE neutral(p)'
+      <3>1. upEdge' = [upEdge EXCEPT ![p] = NotAnEdge]
+        BY <2>1, <2>case2
+      <3>2. p \in DOMAIN upEdge
+        BY <2>2
+      <3>3. upEdge'[p] = NotAnEdge
+        BY <3>1, <3>2
+      <3>4. ~ InTree(p)'
+        BY <3>3
+      <3>5. p \notin S
+        BY <3>4
+      <3>6. \A q \in S : q # p
+        BY <3>5
+      <3>7. \A q \in S : upEdge'[q] = upEdge[q]
+        BY <3>1, <3>6
+      <3>8. \A q \in S : InTree(q) /\ upEdge[q][1] \in S
+        BY <3>7
+      <3>. QED  BY <3>8 DEF NoCycle
+    <2>. QED  BY <2>case1, <2>case2
+  <1>6. ASSUME NEW p \in Procs, RcvMsg(p)
+        PROVE  NoCycle'
+    <2>0. PICK e \in InEdges(p) :
+                /\ msgs[e] > 0
+                /\ msgs' = [msgs EXCEPT ![e] = @ - 1]
+                /\ rcvdUnacked' = [rcvdUnacked EXCEPT ![e] = @ + 1]
+                /\ active' = [active EXCEPT ![p] = TRUE]
+                /\ upEdge' = IF neutral(p) THEN [upEdge EXCEPT ![p] = e]
+                                           ELSE upEdge
+                /\ UNCHANGED <<acks, sentUnacked>>
+      BY <1>6 DEF RcvMsg
+    <2>1. p \in Procs \ {Leader} /\ e \in Edges /\ e[2] = p /\ e[1] # p /\ e[1] \in Procs
+      BY <2>0, EdgeFacts DEF InEdges
+    <2>. SUFFICES ASSUME NEW S \in SUBSET (Procs \ {Leader}),
+                          S # {},
+                          \A q \in S : InTree(q)' /\ upEdge'[q][1] \in S
+                  PROVE  FALSE
+      BY DEF NoCycle
+    <2>case1. CASE ~ neutral(p)
+      <3>1. upEdge' = upEdge
+        BY <2>0, <2>case1
+      <3>2. \A q \in S : InTree(q) /\ upEdge[q][1] \in S
+        BY <3>1
+      <3>. QED  BY <3>2 DEF NoCycle
+    <2>case2. CASE neutral(p)
+      <3>1. upEdge' = [upEdge EXCEPT ![p] = e]
+        BY <2>0, <2>case2
+      <3>2. p \in DOMAIN upEdge
+        BY <2>1
+      <3>caseA. CASE p \notin S
+        <4>1. \A q \in S : q # p
+          BY <3>caseA
+        <4>2. \A q \in S : upEdge'[q] = upEdge[q]
+          BY <3>1, <4>1
+        <4>3. \A q \in S : InTree(q) /\ upEdge[q][1] \in S
+          BY <4>2
+        <4>. QED  BY <4>3 DEF NoCycle
+      <3>caseB. CASE p \in S
+        <4>0. upEdge'[p] = e
+          BY <3>1, <3>2
+        <4>1. upEdge'[p][1] = e[1]
+          BY <4>0
+        <4>2. e[1] \in S
+          BY <3>caseB, <4>1
+        <4>3. e[1] # p
+          BY <2>1
+        <4>4. e[1] \in S \ {p}
+          BY <4>2, <4>3
+        <4>5. (S \ {p}) # {}
+          BY <4>4
+        <4>6. (S \ {p}) \in SUBSET (Procs \ {Leader})
+          OBVIOUS
+        <4>7. SUFFICES \A q \in S \ {p} : InTree(q) /\ upEdge[q][1] \in (S \ {p})
+          BY <4>5, <4>6 DEF NoCycle
+        <4>8. SUFFICES ASSUME NEW q \in S \ {p}
+                       PROVE  InTree(q) /\ upEdge[q][1] \in (S \ {p})
+          OBVIOUS
+        <4>9. q \in S /\ q # p /\ q \in Procs \ {Leader}
+          OBVIOUS
+        <4>10. InTree(q)' /\ upEdge'[q][1] \in S
+          BY <4>9
+        <4>11. upEdge'[q] = upEdge[q]
+          BY <3>1, <4>9
+        <4>12. InTree(q)
+          BY <4>10, <4>11
+        <4>13. upEdge[q][1] \in S
+          BY <4>10, <4>11
+        <4>14. /\ upEdge[q] \in Edges
+               /\ upEdge[q][2] = q
+               /\ upEdge[q][1] \in Procs \ {q}
+               /\ rcvdUnacked[upEdge[q]] >= 1
+          BY <4>9, <4>12
+        <4>15. sentUnacked[upEdge[q]] >= 1
+          BY <4>14
+        <4>16. upEdge[q][1] # p
+          <5>1. SUFFICES ASSUME upEdge[q][1] = p PROVE FALSE
+            OBVIOUS
+          <5>2. upEdge[q] \in OutEdges(p)
+            BY <5>1, <4>14 DEF OutEdges
+          <5>3. sentUnacked[upEdge[q]] = 0
+            BY <2>case2, <5>2 DEF neutral
+          <5>. QED  BY <4>15, <5>3
+        <4>17. upEdge[q][1] \in (S \ {p})
+          BY <4>13, <4>16
+        <4>. QED  BY <4>12, <4>17
+      <3>. QED  BY <3>caseA, <3>caseB
+    <2>. QED  BY <2>case1, <2>case2
+  <1>. QED
+    BY <1>1, <1>2, <1>3, <1>4, <1>5, <1>6 DEF Next
+
+LEMMA NoCycleInductive == Spec => []NoCycle
+  <1>1. Init => NoCycle
+    BY NoCycleInit
+  <1>2. Inv2 /\ NoCycle /\ [Next]_vars => NoCycle'
+    BY NoCycleStep
+  <1>3. Spec => []Inv2
+    BY Inv2Inductive
+  <1>. QED
+    BY <1>1, <1>2, <1>3, PTL DEF Spec
+
+(***************************************************************************)
+(* Discharge of DT1FromInv2 using Inv2 and the acyclicity invariant.       *)
+(***************************************************************************)
+LEMMA DT1FromInv2 == Inv2 /\ NoCycle => DT1Inv
+  <1>. SUFFICES ASSUME Inv2, NoCycle PROVE DT1Inv
+    OBVIOUS
+  <1>. USE DEF Inv2, TypeOK, Counters, InTree, NotAnEdge
+  <1>. SUFFICES ASSUME neutral(Leader),
+                       NEW p0 \in Procs \ {Leader}
+                PROVE  neutral(p0)
+    BY DEF DT1Inv
+  <1>contra. ASSUME ~ neutral(p0) PROVE FALSE
+    <2>. DEFINE S == {q \in Procs \ {Leader} : ~ neutral(q)}
+    <2>3. p0 \in S
+      BY <1>contra DEF S
+    <2>4. S # {}
+      BY <2>3
+    <2>5. S \in SUBSET (Procs \ {Leader})
+      BY DEF S
+    <2>6. SUFFICES \A q \in S : InTree(q) /\ upEdge[q][1] \in S
+      BY <2>4, <2>5 DEF NoCycle
+    <2>7. SUFFICES ASSUME NEW q \in S
+                    PROVE  InTree(q) /\ upEdge[q][1] \in S
+      OBVIOUS
+    <2>8. q \in Procs \ {Leader} /\ ~ neutral(q)
+      BY DEF S
+    <2>9. InTree(q)
+      BY <2>8
+    <2>10. /\ upEdge[q] \in Edges
+           /\ upEdge[q][2] = q
+           /\ upEdge[q][1] \in Procs \ {q}
+           /\ rcvdUnacked[upEdge[q]] >= 1
+      BY <2>8, <2>9
+    <2>11. sentUnacked[upEdge[q]] >= 1
+      BY <2>10
+    <2>12. upEdge[q] \in OutEdges(upEdge[q][1])
+      BY <2>10 DEF OutEdges
+    <2>13. ~ neutral(upEdge[q][1])
+      BY <2>11, <2>12 DEF neutral
+    <2>14. upEdge[q][1] # Leader
+      BY <2>13
+    <2>15. upEdge[q][1] \in Procs \ {Leader}
+      BY <2>10, <2>14
+    <2>16. upEdge[q][1] \in S
+      BY <2>13, <2>15 DEF S
+    <2>. QED  BY <2>9, <2>16
+  <1>. QED  BY <1>contra
+
 THEOREM Thm_DT1Inv == Spec => []DT1Inv
-BY Inv2Inductive, DT1FromInv2, PTL
+  <1>1. Spec => []Inv2
+    BY Inv2Inductive
+  <1>2. Spec => []NoCycle
+    BY NoCycleInductive
+  <1>3. Inv2 /\ NoCycle => DT1Inv
+    BY DT1FromInv2
+  <1>. QED
+    BY <1>1, <1>2, <1>3, PTL
 
 -----------------------------------------------------------------------------
 (***************************************************************************)
