Distributed Data Structures in Coq

Distributed Data Structures in Coq

RICON East 2013 lightning talk.


Christopher Meiklejohn

May 13, 2013

Transcript

  1. DISTRIBUTED DATA STRUCTURES IN COQ Christopher Meiklejohn @cmeik Tuesday, May 14, 13
  2. Tuesday, May 14, 13

  3. COQ Tuesday, May 14, 13

  4. CRDTs Tuesday, May 14, 13

  5. G-COUNTERS Tuesday, May 14, 13

  6. Vector Clocks Credit: http://en.wikipedia.org/wiki/File:Vector_Clock.svg Tuesday, May 14, 13

  7. CLOCKS Tuesday, May 14, 13

  8. IMPLEMENTATION Tuesday, May 14, 13

  9.

    (* Per-actor clock store: a finite map from nat actor ids to values. FMapWeakList
       only needs decidable equality on keys; Nat_as_Legacy_OT supplies the key module. *)
    Module ClockMap := FMapWeakList.Make (Nat_as_Legacy_OT).
    (* Lemma library about ClockMap (find/add/map2 interaction, e.g. map2_1bis,
       add_eq_o, add_neq_o) that the G_Counter proofs below rewrite with. *)
    Module ClockMapFacts := FMapFacts.Facts (ClockMap).
  10.

    (* Join of two optional clock values. An absent entry is the identity; two present
       entries combine with max. Because the larger value always wins, a merge takes
       whatever value the other side reports for an actor at face value. *)
    Definition Clock_merge (n1 n2 : option nat) :=
      match n1, n2 with
      | Some a, Some b => Some (max a b)
      | Some a, None => Some a
      | None, Some b => Some b
      | None, None => None
      end.

    (* Pointwise "n1 <= n2" on optional clocks, as an option bool: None when both are
       absent, false when only n1 is present, true when only n2 is present, and the
       boolean leb on the two values otherwise. *)
    Definition Clock_compare (n1 n2 : option nat) :=
      match n1, n2 with
      | Some a, Some b => Some (leb a b)
      | Some _, None => Some false
      | None, Some _ => Some true
      | None, None => None
      end.
  11. PROOFS Tuesday, May 14, 13

  12.

    (* Merge is commutative. Case split on both options: the cases with a None close by
       auto, and the Some/Some case reduces to commutativity of max. *)
    Lemma Clock_merge_comm : forall n1 n2,
      Clock_merge n1 n2 = Clock_merge n2 n1.
    Proof.
      intros. destruct n1; destruct n2; auto.
      simpl. f_equal. apply Max.max_comm.
    Qed.
  13.

    (* Merging a clock value with itself changes nothing; the Some case is idempotence
       of max. This is what lets a replica re-apply a duplicated state without drift. *)
    Lemma Clock_merge_idempotent : forall n1,
      Clock_merge n1 n1 = n1.
    Proof.
      intros. destruct n1; auto; simpl.
      f_equal. apply Max.max_idempotent.
    Qed.
  14.

    (* Merge is associative, so the grouping in which states arrive does not matter.
       All eight option cases are split; the fully-present one is associativity of max. *)
    Lemma Clock_merge_assoc : forall n1 n2 n3,
      Clock_merge n1 (Clock_merge n2 n3) = Clock_merge (Clock_merge n1 n2) n3.
    Proof.
      intros. destruct n1; destruct n2; destruct n3; auto.
      unfold Clock_merge. f_equal. apply Max.max_assoc.
    Qed.
  15. G-COUNTERS Tuesday, May 14, 13

  16. IMPLEMENTATION Tuesday, May 14, 13

  17.

    (* A G-Counter is one nat clock per actor id, stored in a ClockMap. *)
    Definition G_Counter := ClockMap.t nat.
    (* The initial counter has no actor entries at all. *)
    Definition G_Counter_init : G_Counter := ClockMap.empty nat.
  18.

    (* Increment [actor]'s slot: an absent slot becomes 1, a present one goes up by one.
       [actor] is an ordinary argument; nothing in this definition restricts which
       actor id a caller may increment, so any such check has to happen at the call site. *)
    Definition G_Counter_incr actor clocks :=
      match ClockMap.find actor clocks with
      | Some n => ClockMap.add actor (S n) clocks
      | None => ClockMap.add actor 1 clocks
      end.
  19.

    (* Observed value of the counter: the sum of every actor's slot, starting from 0
       (so an empty counter reveals 0). The key is ignored during the fold. *)
    Definition G_Counter_reveal clocks :=
      ClockMap.fold (fun _ n acc => acc + n) clocks 0.
  20.

    (* Slot-wise join of two counters via Clock_merge: the key set is the union of both
       maps and each shared key keeps the larger value. *)
    Definition G_Counter_merge (c1 c2 : G_Counter) : G_Counter :=
      ClockMap.map2 Clock_merge c1 c2.
  21.

    (* Two counters are equal when ClockMap.find agrees on every key (FMap's Equal). *)
    Definition G_Counter_equal (c1 c2 : G_Counter) := ClockMap.Equal c1 c2.
  22.

    (* Pointwise c1 <= c2: compare every slot with Clock_compare and require the result
       to coincide with map2 of Clock_true over the same pair of maps. Clock_true is not
       shown in this transcript — presumably it yields Some true for every present slot;
       confirm against the repository before relying on that reading. *)
    Definition G_Counter_compare (c1 c2 : G_Counter) :=
      ClockMap.Equal (ClockMap.map2 Clock_compare c1 c2) (ClockMap.map2 Clock_true c1 c2).
  23. PROOFS Tuesday, May 14, 13

  24.

    (* Counter merge is commutative. After unfolding to a per-key statement, map2_1bis
       reduces each side to Clock_merge on the two finds, then Clock_merge_comm applies. *)
    Theorem G_Counter_merge_comm : forall c1 c2,
      G_Counter_equal (G_Counter_merge c1 c2) (G_Counter_merge c2 c1).
    Proof.
      intros; unfold G_Counter_merge.
      unfold ClockMap.Equal; intro.
      repeat rewrite ClockMapFacts.map2_1bis; auto.
      apply Clock_merge_comm.
    Qed.
  25.

    (* Merging a counter with itself is the identity, key by key via Clock_merge_idempotent.
       Together with comm and assoc this is the lattice property behind convergence under
       duplicated delivery. *)
    Theorem G_Counter_merge_idempotent : forall clocks,
      G_Counter_equal (G_Counter_merge clocks clocks) clocks.
    Proof.
      intros; unfold G_Counter_merge.
      unfold ClockMap.Equal; intro.
      repeat rewrite ClockMapFacts.map2_1bis; auto.
      apply Clock_merge_idempotent.
    Qed.
  26.

    (* Counter merge is associative; per key the goal becomes a nesting of Clock_merge,
       which Clock_merge_assoc rewrites into the same shape on both sides. *)
    Theorem G_Counter_merge_assoc : forall c1 c2 c3,
      G_Counter_equal (G_Counter_merge c1 (G_Counter_merge c2 c3))
                      (G_Counter_merge (G_Counter_merge c1 c2) c3).
    Proof.
      intros; unfold G_Counter_merge.
      unfold ClockMap.Equal; intro.
      repeat rewrite ClockMapFacts.map2_1bis; auto.
      repeat rewrite <- Clock_merge_assoc; reflexivity.
    Qed.
  27.

    (* Incrementing never moves a counter backwards: clocks <= G_Counter_incr actor clocks.
       The proof splits on whether the key under inspection (y) is the incremented actor:
       if so, the new slot is S n or 1 and leb on it holds; otherwise add_neq_o shows the
       slot is untouched and Clock_compare_refl closes it. Clock_true and Clock_compare_refl
       are not shown in this transcript. *)
    Theorem G_Counter_incr_mono : forall clocks actor,
      G_Counter_compare clocks (G_Counter_incr actor clocks).
    Proof.
      intros; unfold G_Counter_compare; unfold ClockMap.Equal; intro.
      repeat rewrite ClockMapFacts.map2_1bis; auto.
      elim (eq_nat_dec actor y); intro.
      (* y is the incremented actor *)
      subst. unfold Clock_compare, Clock_true. unfold G_Counter_incr. simpl.
      destruct (ClockMap.find y clocks).
      rewrite ClockMapFacts.add_eq_o. f_equal. induction n; auto. reflexivity.
      reflexivity.
      (* y is some other actor: its slot is unchanged by the add *)
      unfold G_Counter_incr. destruct (ClockMap.find actor clocks) eqn:factor.
      rewrite ClockMapFacts.add_neq_o; auto. apply Clock_compare_refl.
      rewrite ClockMapFacts.add_neq_o; auto. apply Clock_compare_refl.
    Qed.
  28.

    (* Merging only ever grows a counter: c1 <= G_Counter_merge c1 c2 slot by slot.
       Note what this does not say: there is no upper bound on how far c2 can move the
       result, since Clock_merge takes the max of the two values. Which replicas are
       allowed to contribute a state is therefore outside what these proofs cover.
       leb_max_mono and Clock_true are not shown in this transcript. *)
    Theorem G_Counter_merge_mono : forall c1 c2,
      G_Counter_compare c1 (G_Counter_merge c1 c2).
    Proof.
      intros; unfold G_Counter_compare.
      unfold ClockMap.Equal; intro.
      unfold Clock_compare, Clock_true, G_Counter_merge.
      repeat rewrite ClockMapFacts.map2_1bis; auto.
      destruct (ClockMap.find y c1); destruct (ClockMap.find y c2); simpl; f_equal.
      apply leb_max_mono.
      rewrite leb_correct; auto.
    Qed.
  29. NEXT STEPS Tuesday, May 14, 13

  30. PN-COUNTERS Tuesday, May 14, 13

  31. MORE DATA STRUCTURES Tuesday, May 14, 13

  32. GITHUB.COM CMEIKLEJOHN/DISTRIBUTED-DATA-STRUCTURES Tuesday, May 14, 13

  33. QED Tuesday, May 14, 13