New system state resulting from a
(store-next val cert systate) → new-systate
The
The certificate is added to the DAG and removed from the buffer.
Furthermore, if the validator has previously endorsed that certificate, the author-round pair is removed from the set of pairs, because the certificate is now in the DAG. The set deletion has no effect if the set does not have the pair, so we remove the element unconditionally.
In addition, if the certificate's round number is
greater than the current round number plus one,
the current round number is fast-forwarded to
the certificate's round number minus one.
The idea is that, if there are certificates,
such as the one being stored in the DAG,
which must necessarily come from another validator,
which are two or more rounds ahead of the validator
that is storing the certificate into the DAG,
it indicates that this validator is behind.
Note that, as required in store-possiblep,
the DAG must contain all the previous certificates,
which must form a quorum;
thus, if the validator's round is advanced to the certificate's round,
the validator can immediately generate its own new certificate
for that round in our model (or a proposal in a more detailed model).
This aspect of the protocol needs further study,
along with the logic for
round advancement in
If we advance the round, we also reset the timer, by setting it to `running'. Although the timer also needs further study, its purpose appears to be that a validator does not spend excessive time in a round, regardless of certificates received. In that case, it seems appropriate to reset the timer every time the round is advanced.
The network is unaffected.
Function:
(defun store-next (val cert systate) (declare (xargs :guard (and (addressp val) (certificatep cert) (system-statep systate)))) (declare (xargs :guard (store-possiblep val cert systate))) (let ((__function__ 'store-next)) (declare (ignorable __function__)) (b* (((certificate cert) cert) ((validator-state vstate) (get-validator-state val systate)) (new-dag (insert (certificate-fix cert) vstate.dag)) (new-buffer (delete (certificate-fix cert) vstate.buffer)) (new-endorsed (delete (make-address+pos :address cert.author :pos cert.round) vstate.endorsed)) ((mv new-round new-timer) (if (> cert.round (1+ vstate.round)) (mv (1- cert.round) (timer-running)) (mv vstate.round vstate.timer))) (new-vstate (change-validator-state vstate :round new-round :dag new-dag :buffer new-buffer :endorsed new-endorsed :timer new-timer)) (systate (update-validator-state val new-vstate systate))) systate)))
Theorem:
(defthm system-statep-of-store-next (b* ((new-systate (store-next val cert systate))) (system-statep new-systate)) :rule-classes :rewrite)
Theorem:
(defthm correct-addresses-of-store-next (implies (store-possiblep val cert systate) (b* ((?new-systate (store-next val cert systate))) (equal (correct-addresses new-systate) (correct-addresses systate)))))
Theorem:
(defthm validator-state->round-of-store-next (implies (store-possiblep val cert systate) (b* ((?new-systate (store-next val cert systate))) (equal (validator-state->round (get-validator-state val1 new-systate)) (if (and (equal (address-fix val1) (address-fix val)) (> (certificate->round cert) (1+ (validator-state->round (get-validator-state val systate))))) (1- (certificate->round cert)) (validator-state->round (get-validator-state val1 systate)))))))
Theorem:
(defthm validator-state->dag-of-store-next (implies (and (in val1 (correct-addresses systate)) (store-possiblep val cert systate)) (b* ((?new-systate (store-next val cert systate))) (equal (validator-state->dag (get-validator-state val1 new-systate)) (if (equal val1 (address-fix val)) (insert (certificate-fix cert) (validator-state->dag (get-validator-state val1 systate))) (validator-state->dag (get-validator-state val1 systate)))))))
Theorem:
(defthm validator-state->buffer-of-store-next (implies (and (in val1 (correct-addresses systate)) (store-possiblep val cert systate)) (b* ((?new-systate (store-next val cert systate))) (equal (validator-state->buffer (get-validator-state val1 new-systate)) (if (equal val1 (address-fix val)) (delete (certificate-fix cert) (validator-state->buffer (get-validator-state val1 systate))) (validator-state->buffer (get-validator-state val1 systate)))))))
Theorem:
(defthm validator-state->endorsed-of-store-next (implies (store-possiblep val cert systate) (b* ((?new-systate (store-next val cert systate))) (equal (validator-state->endorsed (get-validator-state val1 new-systate)) (if (equal (address-fix val1) (address-fix val)) (delete (make-address+pos :address (certificate->author cert) :pos (certificate->round cert)) (validator-state->endorsed (get-validator-state val systate))) (validator-state->endorsed (get-validator-state val1 systate)))))))
Theorem:
(defthm validator-state->last-of-store-next (implies (store-possiblep val cert systate) (b* ((?new-systate (store-next val cert systate))) (equal (validator-state->last (get-validator-state val1 new-systate)) (validator-state->last (get-validator-state val1 systate))))))
Theorem:
(defthm validator-state->blockchain-of-store-next (implies (store-possiblep val cert systate) (b* ((?new-systate (store-next val cert systate))) (equal (validator-state->blockchain (get-validator-state val1 new-systate)) (validator-state->blockchain (get-validator-state val1 systate))))))
Theorem:
(defthm validator-state->committed-of-store-next (implies (store-possiblep val cert systate) (b* ((?new-systate (store-next val cert systate))) (equal (validator-state->committed (get-validator-state val1 new-systate)) (validator-state->committed (get-validator-state val1 systate))))))
Theorem:
(defthm validator-state->timer-of-store-next (implies (store-possiblep val cert systate) (b* ((?new-systate (store-next val cert systate))) (equal (validator-state->timer (get-validator-state val1 new-systate)) (if (and (equal (address-fix val1) (address-fix val)) (> (certificate->round cert) (1+ (validator-state->round (get-validator-state val systate))))) (timer-running) (validator-state->timer (get-validator-state val1 systate)))))))
Theorem:
(defthm get-network-state-of-store-next (b* nil (equal (get-network-state (store-next val cert systate)) (get-network-state systate))))
Theorem:
(defthm store-next-of-address-fix-val (equal (store-next (address-fix val) cert systate) (store-next val cert systate)))
Theorem:
(defthm store-next-address-equiv-congruence-on-val (implies (address-equiv val val-equiv) (equal (store-next val cert systate) (store-next val-equiv cert systate))) :rule-classes :congruence)
Theorem:
(defthm store-next-of-certificate-fix-cert (equal (store-next val (certificate-fix cert) systate) (store-next val cert systate)))
Theorem:
(defthm store-next-certificate-equiv-congruence-on-cert (implies (certificate-equiv cert cert-equiv) (equal (store-next val cert systate) (store-next val cert-equiv systate))) :rule-classes :congruence)
Theorem:
(defthm store-next-of-system-state-fix-systate (equal (store-next val cert (system-state-fix systate)) (store-next val cert systate)))
Theorem:
(defthm store-next-system-state-equiv-congruence-on-systate (implies (system-state-equiv systate systate-equiv) (equal (store-next val cert systate) (store-next val cert systate-equiv))) :rule-classes :congruence)