From 6e7093d49c00150e48ebc264fb1a29de2004aeed Mon Sep 17 00:00:00 2001
From: Ian Jackson
Date: Sat, 14 Jul 2012 02:43:34 +0100
Subject: [PATCH] strategy: move traversal proofs inline

article.tex  2 ++
travalg.tex  97 +++++++++++++++++++++++++++++++++++++++++++++++++
travproofs.tex  102 
3 files changed, 93 insertions(+), 108 deletions()
diff git a/article.tex b/article.tex
index 2b54eec..6bbe082 100644
 a/article.tex
+++ b/article.tex
@@ 159,6 +159,8 @@
\newcommand{\qed}{\square}
\newcommand{\proofstarts}{{\it Proof:}}
\newcommand{\proof}[1]{\proofstarts #1 $\qed$}
+\newcommand{\commitproof}[1]{{\it Proof of commit generation conditions:}
+ #1 $\qed$}
\newcommand{\statement}[2]{\[\eqn{ #1 }{ #2 }\]}
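Review bot: the new `\commitproof` macro duplicates the body of `\proof` on the line above, differing only in the label text, so the two can drift apart (for example if `\qed` or the italic styling is changed in one but not the other). Consider factoring the label into a shared helper, e.g. `\newcommand{\labelledproof}[2]{{\it #1:} #2 $\qed$}`, and defining `\proof` and `\commitproof` in terms of it. Minor: the line break inside the macro body introduces a space before `#1`, which is fine here but worth keeping deliberate.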
diff git a/travalg.tex b/travalg.tex
index e56a8a9..c9647ad 100644
 a/travalg.tex
+++ b/travalg.tex
@@ 4,8 +4,10 @@
commit $C$ using one of the commit kind recipies, we update
$W \assign C$. In any such case where we say we're going to Merge
with $L = W$, if $R \ge W$ we do not Merge but instead simply set
$W \assign R$.)
+$W \assign R$.
+For each commit generation operation called for by the traversal
+algorithms, we prove that the commit generation preconditions are met.)
For each patch $\pc \in \allpatches$ in topological order by $\hasdep$,
lowest first:
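Review bot: the closing parenthesis has been moved from "$W \assign R$." to the end of the added sentence "For each commit generation operation called for by the traversal algorithms, we prove that the commit generation preconditions are met.", so a general statement of proof obligations now sits inside the parenthetical remark that is only about the $W \assign C$ / $W \assign R$ convention. Keep the parenthesis closed after "$W \assign R$." and make the added sentence its own paragraph; it also needs to say where the proofs appear (the `\commitproof` blocks that follow each step), since the reader of travalg.tex no longer has a separate proofs section to turn to.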
@@ 44,6 +46,46 @@ such that:
\bigforall_{H \in \set H^{\pn}} \tipcn \ge H
}
+\subsection{Reachability and coverage}
+
+We ensure Tip Covers Reachable as follows:
+
+\begin{itemize}
+\item We do not generate any commits $\in \py$ other than
+ during $\alg{MergeTip}(\py)$;
+\item So at the start of $\alg{MergeTip}(\py)$,
+ $ \pendsof{\allreach}{\py} = \pendsof{\allsrcs}{\py} $
+\item $\alg{Mergetip}$ arranges that when it is done
+ $\tippy \ge \pendsof{\allreach}{\py}$  see below.
+\end{itemize}
+
+A corrolary is as follows:
+\statement{Tip Covers Superior Reachable} {
+ \bigforall_{\pd \isdep \pc}
+ \tipdy \ge \pendsof{\allreachof{\pcy}}{\pdy}
+}
+\proof{
+ No commits $\in \pdy$ are created other than during
+ $\alg{MergeTip}(\pd)$, which runs (and has thus completed)
+ before $\alg{MergeTip}(\pcy)$
+ So $\pendsof{\allreachof{\pcy}}{\pdy} =
+ \pendsof{\allreachof{\pdy}}{\pdy}$.
+}
+
+\subsection{Traversal Lemmas}
+
+\statement{Tip Correct Contents}{
+ \tipcy \haspatch \pa E
+ \equiv
+ \pa E = \pc \lor \pa E \isdep \pc
+}
+\proof{
+ For $\pc = \pa E$, Tip Own Contents suffices.
+ For $\pc \neq \pa E$, Exclusive Tip Contents
+ gives $D \isin \tipcy \equiv D \isin \baseof{\tipcy}$
+ which by Correct Base $\equiv D \isin \tipcn$.
+}
+
\subsection{$\alg{MergeBase}(\pc)$}
This algorithm attempts to construct a suitably updated version of the
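Review bot: "corrolary" in "A corrolary is as follows:" should be "corollary", and `$\alg{Mergetip}$` in the third itemize entry should be `$\alg{MergeTip}$` to match every other use. In the same block the proof of Tip Covers Superior Reachable lacks a full stop after "before $\alg{MergeTip}(\pcy)$", it names the same algorithm with two argument conventions (`\alg{MergeTip}(\pd)` versus `\alg{MergeTip}(\pcy)`), and the third item needs a separator before "see below" (the text was moved verbatim from travproofs.tex, so the chance to tidy it while relocating it has been missed).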
@@ 63,6 +105,10 @@ to generate a perfect answer, whereas this algorithm might involve
merges and therefore might not produce a perfect answer if the
situation is complicated.
+For \alg{MergeBase} we do not prove that the preconditions are met.
+Instead, we check them at runtime. If they turn out not to be met, we
+abandon \alg{MergeBase} and resort to \alg{RecreateBase}.
+
Initially, set $W \iassign W^{\pcn}$.
\subsubsection{Bases and sources}
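Review bot: the added paragraph uses `\alg{MergeBase}` and `\alg{RecreateBase}` in text mode three times, whereas everywhere else in this file `\alg{...}` appears inside `$...$`; check that `\alg` is defined to work outside math mode, otherwise wrap these in `$`. It would also help to state which preconditions are checked at runtime (presumably the Merge preconditions of the two merge steps below), since "them" currently has no antecedent in this paragraph.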
@@ 74,7 +120,6 @@ In some order, perhaps interleaving the two kinds of merge:
\item For each $\hasdep$maximal $\pd \isdirdep \pc$, find a merge base
$M \le W,\; \le \tipdy$ and merge $\tipdy$ into $W$.
That is, use $\alg{Merge}$ with $L = W,\; R = \tipdy$.
(Base Dependency Merge.)
\item For each $S \in S^{\pcn}_i$, merge it into $W$.
That is, use $\alg{Merge}$ with $L = W,\; R = S,\; M = M^{\pcn}_i$.
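Review bot: the hunk header goes from 7 lines to 6, so one line of this block is deleted; if that is the "(Base Dependency Merge.)" label, note that this step name is the one the travproofs.tex subsection "Base Dependency Merge, Base Sibling Merge" refers to, so confirm nothing else in the document still cites the step by that name before dropping it, or keep the label as the other steps in this file do.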
@@ 103,7 +148,17 @@ Choose a $\hasdep$maximal direct dependency $\pd$ of $\pc$.
\item
Use $\alg{Create Base}$ with $L$ = $\tipdy,\; \pq = \pc$ to generate $C$
and set $W \iassign C$. (Recreate Base Beginning.)
+and set $W \iassign C$.
+
+ \commitproof{
+ Create Acyclic: by Tip Correct Contents of $L$,
+ $L \haspatch \pa E \equiv \pa E = \pd \lor \pa E \isdep \pd$.
+ Now $\pd \isdirdep \pc$,
+ so by Coherence, and setting $\pa E = \pc$,
+ $L \nothaspatch \pc$. I.e. $L \nothaspatch \pq$. OK.
+
+ That's everything for Create Base.
+ }
\item
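Review bot: the Create Acyclic argument leans on "by Coherence" without saying what Coherence contributes, and the "(Recreate Base Beginning.)" label is dropped from the step. What the proof needs is: Tip Correct Contents gives $L \haspatch \pc \equiv \pc = \pd \lor \pc \isdep \pd$, and both disjuncts are excluded because $\pd \isdirdep \pc$ and $\isdep$ is acyclic; if Coherence is the name of that acyclicity property, say so in one clause, otherwise spell the two cases out.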
@@ 114,7 +169,16 @@ Execute the subalgorithm $\alg{RecreateRecurse}(\pc)$.
Declare that we contain all of the relevant information from the
sources. That is, use $\alg{PseudoMerge}$ with $L = W, \;
\set R = \{ W \} \cup \set S^{\pcn}$.
(Recreate Base Final Declaration.)
+
+ \commitproof{
+ Base Only: $\patchof{W} = \patchof{L} = \pn$. OK.
+
+ Unique Tips:
+ Want to prove that for any $\p \isin C$, $\tipdy$ is a suitable $T$.
+ WIP TODO
+
+ WIP TODO INCOMPLETE
+ }
\end{enumerate}
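Review bot: the `\commitproof` for the Final Declaration ends with "WIP TODO" and "WIP TODO INCOMPLETE" yet the macro still typesets a `$\qed$` after it, so the rendered document shows an incomplete Unique Tips argument closed with a proof box. Until the argument is written, either leave the Unique Tips part outside `\commitproof` (a plain `TODO` paragraph, as travproofs.tex had) or add a variant of the macro without the `\qed`; the "Want to prove that for any $\p \isin C$, $\tipdy$ is a suitable $T$." line also needs the quantifier on $\pd$ stated, since $\tipdy$ depends on which $\pd$ is meant.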
@@ 146,10 +210,31 @@ $L = W, \; R = \tipdy, \; M = \baseof{R} = \tipdn$.
\item TODO CHOOSE/REFINE W AND S as was done during Ranking for bases
\item $\alg{Merge}$ from $\tipcn$. That is, $L = W, \;
R = \tipcn$ and choose any suitable $M$. (Tip Base Merge.)
+R = \tipcn$ and choose any suitable $M$.
+
+ \commitproof{
+ $L = W$, $R = \tipcn$.
+ TODO TBD
+
+ Afterwards, $\baseof{W} = \tipcn$.
+ }
\item For each source $S \in \set S^{\pcy}$,
$\alg{Merge}$ with $L = W, \; R = S$ and any suitable $M$.
(Tip Source Merge.)
+
+ \commitproof{
+ In fact, we do this backwards: $L = S$, $R = W$.
+ Since $S \in \pcy$,
+ the resulting $C \in \pcy$ and the remaining properties of the Merge
+ commit construction are symmetrical in $L$ and $R$ so this is fine.
+
+ By the results of Tip Base Merge, $\baseof{W} = \tipcn$.
+
+ By Base Ends Supreme, $\tipcn \ge \baseof{S}$ i.e.
+ $\baseof{R} \ge \baseof{L}$.
+
+ Either $\baseof{L} = \baseof{M}$, or we must choose a different $M$ in
+ which case $M = \baseof{S}$ will suffice.
+ }
\end{enumerate}
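Review bot: the Tip Source Merge step still says "$\alg{Merge}$ with $L = W, \; R = S$" while its `\commitproof` opens with "In fact, we do this backwards: $L = S$, $R = W$", so the algorithm text and the proof disagree on the roles; update the step to state $L = S,\; R = W$ (with the note that $C \in \pcy$ follows from $S \in \pcy$) rather than leaving the reversal only in the proof. The Tip Base Merge `\commitproof` above it has the same problem as the Final Declaration one: "TODO TBD" followed by a typeset `$\qed$`, and its closing claim $\baseof{W} = \tipcn$ is what the Tip Source Merge proof relies on, so that gap is load-bearing.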
diff git a/travproofs.tex b/travproofs.tex
index 421bb61..e69de29 100644
 a/travproofs.tex
+++ b/travproofs.tex
@@ 1,102 +0,0 @@
\section{Traversal phase  proofs}

For each operation called for by the traversal algorithms, we prove
that the commit generation preconditions are met.

\subsection{Reachability and coverage}

We ensure Tip Covers Reachable as follows:

\begin{itemize}
\item We do not generate any commits $\in \py$ other than
 during $\alg{MergeTip}(\py)$;
\item So at the start of $\alg{MergeTip}(\py)$,
 $ \pendsof{\allreach}{\py} = \pendsof{\allsrcs}{\py} $
\item $\alg{Mergetip}$ arranges that when it is done
 $\tippy \ge \pendsof{\allreach}{\py}$  see below.
\end{itemize}

A corrolary is as follows:
\statement{Tip Covers Superior Reachable} {
 \bigforall_{\pd \isdep \pc}
 \tipdy \ge \pendsof{\allreachof{\pcy}}{\pdy}
}
\proof{
 No commits $\in \pdy$ are created other than during
 $\alg{MergeTip}(\pd)$, which runs (and has thus completed)
 before $\alg{MergeTip}(\pcy)$
 So $\pendsof{\allreachof{\pcy}}{\pdy} =
 \pendsof{\allreachof{\pdy}}{\pdy}$.
}

\subsection{Traversal Lemmas}

\statement{Tip Correct Contents}{
 \tipcy \haspatch \pa E
 \equiv
 \pa E = \pc \lor \pa E \isdep \pc
}
\proof{
 For $\pc = \pa E$, Tip Own Contents suffices.
 For $\pc \neq \pa E$, Exclusive Tip Contents
 gives $D \isin \tipcy \equiv D \isin \baseof{\tipcy}$
 which by Correct Base $\equiv D \isin \tipcn$.
}

\subsection{Base Dependency Merge, Base Sibling Merge}

We do not prove that the preconditions are met. Instead, we check
them at runtime. If they turn out not to be met, we abandon
\alg{MergeBase} and resort to \alg{RecreateBase}.

TODO COMPLETE MERGEBASE STUFF

WIP WHAT ABOUT PROVING ALL THE TRAVERSAL RESULTS

\subsection{Recreate Base Beginning}

To recap we are executing Create Base with
$L = \tipdy$ and $\pq = \pc$.

\subsubsection{Create Acyclic}

By Tip Correct Contents of $L$,
$L \haspatch \pa E \equiv \pa E = \pd \lor \pa E \isdep \pd$.
Now $\pd \isdirdep \pc$,
so by Coherence, and setting $\pa E = \pc$,
$L \nothaspatch \pc$. I.e. $L \nothaspatch \pq$. OK.

That's everything for Create Base. $\qed$

\subsection{Recreate Base Final Declaration}

\subsubsection{Base Only} $\patchof{W} = \patchof{L} = \pn$. OK.

\subsubsection{Unique Tips}

Want to prove that for any $\p \isin C$, $\tipdy$ is a suitable $T$.

WIP

\subsection{Tip Base Merge}

$L = W$, $R = \tipcn$.

TODO TBD

Afterwards, $\baseof{W} = \tipcn$.

\subsection{Tip Source Merge}

In fact, we do this backwards: $L = S$, $R = W$. Since $S \in \pcy$,
the resulting $C \in \pcy$ and the remaining properties of the Merge
commit construction are symmetrical in $L$ and $R$ so this is fine.

By the results of Tip Base Merge, $\baseof{W} = \tipcn$.

By Base Ends Supreme, $\tipcn \ge \baseof{S}$ i.e.
$\baseof{R} \ge \baseof{L}$.

Either $\baseof{L} = \baseof{M}$, or we must choose a different $M$ in
which case $M = \baseof{S}$ will suffice.


2.1.4