Rollback #
This module formalises rollback of an event on a configuration: a maximal sub-configuration omitting the chosen event. It shows the canonical rollback (removing the future of the event) is the unique rollback, proves redoability and causal safety, and—given a finite representation—correctness (the original configuration is reachable from the rollback) and minimality.
A rollback of event e on configuration c is a maximal configuration m
with m ⊆ c and e ∉ m.
Equations
- EventStructures.Rollback.isRollback es c e m = (↑m ⊆ ↑c ∧ e ∉ ↑m ∧ ∀ (m' : EventStructures.Conf es), ↑m' ⊆ ↑c → e ∉ ↑m' → ↑m ⊆ ↑m' → ↑m' ⊆ ↑m)
Instances For
The set of all rollbacks of event e on configuration c.
Equations
- EventStructures.Rollback.Rollbacks es c e = {m : EventStructures.Conf es | EventStructures.Rollback.isRollback es c e m}
Instances For
Candidate configurations for rollback.
Equations
- EventStructures.Rollback.RollbackCandidates es c e = {m : EventStructures.Conf es | ↑m ⊆ ↑c ∧ e ∉ ↑m}
Instances For
Removing the future of e from a configuration keeps it a configuration.
The canonical rollback configuration: remove all events causally after e.
Instances For
Redoability: e is enabled in rollback(c,e) when e ∈ c.
Causal safety: Rollback removes exactly the causal consequences of e.
The canonical rollback is a rollback for c and e.
Any rollback coincides with the canonical rollback.
Rollbacks are unique when they exist.
The rollback is the maximum element among rollback candidates.
Helper: An event in the future that is not yet in a partial configuration is enabled there, provided the partial configuration contains its strict past and is consistent.
Constructive: given a Finset representation cF of the underlying configuration c,
there is an executable list from the rollback configuration to c.
Uses decidable equality and decidable strict order on events.
Correctness: the original configuration c is reachable from rollback(c,e)
when c.1 admits a Finset representation.
Minimality of Rollback - Any path from a redo-candidate configuration c' to c is at
least as long as the number of events in c causally after e.