
That the basic algorithm provides means for ensuring liveness is easy to see, since new rounds of any type can always be started and a classic round has the same liveness requirements as Classic Paxos. The discussion in Section 3.4.7 extends Multicoordinated Paxos in this sense and sketches its liveness conditions. We now prove that the extended Multicoordinated Paxos algorithm presented in Section 3.4.7 satisfies the Liveness property of Generalized Consensus, given that its liveness condition is eventually satisfied. We refer to the algorithm as EMCP.

Proposition 12 If there is a proposer p, a coordinator c, a learner l, a quorum of acceptors Q, and a non-empty set of coordinators C such that the liveness condition MCLiv(p, l, c, Q, C) holds at some time $t_0$ and then forever, then l eventually learns a c-struct containing the command v proposed by p.

PROOF: The proof is divided into the following steps:

1. No coordinator other than c executes action Phase1a after $t_0$

By the definition of MCLiv(p, l, c, Q, C), only c believes itself to be leader after instant $t_0$. Since this is a pre-condition for executing action Phase1a in the extended algorithm, only c does so.

2. There is a time $t_1 \geq t_0$ after which crnd[c] does not change

PROOF SKETCH: The proof is divided in two steps. First we prove that only a finite number of rounds may be started by coordinated recovery and then that the same holds true for rounds started in action Phase1a.

2.1. There is a time $t_1' \geq t_0$ after which no coordinated recovery is performed

PROOF: Let i − 1 be the highest-numbered round in which some message was sent before $t_0$. If the coordinators of i − 1 perceive a conflict in i − 1 then they may perform coordinated recovery to start round i by sending “2a” messages with different c-structs and, hence, another conflict might happen in round i. Due to MCLiv(p, l, c, Q, C), after $t_0$ all functional coordinators receive all messages in the same order in i and, by the determinism of the protocol, they perceive the same conflicts in i and choose the same c-struct to send in the “2a” message of round i + 1, if performing another coordinated recovery. Therefore, no conflict happens in round i + 1 or in any bigger round and no more coordinated recoveries are executed. Hence, there is a time $t_1' \geq t_0$ after round i + 1 started after which no coordinated recoveries are performed.

2.2. There is a time $t_1'' \geq t_1'$ after which action Phase1a is not executed anymore

PROOF: By step 2.1, coordinated recovery will not be executed after time $t_1'$ and by MCLiv(p, l, c, Q, C), uncoordinated recovery can only be executed a limited number of times. Hence, there is a time $t_1''' \geq t_1'$ after which no recovery is performed.

Due to step 1 there is a finite number of rounds that have been started before $t_0$ by coordinators different from c and by the previous paragraph there is a time after which no coordinated or uncoordinated recovery is performed and, therefore, there is a time $t_1'''' \geq t_1'''$ after which c will receive no more “skip” messages informing about rounds bigger than its current one. Hence, c will not start any bigger round unless it suspects that there are no coord-quorums for round crnd[c] whose coordinators are all alive. By MCLiv(p, l, c, Q, C), after $t_0$, c will only start rounds whose coordinators do not fail. Hence, there is a time $t_1''''' \geq t_1''''$ after which c does not start any round due to suspecting that coord-quorums are not available for its current round.

If $t_1''$ is bigger than or equal to $t_1'''''$, then Phase1a is not executed after $t_1''$.

2.3. ASSUME: 1. There is a time $t_1' \geq t_0$ after which no coordinated recovery is performed.

2. There is a time $t_1'' \geq t_1'$ after which action Phase1a is not executed anymore

PROVE: There is a time $t_1 \geq t_1''$ after which action Phase2Start(c, i) is executed, where i is the highest-numbered round for which c executed action Phase1a

PROOF: By the definition of the extended algorithm, c keeps retransmitting the “1a” message for round i to all acceptors. By assumption, acceptors in Q do not crash after $t_0$ and, therefore, receive such “1a” messages. After they execute action Phase1b for round i, they keep re-sending their “1b” messages and c will eventually execute Phase2Start.

2.4. Q.E.D.

PROOF: crnd[c] can only be changed by executing action Phase2Start or by performing coordinated or uncoordinated recovery, and Phase2Start can only be executed for a round after Phase1a has been executed for the same round. By steps 2.1 and 2.2 there is a time $t_0''$ after which no recovery or Phase1a action is executed. By step 2.3, c eventually executes action Phase2Start for the highest-numbered round for which it has executed action Phase1a at some instant $t_1 \geq t_1''$.

3. There is a time $t_2 \geq t_1$ after which action Phase2Start(d, crnd[c]) will have been executed by every coordinator d of round crnd[c].

PROOF: By the same reasoning of step 2.

4. There is a time $t_3 \geq t_2$ after which the command $v \in \sqcap \{cval[d] : d \text{ is a coordinator of round } crnd[c]\}$.

PROOF: By steps 2 and 3, there is a time $t_3'$ after which all coordinators of round crnd[c] can execute action Phase2aClassic. By assumption, all conflicting proposals received in crnd[c] are received in the same order and, therefore, added to cval[d] in the same order by every acceptor d. Hence, these c-structs are compatible.

By the protocol specification, proposer p retransmits v and all coordinators of round crnd[c] eventually receive it. Therefore, there is a time $t_3 \geq t_3'$ after which v is part of cval[d] of any coordinator d of round crnd[c]. Since they are all compatible, by CS4, v is contained in their greatest lower bound.

5. There is a time $t_4 \geq t_3$ after which $v \in \sqcap \{vval[a] : a \in Q\}$ and vrnd[a] = crnd[c], a ∈ Q.

PROOF: By step 2, no new rounds are created after some time $t_1 \geq t_0$. Hence, no acceptor can accept any value in a round bigger than crnd[c] after $t_1$. By step 4, all c-structs sent to acceptors in “2a” messages are compatible and because coordinators keep retransmitting their “2a” messages, all acceptors in Q eventually receive one containing v from every acceptor in some coord-quorum for round crnd[c]. Hence, by the definition of the algorithm, every acceptor a eventually accepts some c-struct containing v that is compatible with the c-structs accepted by the other acceptors. Hence, there is a time $t_4 \geq t_3$ after which $v \in \sqcap \{vval[a] : a \in Q\}$ and vrnd[a] = crnd[c], a ∈ Q.

6. Eventually l learns a c-struct containing v

PROOF: By steps 5 and 2 and the specification of EMCP, learners eventually receive compatible c-structs from all acceptors in Q in round crnd[c] containing v. Hence, l eventually learns a c-struct containing v.
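The argument of step 4 can be checked on a small model. This is an added example, not code from the original text: it assumes c-structs are command sequences ordered by prefix with every pair of commands conflicting (one instance of a c-struct set), and the function names and delivery logs are constructed for illustration.

```python
from functools import reduce

def is_prefix(a, b):
    """True if command sequence a is a prefix of b (a is a lower bound of b)."""
    return len(a) <= len(b) and b[:len(a)] == a

def compatible(a, b):
    """Sequences have a common upper bound iff one is a prefix of the other."""
    return is_prefix(a, b) or is_prefix(b, a)

def glb(a, b):
    """Greatest lower bound of two sequences: their longest common prefix."""
    out = []
    for x, y in zip(a, b):
        if x != y:
            break
        out.append(x)
    return out

def coordinator_cval(deliveries):
    """cval[d] after appending proposals in delivery order.

    Retransmitted commands already in cval[d] are ignored.
    """
    cval = []
    for cmd in deliveries:
        if cmd not in cval:
            cval.append(cmd)
    return cval

def step4(delivery_by_coordinator, v):
    """Return (cvals pairwise compatible, v contained in the glb of all cvals)."""
    cvals = [coordinator_cval(d) for d in delivery_by_coordinator.values()]
    all_compatible = all(compatible(a, b) for a in cvals for b in cvals)
    return all_compatible, v in reduce(glb, cvals)

# Constructed logs. Same delivery order at every coordinator, different
# progress, and one retransmission of v at d2: the case MCLiv guarantees.
SAME_ORDER = {
    "d1": ["a", "v", "b"],
    "d2": ["a", "v", "v"],
    "d3": ["a", "v", "b", "c"],
}
# Constructed logs. Conflicting commands delivered in different orders:
# the case the liveness condition rules out.
DIFFERENT_ORDER = {
    "d1": ["a", "v"],
    "d2": ["v", "a"],
}

if __name__ == "__main__":
    print("same order:     ", step4(SAME_ORDER, "v"))
    print("different order:", step4(DIFFERENT_ORDER, "v"))
```

With differing delivery orders both coordinators hold v, yet their c-structs are incompatible and the greatest lower bound is empty, which is why the proof needs the same-order assumption and not just eventual delivery of v.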
