Skip to content

formal: relax the pending set to cover over-warning; intra-round compaction lemmas#779

Merged
frankmcsherry merged 2 commits into
TimelyDataflow:master-nextfrom
frankmcsherry:reduce-model-refinements
Jul 2, 2026
Merged

formal: relax the pending set to cover over-warning; intra-round compaction lemmas#779
frankmcsherry merged 2 commits into
TimelyDataflow:master-nextfrom
frankmcsherry:reduce-model-refinements

Conversation

@frankmcsherry

Copy link
Copy Markdown
Member

Two generalizations of the model in formal/Differential/Model.lean, following up on #777. Both bring the model closer to what reduce.rs actually does; neither changes the goal theorems, which remain proven with no sorry and only the three standard axioms.

Relaxed pending set. Step's exact pending_eq becomes three fields: the new pending set must contain the deferred and carried times (pending_super), stay beyond the frontier (pending_confined), and be finite (pending_finite). The implementation warns about more times than the truncated closure defers — joins with already-finalized times it keeps around "to scare future times", and synthetic times from cancelled batch updates — and over-warning is harmless: a warned time that owes nothing evaluates to an empty correction when it comes due. The invariant proof only ever used one inclusion or the other, never exactness, so the change is mechanical; Step.of_pending_eq recovers the exact choice (TARGETS2.md step 4 as originally written) and the sanity scenarios use it. TARGETS2.md gets a dated amendment note.

Intra-round compaction is invisible. reduce.rs also compacts within a round, advancing its input and output buffers by the meet of every time still to be examined. Two lemmas (acc_mapDomain_sup, sup_advance_eq — TARGETS2.md's join preservation, specialized to a one-element frontier) say this is invisible at the model's granularity: the compacted buffer yields the same accumulation at every remaining evaluation point and the same join against every remaining seed as the uncompacted history would, so the intra-round compaction needs no adversary move at all.

🤖 Generated with Claude Code

frankmcsherry and others added 2 commits July 2, 2026 13:59
…action lemmas

Two generalizations matching the implementation more closely:

* Step's pending_eq (exact) becomes pending_super/pending_confined/
  pending_finite: the new pending set need only CONTAIN the deferred and
  carried times, staying beyond the frontier.  reduce.rs warns about more
  times than the truncated closure defers (joins with already-finalized
  times kept "to scare future times"); over-warning is harmless, and the
  theorem now covers it.  Step.of_pending_eq recovers the exact choice
  (TARGETS2.md step 4 as written), used by the scenarios.

* acc_mapDomain_sup and sup_advance_eq: TARGETS2.md's join preservation,
  specialized to the one-element frontier used by reduce.rs's intra-round
  buffer compaction.  Advancing buffer times by the meet of everything
  still to be examined changes no accumulation the round still reads and
  no join it still generates, so the intra-round compaction needs no
  adversary move at the model's granularity.

No sorries; goal theorems unchanged and still depend only on the three
standard axioms.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Four observations, separable from the Lean: the debt has no memory
(compacted input + output determine it; the output is the receipt that
makes re-derivation possible); debt is created only above the seeds;
seeding on new times and closing against stored times IS the full join
closure restricted to where debt can live (absorption); pends are
resumption tokens for the suspended closure, carrying no other content.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@frankmcsherry frankmcsherry merged commit e52e1dc into TimelyDataflow:master-next Jul 2, 2026
6 checks passed
@frankmcsherry frankmcsherry deleted the reduce-model-refinements branch July 2, 2026 19:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant