
3.5 Proof Details

3.5.1 Proofs for Barrier Optimization

To ease the proof of Theorem 5, we first provide several lemmas. Lemmas 4 and 5 provide two properties of a barrier action.

Lemma 4. Let $TS(N) = (S, A, \to, s_0, AP, L)$ be an action-deterministic transition system. For each $1 \le i \le 2|Rule|$ and every $sw \in Switches$, $barrier(sw)_i$ is independent of $A \setminus Barrier$.

Proof. It is straightforward to check this lemma against the definition of independence between actions.

Lemma 5. Let $TS(N) = (S, A, \to, s_0, AP, L)$ be an action-deterministic transition system and $\varphi$ an SDN specification. For each $1 \le i \le 2|Rule|$ and every $sw \in Switches$, $barrier(sw)_i$ is a stutter action w.r.t. $\varphi$.

Proof. $\varphi$ is a proposition over packets that have been forwarded by some switch at least once, or over control states. Since $barrier(sw)_i$ changes neither packets nor control states, it does not change the labelling, and hence $barrier(sw)_i$ is a stutter action.

Lemma 6 shows that the definition of the ample set in $TS(N)$ satisfies the following three conditions.

Lemma 6. $ample(s)$ satisfies the following conditions.

1. $\emptyset \ne ample(s) \subseteq A(s)$.
2. Let $s \xrightarrow{\beta_1} s_1 \xrightarrow{\beta_2} \dots \xrightarrow{\beta_n} s_n \xrightarrow{\alpha} t$ be a finite execution in $TS(N)$. If $\alpha \in A \setminus ample(s)$ depends on $ample(s)$, then $\beta_i \in ample(s)$ for some $0 < i \le n$.
3. If $ample(s) \ne A(s)$, then every $\alpha \in ample(s)$ is a stutter action.

Proof. Conditions (1) and (3) are straightforward to verify.

Let us prove condition (2) by contradiction. Suppose (2) does not hold. Then there is a finite execution $\rho = s \xrightarrow{\beta_1} s_1 \xrightarrow{\beta_2} \dots \xrightarrow{\beta_n} s_n \xrightarrow{\alpha} t$ in $TS(N)$ such that $\beta_i \notin ample(s)$ for all $1 \le i \le n$ and $\alpha \in A \setminus ample(s)$ depends on $ample(s)$.

If $ample(s) = A(s)$, then $\beta_1 \in A(s) = ample(s)$, which is a contradiction. Otherwise $ample(s) = \{barrier(sw)_i \mid 1 \le i \le b(s, sw) \wedge sw \text{ has a barrier in } s\}$. Since $\alpha$ depends on $ample(s)$, by Lemma 4 $\alpha$ can only be a barrier action. Since $\beta_i \notin ample(s)$ for all $1 \le i \le n$, no $\beta_i$ is a barrier action, so by Lemma 4 every $\beta_i$ is independent of $\alpha$, and therefore $\alpha$ is already enabled in $s$, i.e. $\alpha \in A(s)$. By the definition of $ample(s)$, $\alpha \in ample(s)$, which contradicts $\alpha \in A \setminus ample(s)$. Therefore condition (2) holds.

Lemma 6 implies the following three lemmas, Lemmas 7 to 9.

Lemma 7. Let $s$ be a state in $TS(N)$. If $\alpha \in ample(s)$, then $\alpha$ is independent of $A(s) \setminus ample(s)$.

Proof. Suppose not. Then there is an action $\beta \in A(s) \setminus ample(s)$ such that $\alpha$ and $\beta$ are dependent. Since $\beta \in A(s)$, $s \xrightarrow{\beta} s_1$ is a finite execution in $TS(N)$ in which $\beta \in A \setminus ample(s)$ depends on $ample(s)$ and is not preceded by any action of $ample(s)$. This violates condition (2) of Lemma 6.

Lemmas 8 and 9 describe two ways to obtain a stutter-equivalent execution.

Lemma 8. Let $\rho$ be a finite execution in $TS(N)$ of the form $s \xrightarrow{\beta_1} s_1 \xrightarrow{\beta_2} \dots \xrightarrow{\beta_n} s_n \xrightarrow{\alpha} t$ where $\beta_i \notin ample(s)$ for $0 < i \le n$, and $\alpha \in ample(s)$. There exists a finite execution $\rho'$ of the form $s \xRightarrow{\alpha} t_0 \xrightarrow{\beta_1} t_1 \dots \xrightarrow{\beta_{n-1}} t_{n-1} \xrightarrow{\beta_n} t$ with $\rho \triangleq \rho'$.

Proof. We prove it by induction on the number $n \ge 1$ of actions preceding $\alpha$.

Base case ($n = 1$): Then $\rho = s \xrightarrow{\beta_1} s_1 \xrightarrow{\alpha} t$. Since $\beta_1 \notin ample(s)$ and $\alpha \in ample(s)$, by Lemma 7 $\beta_1$ and $\alpha$ are independent. Hence we can permute them and get $\rho' = s \xrightarrow{\alpha} t_1 \xrightarrow{\beta_1} t$. Since $\alpha \in ample(s)$, we have $\rho' = s \xRightarrow{\alpha} t_1 \xrightarrow{\beta_1} t$. Moreover, since $\alpha$ is a barrier action and hence a stutter action, we have $\rho \triangleq \rho'$.

Induction step ($n + 1$): Let $\rho = s \xrightarrow{\beta_1} s_1 \xrightarrow{\beta_2} \dots \xrightarrow{\beta_n} s_n \xrightarrow{\beta_{n+1}} s_{n+1} \xrightarrow{\alpha} t$. Since $\beta_{n+1} \notin ample(s)$ and $\alpha \in ample(s)$, by Lemma 7 $\beta_{n+1}$ and $\alpha$ are independent. Hence we have $\hat\rho = s \xrightarrow{\beta_1} s_1 \xrightarrow{\beta_2} \dots \xrightarrow{\beta_n} s_n \xrightarrow{\alpha} t_n \xrightarrow{\beta_{n+1}} t$. Since $\alpha$ is a stutter action, $\rho \triangleq \hat\rho$. Let $\hat\rho(n) = s \xrightarrow{\beta_1} s_1 \xrightarrow{\beta_2} s_2 \dots \xrightarrow{\beta_n} s_n \xrightarrow{\alpha} t_n$. By the induction hypothesis, there is a $\rho'(n) = s \xRightarrow{\alpha} t_0 \xrightarrow{\beta_1} t_1 \dots \xrightarrow{\beta_{n-1}} t_{n-1} \xrightarrow{\beta_n} t_n$ such that $\hat\rho(n) \triangleq \rho'(n)$. Then we have $\rho' = s \xRightarrow{\alpha} t_0 \xrightarrow{\beta_1} t_1 \dots \xrightarrow{\beta_{n-1}} t_{n-1} \xrightarrow{\beta_n} t_n \xrightarrow{\beta_{n+1}} t$ and $\rho' \triangleq \hat\rho \triangleq \rho$.

Lemma 9. Let $\rho = s \xrightarrow{\beta_1} s_1 \xrightarrow{\beta_2} \dots$ be an infinite execution in $TS(N)$ where $\beta_i \notin ample(s)$ for all $i > 0$. There exists an execution $\rho'$ of the form $s \xRightarrow{\alpha} t_0 \xrightarrow{\beta_1} t_1 \xrightarrow{\beta_2} \dots$ where $\alpha \in ample(s)$ and $\rho \triangleq \rho'$.

Proof. Since $\beta_i \notin ample(s)$ for all $i > 0$ and $\alpha \in ample(s)$, by Lemma 7 every $\beta_i$ and $\alpha$ are independent. Hence we have $\rho' = s \xRightarrow{\alpha} t_0 \xrightarrow{\beta_1} t_1 \xrightarrow{\beta_2} \dots$ where $\alpha(s_i) = t_i$ for each $i > 0$. Since $\alpha$ is a stutter action, $L(s_i) = L(t_i)$ for each $i > 0$ and $L(s) = L(t_0)$. Hence $\rho \triangleq \rho'$.

The transition system $\widehat{TS}$ has the following property, stated in Lemma 10.

Lemma 10. For any infinite execution $\rho$ in $\widehat{TS}$, there are infinitely many states $s$ in $\rho$ such that $ample(s) = A(s)$.

Proof. Suppose not. Without loss of generality, assume that from the $k$-th state $s_k$ on, all states $s_i$ of $\rho$ with $i \ge k$ satisfy $ample(s_i) \ne A(s_i)$. Then for all $i > k$, the action taken from $s_i$ is a barrier action. However, $s_k$ has only finitely many barriers, and each barrier action consumes one of them, so $\rho$ cannot be infinite. Contradiction.

Finally, we prove our main theorem for the barrier optimization:

Theorem 11. Let $TS(N)$ be an action-deterministic transition system. Then $TS(N) \triangleq \widehat{TS}$.

Proof. By the definition of $\Rightarrow$, every execution in $\widehat{TS}$ is also an execution in $TS(N)$, and hence $\widehat{TS} \trianglelefteq TS(N)$.

We now prove that $TS(N) \trianglelefteq \widehat{TS}$, that is, for any initial infinite execution $\rho$ in $TS(N)$ there is an initial infinite execution $\rho'$ in $\widehat{TS}$ such that $\rho \triangleq \rho'$. The idea is the following. Let $\rho$ be an infinite initial execution in $TS(N)$ that is not in $\widehat{TS}$. Let $l$ be the largest index in $\rho$ such that for all $1 \le i \le l$, the transition $s_{i-1} \xrightarrow{\mu_i} s_i$ is also a transition $s_{i-1} \xRightarrow{\mu_i} s_i$ in $\widehat{TS}$, that is,

$$\rho = s_0 \xRightarrow{\mu_1} \dots \xRightarrow{\mu_l} \underbrace{s \xrightarrow{\beta_1} s_1 \xrightarrow{\beta_2} s_2 \dots}_{\rho_0}$$

Let $\rho_0$ be the execution in $TS(N)$ which starts in state $s$ and is induced by the action sequence $\beta_1 \beta_2 \beta_3 \dots$, where $\beta_1 \notin ample(s)$. The execution $\rho_0$ is successively replaced by stutter-equivalent executions $\rho_m$, $m = 1, 2, 3, \dots$, by means of the transformations indicated in Lemmas 8 and 9. Each of these executions $\rho_m$ starts in state $s$ and is based on an action sequence of the form $\alpha_1 \dots \alpha_m \beta_1 \gamma_1 \gamma_2 \gamma_3 \dots$. The action sequence $\alpha_1 \dots \alpha_m$ contains the actions of the ample sets that were newly inserted according to Lemma 9, and all actions $\beta_n$ that were shifted forward according to Lemma 8; $\gamma_1 \gamma_2 \gamma_3 \dots$ denotes the remaining subsequence of $\beta_1, \beta_2, \beta_3, \dots$. Thus $\rho_m$ is of the form

$$s \xRightarrow{\alpha_1} t_1 \xRightarrow{\alpha_2} \dots \xRightarrow{\alpha_m} t_m \xrightarrow{\beta_1} t^m_0 \xrightarrow{\gamma_1} t^m_1 \xrightarrow{\gamma_2} t^m_2 \xrightarrow{\gamma_3} \dots$$

where $\alpha_1, \dots, \alpha_m$ are stutter actions. By Lemma 10, $\beta_1 \in ample(t_m)$ for some $m \ge 1$. Then $s \xRightarrow{\alpha_1} t_1 \xRightarrow{\alpha_2} \dots \xRightarrow{\alpha_m} t_m \xRightarrow{\beta_1} t^m_0$ becomes an execution in $\widehat{TS}$. By repeating this reasoning on the rest of the execution, $t^m_0 \xrightarrow{\gamma_1} t^m_1 \xrightarrow{\gamma_2} t^m_2 \xrightarrow{\gamma_3} \dots$, we obtain an execution $\rho''$ in $\widehat{TS}$ (as the "limit" of $\rho_m, \rho_{m+1}, \dots$) whose induced action sequence contains all actions that occur in $\rho_0$ (in $TS(N)$).

Let us assume that $\rho$ has the form $s_0 \xrightarrow{\xi_1} s_1 \xrightarrow{\xi_2} \dots$ and let $0 = k_0 < k_1 < k_2 < \dots$ be such that $\xi_{k_1}, \xi_{k_2}, \dots$ results from $\xi_1, \xi_2, \dots$ by omitting all stutter actions in $\xi_1, \xi_2, \dots$.

Then $trace(\rho)$ has the form $A_0^+ A_1^+ A_2^+ \dots$, where $A_i$ is the label $L(s_k)$ of all states $s_k$ with $k_i \le k < k_{i+1}$. Since each of the nonstutter actions $\xi_{k_i}$ is eventually processed, there exists a finite word $w_i$ of the form $A_0^+ A_1^+ \dots A_i^+$ and some index $l_i$ such that the traces of the executions $\rho_j$ for all $j \ge l_i$ start with $w_i$. In particular, $w_i$ is a proper prefix of $w_{i+1}$, and all $w_i$ are prefixes of the trace of the limit execution $\rho'$, i.e. the prefix $s_0 \xRightarrow{\mu_1} \dots \xRightarrow{\mu_l} s$ followed by $\rho''$. Hence $trace(\rho')$ has the form $A_0^+ A_1^+ A_2^+ \dots$, and $\rho \triangleq \rho'$.

Theorem 12. Given an SDN $N$ and a safety property $\varphi$, $TS(N)$ satisfies $\varphi$ iff $TS_2$ satisfies $\varphi$.

Proof. If $TS(N)$ does not satisfy $\varphi$, then there is an execution $s_0 \xrightarrow{\alpha_1} \dots \xrightarrow{\alpha_n} s_n$ in $TS(N)$ such that $L(s_n)$ does not satisfy $\varphi$. Since $TS(N) \trianglelefteq TS_2$, there is an execution $s_0 \xrightarrow{\beta_1}_2 \dots \xrightarrow{\beta_m}_2 t_m$ in $TS_2$ such that $L(t_m) = L(s_n)$. Hence $L(t_m)$ does not satisfy $\varphi$ either, and $TS_2$ does not satisfy $\varphi$.

We can prove the other direction analogously.