Event Graph Convergence Proof

distributed-systemsconvergenceproof
σ1,σ2TopoSorts(G):replay(G,σ1)=replay(G,σ2)\forall \sigma_1, \sigma_2 \in \text{TopoSorts}(G): \text{replay}(G, \sigma_1) = \text{replay}(G, \sigma_2)

Statement

Theorem (Convergence). Let G=(E,)G = (E, \rightarrow) be a valid event graph and let σ1,σ2\sigma_1, \sigma_2 be any two topological sorts of GG. Then:

replay(G,σ1)=replay(G,σ2)\text{replay}(G, \sigma_1) = \text{replay}(G, \sigma_2)

That is, the document state produced by eg-walker is independent of the processing order, provided that order respects causality.

Definitions

Definition 1 (Event Graph). An event graph G=(E,)G = (E, \rightarrow) is a finite, transitively-reduced DAG where each node eEe \in E carries an operation op(e){Insert(i,c),Delete(i)}\text{op}(e) \in \{\text{Insert}(i,c), \text{Delete}(i)\} and a unique identifier id(e)\text{id}(e).

Definition 2 (Version). The version of GG is its frontier:

Version(G)={eGeG:ee}\text{Version}(G) = \{e \in G \mid \nexists\, e' \in G : e \rightarrow e'\}

Definition 3 (Replay). replay(G)\text{replay}(G) processes events in some topological sort order, using the advance/retreat mechanism to align the prepare version with each event's parents before applying it. The output is the final document string.

Definition 4 (Strong Eventual Consistency). A replicated system is strongly eventually consistent if:

  1. Convergence: replicas that have delivered the same set of events are in the same state
  2. Eventual delivery: every event generated at one correct replica is eventually delivered to all correct replicas

Proof Structure

The proof proceeds by showing that swapping two adjacent concurrent events in a topological sort does not change the output.

Lemma 1 (Adjacent Swap)

If eaebe_a \| e_b and σ=(,ea,eb,)\sigma = (\ldots, e_a, e_b, \ldots) is a valid topological sort, then σ=(,eb,ea,)\sigma' = (\ldots, e_b, e_a, \ldots) produces the same document state.

Proof sketch. Since eaebe_a \| e_b, neither is an ancestor of the other. When processing ebe_b after eae_a in σ\sigma:

  • The retreat mechanism undoes eae_a from the prepare version (since eaEvents(eb.parents)e_a \notin \text{Events}(e_b.\text{parents}))
  • The effect version includes both eae_a and ebe_b

When processing eae_a after ebe_b in σ\sigma':

  • The retreat mechanism undoes ebe_b from the prepare version
  • The effect version again includes both eae_a and ebe_b

In both cases, the final effect version after processing both events is identical. The transformed operations emitted may differ, but their composition produces the same document. \square

Lemma 2 (Topological Sort Reachability)

Any topological sort σ1\sigma_1 can be transformed into any other topological sort σ2\sigma_2 by a sequence of adjacent transpositions of concurrent events.

Proof. Standard result from partial order theory: two linear extensions of a partial order are connected by a sequence of adjacent transpositions of incomparable elements. \square

Main Theorem

By Lemma 2, any two topological sorts are connected by adjacent swaps of concurrent events. By Lemma 1, each swap preserves the document state. By transitivity, all topological sorts produce the same document. \square

Visualization

Two replicas processing the same three events in different orders:

graph LR
    subgraph "Replica A processes: e₁, e₂, e₃"
        A1["apply(e₁)"] --> A2["apply(e₂)"]
        A2 --> A3["retreat(e₂), apply(e₃)"]
    end

    subgraph "Replica B processes: e₁, e₃, e₂"
        B1["apply(e₁)"] --> B3["apply(e₃)"]
        B3 --> B2["retreat(e₃), apply(e₂)"]
    end

Despite different orderings, both replicas arrive at the same document state because the effect version accumulates the same set of events {e1,e2,e3}\{e_1, e_2, e_3\}.

The Strong List Specification

Eg-walker satisfies the strong list specification (Attiya et al., 2016), which requires:

  1. Insert-validity: an inserted element appears in the list at the specified position relative to the inserter's observed state
  2. Delete-validity: a deleted element was present at the specified position in the deleter's observed state
  3. Convergence: all replicas observing the same events agree on list contents and order
  4. Non-interleaving: concurrent sequences of insertions at the same position are not interleaved
replicas r1,r2:Events(r1)=Events(r2)    doc(r1)=doc(r2)\forall\, \text{replicas } r_1, r_2: \quad \text{Events}(r_1) = \text{Events}(r_2) \implies \text{doc}(r_1) = \text{doc}(r_2)

Critical Versions

Definition (Critical Version). A version VV of graph GG is critical iff it partitions GG into G1=Events(V)G_1 = \text{Events}(V) and G2=GG1G_2 = G \setminus G_1 such that:

e1G1,  e2G2:e1e2\forall\, e_1 \in G_1,\; \forall\, e_2 \in G_2: \quad e_1 \rightarrow e_2

Critical versions act as barriers — events before and after can be processed independently. This enables:

  • Discarding internal state up to critical versions
  • Partial replay from the most recent critical version
  • Garbage collection of tombstones

Connections

The convergence result relies on the Advance and Retreat MechanismAdvance and Retreat MechanismVpretreat(e)Vp{e}advance(e)Vp{e}V_p \xrightarrow{\text{retreat}(e)} V_p \setminus \{e\} \xrightarrow{\text{advance}(e')} V_p \cup \{e'\}How eg-walker navigates the causal graph by advancing and retreating individual events to simulate each operation's original context.Read more → correctly maintaining the two-version internal state. The Internal State MachineInternal State Machinesp{NotInsertedYet,Ins,Del1,Del2,}s_p \in \{\text{NotInsertedYet}, \text{Ins}, \text{Del}_1, \text{Del}_2, \ldots\}The per-character state machine that tracks insertion/deletion across prepare and effect versions in eg-walker.Read more → ensures that retreat/advance transitions are reversible. Concurrent insert ordering (via YATA/RGA) provides the deterministic tie-breaking needed for the non-interleaving property.

References

  • Gentle & Kleppmann (2025), Appendix C: Formal proof of convergence
  • Attiya, H. et al. (2016). Specification and Complexity of Collaborative Text Editing. PODC.