A true concurrent model of smart contracts executions
aa r X i v : . [ c s . P L ] A p r A true concurrent model ofsmart contracts executions
Massimo Bartoletti , Letterio Galletta , and Maurizio Murgia University of Cagliari, Italy IMT School for Advanced Studies, Lucca, Italy University of Trento, Italy
Abstract.
The development of blockchain technologies has enabled thetrustless execution of so-called smart contracts , i.e. programs that reg-ulate the exchange of assets (e.g., cryptocurrency) between users. In adecentralized blockchain, the state of smart contracts is collaborativelymaintained by a peer-to-peer network of mutually untrusted nodes, whichcollect from users a set of transactions (representing the required actionson contracts), and execute them in some order. Once this sequence oftransactions is appended to the blockchain, the other nodes validate it,re-executing the transactions in the same order. The serial execution oftransactions does not take advantage of the multi-core architecture ofmodern processors, so contributing to limit the throughput. In this pa-per we propose a true concurrent model of smart contracts execution.Based on this, we show how static analysis of smart contracts can beexploited to parallelize the execution of transactions.
Smart contracts [20] are computer programs that transfer digital assets betweenusers without a trusted authority. Currently, smart contracts are supported byseveral blockchains, the first and most widespread one being Ethereum [8]. Usersinteract with a smart contract by sending transactions , which trigger state up-dates, and may possibly involve transfers of crypto-assets between the calledcontract and the users. The sequence of transactions on the blockchain deter-mines the state of each contract, and the balance of each user.The blockchain is maintained by a peer-to-peer network of nodes, which fol-low a consensus protocol to determine, at each turn, a new block of transactionsto be added to the blockchain. This protocol guarantees the correct execution ofcontracts also in the presence of (a minority of) adversaries in the network, andensures that all the nodes have the same view of their state. Nodes play the roleof miner or that of validator . Miners gather from the network sets of transac-tions sent by users, and execute them serially to determine the new state. Oncea block is appended to the blockchain, validators re-execute all its transactions,to update their local view of the contracts state and of the users’ balance. To dothis, validators process the transactions exactly in the same order in which theyoccur in the block, since choosing a different order could potentially result innconsistencies between the nodes (note that miners also act as validators, sincethey validate all the blocks received from the network).Although executing transactions in a purely sequential fashion is quite effec-tive to ensure the consistency of the blockchain state, in the age of multi-coreprocessors it fails to properly exploit the computational capabilities of nodes. Byenabling miners and validators to concurrently execute transactions, it would bepossible to improve the efficiency and the throughput of the blockchain.This paper exploits techniques from concurrency theory to provide a for-mal backbone for parallel executions of transactions. More specifically, our maincontributions can be summarised as follows: – As a first step, we formalise blockchains, giving their semantics as a functionwhich maps each contract to its state, and each user to her balance. Thissemantics reflects the standard implementation of nodes, where transactionsare evaluated in sequence, without any concurrency. – We introduce two notions of swappability of transactions. The first is purelysemantic: two adjacent transactions can be swapped if doing so preservesthe semantics of the blockchain. The second notion, called strong swappabil-ity, is more syntactical: it checks a simple condition (inspired by Bernstein’sconditions [6]) on static approximations of the variables read/written bythe transactions. Theorem 2 shows that strong swappability is strictly in-cluded in the semantic relation. Further, if we transform a blockchain byrepeatedly exchanging adjacent strongly swappable transactions, the result-ing blockchain is observationally equivalent to the original one (Theorem 4). – Building upon strong swappability, we devise a true concurrent model oftransactions execution. To this purpose, we transform a block of transactionsinto an occurrence net , describing exactly the partial order induced by theswappability relation. We model the concurrent executions of a blockchain interms of the step firing sequences (i.e. finite sequences of sets of transitions)of the associated occurrence net. Theorem 5 establishes that the concurrentexecutions and the serial one are semantically equivalent. – We describe how miners and validators can use our results to concurrentlyexecute transactions, exploiting the multi-core architecture available on theirnodes. Remarkably, our technique is compatible with the current implemen-tation of the Ethereum blockchain, while the other existing approaches toparallelize transactions execution would require a soft-fork. – We apply our technique to ERC-721 tokens, one of the most common kindsof contracts in Ethereum, showing them to be suitable for parallelization.The proofs of our results are in Appendix A.
In this section we introduce a general model of transactions and blockchains,abstracting from the actual smart contracts language. smart contract is a finite set of functions, i.e. terms of the form f ( x ) { S } ,where f is a function name, x is the sequence of formal parameters (omittedwhen empty), and S is the function body. We postulate that the functions in acontract have distinct names. We abstract from the actual syntax of S , and wejust assume that the semantics of function bodies is defined (see e.g. [5] for aconcrete instance of syntax and semantics of function bodies).Let Val be a set of values , ranged over by v, v ′ , . . . , let Const be a set of constant names x, y, . . . , and let
Addr be a set of addresses X , Y , . . . , partitionedinto account addresses A , B , . . . and contract addresses C , D , . . . . We assume amapping Γ from addresses to contracts.We assume that each contract has a key-value store, which we render asa partial function Val ⇀ Val from keys k ∈ Val to values. The state of theblockchain is a function σ : Addr → ( Val ⇀ Val ) from addresses to key-valuestores. We postulate that balance ∈ dom σ X for all X . A qualified key is aterm of the form X .k . We write σ ( X .k ) for σ X k ; when k dom σ X , we write σ ( X .k ) = ⊥ . We use p, q, . . . to range over qualified keys, P, Q, . . . to range oversets of them, and P to denote the set of all qualified keys.To have a uniform treatment of accounts and contracts, we assume that forall account addresses A , dom σ A = { balance } , and that the contract Γ ( A ) hasexactly one function, which just skips. In this way, the statement A . transfer ( n ),which transfers n currency units to A , can be rendered as a call to this function. State updates define how values associated with qualified keys are modified.
Definition 1 (State update). A state update π : Addr ⇀ ( Val ⇀ Val ) is afunction from qualified keys to values; we denote with { v / X .k } the state updatewhich maps X .k to v . We define keys( π ) as the set of qualified keys X .k suchthat X ∈ dom π and k ∈ dom π X . We apply updates to states as follows: ( σπ ) X = δ X where δ X k = ( π X k if X .k ∈ keys( π ) σ X k otherwise ⋄ We denote with J S K X σ,ρ the semantics of the statement S . This semantics iseither a blockchain state σ ′ , or it is undefined (denoted by ⊥ ). The semantics isparameterised over a state σ , an address X (the contract wherein S is evaluated),and an environment ρ : Const ⇀ Val , used to evaluate the formal parametersand the special names sender and value . These names represent, respectively,the caller of the function, and the amount of currency transferred along with thecall. We postulate that sender and value are not used as formal parameters.We define the auxiliary operators + and − on states as follows: σ ◦ ( X : n ) = σ { ( σ X balance ) ◦ n / X . balance } ( ◦ ∈ { + , −} )i.e., σ + X : n updates σ by increasing the balance of X of n currency units.A transaction T is a term of the form: A n −→ C : f ( v ) ( x ) { S } ∈ Γ ( C ) σ A balance ≥ n J S K C σ − A : n + C : n, { A / sender , n / value , v / x } = σ ′ J A n −→ C : f ( v ) K σ = σ ′ [Tx1] f ( x ) { S } ∈ Γ ( C ) (cid:18) σ A balance < n or J S K C σ − A : n + C : n, { A / sender , n / value , v / x } = ⊥ (cid:19) J A n −→ C : f ( v ) K σ = σ [Tx2] Fig. 1: Semantics of transactions.Intuitively, A is the address of the caller, C is the address of the called contract, f is the called function, n is the value transferred from A to C , and v is thesequence of actual parameters. We denote the semantics of T in σ as J T K σ , wherethe function J · K σ is defined in Figure 1, which we briefly comment.The semantics of a transaction T = A n −→ C : f ( v ), in a given blockchainstate σ , is a new state σ ′ . Rule [Tx1] handles the case where the transaction issuccessful: this happens when A ’s balance is at least n , and the function callterminates in a non-error state. Note that n units of currency are transferredto C before starting to execute f , and that the names sender and value arebound, respectively, to A and n . Rule [Tx2] applies either when A ’s balance isnot enough, or the execution of f fails. In these cases, T does not alter the state.A blockchain B is a finite sequence of transactions; we denote with ǫ theempty blockchain. The semantics of a blockchain is obtained by folding thesemantics of its transactions, starting from a given state σ : J ǫ K σ = σ J T B K σ = J B K J T K σ Note that erroneous transactions can occur within a blockchain, but they haveno effect on its semantics (as rule [Tx2] makes them identities w.r.t. the appendoperation). We assume that in the initial state of the blockchain, denoted by σ ⋆ ,each address X has a balance n ⋆ X ≥
0, while all the other keys are unbound.We write J B K for J B K σ ⋆ , where σ ⋆ X = { n ⋆ X / balance } . We say that a state σ is reachable if σ = J B K for some B . Example 1.
Consider the following functions of a contract at address C : f () { x :=1 } f () { if x = 0 then B . transfer (1) } f () { B . transfer (1) } Let σ be a state such that σ A balance ≥
2, and let B = T T T , where: T = A −→ C : f () T = A −→ C : f () T = A −→ C : f ()By applying rule [Tx1] three times, we have that: J T K σ = J x :=1 K C σ, { A / sender , / value } = σ { / C .x } = σ ′ J T K σ ′ = J if x = 0 then B . transfer (1) K C σ ′ − A :1+ C :1 , { A / sender , / value } = σ ′ − A : 1 + C : 1 = σ ′′ J T K σ ′′ = J B . transfer (1) K C σ ′′ − A :1+ C :1 , { A / sender , / value } = σ ′′ − A : 1 + B : 1Summing up, J B K σ = σ { / C .x } − A : 2 + B : 1 + C : 1. ⋄ Swapping transactions
We define two blockchain states to be observationally equivalent when they agreeon the values associated to all the qualified keys. Our formalisation is parame-terised on a set of qualified keys P over which we require the agreement. Definition 2 (Observational equivalence).
For all P ⊆ P , we define σ ∼ P σ ′ iff ∀ p ∈ P : σp = σ ′ p . We say that σ and σ ′ are observationally equivalent , insymbols σ ∼ σ ′ , when σ ∼ P σ ′ holds for all P . ⋄ Lemma 1.
For all
P, Q ⊆ P : (i) ∼ P is an equivalence relation; (ii) if σ ∼ P σ ′ and Q ⊆ P , then σ ∼ Q σ ′ ; (iii) ∼ = ∼ P . ⋄ We extend the equivalence relations above to blockchains, by passing throughtheir semantics. For all P , we define B ∼ P B ′ iff J B K σ ∼ P J B ′ K σ holds for allreachable σ (note that all the definitions and results in this paper apply toreachable states, since the unreachable ones do not represent actual contractexecutions). We write B ∼ B ′ when B ∼ P B ′ holds for all P . The relation ∼ isa congruence with respect to the append operation, i.e. if B ∼ B ′ then we canreplace B with B ′ in a larger blockchain, preserving its semantics. Lemma 2. B ∼ B ′ = ⇒ ∀ B , B : B BB ∼ B B ′ B . ⋄ Two transactions are swappable when exchanging their order preserves ob-servational equivalence.
Definition 3 (Swappability).
Two transactions T = T ′ are swappable , insymbols T ⇄ T ′ , when TT ′ ∼ T ′ T . ⋄ Example 2.
Recall the transactions in Example 1. We have that T ⇄ T and T ⇄ T , but T ⇄ T (see Figure 5 in Appendix A). ⋄ We shall use the theory of trace languages originated from Mazurkiewicz’sworks [16] to study observational equivalence under various swapping relations.Below, we fix the alphabet of trace languages as the set Tx of all transactions. Definition 4 (Mazurkiewicz equivalence).
Let I be a symmetric and ir-reflexive relation on Tx . The Mazurkiewicz equivalence ≃ I is the least congru-ence in the free monoid Tx ∗ such that: ∀ T , T ′ ∈ Tx : T I T ′ = ⇒ TT ′ ≃ I T ′ T . Theorem 1 below states that the Mazurkiewicz equivalence constructed onthe swappability relation ⇄ is an observational equivalence. Therefore, we cantransform a blockchain into an observationally equivalent one by a finite numberof exchanges of adjacent swappable transactions. Theorem 1. ≃ ⇄ ⊆ ∼ . ⋄ Example 3.
We can rearrange the transactions in Example 1 as T T T ∼ T T T ∼ T T T . Instead, T T T T T T (e.g., starting from a state σ such that σ A balance = 2 and σ C x = 0, see Figure 6 in Appendix A). ⋄ Note that the converse of Theorem 1 does not hold: indeed, B ≃ ⇄ B ′ requiresthat B and B ′ have the same length, while B ∼ B ′ may also hold for blockchainsof different length (e.g., B ′ = B T , where T does not alter the state). afe approximations of read/written keys Note that the relation ⇄ isundecidable whenever the contract language is Turing-equivalent. So, to detectswappable transactions we follow a static approach, consisting of two steps.First, we over-approximate the set of keys read and written by transactions, bystatically analysing the code of the called functions. We then check a simplecondition on these approximations (Definition 7), to detect if two transactionscan be swapped. Since static analyses to over-approximate read and written vari-ables are quite standard [17], here we just rely on such approximations, by onlyassuming their safety. In Definition 5 we state that a set P safely approximatesthe keys written by T , when T does not alter the state of the keys not in P .Defining set of read keys is a bit trickier: intuitively, we require that if we executethe transaction starting from two states that agree on the values of the keys inthe read set, then these executions should be equivalent, in the sense that theydo not introduce new differences between the resulting states (with respect tothe difference already existing before). Definition 5 (Safe approximation of read/written keys).
Given a set ofqualified keys P and a transaction T , we define: P | = w T iff ∀ Q : Q ∩ P = ∅ = ⇒ T ∼ Q ǫP | = r T iff ∀ B , B ′ , Q : B ∼ P B ′ ∧ B ∼ Q B ′ = ⇒ B T ∼ Q B ′ T ⋄ Example 4.
Let T = A −→ C : f (), where f () { B . transfer (1) } is a function of C .The execution of T affects the balance of A , B and C ; however, C . balance isfirst incremented and then decremented, and so its value remains unchanged.Then, { A . balance , B . balance } | = w T , and it is the smallest safe approximationof the keys written by T . To prove that P = { A . balance } | = r T , assume twoblockchains B and B ′ and a set of keys Q such that B ∼ P B ′ and B ∼ Q B ′ .If J B K A balance <
1, then by [Tx2] we have J B T K = J B K . Since B ∼ P B ′ ,then also J B ′ K A balance <
1, and so by [Tx2] we have J B ′ T K = J B ′ K . Then, B T ∼ Q B ′ T . Otherwise, if J B K A balance = n ≥
1, then by [Tx1] the executionof T transfers one unit of currency from A to B , so the execution of T affectsexactly A . balance and B . balance . So, it is enough to show that B ∼ { q } B ′ implies B T ∼ { q } B ′ T for q ∈ { A . balance , B . balance } . For q = A . balance ,we have that J B ′ T K A balance = n − J B T K A balance . For q = B . balance ,we have that J B ′ T K B balance = J B ′ K B balance + 1 = J B K B balance + 1 = J B T K B balance . Therefore, we conclude that P | = r T . ⋄ Widening a safe approximation (either of read or written keys) preserves itssafety; further, the intersection of two safe write approximations is still safe (seeLemma 6 in Appendix A). From this, it follows that there exists a least safeapproximation of the keys written by a transaction.
Strong swappability
We use safe approximations of the read/written keys todetect when two transactions are swappable. To achieve that, we check whethertwo transactions T and T ′ operate on disjoint portions of the blockchain state.ore specifically, we recast in our setting Bernstein’s conditions [6] for the par-allel execution of processes: it suffices to check that the set of keys written by T is disjoint from those written or read by T ′ , and vice versa. When this happenswe say that the two transactions are strongly swappable . Definition 6 (Strong swappability).
We say that two transactions T = T ′ are strongly swappable , in symbols T T ′ , when there exist W, W ′ , R, R ′ ⊆ P such that W | = w T , W ′ | = w T ′ , R | = r T , R ′ | = r T ′ , and: (cid:0) R ∪ W (cid:1) ∩ W ′ = ∅ = (cid:0) R ′ ∪ W ′ (cid:1) ∩ W ⋄ Example 5.
Let f () { skip } and f ( x ) { x. transfer ( value ) } be functions of thecontracts C and C , respectively, and consider the following transactions: T = A −→ C : f () T = B −→ C : f ( F )where A , B , and F are account addresses. To prove that T T , consider thefollowing safe approximations of the written/read keys of T and T , respectively: W = { A . balance , C . balance } | = w T R = { A . balance } | = r T W = { B . balance , F . balance } | = w T R = { B . balance } | = r T Since ( W ∪ R ) ∩ W = ∅ = ( W ∪ R ) ∩ W , the two transactions are stronglyswappable. Now, let: T = B −→ C : f ( A )and consider the following safe approximations W and R : W = { B . balance , A . balance } | = w T R = { B . balance } | = r T Since W ∩ W = ∅ 6 = W ∩ W , then ¬ ( T T ) and ¬ ( T T ). ⋄ The following theorem ensures the soundness of our approximation, i.e. thatif two transactions are strongly swappable, then they are also swappable. Theconverse implication does not hold, as witnessed by Example 6.
Theorem 2. T T ′ = ⇒ T ⇄ T ′ . ⋄ Example 6 (Swappable transactions, not strongly).
Consider the following func-tions and transactions of a contract at address C : f () { if sender = A && k = 0 then k :=1 else throw } T = A −→ C : f () f () { if sender = B && k = 0 then k :=1 else throw } T = B −→ C : f ()We prove that T ⇄ T . First, consider a state σ such that σ A balance > σ B balance > σ C balance = n , σ C k = 0 and σ C k = 0. We have that: J T T K σ = σ { / C .k , / C .k , n +2 / C . balance } = J T T K σ n the second case, let σ be such that σ A balance <
1, or σ B balance < σ C k = 0, or σ C k = 0. It is not possible that the guards in f and f are both true, so T or T raise an exception, leaving the state unaffected.Then, also in this case we have that J T T K σ = J T T K σ , and so T and T are swappable. However, they are not strongly swappable if there existreachable states σ, σ ′ such that σ C k = 0 = σ ′ C k . To see why, let W = { A . balance , C . balance , C .k } . From the code of f we see that W is the leastsafe over-approximation of the written keys of T ( W | = w T ). This meansthat every safe approximation of T must include the keys of W . Similarly, W = { B . balance , C . balance , C .k } is the least safe over-approximation of thewritten keys of T ( W | = w T ). Since the least safe approximations of the keyswritten by T and T are not disjoint, T T does not hold. ⋄ Theorem 3 states that the Mazurkiewicz equivalence ≃ is stricter than ≃ ⇄ .Together with Theorem 1, if B is transformed into B ′ by exchanging adjacentstrongly swappable transactions, then B and B ′ are observationally equivalent. Theorem 3. ≃ ⊆ ≃ ⇄ . ⋄ Note that if the contract language is Turing-equivalent, then finding approx-imations which satisfy the disjointness condition in Definition 6 is not com-putable, and so the relation
Parameterised strong swappability
Strongly swappability abstracts fromthe actual static analysis used to obtain the safe approximations: it is sufficientthat such an analysis exists. Definition 7 below parameterises strong swappabilityover a static analysis, which we represent as a function from transactions to setsof qualified keys, just requiring it to be a safe approximation. Formally, we saythat W is a static analysis of written keys when W ( T ) | = w T , for all T ; similarly, R is a static analysis of read keys when R ( T ) | = r T , for all T . Definition 7 (Parameterised strong swappability).
Let W and R be staticanalyses of written/read keys. We say that T , T ′ are strongly swappable w.r.t. W and R , in symbols T WR T ′ , if: (cid:0) R ( T ) ∪ W ( T ) (cid:1) ∩ W ( T ′ ) = ∅ = (cid:0) R ( T ′ ) ∪ W ( T ′ ) (cid:1) ∩ W ( T ) ⋄ Note that an effective procedure for computing W and R gives an effectiveprocedure to determine whether two transactions are (strongly) swappable. Lemma 3.
For all static analyses W and R : (i) WR ⊆ ; (ii) if W and R arecomputable, then WR is decidable. ⋄ From the inclusion in item (i) of Lemma 3 and from Theorem 3 we obtain:
Theorem 4. ≃ WR ⊆ ≃ ⊆ ≃ ⇄ . ⋄ True concurrency for blockchains
Given a swappability relation R , we transform a sequence of transactions B intoan occurrence net N R ( B ), which describes the partial order induced by R . Anyconcurrent execution of the transactions in B which respects this partial orderis equivalent to the serial execution of B (Theorem 5). From blockchains to occurrence nets
We start by recapping the notion ofPetri net [18]. A
Petri net is a tuple N = ( P , Tr , F , m ), where P is a set of places , Tr is a set of transitions (with P ∩ Tr = ∅ ), and F : ( P × Tr ) ∪ ( Tr × P ) → N is a weight function . The state of a net is a marking , i.e. a multiset m : P → N defining how many tokens are contained in each place; we denote with m theinitial marking. The behaviour of a Petri net is specified as a transition relationbetween markings: intuitively, a transition t is enabled at m when each place p has at least F ( p , t ) tokens in m . When an enabled transition t is fired, it consumes F ( p , t ) tokens from each p , and produces F ( t , p ′ ) tokens in each p ′ . Formally,given x ∈ P ∪ Tr , we define the preset • x and the postset x • as multisets: • x ( y ) = F ( y, x ), and x • ( y ) = F ( x, y ). A transition t is enabled at m when • t ⊆ m . The transition relation between markings is defined as m t −→ m − • t + t • ,where t is enabled. We say that t · · · t n is a firing sequence from m to m ′ when m t −→ · · · t n −→ m ′ , and in this case we say that m ′ is reachable from m . We saythat m ′ is reachable when it is reachable from m .An occurrence net [7] is a Petri net such that: (i) | p • | ≤ p ; (ii) | • p | = 1if p m , and | • p | = 0 if p ∈ m ; (iii) F is a relation, i.e. F ( x, y ) ≤ x, y ; (iv) F ∗ is a acyclic, i.e. ∀ x, y ∈ P ∪ Tr : ( x, y ) ∈ F ∗ ∧ ( y, x ) ∈ F ∗ = ⇒ x = y (where F ∗ is the reflexive and transitive closure of F ).In Figure 2 we transform a blockchain B = T · · · T n into a Petri net N R ( B ),where R is an arbitrary relation between transactions. Although any relation R ensures that N R ( B ) is an occurrence net (Lemma 4 below), our main resultshold when R is a strong swappability relation. The transformation works as fol-lows: the i -th transaction in B is rendered as a transition ( T i , i ) in N R ( B ), andtransactions related by R are transformed into concurrent transitions. Techni-cally, this concurrency is specified as a relation < between transitions, such that( T i , i ) < ( T j , j ) whenever i < j , but T i and T j are not related by R . The places,the weight function, and the initial marking of N R ( B ) are chosen to ensure thatthe firing ot transitions respects the relation < . Example 7.
Consider the following transactions and functions of a contract C : T f = A −→ C : f () f () { if x = 0 then y :=1 else throw } T g = A −→ C : g () g () { if y = 0 then x :=1 else throw } T h = A −→ C : h () h () { z :=1 } Let P w f = P r g = { C .y } , P r f = P w g = { C .x } , P w h = { C .z } , P r h = ∅ . It is easy tocheck that these sets are safe approximations of their transactions (e.g., P w f safely r = { ( T i , i ) | ≤ i ≤ n } P = { ( ∗ , t ) | t ∈ Tr } ∪ { ( t , ∗ ) | t ∈ Tr } ∪ (cid:8) ( t , t ′ ) (cid:12)(cid:12) t < t ′ (cid:9) where ( T , i ) < ( T ′ , j ) , ( i < j ) ∧ ¬ ( T R T ′ ) F ( x, y ) = y = t and (cid:0) x = ( ∗ , t ) or x = ( t ′ , t ) (cid:1) x = t and (cid:0) y = ( t , ∗ ) or y = ( t , t ′ ) (cid:1) m ( p ) = ( p = ( ∗ , t )0 otherwise Fig. 2: Construction of a Petri net from a blockchain B = T · · · T n . ( ∗ , t f ) ( ∗ , t h )( ∗ , t g )( t f , ∗ ) ( t h , ∗ )( t g , ∗ )( t f , t g ) t f t h t g Fig. 3: Occurrence net for Example 7.approximates the keys written by T f ). By Definition 6 we have that T f T h , T g T h , but ¬ ( T f T g ). We display N ( T f T h T g ) in Figure 3, where t f = ( T f , t h = ( T h , t g = ( T g , t g can only be fired after t f , while t h can be fired independently from t f and t g . This is coherent with the fact that T h is swappable with both T f and T g , while T f and T g are not swappable. ⋄ Lemma 4. N R ( B ) is an occurrence net, for all R and B . Step firing sequences
Theorem 5 below establishes a correspondence betweenconcurrent and serial execution of transactions. Since the semantics of serial exe-cutions is given in terms of blockchain states σ , to formalise this correspondencewe use the same semantics domain also for concurrent executions. This is ob-tained in two steps. First, we define concurrent executions of B as the step firingsequences (i.e. finite sequences of sets of transitions) of N ( B ). Then, we give asemantics to step firing sequences, in terms of blockchain states.We denote finite sets of transitions, called steps , as U , U ′ , . . . . Their presetand postset are defined as • U = P p ∈ U • p and U • = P p ∈ U p • , respectively. Wesay that U is enabled at m when • U ≤ m , and in this case firing U results in themove m U −→ m − • U + U • . Let U = U · · · U n be a finite sequence of steps. Wesay that U is a step firing sequence from m to m ′ if m U −→ · · · U n −−→ m ′ , and inthis case we write m U −→ m ′ . Concurrent execution of transactions
We now define how to execute trans-actions in parallel. The idea is to execute transactions in isolation , and thenmerge their changes, whenever they are mutually disjoint. The state updatedresulting from the execution of a transaction are formalised as in Definition 1.n update collector is a function Π that, given a state σ and a transaction T , gives an update π = Π ( σ, T ) which maps (at least) the updated qualifiedkeys to their new values. In practice, update collectors can be obtained by in-strumenting the run-time environment of smart contracts, so to record the statechanges resulting from the execution of transactions. We formalise update col-lectors abstracting from the implementation details of such an instrumentation: Definition 8 (Update collector).
We say that a function Π is an updatecollector when J T K σ = σ ( Π ( σ, T )) , for all σ and T . ⋄ There exists a natural ordering of collectors, which extends the orderingbetween state updates (i.e., set inclusion, when interpreting them as sets ofsubstitutions): namely, Π ⊑ Π ′ holds when ∀ σ, T : Π ( σ, T ) ⊆ Π ′ ( σ, T ). Thefollowing lemma characterizes the least update collector w.r.t. this ordering. Lemma 5 (Least update collector).
Let Π ⋆ ( σ, T ) = J T K σ − σ , where we de-fine σ ′ − σ as S σ ′ p = σp { σ ′ p / p } . Then, Π ⋆ is the least update collector. ⋄ The merge of two state updates is the union of the corresponding substi-tutions; to avoid collisions, we make the merge operator undefined when thedomains of the two updates overlap.
Definition 9 (Merge of state updates).
Let π , π be state updates. When keys( π ) ∩ keys( π ) = ∅ , we define π ⊕ π as follows: ( π ⊕ π ) p = π p if p ∈ keys( π ) π p if p ∈ keys( π ) ⊥ otherwise ⋄ The merge operator enjoys the commutative monoidal laws, and can thereforebe extended to (finite) sets of state updates.We now associate step firing sequences with state updates. The semantics ofa step U = { ( T , , . . . , ( T n , n ) } in σ is obtained by applying to σ the mergeof the updates Π ( σ, T i ), for all i ∈ ..n — whenever the merge is defined. Thesemantics of a step firing sequence is then obtained by folding that of its steps. Definition 10 (Semantics of step firing sequences).
We define the seman-tics of step firing sequences, given Π and σ , as: J ǫ K Πσ = σ J U U K Πσ = J U K Πσ ′ where σ ′ = J U K Πσ = σ M ( T ,i ) ∈ U Π ( σ, T ) ⋄ Example 8.
Let t f , t g , and t h be as in Example 7, and let σ C x = σ C y = 0. Since Π ⋆ ( σ, T f ) = { / C .y } , Π ⋆ ( σ, T g ) = { / C .x } , and Π ⋆ ( σ, T h ) = { / C .z } , we have: J { t f , t h } K Π ⋆ σ = σ ( { / C .y } ⊕ { / C .z } ) = σ { / C .y , / C .z } J { t g , t h } K Π ⋆ σ = σ ( { / C .x } ⊕ { / C .z } ) = σ { / C .x , / C .z } J { t f , t g } K Π ⋆ σ = ( σ { / C .y } ⊕ { / C .x } ) = σ { / C .y , / C .x } ote that, for all σ : J T f T h K σ = J T h T f K σ = σ { / C .y , / C .z } = J { t f , t h } K Π ⋆ σ J T g T h K σ = J T h T g K σ = σ { / C .x , / C .z } = J { t g , t h } K Π ⋆ σ So, the serial execution of T f and T h (in both orders) is equal to their concurrentexecution (similarly for T g and T h ). Instead, for all σ such that σ C x = σ C y = 0: J T f T g K σ = σ { / C .y } J T g T f K σ = σ { / C .x } J { t f , t g } K Π ⋆ σ = σ { / C .y , / C .x } So, concurrent executions of T f and T g may differ from serial ones. This iscoherent with the fact that, in Figure 3, t f and t g are not concurrent. ⋄ Concurrent execution of blockchains
Theorem 5 relates serial executionsof transactions to concurrent ones (which are rendered as step firing sequences).Item (a) establishes a confluence property: if two step firing sequences lead to thesame marking, then they also lead to the same blockchain state. Item (b) ensuresthat the blockchain, interpreted as a sequence of transitions, is a step firingsequence, and it is maximal (i.e., there is a bijection between the transactionsin the blockchain and the transitions of the corresponding net). Finally, item (c)ensures that executing maximal step firing sequences is equivalent to executingserially the blockchain.
Theorem 5.
Let B = T · · · T n . Then, in N ( B ) :(a) if m U −→ m and m U ′ −→ m , then J U K Π ⋆ σ = J U ′ K Π ⋆ σ , for all reachable σ ;(b) { ( T , } · · · { ( T n , n ) } is a maximal step firing sequence;(c) for all maximal step firing sequences U , for all reachable σ , J U K Π ⋆ σ = J B K σ . Remarkably, the implications of Theorem 5 also apply to N WR ( B ). Example 9.
Recall B = T f T h T g and N ( B ) from Example 7, let U = { t f , t h }{ t g } ,and let σ be such that σ C x = σ C y = 0. As predicted by item (c) of Theorem 5: J B K σ = σ { / C .y }{ / C .z } = J U K Π ⋆ σ Let U ′ = { t f }{ t g , t h } . We have that U and U ′ lead to the same marking, wherethe places ( t f , ∗ ), ( t g , ∗ ) and ( t h , ∗ ) contain one token each, while the other placeshave no tokens. By item (a) of Theorem 5 we conclude that J U K Π ⋆ σ = J U ′ K Π ⋆ σ .Now, let U ′′ = { t h }{ t f , t g } . Note that, although U ′′ is maximal, it is not a stepfiring sequence, since the second step is not enabled (actually, t f and t g are notconcurrent, as pointed out in Example 8). Therefore, the items of Theorem 5do not apply to U ′′ , coherently with the fact that U ′′ does not represent anysequential execution of B . ⋄ Case study: ERC-721 token
We now apply our theory to an archetypal Ethereum smart contract, which im-plements a “non-fungible token” following the standard ERC-721 interface [13,14].This contract defines the functions to transfer tokens between users, and to del-egate their trade to other users. Currently, token transfers involve ∼
50% of thetransactions on the Ethereum blockchain [1], with larger peaks due to popularcontracts like Cryptokitties [21].We sketch below the implementation of the
Token contract, using Solidity,the main high-level smart contract language in Ethereum (see Appendix B forthe full implementation).The contract state is defined by the following mappings: mapping ( uint256 => address ) owner ; mapping ( uint256 => bool ) exists ; mapping ( address => uint256 ) balance ; mapping ( address => mapping ( address => bool )) operatorApprovals ;
Each token is uniquely identified by an integer value (of type uint256 ), whileusers are identified by an address . The mapping owner maps tokens to theirowners’ addresses (the zero address is used to denote a dummy owner). Themapping exists tells whether a token has been created or not, while balance gives the number of tokens owned by each user. The mapping operatorApprovals allows a user to delegate the transfer of all her tokens to third parties.The function transferFrom transfers a token from the owner to another user.The require assertion rules out some undesirable cases, e.g., if the token doesnot exist, or it is not owned by the from user, or the user attempts to transferthe token to himself. Once all these checks are passed, the transfer succeeds ifthe sender of the transaction owns the token, or if he has been delegated by theowner. The mappings owner and balance are updated as expected. function transferFrom( address from , address to , uint256 id)external {require ( exists [ id] && from == owner [id ]&& from != to && to != address (0) ); if ( from == msg . sender || operatorApprovals [ from ][ msg . sender ]) {owner [id ] = to ;balance [ from ] -= 1;balance [ to] += 1;}} The function setApprovalForAll delegates the transfers of all the tokens ofthe sender to the operator when the boolean isApproved is true, otherwise itrevokes the delegation. function setApprovalForAll ( address operator , bool isApproved )external {operatorApprovals [ msg . sender ][ operator ] = isApproved ;} t t t Fig. 4: Occurrence net for the blockchain B = T T T T of the ERC-721 token.Assume that user A owns two tokens, identified by the integers 1 and 2, andconsider the following transactions: T = A −→ Token : transferFrom ( A , P , T = A −→ Token : setApprovalForAll ( B , true ) T = B −→ Token : transferFrom ( A , Q , T = P −→ Token : transferFrom ( P , B , T T , T T , and T T (this can be proved e.g. by usingthe static approximations in Appendix B), while the other combinations arenot swappable. Let B = T T T T . The resulting occurrence net is displayedin Figure 4. For instance, let U = { T , T }{ T , T } , i.e. T and T are executedconcurrently, as well as T and T . From item (c) of Theorem 5 we have thatthis concurrent execution is equivalent to the serial one.Although this example deals with the marginal case where the sender and thereceiver of tokens overlap, in practice the large majority of transactions in a blockeither involves distinct users, or invokes distinct ERC-721 interfaces, making itpossible to increase the degree of concurrency of transferFrom transactions. We have proposed a static approach to improve the performance of blockchainsby concurrently executing transactions. We have started by introducing a modelof transactions and blockchains. We have defined two transactions to be swap-pable when inverting their order does not affect the blockchain state. We havethen introduced a static approximation of swappability, based on a static analy-sis of the sets of keys read/written by transactions. We have rendered concurrentexecutions of a sequence of transactions as step firing sequences in the associ-ated occurrence net. Our main technical result, Theorem 5, shows that theseconcurrent executions are semantically equivalent to the sequential one.We can exploit our results in practice to improve the performances of minersand validators. Miners should perform the following steps to mine a block:. gather from the network a set of transactions, and put them in an arbitrarylinear order B , which is the mined block;2. compute the relation WR on B , using a static analysis of read/written keys;3. construct the occurrence net N WR ( B );4. execute transactions concurrently according to the occurrence net, exploitingthe available parallelism.The behaviour of validators is almost identical to that of miners, except thatin step (1), rather than choosing the order of transactions, they should adhereto the ordering of the mined block B . Note that in the last step, validators canexecute any maximal step firing sequence which is coherent with their degreeof parallelism: item (c) of Theorem 5 ensures that the resulting state is equalto the state obtained by the miner. The experiments in [11] suggest that paral-lelization may lead to a significant improvement of the performance of nodes: thebenchmarks on a selection of representative contracts show an overall speedupof 1.33x for miners and 1.69x for validators, using only three cores.Note that malevolent users could attempt a denial-of-service attack by pub-lishing contracts which are hard to statically analyse, and therefore are notsuitable for parallelization. This kind of attacks can be mitigated by adopting amining strategy that gives higher priority to parallelizable transactions. Applying our approach to Ethereum
Applying our theory to Ethereumwould require a static analysis of read/written keys at the level of EVM bytecode.As far as we know, the only tool implementing such an analysis is ES-ETH [15].However, the current version of the tool has several limitations, like e.g. thecompile-time approximation of dictionary keys and of values shorter than 32bytes, which make ES-ETH not directly usable to the purposes of our work.In general, precise static analyses at the level of the Ethereum bytecode aredifficult to achieve, since the language has features like dynamic dispatching andpointer aliasing which are notoriously a source of imprecision for static analysis.However, coarser approximations of read/written keys may be enough to speed-up the execution of transactions. For instance, in Ethereum, blocks typicallycontain many transactions which transfer tokens between participants, and manyof them involve distinct senders and receivers. A relatively simple analysis of thecode of token contracts (which is usually similar to that in Section 5) may beenough to detect that these transactions are swappable.Aiming at minimality, our model does not include the gas mechanism , whichis used in Ethereum to pay miners for executing contracts. The sender of atransaction deposits into it some crypto-currency, to be paid to the miner whichappends the transaction to the blockchain. Each instruction executed by theminer consumes part of this deposit; when the deposit reaches zero, the minerstops executing the transaction. At this point, all the effects of the transaction(except the payment to the miner) are rolled back. Our transaction model couldbe easily extended with a gas mechanism, by associating a cost to statementsand recording the gas consumption in the environment. Remarkably, adding gasdoes not invalidate approximations of read/written keys which are correct whileeglecting gas. However, a gas-aware analysis may be more precise of a gas-oblivious one: for instance, in the statement if k then f long (); x :=1 else y :=1(where f long is a function which exceeds the available gas) a gas-aware analysiswould be able to detect that x is not written. Related work
A few works study how to optimize the execution of smartcontracts on Ethereum, using dynamic techniques adopted from software trans-actional memory [4,11,12]. These works are focussed on empirical aspects (e.g.,measuring the speedup obtained on a given benchmark), while we focus on thetheoretical counterpart. In [11,12], miners execute a set of transactions specula-tively in parallel, using abstract locks and inverse logs to dynamically discoverconflicts and to recover from inconsistent states. The obtained execution is guar-anteed to be equivalent to a serial execution of the same set of transactions. Thework [4] proposes a conceptually similar technique, but based on optimistic soft-ware transactional memory. Since speculative execution is non-deterministic, inboth approaches miners need to communicate the chosen schedule of transac-tions to validators, to allow them to correctly validate the block. This schedulemust be embedded in the mined block: since Ethereum does not support thiskind of block metadata, these approaches would require a “soft-fork” of theblockchain to be implemented in practice. Instead, our approach is compatiblewith the current Ethereum, since miners only need to append transactions tothe blockchain. Compared to [11,4], where conflicts are detected dynamically,our approach relies on a static analysis to detect potential conflicts. Since soft-ware transactional memory introduces a run-time overhead, in principle a statictechnique could allow for faster executions, at the price of a preprocessing phase.Saraph and Herlihy [19] study the effectiveness of speculatively executing smartcontracts in Ethereum. They sample past blocks of transactions (from July 2016to December 2017), replay them by using a speculative execution engine, andmeasure the speedup obtained by parallel execution. Their results show thatsimple speculative strategies yield non-trivial speed-ups. Further, they note thatmany of the data conflicts (i.e. concurrent read/write accesses to the same statelocation) arise in periods of high traffic, and they are caused by a small numberof popular contracts, like e.g. tokens.In the permissioned setting, Hyperledger Fabric [3] follows the “execute firstand then order” paradigm: transactions are executed speculatively, and thentheir ordering is checked for correctness [2]. In this paradigm, appending a trans-action requires a few steps. First, a client proposes a transaction to a set of “en-dorsing” peers, which simulate the transaction without updating the blockchain.The output of the simulation includes the state updates of the transaction ex-ecution, and the sets of read/written keys. These sets are then signed by theendorsing peers, and returned to the client, which submits them to the “or-dering” peers. These nodes order transactions in blocks, and send them to the“committing” peers, which validate them. A block T · · · T n is valid when, if akey k is read by transaction T i , then k has not been written by a transaction T j with j < i . Finally, validated blocks are appended to the blockchain. Our modelis coherent with Ethereum, which does not support speculative execution. uture works A relevant line of research is the design of domain-specific lan-guages for smart contracts that are directly amenable to techniques that, likeours, increase the degree of concurrency of executions. For this purpose, the lan-guage should support static analyses of read/written keys, like the one we use todefine the strong swappability relation. Although the literature describes variousstatic analyses of smart contracts, most of them are focussed on finding securityvulnerabilities, rather than enhancing concurrency.Outside the realm of smart contracts, a few papers propose static analyses ofread/written variables. The paper [10] describes an analysis based on separationlogic, and applies it to resolve conflicts in the setting of snapshot isolation fortransactional memory in Java. When a conflict is detected, the read/write setsare used to determine how the code can be modified to resolve it. The paper [9]presents a static analysis to infer read and write locations in a C-like languagewith atomic sections. The analysis is used to translate atomic sections into stan-dard lock operations. The design of new smart contract languages could takeadvantage of these analyses.
Acknowledgements
Massimo Bartoletti is partially supported by Aut. Reg.Sardinia projects “Smart collaborative engineering” and “Sardcoin” . LetterioGalletta is partially supported by IMT Lucca project “PAI VeriOSS” and byMIUR project PRIN 2017FTXR7S “Methods and Tools for Trustworthy SmartSystems” . Maurizio Murgia is partially supported by MIUR PON “DistributedLedgers for Secure Open Communities” . References
1. Ethereum token dynanics, https://stat.bloxy.info/superset/dashboard/tokens
2. Hyperledger Fabric: Read-write set semantics. https://hyperledger-fabric.readthedocs.io/en/release-1.4/readwrite.html
3. Androulaki, E., Barger, A., Bortnikov, V., Cachin, C., Christidis, K., Caro, A.D.,Enyeart, D., Ferris, C., Laventman, G., Manevich, Y., Muralidharan, S., Murthy,C., Nguyen, B., Sethi, M., Singh, G., Smith, K., Sorniotti, A., Stathakopoulou,C., Vukolic, M., Cocco, S.W., Yellick, J.: Hyperledger Fabric: a distributed op-erating system for permissioned blockchains. In: EuroSys. pp. 30:1–30:15 (2018).https://doi.org/10.1145/3190508.31905384. Anjana, P.S., Kumari, S., Peri, S., Rathor, S., Somani, A.: An efficient frameworkfor optimistic concurrent execution of smart contracts. In: PDP. pp. 83–92 (2019).https://doi.org/10.1109/EMPDP.2019.86716375. Bartoletti, M., Galletta, L., Murgia, M.: A minimal core calculus for Solidity con-tracts. In: Cryptocurrencies and Blockchain Technology. LNCS, vol. 11737, pp.233–243. Springer (2019). https://doi.org/10.1007/978-3-030-31500-9 156. Bernstein, A.J.: Analysis of programs for parallel processing.IEEE Trans. on Electronic Computers
EC-15 (5), 757–763 (1966).https://doi.org/10.1109/PGEC.1966.2645657. Best, E., Devillers, R.R.: Sequential and concurrent behaviourin petri net theory. Theor. Comput. Sci. (1), 87–136 (1987).https://doi.org/10.1016/0304-3975(87)90090-9. Buterin, V.: Ethereum: a next generation smart contract and decentralized appli-cation platform. https://github.com/ethereum/wiki/wiki/White-Paper (2013)9. Cherem, S., Chilimbi, T.M., Gulwani, S.: Inferring locks foratomic sections. In: ACM SIGPLAN PLDI. pp. 304–315 (2008).https://doi.org/10.1145/1375581.137561910. Dias, R.J., Louren¸co, J.M., Pregui¸ca, N.M.: Efficient and correct transactionalmemory programs combining snapshot isolation and static analysis. In: USENIXConf. on Hot topics in Parallelism (HotPar) (2011)11. Dickerson, T.D., Gazzillo, P., Herlihy, M., Koskinen, E.: Adding con-currency to smart contracts. In: ACM PODC. pp. 303–312 (2017).https://doi.org/10.1145/3087801.308783512. Dickerson, T.D., Gazzillo, P., Herlihy, M., Koskinen, E.: Adding concurrency tosmart contracts. Bulletin of the EATCS (2018)13. Entriken, W., Shirley, D., Evans, J., Sachs, N.: EIP 721: ERC-721 non-fungibletoken standard, https://eips.ethereum.org/EIPS/eip-721
14. Fr¨owis, M., Fuchs, A., B¨ohme, R.: Detecting token systems on Ethereum. In: Fi-nancial Cryptography and Data Security. LNCS, vol. 11598, pp. 93–112. Springer(2019). https://doi.org/10.1007/978-3-030-32101-7 715. Marcia, D.: ES-ETH: Ethereum state change examiner. https://github.com/DiegoMarcia/ES-ETH (2019)16. Mazurkiewicz, A.W.: Basic notions of trace theory. In: Linear Time, BranchingTime and Partial Order in Logics and Models for Concurrency. LNCS, vol. 354,pp. 285–363. Springer (1988). https://doi.org/10.1007/BFb001302517. Nielson, F., Nielson, H.R., Hankin, C.: Principles of program analysis. Springer(1999). https://doi.org/10.1007/978-3-662-03811-618. Reisig, W.: Petri Nets: An Introduction, Monographs in Theoreti-cal Computer Science. An EATCS Series, vol. 4. Springer (1985).https://doi.org/10.1007/978-3-642-69968-919. Saraph, V., Herlihy, M.: An empirical study of speculative concur-rency in Ethereum smart contracts. CoRR abs/1901.01376 (2019), http://arxiv.org/abs/1901.01376
20. Szabo, N.: Formalizing and securing relationshipson public networks. First Monday (9) (1997), http://firstmonday.org/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/548
21. Young, J.: CryptoKitties sales hit $
12 mil-lion, could be Ethereum’s killer app after all. https://cointelegraph.com/news/cryptokitties-sales-hit-12-million-could-be-ethereums-killer-app-after-all (2017) ′ = σ − A : 1 + B : 1 σ σ { / C .x } σ ′ { / C .x } σ σ { / C .x } T T σ A balance ≥ T T σ A balance < σ A balance ≥ T σ A balance < T T (a) Proof of T ⇄ T . σ ′ = σ − A : 1 + B : 1 σ ′ { / C .x } σ σ C x = 0 σ A balance ≥ σ { / C .x } σ { / C .x } − A : 1 + C : 1 T / T T T (b) Proof of T ⇄ T . Fig. 5: Proofs for Example 2. A transition T from σ can be taken only if theguard below the arrow is satisfied in σ . σ ′′ − A : 1 + B : 1 σ σ ′ σ ′′ σ ′′ − A : 1 + C : 1 / T T T T T σ ′ = σ − A : 1 + B : 1 σ ′′ = σ ′ { / C .x } Fig. 6: Proof of T T T T T T for Example 3. A Proofs
Lemma 1.
For all
P, Q ⊆ P : (i) ∼ P is an equivalence relation; (ii) if σ ∼ P σ ′ and Q ⊆ P , then σ ∼ Q σ ′ ; (iii) ∼ = ∼ P . ⋄ Proof.
Items (i) and (ii) are trivial. The inclusion ∼ P ⊆ ∼ is trivial, and ∼ ⊆ ∼ P ,follows from item (ii). ⊓⊔ Lemma 2. B ∼ B ′ = ⇒ ∀ B , B : B BB ∼ B B ′ B . ⋄ Proof.
Direct from the fact that semantics of statements is a function, and itonly depends on the blockchain states after the execution of B and B ′ , whichare equal in any σ since B ∼ B ′ . ⊓⊔ Theorem 1. ≃ ⇄ ⊆ ∼ . ⋄ Proof.
By definition, ≃ ⇄ is the least equivalence relation closed under the rules: ǫ ≃ ⇄ ǫ [ ≃ T ≃ ⇄ T [ ≃ T ⇄ T ′ TT ′ ≃ ⇄ T ′ T [ ≃ B ≃ ⇄ B ′ B ≃ ⇄ B ′ B B ≃ ⇄ B ′ B ′ [ ≃ Let B ≃ ⇄ B ′ . We have to show B ∼ B ′ . We proceed by induction on the rulesabove. The case for rules [ ≃ and [ ≃ follows by the fact that ∼ is an equivalenceelation (Lemma 1) and hence reflexive. The case for rule [ ≃ follows immediatelyby Definition 3. For rule [ ≃ , first note that B = B B and B ′ = B ′ B ′ . By theinduction hypothesis it follows that: B ∼ B ′ and B ∼ B ′ Therefore, by two applications of Lemma 2: B = B B ∼ B B ′ ∼ B ′ B ′ = B ′ ⊓⊔ Lemma 6.
Let • ∈ { r, w } . Then:(a) if P | = • T and P ⊆ P ′ , then P ′ | = • T ;(b) if P | = w T and Q | = w T , then P ∩ Q | = w T .Proof. Item (a). For the case • = w , let P | = w T and P ⊆ P ′ . Let Q be such that Q ∩ P ′ = ∅ . We have to show that T ∼ Q ǫ . Since P ⊆ P ′ , it must be Q ∩ P = ∅ .Then, since P | = w T , it must be T ∼ Q ǫ , as required. For the case • = r , let P | = r T and P ⊆ P ′ . We have to show that, for all B , B , if B ∼ P ′ B and B ∼ Q B , then B T ∼ Q B T . But this follows immediately by the fact that P ⊆ P ′ and P | = r T .Item (b). Let R be such that R ∩ ( P ∩ Q ) = ∅ . Since P | = w T and ( R \ P ) ∩ P = ∅ , it must be: T ∼ R \ P ǫ Similarly, since Q | = w T and ( R \ Q ) ∩ Q = ∅ , we have that: T ∼ R \ Q ǫ By assumption R ∩ ( P ∩ Q ) = ∅ , then ( R \ P ) ∪ ( R \ Q ) = R . By Definition 2,we conclude that: T ∼ R T ∼ ( R \ P ) ∪ ( R \ Q ) ǫ ⊓⊔ The following example shows that part (b) of Lemma 6 does not hold forread approximations.
Example 10.
Let C be a contract with exactly two procedures: f ( x ) { k := x ; k ′ := x } g () { if k = A then B . transfer ( balance ) else skip } and let T = A −→ C : g (). Note that, in any reachable state σ , it must be σ C k = σ C k ′ . Let Q be such that B ∼ Q B ′ , and let σ = J B K , σ ′ = J B ′ K , n = σ C balance , and n ′ = σ ′ C balance . Appending T to B and B ′ will result in: J T K σ = ( σ − C : n + B : n if σ C k = A σ otherwise J T K σ ′ = ( σ ′ − C : n ′ + B : n ′ if σ ′ C k = A σ ′ otherwisef B ∼ { k } B ′ , then the conditions σ C k = A and σ ′ C k = A are equivalent.Therefore, J B T K = J T K σ ∼ Q J T K σ ′ = J B ′ T K , and so we have proved that { k } | = r T . Similarly, we obtain that { k ′ } | = r T , since k and k ′ are always bound tothe same value. Note however that { k } ∩ { k ′ } = ∅ is not a safe approximationof the keys read by T . For instance, if σ C k = A = σ ′ C k ′ and σ C balance = σ ′ C balance , then appending T to B or to B ′ results in states which differ in thebalance of C . ⊓⊔ Lemma 7.
Let P w T | = w T , P w T ′ | = w T ′ , and P r T | = r T . Then: P w T ′ ∩ P r T = ∅ = P w T ∩ S w T ′ = ⇒ T ∼ P w T T ′ T Proof.
Since P w T ′ | = w T ′ and P w T ′ ∩ P w T = ∅ , by Definition 5 we have T ′ ∼ P w T ǫ .We prove that T ′ ∼ P r T ǫ . By contradiction, assume that T ′ p ǫ for some p ∈ P r T .Since P w T ′ | = w T ′ , it must be p ∈ P w T ′ — contradiction, since P w T ′ ∩ P r T = ∅ . Since P r T | = r T , by Definition 5 we conclude that T ′ T ∼ P w T T . ⊓⊔ Lemma 8. T WR T = ⇒ T T ∼ W ( T ) T T Proof.
By Definition 7, it must be: W ( T ) ∩ W ( T ) = ∅ So, since W ( T ) | = w T , by Definition 5 we have: ǫ ∼ W ( T ) T and so, since ∼ W ( T ) is a congruence: T ∼ W ( T ) T T By Definition 7, it must be: W ( T ) ∩ R ( T ) = ∅ = W ( T ) ∩ W ( T )Then, by Lemma 7: T ∼ W ( T ) T T By simmetry and transitivity of ∼ (Lemma 1), we conclude: T T ∼ W ( T ) T T ⊓⊔ Lemma 9. T WR T = ⇒ T ⇄ T Proof.
By applying Lemma 8 twice: T T ∼ W ( T ) T T T T ∼ W ( T ) T T Let P = P \ ( W ( T ) ∪ W ( T )). Since P ∩ W ( T ) = ∅ = P ∩ W ( T ), by apply-ing Definition 5 twice: ǫ ∼ P T ǫ ∼ P T hen, since ∼ P is a congruence: T T ∼ P T T Summing up: T T ∼ P ∪ ( W ( T ) ∪ W ( T )) T T from which we obtain the thesis, since ∼ P = ∼ . ⊓⊔ Lemma 10. T T = ⇒ ∃ W, R : T WR T Proof.
Straightforward from Definition 6 and Definition 7. ⊓⊔ Theorem 2. T T ′ = ⇒ T ⇄ T ′ . ⋄ Proof.
By Lemma 10 and Lemma 9. ⊓⊔ Lemma 3.
For all static analyses W and R : (i) WR ⊆ ; (ii) if W and R arecomputable, then WR is decidable. ⋄ Proof.
Trivial. ⊓⊔ Theorem 3. ≃ ⊆ ≃ ⇄ . ⋄ Proof.
Straightforward by Theorem 2. ⊓⊔ Lemma 11. B ≃ B ′ = ⇒ B ∼ B ′ Proof.
Direct by Theorems 1 and 3. ⊓⊔ Lemma 12. ⊕ is commutative and associative, with λp. ⊥ as neutral element.Proof. Trivial. ⊓⊔ Lemma 13. If π ⊕ π = π , then π = π π .Proof. Since π ⊕ π is defined, it must be keys( π ) ∩ keys( π ) = ∅ . Let p be aqualified key. We have two cases: – p ∈ keys( π ). Since keys( π ) = keys( π ) ∪ keys( π ), we have two subcases: • p ∈ keys( π ). Then, πp = π p . By disjointness, p keys( π ), and hence π π p = π p . • p ∈ keys( π ). Then, πp = π p = π π p . – p keys( π ). Then, p keys( π ), p keys( π ), and so πp = ⊥ = π π p . ⊓⊔ Lemma 14. If B ⊳ T and B ⊳ T , then B B ⊳ ( T ∪ T ) .Proof. By induction on | B | . For the base case, it must be B = ǫ and hence T = ∅ . Then, B B = B and T ∪ T = T . Therefore, the thesis coincides withthe first hypothesis. For the induction case, it must be B = B ′ T , with | B ′ | = n .Furthermore, it must be T = { T } ∪ T ′ , for some T ′ such that B ′ ⊳ T ′ . Bythe induction hypothesis: B B ′ ⊳ ( T ∪ T ′ )Then: B B ′ T = B B ⊳ ( { T } ∪ T ∪ T ′ ) = T ∪ T ⊓⊔ emma 15. Let B and T be such that B = B T ′ B = ⇒ T WR T ′ . Then, forall B ′ , J B ′ K ∼ R ( T ) J B KJ B ′ K and J B ′ K ∼ W ( T ) J B KJ B ′ K .Proof. A simple induction on | B | , using Definition 5 for the induction case. ⊓⊔ Lemma 16. If T WR T ′ for all T ′ ∈ T and B ⊳ T then, B = B T ′ B = ⇒ T WR T ′ .Proof. A simple induction on | T | . ⊓⊔ Lemma 17. If p | = r T , B ∼ p B and B ∼ q B , then J B T K ∼ q J B K Π ( J B K , T ) .Proof. Let π = Π ( J B K , T ) and π = Π ( J B K , T ). By Definition 8, J B T K = J B K π . Let p ∈ Q . We have two cases: – p ∈ keys( π ). J B K π p = π p = J B K π p = J B T K p = J B T K p – p keys( π ). J B K π p = J B K p = J B K p = J B K π p = J B T K p ⊓⊔ Definition 11.
Let Π be a state updater, and let W be such that ∀ T : W ( T ) | = w T . We say that Π and W are compatible when ∀ σ, T : keys( Π ( σ, T )) ⊆ W ( T ) . We extend the semantics of transactions to finite multisets of transactions.Hereafter, we denote with [] the empty multiset, with [ T , . . . , T n ] the multisetcontaining T , . . . , T n , and with A + B the sum between multisets, i.e. ( A + B )( x ) = A ( x ) + B ( x ) for all x . Definition 12 (Semantics of multisets of transactions).
We denote the se-mantics of a multiset of transactions T , in a state σ and an update collector Π , as J T K Πσ , where the partial function J · K Πσ is defined as: J T K Πσ = σ L T ∈ T Π ( σ, T ) . Hereafter, we say that a multiset T is strongly swappable w.r.t. WR if ∀ T ∈ T , ∀ T ′ ∈ T \ [ T ] : T WR T ′ . Lemma 18. If T is strongly swappable w.r.t. WR , B ⊳ T and Π is compatiblewith W then, for all B : J T K Π J B K = J B KJ B K .Proof. By induction on | B | . For the base case, it must be B = ǫ and T = ∅ , andhence J ∅ K Π J B K = J B K = J ǫ KJ B K . For the induction case, it must be B = B ′ T ,with | B ′ | = n . Clearly, T = { T } ∪ T ′ for some T ′ such that B ′ ⊳ T ′ . Let Π ( J B K , T ) = π T . By the induction hypothesis: J T ′ K Π J B K = J B ′ KJ B K (1)ote that: J T ′ K Π J B K = J B K π ′ (2)Where π ′ L T ′ ∈ T ′ Π ( J B K , T ′ )). Let Π ( J B K , T ) = π T . Since T is strongly swap-pable w.r.t. WR and Π is compatible with W , it must be keys( π ′ ) ∩ keys( π T ) = ∅ ,and hence ( π ′ ⊕ π T ) is defined. Then, it must be: J T K Π J B K = J B K ( π ′ ⊕ π T )= J B K π ′ π T By Lemma 13= J T ′ K Π J B K π T By Equation (2)= J B ′ KJ B K π T By Equation (1) (3)We have that: J B KJ B K = J B ′ T KJ B K = J B ′ KJ B K π ′ T Where π ′ T = Π ( J B ′ KJ B K , T ). As keys( π T ) ⊆ W ( T ) and keys( π T ) ⊆ W ( T ), itfollows immediately that J B ′ KJ B K π T ∼ p J B KJ B K for all p W ( T ). It remainsto show that J B ′ KJ B K π T ∼ W ( T ) J B KJ B K . First note that, by Lemmas 15 and 16: J B K ∼ R ( T ) J B ′ KJ B K J B K ∼ W ( T ) J B ′ KJ B K Then, by Lemma 17: J B ′ KJ B K π T ∼ W ( T ) J B KJ B K And hence: J B ′ KJ B K π T = J B KJ B K (4)The thesis J T K Π J B K = J B KJ B K follows by Equations (3) and (4). ⊓⊔ Lemma 19.
Every W is compatible with Π ⋆ .Proof. Trivial. ⊓⊔ We now formalize when a blockchain B is a serialization of a multiset oftransactions T . Definition 13 (Serialization of multisets of transactions).
We define therelation ⊳ between blockchains and multisets of transactions as follows: ǫ ⊳ [] B ⊳ T B T ⊳ ([ T ] + T )The following theorem ensures that the parallel execution of strongly swap-pable transactions is equivalent to any sequential execution of them. Hereafter,we say that a multiset T is strongly swappable if ∀ T ∈ T , ∀ T ′ ∈ T − [ T ] : T T ′ . heorem 6. If T is strongly swappable and B ⊳ T , then, for all reachable σ : J T K Π ⋆ σ = J B K σ .Proof. Direct by Lemmas 18 and 19. ⊓⊔ A parellelized blockchain B is a finite sequence of multisets of transactions;we denote with ǫ the empty sequence. We extend the semantics of multisets(Definition 12) to parallelized blockchains as follows. Definition 14 (Semantics of parallelized blockchains).
The semantics ofparallelized blockchains is defined as follows: J ǫ K Πσ = σ J TB K Πσ = J B K Π J T K Πσ We write J B K Π for J B K Πσ ⋆ , where σ ⋆ is the initial state. We also extend the serialization relation ⊳ (Definition 13) to parallelizedblockchains. Definition 15 (Serialization of parallelized blockchains).
We define therelation ⊳ between blockchains and parallelized blockchains as follows: ǫ ⊳ ǫ B ⊳ T B ⊳ B B B ⊳ TB The following theorem states that our technique to parallelize the transac-tions in a blockchain preserves its semantics.
Theorem 7.
If each multiset in B is strongly swappable and B ⊳ B , then, forall reachable σ : J B K Π ⋆ σ = J B K σ .Proof. By induction on the rule used for deriving B ⊳ B . – Rule: ǫ ⊳ ǫ .The thesis follows trivially, since: J ǫ K σ = σ = J ǫ K Π ⋆ σ – Rule: B ⊳ T B ⊳ B B B ⊳ TB .By Theorem 6, for some reachable σ ′ : J B K σ = σ ′ = J T K Π ⋆ σ By the induction hypothesis: J B K σ ′ = J B K Π ⋆ σ ′ The thesis then follows by: J B K σ ′ = J B B K σ J B K Π ⋆ σ ′ = J TB K Π ⋆ σ ⊓⊔ emma 20. Let N R ( T · · · T n ) = ( P , Tr , F , m ) . Then ( Tr , < ∗ ) is a partial order.Proof. Transitivity and reflexivity hold by definition. For antisymmetricity, as-sume that ( T i , i ) < ∗ ( T j , j ) and ( T j , j ) < ∗ ( T i , i ). Then, it is easy to verify that i ≤ j and j ≤ i , and so i = j . Since T i and T j are uniquely determined by i and j , we have that T i = T j . Therefore, ( T i , i ) = ( T j , j ), as required. ⊓⊔ Lemma 4. N R ( B ) is an occurrence net, for all R and B .Proof. By Figure 2, the first three conditions of the definition of occurrencenet are easy to verify. To prove that F ∗ is acyclic, we proceed by contradiction.Assume that there is a sequence x = x , x , . . . x m such that ( x i , x i +1 ) ∈ F for all0 ≤ i < m , and x = x m with m >
0. Note that the above sequence alternatesbetween transitions and places, and so, since m >
0, at least one place and onetransition occur in x . Further, a place between two transitions t = t ′ can existonly if t < t ′ . Therefore, if t , t ′ occur in x , it must be t < ∗ t ′ and t ′ < ∗ t . So,if x contains at least two transitions, by Lemma 20, we have a contradiction. Ifonly one transition t = ( T , i ) occurs in x , then there is a place of the form ( t , t )occuring in x . Therefore, t < t , which implies i < i — contradiction. ⊓⊔ Lemma 21.
Let N = ( P , Tr , F , m ) be an occurrence net. For all t , t ′ ∈ Tr , if t = t ′ then • t ∩ • t ′ = ∅ .Proof. By contradiction, assume that p ∈ • t ∩ • t ′ with t = t ′ . Then, { t , t ′ } ⊆ p • ,and hence | p • | ≥ ⊓⊔ Lemma 22.
Let m be a reachable marking of an occurrence net N . Then:1. If m t −→ m ′ and m t −→ m ′′ , then m ′ = m ′′ (determinism).2. If m t −→ m ′ , m t ′ −→ m ′′ and t = t ′ , then there exists m ′′′ such that m ′ t ′ −→ m ′′′ and m ′′ t −→ m ′′′ (diamond property).3. If m t −→ −→ ∗ t ′ −→ then t = t ′ (linearity).4. If m t −→ ∗ m then | t | = 0 (acyclicity).Proof. For Item 1, by definition of the firing of transitions of Petri Nets it mustbe m ′ = m − • t + t • = m ′′ .For Item 2, since m t −→ m ′ and m t ′ −→ m ′′ , it must be: • t ⊆ m m ′ = m − • t + t •• t ′ ⊆ m m ′′ = m − • t ′ + t ′• By Lemma 21 it follows that t ′ is enabled at m ′ , and t is enabled at m ′′ . Then,by definition of firing: m ′ t ′ −→ m ′ − • t ′ + t ′• and m ′′ t −→ m ′′ − • t + t • hen: m ′ − • t ′ + t ′• = ( m − • t + t • ) − • t ′ + t ′• = ( m − • t ′ + t ′• ) − • t + t • (as • t ′ ⊆ m )= m ′′ − • t + t • Hence, the thesis follows by choosing m ′′′ = m ′ − • t ′ + t ′• .Item 3 follows directly by induction on the lenght of the reduction −→ ∗ , exploitingthe fact that F ∗ is a partial order.Item 4 follows by the fact that F ∗ is a partial order. ⊓⊔ Lemma 23.
Let N = ( P , Tr , F , m ) be an occurrence net, and let m be a reach-able marking, such that, for some t , m ′ , m ′′ : m n +1 m ′ m ′′ t / t Then, m ′′ −→ n m ′ .Proof. By induction on n . For the base case, it must be m −→ m ′ , and hence m t ′ −→ m ′ for some t ′ . Since m t −→ m ′′ , by the contrapositive of item 2 of Lemma 22(diamond property) it follows t = t ′ , and so, by item 1 of Lemma 22 (determin-ism) we have that m ′ = m ′′ . Clearly: m ′′ −→ m ′ For the inductive case, let n = m + 1, for some m . Then, for some t ′ , m ′′′ : m t ′ −→ m ′′′ −→ m +1 m ′ If t = t ′ , then by item 1 of Lemma 22 (determinism) it follows that m ′′′ = m ′′ ,and so we have the thesis m ′′ −→ n m ′ . Otherwise, if t = t ′ , by item 2 of Lemma 22(diamond property), there must exists m such that: m ′′ t ′ −→ m and m ′′′ t −→ m We are in the following situation: m ′′′ m +1 m ′ m t / t ince m + 1 = n , by the induction hypothesis: m −→ m m ′ Therefore, we have the thesis m ′′ t ′ −→ m −→ m m ′ ⋄ Lemma 24.
Let ( T , i ) , ( T ′ , j ) be transitions of N WR ( B ) , and let m be a reach-able marking. Then: ( T , i ) < ( T ′ , j ) and m ( T ,i ) −−−→ = ⇒ m ( T ′ ,j ) −−−→ Proof.
By the construction in Figure 2, since ( T , i ) < ( T ′ , j ), then p = (( T , i ) , ( T ′ , j ))is a place of the occurrence net, and F (( T , i ) , p ) = 1 and F ( p , ( T ′ , j )) = 1. ⊓⊔ Definition 16 (Independency).
Let N be an occurrence net. We say that twotransitions t and t ′ are independent , in symbols t I t ′ , if t = t ′ and there existsa reachable marking m such that: m t −→ and m t ′ −→ We define the relation ≃ as the least congruence in the monoid Tr ∗ such that,for all t , t ′ ∈ Tr : t I t ′ = ⇒ tt ′ ≃ t ′ t . Lemma 25.
Let N be an occurrence net, with a reachable marking m . If m U −→ then t I t ′ , for all t = t ′ ∈ U .Proof. Since m U −→ , then m t −→ for all t ∈ U . ⊓⊔ Lemma 26.
Let N be an occurrence net, and let m be a reachable marking. If m t −→ ∗ m ′ and m t −→ ∗ m ′ , then t ≃ t .Proof. We proceed by induction on the length of the longest reduction among m t −→ ∗ m ′ and m t −→ ∗ m ′ . For the base case, the thesis is trivial as both t and t are empty. For the inductive case, assume that t is longer or equal to t (theother case is symmetric). Let t = t t ′ . We first show that t is not empty. Bycontradiction, if t is empty, then m = m ′ . But then, by item 4 of Lemma 22(acyclicity) it follows that t is empty as well: contradiction. Therefore, t = t t ′ for some t and t ′ . Clearly, t is longer than t ′ and t ′ . Let m t −→ m and m t −→ m . We have two subcases. – If t = t , by determinism (Lemma 22) it follows that m = m . Let m ′′ = m .By the hypothesis of the lemma, we have m ′′ t ′ −→ ∗ m ′ and m ′′ t ′ −→ ∗ m ′ . Then,by the induction hypothesis we have t ′ ≃ t ′ , and so the thesis t t ′ ≃ t t ′ follows since ≃ is a congruence. If t = t , then by Definition 16 it must be t I t . By the diamond property(Lemma 22), there exists m ′′ such that m −→ m ′′ and m −→ m ′′ . By linearity(item 3 of Lemma 22), m ′ t −−→ and m ′ t −−→ . By Lemma 23, applied on m ,there exists t such that m ′′ t −→ ∗ m ′ and | t | + 1 = | t ′ | . So, we are in thefollowing situation: m ′ m m m ′′ m m ′ / t t ′ t t t t t t ′ / t Therefore, we have that: m −→ t −→ ∗ m ′ and m t ′ −→ ∗ m ′ m −→ t −→ ∗ m ′ and m t ′ −→ ∗ m ′ Note that | t t | = | t t | = | t | + 1 = | t ′ | ≤ | t ′ | < | t | . Hence, by applying theinduction hypothesis twice: t t ≃ t ′ and t t ≃ t ′ Then, since ≃ is a congruence: t t t ≃ t t ′ and t t t ≃ t t ′ Since t I t , then t t t ≃ t t t . By transitivity of ≃ : t = t t ′ ≃ t t t ≃ t t t ≃ t t ′ = t ⊓⊔ Definition 17.
For all sequences of transitions t , we define the set tr ( t ) of thetransitions in t as: tr ( t ) = { t | ∃ t , t : t = t t t } and we extend tr to step firing sequences U as follows:tr ( U ) = [ { U | ∃ U , U : U = U U U } Lemma 27. If t ≃ t ′ then tr ( t ) = tr ( t ′ ) .roof. Trivial by Definition 16. ⊓⊔ Lemma 28.
Let N be an occurrence net, and let m be a reachable marking. If m U −−→ m , m U −−→ m and tr ( U ) = tr ( U ) , then m = m .Proof. Since m U −−→ m and m U −−→ m , there exist sequentialisation t of U and t of U such that m t −→ m and m t −→ m . Since by hypothesis tr ( U ) = tr ( U ),then tr ( t ) = tr ( t ). We proceed by induction on the lenght of t . The base caseis trivial, as m = m = m . For the inductive case, suppose t = t t ′ , with | t ′ | = n . By determinism, there exists a unique marking m ′ such that m t −→ m ′ (a single step). Since tr ( U ) = tr ( U ), it must be t = t t ′ , with | t ′ | = n . Let m ′ be the unique marking such that m t −→ m ′ (a single step).There are two subcases. – If t = t , it must be m ′ = m ′ , and hence the thesis follows immediately bythe induction hypothesis. – If t = t , by the diamond property (item 1 of Lemma 22), there exists m ′ such that m ′ −→ m ′ and m ′ −→ m ′ . Since t ∈ tr ( t ′ ), by linearity (item 3of Lemma 22) it follows that m t −−→ , and hence, by applying Lemma 23 on m ′ we obtain m ′ t ′′ −→ m for some t ′′ . Summing up, we have that: m ′ t ′ −→ m and m ′ t ′′ −−−→ m Then, by Lemma 26, t ′ ≃ t t ′′ , and hence: t = t t ′ ≃ t t t ′′ By Lemma 27: tr ( t ) = tr ( t t t ′′ )Similarly, we can conclude that m ′ t ′′ −→ m for some t ′′ and that: tr ( t ) = tr ( t t t ′′ )Since tr ( t ) = tr ( t ), we can conclude: tr ( t ′′ ) = tr ( t ′′ )Since | t ′′ | = n − < n + 1 = | t | , the thesis follows by the inductionhypothesis. ⊓⊔ Lemma 29.
Let ( T , i ) and ( T ′ , j ) be transitions of N WR ( B ) . Then: ( T , i ) I ( T ′ , j ) = ⇒ T WR T ′ roof. By Definition 16, ( T , i ) I ( T ′ , j ) implies that ( T , i ) = ( T ′ , j ) and thereexists some reachable marking m such that m ( T ,i ) −−−→ and m ( T ′ ,j ) −−−→ . By contradic-tion, assume that ¬ ( T WR T ′ ). Then, since i < j or j > i , by Figure 2 we wouldhave that ( T , i ) < ( T ′ , j ) or ( T ′ , j ) < ( T , i ). Then, by Lemma 24 we obtain acontradiction. ⊓⊔ Definition 18.
Let N R ( B ) = ( P , Tr , F , m ) . We define the function α : Tr → Tx as α ( T , i ) = T . We then extend α to a function from steps to multisets oftransactions as follows: α ( ∅ ) = [] α ( U ∪ { t } ) = [ α ( t )] + α ( U ) Finally, we extend α to finite sequences of steps as follows: α ( ǫ ) = ǫ α ( U U ) = α ( U ) α ( U ) Lemma 30.
Let N R ( B ) = ( P , Tr , F , m ) , and let U be a step firing sequence.Then, for all Π, σ : J U K Πσ = J α ( U ) K Πσ Lemma 31. If t ≃ t ′ in N WR ( B ) , then α ( t ) ≃ WR α ( t ′ ) .Proof. Define: ≃ ′ = n ( t , t ′ ) (cid:12)(cid:12)(cid:12) α ( t ) ≃ WR α ( t ′ ) o It suffice to show that ≃ ⊆ ≃ ′ . Note that ≃ ′ is a congruence satisfying: T WR T ′ = ⇒ ( T , i )( T ′ , j ) ≃ ′ ( T ′ , j )( T , i )But then, by Lemma 29, it follows that ≃ ′ also satisfies:( T , i ) I ( T ′ , j ) = ⇒ ( T , i )( T ′ , j ) ≃ ′ ( T ′ , j )( T , i ) (5)Since ≃ is the smallest congruence satisfying eq. (5), we have that ≃ ⊆ ≃ ′ , asrequired. ⊓⊔ Theorem 5.
Let B = T · · · T n . Then, in N ( B ) :(a) if m U −→ m and m U ′ −→ m , then J U K Π ⋆ σ = J U ′ K Π ⋆ σ , for all reachable σ ;(b) { ( T , } · · · { ( T n , n ) } is a maximal step firing sequence;(c) for all maximal step firing sequences U , for all reachable σ , J U K Π ⋆ σ = J B K σ .Proof. For item (a), assume that m U −→ m and m U ′ −→ m . A standard resultfrom Petri nets theory ensures that there exists sequentializations t of U and t ′ of U ′ such that: m t −→ m and m t ′ −→ m By Lemma 26, it must be t ≃ t ′ . Then, by Lemma 31: α ( t ) ≃ α ( t ′ )y Lemma 11: J α ( t ) K σ = J α ( t ′ ) K σ By Lemmas 25 and 29, it follows that all multisets of transactions in α ( U ), aswell as those in α ( U ′ ), are strongly swappable. Therefore, by Theorem 7: J α ( U ) K Π ⋆ σ = J α ( U ′ ) K Π ⋆ σ Then, by Lemma 30: J U K Π ⋆ σ = J U ′ K Π ⋆ σ For item (c), let U ′ = [ t ] . . . [ t n ], where n = | B | . It is trivial to see that U ′ ismaximal and that B ⊳ α ( U ′ ). By Theorem 7: J α ( U ′ ) K Π ⋆ σ = J B K σ Since U and U ′ are both maximal, by Lemma 28 and by item (a), it followsthat: J U ′ K Π ⋆ σ = J U K Π ⋆ σ Since J U ′ K Π ⋆ σ = J α ( U ′ ) K Π ⋆ σ (by Lemma 30), and so: J U K Π ⋆ σ = J B K σ ⊓⊔ Full implementation of the ERC721 Token pragma solidity >= 0.4.2; contract
Token { mapping ( uint256 => address ) owner ; mapping ( uint256 => address ) approved ; mapping ( uint256 => bool ) exists ; mapping ( address => uint256 ) balance ; mapping ( address => mapping ( address => bool ))operatorApprovals ; function ownerOf ( uint256 tokenId ) external view returns (address ) {require ( exists [ tokenId ]) ;require ( owner [ tokenId ] != address (0) ); return owner [ tokenId ];} function balanceOf ( address addr ) external view returns (uint256 ) {require ( addr != address (0) ); return balance [ addr ];} function approve ( address addr , uint256 tokenId ) external {require ( exists [ tokenId ]);require ( owner [ tokenId ] == msg . sender && addr != msg . sender );approved [ tokenId ] = addr ;} function setApprovalForAll ( address operator , bool isApproved )external {operatorApprovals [ msg . sender ][ operator ] = isApproved ;} function getApproved ( uint256 tokenId ) external view returns (address ) {require ( exists [ tokenId ]) ; return approved [ tokenId ];} function isApprovedForAll ( address addr , address operator )external view returns ( bool ) { return operatorApprovals [ addr ][ operator ];} function transferFrom( address from , address to , uint256tokenId ) external {require ( exists [ tokenId ]) ;require ( from == owner [ tokenId ] && from != to );require (to != address (0) ); f ( from == msg . sender || operatorApprovals [ from ][ msg . sender ] || approved [ tokenId ] == msg . sender ) {owner [ tokenId ] = to;approved [ tokenId ] = address (0) ;balance [ from ] -= 1;balance [to ] += 1;}} function mint ( address to , uint256 tokenId ) external {require (! exists [ tokenId ]);require (to != address (0) );exists [ tokenId ] = true ;owner [ tokenId ] = to ;balance [to ] += 1;}} We have the following safe approximations of read/written keys of the