Applying a Theorem Prover to the Verification of Optimistic Replication Algorithms

Abdessamad Imine and Michaël Rusinowitch
LORIA-INRIA Lorraine, France, {imine,rusi}@loria.fr

Abstract. The Operational Transformation (OT) approach is a technique for supporting optimistic replication in collaborative and mobile systems. It allows the users to concurrently update the shared data and exchange their updates in any order, since the convergence of all replicas, i.e. the fact that all users view the same data, is ensured in all cases. However, designing algorithms for achieving convergence with the OT approach is a critical and challenging issue. In this paper, we address this issue for the important case where the shared data has a linear structure such as lists, texts, ordered XML trees, etc. We analyze the problem and we propose a generic solution with its formal analysis. We also show in this work how to support the formal design of an OT algorithm with a rewrite-based theorem prover. This theorem prover enables us to envisage the large number of cases required for the correctness proof of the algorithm. Since the manual proofs of all previously published algorithms were wrong, this shows the decisive advantage of using an automatic prover in this context.

1 Introduction

Users involved in collaborative and mobile environments generally work on replicas of shared data. During disconnection periods, they can concurrently execute updates on replicas. This leads to potentially divergent replicas (i.e. different states). One of the main issues in such environments is to maintain consistency (or convergence) among replicas after reconnection. Originating from real-time groupware research [7], the Operational Transformation (OT) approach provides an interesting solution [8, 17] to this problem. Using this approach, after reconnection, a user A might get an operation op previously executed during disconnection by some other user B on a replica of the shared data. Rather than executing op "as is" on his replica, User A may have to execute a variant of op, say op' (called a transformation of op) that intuitively intends to achieve the same effect as op. When the transformed operations are executed, they create the illusion that all operations have been executed in the intended execution context and in the intended order.

Compared to other replication systems [20], the advantages of the OT approach are: (i) it enables an unconstrained concurrency, i.e. it does not require any global order on concurrent operations unlike traditional consistency criteria
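As an added illustration (not code from the paper), the following Python snippet shows the mechanism the introduction describes for a text replica: insert/delete operations, a transformation function T(op1, op2) that rewrites op1 so it can run after a concurrent op2, and an exhaustive check of the convergence condition over all pairs of concurrent operations on a small string. The operation encoding, the site-id tie-break for inserts at equal positions, and the `tie_break` switch (which lets the check expose the divergence that a naive transformation produces) are assumptions of this example.

```python
from itertools import product

# Operations on a text replica (constructed for this example):
#   ('ins', pos, char, site)  insert char at pos
#   ('del', pos, site)        delete the char at pos
#   ('nop', 0, site)          identity, produced when both sites delete the same char

def apply_op(s, op):
    """Execute one operation on string s and return the new state."""
    kind, pos = op[0], op[1]
    if kind == 'ins':
        return s[:pos] + op[2] + s[pos:]
    if kind == 'del':
        return s[:pos] + s[pos + 1:]
    return s

def transform(op1, op2, tie_break=True):
    """Return op1' = T(op1, op2): op1 rewritten so that executing it after
    the concurrent op2 has the effect op1 intended on the common state."""
    k1, p1, site1 = op1[0], op1[1], op1[-1]
    k2, p2 = op2[0], op2[1]
    if k1 == 'ins' and k2 == 'ins':
        # Equal positions need a deterministic order both sites agree on;
        # here the lower site id goes first (an assumption of this example).
        if p1 < p2 or (p1 == p2 and (not tie_break or site1 < op2[-1])):
            return op1
        return ('ins', p1 + 1, op1[2], site1)
    if k1 == 'ins' and k2 == 'del':
        return op1 if p1 <= p2 else ('ins', p1 - 1, op1[2], site1)
    if k1 == 'del' and k2 == 'ins':
        return op1 if p1 < p2 else ('del', p1 + 1, site1)
    if p1 < p2:                      # del against del
        return op1
    if p1 > p2:
        return ('del', p1 - 1, site1)
    return ('nop', 0, site1)         # same char already removed by op2

def converges(s, op1, op2, tie_break=True):
    """Convergence condition (TP1): both execution orders reach the same state."""
    a = apply_op(apply_op(s, op1), transform(op2, op1, tie_break))
    b = apply_op(apply_op(s, op2), transform(op1, op2, tie_break))
    return a == b

def tp1_counterexamples(s='abc', tie_break=True):
    """Enumerate every pair of concurrent operations from two sites on s and
    return the pairs that violate TP1 (an empty list means TP1 holds on s)."""
    ops = [('ins', p, c, site) for p in range(len(s) + 1) for c in 'xy' for site in (0, 1)]
    ops += [('del', p, site) for p in range(len(s)) for site in (0, 1)]
    return [(o1, o2) for o1, o2 in product(ops, ops)
            if o1[-1] != o2[-1] and not converges(s, o1, o2, tie_break)]
```

With the tie-break enabled the enumeration finds no violating pair; without it, two inserts at the same position from different sites diverge, which is the kind of case a mechanical check catches and a hand proof can overlook.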