Adding Barrier synchronization and Auxiliary Variable examples #177
Conversation
|
Thank you for the contributions! Could you please greatly expand both of the READMEs? It should be very clear what each spec is about. |
muenchnerkindl
left a comment
muenchnerkindl
left a comment
There was a problem hiding this comment.
Thanks for these contributions. In particular, the one that constructs a refinement from the two-process lock algorithm to Peterson shows how TLA+ can be used for proving trace equivalence between a high-level and a low-level spec. Although I appreciate your use of TLAPS throughout the developments, I'd suggest to include a few more sanity checks using TLC. Also, morally one assumption should be turned into a theorem (and it is actually true).
Finally, did you try to add your examples to manifest.json and to the top-level README.md? (If you find it too tricky, we can do it for you.)
specifications/barriers/README.md
Outdated
| A refinement towards an abstract Barrier specification is proven with TLAPS. | ||
|
|
||
| The main invariant `Inv` is verified in the provided model for $N = 7$ | ||
| processes. |
There was a problem hiding this comment.
Barriers.tla proves other invariants as well, perhaps they could be included in the configuration? And the proof in Barriers.tla culminates in verifying refinement between the two specifications, TLC could also be used to check this for a finite instance.
specifications/barriers/README.md
Outdated
|
|
||
| ## Barrier.tla | ||
|
|
||
| A specification of an abstract Barrier. No model is provided. No newline at end of file |
There was a problem hiding this comment.
Wouldn't it make sense to have TLC check a basic property of that specification as well?
| VARIABLE s | ||
| INSTANCE Stuttering | ||
|
|
||
| ASSUME AltStutterConstantCondition(1..2, 1, LAMBDA j : j-1) |
There was a problem hiding this comment.
Why is this an assumption? The predicate boils down to
ReachBot[{1}] = 1 .. 2
(with ReachBot defined in the definition of the predicate) and indeed a quick calculation shows that
ReachBot[{1}] = ReachBot[{1,2}] = {1,2}
so the condition holds, so this should really be a theorem. The TLAPS proof of that theorem may be tricky because it involves a recursive function (which, moreover, is defined inside a LET), if you have trouble with it, I can have a try at it.
There was a problem hiding this comment.
I could not write a proof for this property, as my knowledge of recursive definitions in TLA+ are lacking.
I would gladly accept some help for this.
| ## Peterson.tla | ||
|
|
||
| The specification of Peterson's algorithm in PlusCal, and the refinement proof | ||
| towards `Lock!Spec` |
There was a problem hiding this comment.
This refinement could also be checked using TLC.
|
|
||
| The extension of `Lock.tla` using a history variable `h_turn` and a stutter | ||
| variable `s`, provided by the `Stuttering.tla` module. | ||
| A refinement proof towards `Peterson!Spec` is presented within. |
There was a problem hiding this comment.
Again, it would make sense to use TLC for checking the different theorems proved in this module?
|
I tried to improve the READMEs and the different models. Concerning manifest.json, the sheer size of the manifest-schema makes me reticent to try and modify it myself. |
muenchnerkindl
left a comment
muenchnerkindl
left a comment
There was a problem hiding this comment.
Thanks for your changes in reply to my previous comments! I added a few final suggestions: some possible additional explanations and perhaps remove the "MC..." module (and integrate the checks into the corresponding base models) whose purpose is not clear to me. It's really up to you if you want to take up these suggestions or not.
| @@ -0,0 +1,6 @@ | |||
| ------------------------------- MODULE MCBarriers ------------------------------ | |||
There was a problem hiding this comment.
Why do you really need this module? Usually "MC..." modules are introduced for specializing definitions or introducing additional bounds for model checking, but this is not done here. It looks like you could just add the definition to Barriers.tla and the property to Barriers.cfg?
|
|
||
| (** | ||
| --algorithm Barrier { | ||
| variables |
There was a problem hiding this comment.
It would help the reader if you could add comments describing the purpose of these variables and the basic structure of the algorithm.
|
|
||
| TypeOK == | ||
| /\ pc \in [ProcSet -> {"b0", "b1"}] | ||
|
|
There was a problem hiding this comment.
Perhaps it would make sense to add the property
[][\A p,q \in ProcSet : pc[p] = "b0" /\ pc[q] = "b1" => pc'[q] = "b1"]_vars
that describes the idea of the barrier?
specifications/barriers/README.md
Outdated
| A model `MCBarriers.cfg` and its companion `MCBarriers.tla` verifies if | ||
| `B!Spec` (the abstract Barrier specification) holds for `Spec` | ||
|
|
||
| ## Barrier.tla |
There was a problem hiding this comment.
I think it would make sense to talk about Barrier.tla before Barriers.tla – in particular since you mention it in the "Refinement" section.
specifications/barriers/README.md
Outdated
|
|
||
| The usual typing invariant is defined. | ||
|
|
||
| A model with the same amount of processes as above is provided. No newline at end of file |
There was a problem hiding this comment.
amount -> number (counted, not weighed)
| @@ -0,0 +1,7 @@ | |||
| ------------------------------- MODULE MCLockHS ------------------------------- | |||
There was a problem hiding this comment.
Again, I wonder why you choose to introduce a separate module for this, given that you already use the model checker on the base LockHS module.
| @@ -0,0 +1,6 @@ | |||
| ------------------------------ MODULE MCPeterson ------------------------------ | |||
There was a problem hiding this comment.
Same question here: I'd remove this module and include the check in the base Peterson.cfg model.
| VARIABLE s | ||
| INSTANCE Stuttering | ||
|
|
||
| THEOREM StutterConstantCondition(1..2, 1, LAMBDA j : j-1) |
There was a problem hiding this comment.
Perhaps add a comment saying that this theorem justifies the introduction of s as a stuttering variable in action l1HS below?
|
This repository requires DCO signoff on all commits. |
|
I opened PR JarodDif#1 which should add these specs to CI validation. |
|
To avoid other weird merge conflicts it's fine to merge this with .ciignore entries in place then I'll add the specs to CI validation later. The specs will have to be removed from the README table for now. |
|
Would this suffice ? |
|
Yes, the CI will probably now pass. You still need to add DCO signoff to all your commits (see instructions provided by github here: https://github.com/tlaplus/Examples/pull/177/checks?check_run_id=47140681764) and expand the READMEs. |
Signed-off-by: JarodDif <[email protected]>
Signed-off-by: JarodDif <[email protected]>
Signed-off-by: JarodDif <[email protected]>
Signed-off-by: JarodDif <[email protected]>
Signed-off-by: JarodDif <[email protected]>
Co-authored-by: Stephan Merz <[email protected]> Signed-off-by: JarodDif <[email protected]>
Signed-off-by: JarodDif <[email protected]>
Adding descriptions Signed-off-by: JarodDif <[email protected]>
Signed-off-by: JarodDif <[email protected]>
Signed-off-by: JarodDif <[email protected]>
Signed-off-by: JarodDif <[email protected]>
|
Looks good! Just clear up that sentence fragment in the barriers README and I will merge. |
Signed-off-by: JarodDif <[email protected]>
|
This should fix the incomplete sentence. Thank you for your time and help. |
|
Thank you for the wonderful examples! |
Specs were added in tlaplus#177 Signed-off-by: Andrew Helwer <[email protected]>
Specs were added in tlaplus#177 Signed-off-by: Andrew Helwer <[email protected]>
Specs were added in tlaplus#177 Signed-off-by: Andrew Helwer <[email protected]>
Specs were added in #177 Signed-off-by: Andrew Helwer <[email protected]>
4 participants
This PR contains two specifications created for my Master's thesis that could interest the community.
The specifications have not been added to the CI.