-
Notifications
You must be signed in to change notification settings - Fork 200
/
MultiPaxos_MC.tla
75 lines (58 loc) · 2.27 KB
/
MultiPaxos_MC.tla
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
---- MODULE MultiPaxos_MC ----
EXTENDS MultiPaxos
(****************************)
(* TLC config-related defs. *)
(****************************)
ConditionalPerm(set) == IF Cardinality(set) > 1
THEN Permutations(set)
ELSE {}
SymmetricPerms == ConditionalPerm(Replicas)
\cup ConditionalPerm(Writes)
\cup ConditionalPerm(Reads)
ConstMaxBallot == 2
----------
(*************************)
(* Type check invariant. *)
(*************************)
TypeOK == /\ \A m \in msgs: m \in Messages
/\ \A s \in Replicas: node[s] \in NodeStates
/\ Len(pending) =< NumCommands
/\ Cardinality(Range(pending)) = Len(pending)
/\ \A c \in Range(pending): c \in Commands
/\ Len(observed) =< 2 * NumCommands
/\ Cardinality(Range(observed)) = Len(observed)
/\ Cardinality(reqsMade) >= Cardinality(acksRecv)
/\ \A e \in Range(observed): e \in ClientEvents
THEOREM Spec => []TypeOK
----------
(*******************************)
(* Linearizability constraint. *)
(*******************************)
ReqPosOfCmd(c) == CHOOSE i \in 1..Len(observed):
/\ observed[i].type = "Req"
/\ observed[i].cmd = c
AckPosOfCmd(c) == CHOOSE i \in 1..Len(observed):
/\ observed[i].type = "Ack"
/\ observed[i].cmd = c
ResultOfCmd(c) == observed[AckPosOfCmd(c)].val
OrderIdxOfCmd(order, c) == CHOOSE j \in 1..Len(order): order[j] = c
LastWriteBefore(order, j) ==
LET k == CHOOSE k \in 0..(j-1):
/\ (k = 0 \/ order[k] \in Writes)
/\ \A l \in (k+1)..(j-1): order[l] \in Reads
IN IF k = 0 THEN "nil" ELSE order[k]
IsLinearOrder(order) ==
/\ {order[j]: j \in 1..Len(order)} = Commands
/\ \A j \in 1..Len(order):
ResultOfCmd(order[j]) = LastWriteBefore(order, j)
ObeysRealTime(order) ==
\A c1, c2 \in Commands:
(AckPosOfCmd(c1) < ReqPosOfCmd(c2))
=> (OrderIdxOfCmd(order, c1) < OrderIdxOfCmd(order, c2))
Linearizability ==
terminated =>
\E order \in [1..NumCommands -> Commands]:
/\ IsLinearOrder(order)
/\ ObeysRealTime(order)
THEOREM Spec => Linearizability
====