-
Notifications
You must be signed in to change notification settings - Fork 200
/
ACP_NB_WRONG_TLC.tla
121 lines (93 loc) · 4.83 KB
/
ACP_NB_WRONG_TLC.tla
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
--------------------------- MODULE ACP_NB_WRONG_TLC ----------------------------
\* Erroneous Non blocking Atomic Committment Protocol (ACP-NB)
\* The mistake is to deliver a broacast message locally *before* it has been
\* forwarded to other participants.
\* This protocol does not satisfy the consistency property AC1
EXTENDS ACP_SB
--------------------------------------------------------------------------------
\* Participants type is extended with a "forward" variable.
\* Coordinator type is unchanged.
TypeInvParticipantNB == participant \in [
participants -> [
vote : {yes, no},
alive : BOOLEAN,
decision : {undecided, commit, abort},
faulty : BOOLEAN,
voteSent : BOOLEAN,
forward : [ participants -> {notsent, commit, abort} ]
]
]
TypeInvNB == TypeInvParticipantNB /\ TypeInvCoordinator
--------------------------------------------------------------------------------
\* Initially, participants have not forwarded anything yet
InitParticipantNB == participant \in [
participants -> [
vote : {yes, no},
alive : {TRUE},
decision : {undecided},
faulty : {FALSE},
voteSent : {FALSE},
forward : [ participants -> {notsent} ]
]
]
InitNB == InitParticipantNB /\ InitCoordinator
--------------------------------------------------------------------------------
\* Participant statements that realize a better broadcast
\* forward(i,j): forwarding of the predecision from participant i to participant j
\* IF
\* particpant i is alive
\* participant i has received a decision and has decided (it shouldn't have decided yet)
\* participant i has not yet forwarded this decision to participant j
\* THEN
\* participant i forwards the decision to participant j
forward(i,j) == /\ i # j
/\ participant[i].alive
/\ participant[i].decision # notsent
/\ participant[i].forward[j] = notsent
/\ participant' = [participant EXCEPT ![i] =
[@ EXCEPT !.forward =
[@ EXCEPT ![j] = participant[i].decision]
]
]
/\ UNCHANGED<<coordinator>>
\* decideOnForward(i,j): participant i receives decision from participant j
\* IF
\* participant i is alive
\* participant i has yet to receive a decision
\* participant j has forwarded its decision to participant i
\* THEN
\* participant i decides in accordance with participant j's decision (it should only predecide)
decideOnForward(i,j) == /\ i # j
/\ participant[i].alive
/\ participant[i].decision = undecided
/\ participant[j].forward[i] # notsent
/\ participant' = [participant EXCEPT ![i] =
[@ EXCEPT !.decision = participant[j].forward[i]]
]
/\ UNCHANGED<<coordinator>>
\* abortOnTimeout(i): conditions for a timeout are simulated
\* IF
\* participant is alive and undecided and coordinator is not alive
\* coordinator died before sending decision to all participants who are alive
\* all dead participants died before forwarding decision to a participant who is alive
\* THEN
\* decide abort
abortOnTimeout(i) == /\ participant[i].alive
/\ participant[i].decision = undecided
/\ ~coordinator.alive
/\ \A j \in participants : participant[j].alive => coordinator.broadcast[j] = notsent
/\ \A j,k \in participants : ~participant[j].alive /\ participant[k].alive => participant[j].forward[k] = notsent
/\ participant' = [participant EXCEPT ![i] = [@ EXCEPT !.decision = abort]]
/\ UNCHANGED<<coordinator>>
---------------------------------------------------------------------------------
\* FOR N PARTICIPANTS
parProgNB(i,j) == \/ parProg(i)
\/ forward(i,j)
\/ decideOnForward(i,j)
\/ abortOnTimeout(i)
parProgNNB == \E i,j \in participants : parDie(i) \/ parProgNB(i,j)
progNNB == parProgNNB \/ coordProgN
fairnessNB == /\ \A i \in participants : WF_<<coordinator, participant>>(\E j \in participants : parProgNB(i,j))
/\ WF_<<coordinator, participant>>(coordProgB)
SpecNB == InitNB /\ [][progNNB]_<<coordinator, participant>> /\ fairnessNB
================================================================================