[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [tlaplus] TLA+ model of OneThirdRule algorithm from "A Reduction Theorem" paper

Hello Stephan,

Thanks so much for your clarification! After excluding heardof from state view I got exactly those results stated in the table.

> Anyway, we only included these experiments in order to demonstrate the interest of the theorem shown earlier in the paper
As far as I understand, the main idea of the paper is that an algorithm expressed in HO model can be model-checked with respect to
'local property' in coarse-grained model without loosing any meaningful states compared to fine-grained model.

Not sure if this forum is a right place for such a side note but anyway:

As far as I understand HO model by some reasons is especially well-suited for consensus algorithms, but as for some mutual exclusion algorithms it is not so.
I was wondering if HO model can be extended with N, number of alive processes as seen by environment fault detector on the current round, as a parameter giving
more expressive power to the model.

It may resemble RRFD by Gafni, but actually it still abstracts concrete set of suspected/alive processes into just a number.
Potentially this could lead to a bigger class of algorithms checkable/provable in a reasonable time with a help of (extended) reduction theorem.
It is then takes its place somewhere in the middle between rather concrete RRFD and rather abstract HO.

Maybe you have investigated something similar towards this line of thought?

вторник, 18 апреля 2017 г., 19:59:11 UTC+3 пользователь Stephan Merz написал:
Hi Evgeniy,

thanks for your interest in this paper. The modules that I used are attached to this message, and I think they are equivalent to what you have, modulo comments, renaming, and some auxiliary definitions. The difference in performance comes from the fact that I used a VIEW specification so that TLC identifies any two states that only differ in the value of the auxiliary (history) variable heardof, as indicated in the last sentence of section 4 of the paper (p.13): this variable is useful essentially for interpreting counter-examples displayed by TLC but does not affect the behavior of the algorithm. In particular, it is not referred to by any predicate that is used in the specification. I am sorry if the explanation/hint in the paper is a little cryptic.

Anyway, we only included these experiments in order to demonstrate the interest of the theorem shown earlier in the paper: they are extremely naive as far as model checking fault-tolerant algorithms goes. If you really want to learn about model checking this kind of algorithm, I suggest that you look at the recent work by Igor Konnov et al. [1].

Best regards,


[1] http://forsyte.at/people/konnov/