[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [tlaplus] Re: [noob] Liveness property not violated as expected



Actually, i have one tiny problem left, my fairness specification doesn't work, and my spec fails due to stuttering. The fairness spec is as simple as it can get:

variables == <<msgQueue, proc1Queue, resultQueue>>

FairnessSpec == WF_<<variables>>(Callback)\*Same Callback as in the code above

However, in the counterexample produced by TLC, Callback is never called. I am not entirely sure what the variables in weak fairness spec do, and i havent been able to find any information on it, but i have tried setting it to all the variables in the spec, just the variables modified by Callback and the variables not modified by Callback, all with the same result. What could be the issue? If its not visible to the naked eye i can provide the full specification.

Sorry for wasting your time with all these easy questions, i wish TLA+ was more popular on StackOverflow, its such an amazing tool!

On Friday, April 5, 2019 at 2:17:53 PM UTC+2, Michael Chonewicz wrote:
Thank you, that makes perfect sense. My problem here was that i was confusing liveness properties and fairness, and that i didn't really understand how the ~> operator works. I thought of it as "left action being called leads to right action being called" instead of "the right condition being true leads to the left condition being true". Thanks a lot for the help! 

On Thursday, April 4, 2019 at 3:00:26 PM UTC+2, Stephan Merz wrote:
You could keep a history of messages that the system has seen at some point and add a precondition to the message input action that requires the message not to be an element of that message history.

However, I speculate (without having seen your spec) that this is not necessary for what you are trying to verify: presumably there is no fairness condition for inputting a new message (since it would constrain the environment rather than the system that you are specifying), so the execution in which m1 is input and then lost (and in which m1 never reappears) is a valid counter-example that should be found by TLC.

Stephan

On 3 Apr 2019, at 13:59, Michael Chonewicz <wawrzync...@xxxxxxxxx> wrote:

Yes, thank you, it does help. I think i can implement this, but i still have one doubt. 

As i mentioned before, technically, every Message is unique throughout the entire lifetime of the system. I dont know how to specify my model value messages like that. I suspect, that what might happen is for example: The system receives message m1, then looses it, which would violate the liveness property. But then after a while, TLC inputs m1 again, which this time is not lost, thus satisfying the liveness property in the end. Can i somehow prevent that from happening? Is that even an issue?

On Tuesday, April 2, 2019 at 5:18:32 PM UTC+2, Stephan Merz wrote:
Stepping back a bit, it appears to me that you'd like to check a property of the form

  A ~> B

where A and B are both actions. Such a formula is not syntactically well-formed in TLA (although it is indeed stuttering invariant). TLA allows such a formula to be written only if A and B are temporal formulas, including state predicates. You can work around this limitation by adding variables done_A and done_B that are initialized to FALSE and set to true whenever A and B happen. Then check the property

  done_A ~> done_B

(Since your actual actions take parameters the details are a bit more complicated and you may need to use functions but I think you get the idea.)

In practice, you won't actually need to introduce these helper variables because the system state probably already contains enough information to tell you when A and B occurred. The overall idea is to replace the actions by suitable state predicates.

Hope this helps,
Stephan

On 2 Apr 2019, at 16:57, Michael Chonewicz <wawrzync...@gmail.com> wrote:

Yes, they are both TRUE. My understanding was that ReceiveCallback(msg) ~> ResultCallback(result) assures that a call to the ReceiveCallback will eventually lead to ResultCallback. But it doesn't matter what i do with the message inside of these actions, so I just return TRUE. My thinking was that if ResultCallback never gets called, it cannot be TRUE, thus failing the liveness condition. 

This does seem sketchy now that you have pointed it out, but I dont really know what i could put in there, since the only purpose of those actions was to use them in the LivenessSpec. Maybe you know how else i could solve this?

On Tuesday, April 2, 2019 at 3:43:29 PM UTC+2, Jay Parlar wrote:


On Tuesday, 2 April 2019 05:50:36 UTC-4, Michael Chonewicz wrote:
Ah, so thats what it was! Thank you. I have modified ReceiveMsg to look like this:

ReceiveCallback(msg) ==
    TRUE
And used ReceiveCallback in the liveness instead of ReceiveMsg:

LivenessSpec ==
    
/\ \A msg \in Message :
        
\E result \in ResultssForMsg(msg) : 
            
ReceiveCallback(msg) ~> ResultCallback(result)

The ResultCallback already looked like ReceiveCallback above. This fixed the compile issue. Then i removed the old LivenessSpec from my Spec completely(not even fairness is left):

If I'm understanding correctly, you're saying that `ReceiveCallback` and `ResultCallback` are _both_ just equivalent to TRUE?

If that's the case, then the temporal property is trivially satisfied for every behaviour. It comes down to `TRUE -> TRUE`.

Or have I misunderstood?

Jay P.


-- 
You received this message because you are subscribed to the Google Groups "tlaplus" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tla...@googlegroups.com.
To post to this group, send email to tla...@googlegroups.com.
Visit this group at https://groups.google.com/group/tlaplus.
For more options, visit https://groups.google.com/d/optout.


-- 
You received this message because you are subscribed to the Google Groups "tlaplus" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tla...@xxxxxxxxxxxxxxxx.
To post to this group, send email to tla...@xxxxxxxxxxxxxxxx.
Visit this group at https://groups.google.com/group/tlaplus.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "tlaplus" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tlaplus+unsubscribe@xxxxxxxxxxxxxxxx.
To post to this group, send email to tlaplus@xxxxxxxxxxxxxxxx.
Visit this group at https://groups.google.com/group/tlaplus.
For more options, visit https://groups.google.com/d/optout.