Just to illustrate what is happening, I'm sharing 8 states out of the 17-state trace I got after verifying whether Spec satisfies Property (this time, with three nodes instead of two).

This trace is slightly edited for clarity, highlighting changed variables in green.

As a reminder, this is Property:

Property ==

[](

(/\ ThereIsAnElection

/\ []EveryoneStaysActiveDuringElection) =>

<>ElectionWorks

)

[](

(/\ ThereIsAnElection

/\ []EveryoneStaysActiveDuringElection) =>

<>ElectionWorks

)

According to the second condition in Property, state 8 shouldn't happen, because no element in 02_inElectionImpliesActive should be FALSE.

Alias 02_inElectionImpliesActive is defined as [ node \in NodeSet |-> InElection(node) => isActive[node] ],

whereas EveryoneStaysActiveDuringElection is defined as \A node \in NodeSet: InElection(node) => isActive[node].

1: <Initial predicate>

/\ 00_inElection = <<FALSE, FALSE, FALSE>>

/\ 01_someNodeInElection = FALSE

/\ 02_inElectionImpliesActive = <<TRUE, TRUE, TRUE>>

2: Fail

/\ 00_inElection = <<FALSE, FALSE, FALSE>>

/\ 01_someNodeInElection = FALSE

/\ 02_inElectionImpliesActive = <<TRUE, TRUE, TRUE>>

3: CheckCoordinator

/\ 00_inElection = <<FALSE, FALSE, FALSE>>

/\ 01_someNodeInElection = FALSE

/\ 02_inElectionImpliesActive = <<TRUE, TRUE, TRUE>>

4: Election0

/\ 00_inElection = <<FALSE, TRUE, FALSE>>

/\ 01_someNodeInElection = TRUE

/\ 02_inElectionImpliesActive = <<TRUE, TRUE, TRUE>>

5: Election1

/\ 00_inElection = <<FALSE, TRUE, FALSE>>

/\ 01_someNodeInElection = TRUE

/\ 02_inElectionImpliesActive = <<TRUE, TRUE, TRUE>>

6: Recover

/\ 00_inElection = <<FALSE, TRUE, FALSE>>

/\ 01_someNodeInElection = TRUE

/\ 02_inElectionImpliesActive = <<TRUE, TRUE, TRUE>>

7: Election2

/\ 00_inElection = <<TRUE, TRUE, FALSE>>

/\ 01_someNodeInElection = TRUE

/\ 02_inElectionImpliesActive = <<TRUE, TRUE, TRUE>>

8: Fail

/\ 00_inElection = <<TRUE, TRUE, FALSE>>

/\ 01_someNodeInElection = TRUE

/\ 02_inElectionImpliesActive = <<FALSE, TRUE, TRUE>>

/\ 00_inElection = <<FALSE, FALSE, FALSE>>

/\ 01_someNodeInElection = FALSE

/\ 02_inElectionImpliesActive = <<TRUE, TRUE, TRUE>>

2: Fail

/\ 00_inElection = <<FALSE, FALSE, FALSE>>

/\ 01_someNodeInElection = FALSE

/\ 02_inElectionImpliesActive = <<TRUE, TRUE, TRUE>>

3: CheckCoordinator

/\ 00_inElection = <<FALSE, FALSE, FALSE>>

/\ 01_someNodeInElection = FALSE

/\ 02_inElectionImpliesActive = <<TRUE, TRUE, TRUE>>

4: Election0

/\ 00_inElection = <<FALSE, TRUE, FALSE>>

/\ 01_someNodeInElection = TRUE

/\ 02_inElectionImpliesActive = <<TRUE, TRUE, TRUE>>

5: Election1

/\ 00_inElection = <<FALSE, TRUE, FALSE>>

/\ 01_someNodeInElection = TRUE

/\ 02_inElectionImpliesActive = <<TRUE, TRUE, TRUE>>

6: Recover

/\ 00_inElection = <<FALSE, TRUE, FALSE>>

/\ 01_someNodeInElection = TRUE

/\ 02_inElectionImpliesActive = <<TRUE, TRUE, TRUE>>

7: Election2

/\ 00_inElection = <<TRUE, TRUE, FALSE>>

/\ 01_someNodeInElection = TRUE

/\ 02_inElectionImpliesActive = <<TRUE, TRUE, TRUE>>

8: Fail

/\ 00_inElection = <<TRUE, TRUE, FALSE>>

/\ 01_someNodeInElection = TRUE

/\ 02_inElectionImpliesActive = <<FALSE, TRUE, TRUE>>

...

Interestingly, checking Property2 == [](ThereIsAnElection => <>ElectionWorks) against

Next2 == Next /\ EveryoneStaysActiveDuringElection'

Spec2 == Init /\ [][Next2]_vars /\ Fairness

works just fine. (Thanks again, Hillel!)

So there's a problem in my definition of Property that I cannot find.

Best regards, and thanks again, everyone,

Jones

