-
Notifications
You must be signed in to change notification settings - Fork 200
/
Consensus.tla
58 lines (49 loc) · 2.67 KB
/
Consensus.tla
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
----------------------------- MODULE Consensus ------------------------------
EXTENDS Naturals, FiniteSets, TLAPS, FiniteSetTheorems
CONSTANT Value
(*************************************************************************)
(* The set of all values that can be chosen. *)
(*************************************************************************)
VARIABLE chosen
(*************************************************************************)
(* The set of all values that have been chosen. *)
(*************************************************************************)
(***************************************************************************)
(* The type-correctness invariant. *)
(***************************************************************************)
TypeOK == /\ chosen \subseteq Value
/\ IsFiniteSet(chosen)
(***************************************************************************)
(* The initial predicate and next-state relation. *)
(***************************************************************************)
Init == chosen = {}
Next == /\ chosen = {}
/\ \E v \in Value : chosen' = {v}
(***************************************************************************)
(* The complete spec. *)
(***************************************************************************)
Spec == Init /\ [][Next]_chosen
-----------------------------------------------------------------------------
(***************************************************************************)
(* Safety: At most one value is chosen. *)
(***************************************************************************)
Inv == /\ TypeOK
/\ Cardinality(chosen) \leq 1
THEOREM Invariance == Spec => []Inv
<1>1. Init => Inv
BY FS_EmptySet DEF Init, Inv, TypeOK
<1>2. Inv /\ [Next]_chosen => Inv'
<2>1. Inv /\ Next => Inv'
BY FS_Singleton DEF Inv, TypeOK, Next
<2>2. Inv /\ UNCHANGED chosen => Inv'
BY DEF Inv, TypeOK
<2>. QED BY <2>1, <2>2
<1>3. QED BY <1>1, <1>2, PTL DEF Spec
-----------------------------------------------------------------------------
(***************************************************************************)
(* Liveness: A value is eventually chosen. *)
(***************************************************************************)
Success == <>(chosen # {})
LiveSpec == Spec /\ WF_chosen(Next)
THEOREM LivenessTheorem == LiveSpec => Success
=============================================================================