Spec formula for Peterson algorithm


Mursel Musabasic

Feb 26, 2020, 9:37:26 AM
to tlaplus
Hi there,

I was looking for a formal specification of Peterson's algorithm and came across this publication (https://lamport.azurewebsites.net/pubs/tlaps.pdf) where it says, I quote:

"The temporal formula Spec is the complete specification. It characterizes behaviors (ω-sequences of states) that start in a state satisfying Init and where every pair of successive states either satisfies Next or else leaves the values of the tuple vars unchanged."

I'm having a problem understanding the tuple vars in the specified formula. Can anyone explain to me how these variables (turn, flag and pc) relate to the tuple vars? I can understand that some variables stay unchanged during verification, but I couldn't get it in the final Spec temporal formula.

Best regards,

Mursel





Stephan Merz

Feb 26, 2020, 9:49:57 AM
to tla...@googlegroups.com
Hello,

the corresponding TLA+ module is contained in the distribution of the TLA Proof System [1] and also available from [2] (with the temporal reasoning steps omitted because TLAPS didn't support them at the time). In short, the module has the definitions

vars == << flag, turn, pc >>
Spec == Init /\ [][Next]_vars

This is the idiomatic form of TLA+ specifications: the next-state relation allows stuttering steps in which the variables declared in the specification do not change their values.

Stephan

--
You received this message because you are subscribed to the Google Groups "tlaplus" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tlaplus+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/tlaplus/b23791fe-5aa0-48b4-ae13-151105e94d3f%40googlegroups.com.

Mursel Musabasic

Mar 3, 2020, 7:04:47 PM
to tlaplus
Thanks for the quick explanation.

I'm reading this paper on Peterson's algorithm (https://tla.msr-inria.inria.fr/tlaps/doc/IFM2010/Peterson_IFM2010.pdf) and on page 4 it says:

"Now we can define proc(self) as the fact that one of the previous actions is being accomplished: 

proc(self) == \/ a0(self) \/ a1(self) \/ a2(self) \/ a3a(self) \/ a3b(self) \/ cs(self) \/ a4(self) 

Finally, we define the Next action, as the fact that either proc is accomplished for one of the processes, or the algorithm has finished (to prevent deadlock on termination). 

Next == \E self \in {0,1}: proc(self)"

I have a few questions:

1. When will TLC check the proc(self) formula? Will this happen after it checks all the previous formulas from a0 to a4?
2. Will the proc(self) formula be satisfied when all the previous formulas are satisfied (a0 to a4)?
3. The Next formula is satisfied if proc(self) is satisfied, where self is an element of {0,1} (process 0 or 1). Is this correct?

Thanks in advance!


Stephan Merz

Mar 4, 2020, 2:41:44 AM
to tla...@googlegroups.com
The formula Spec (and its sub-formulas Init, Next etc.) expresses the algorithm as a TLA+ specification, and we then want to verify properties such as

Spec => []MutualExclusion

Therefore, Spec does not need to be checked, it can be assumed to hold (the implication is trivially true of state sequences that do not satisfy Spec). Concretely, TLC interprets Init and Next in order to construct the initial state(s) and the successor states of any states it has already constructed. For the latter, it considers the different disjuncts in the definition of Next: any successor state allowed by some of these formulas is allowed by Next. For details on how TLC interprets these formulas, please see Specifying Systems, and if you have not yet done so, watch the video lectures on TLA+.

Regards,
Stephan


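Added here as an illustration (not code from the thread, the paper, or the TLAPS distribution): a small Python explicit-state explorer of the Peterson module sketched above, following the a0..a4 labels quoted from the paper. It shows how the enabled disjunct of Next yields a successor state, how the stuttering step of [Next]_vars adds nothing new, and how an invariant such as MutualExclusion is checked over the reachable states.

```python
from collections import deque

def init_states():
    # Init: flag = [i \in {0,1} |-> FALSE], turn = 0, both processes at label a0
    return [((False, False), 0, ("a0", "a0"))]

def proc(state, self):
    r"""Successors under proc(self) == a0(self) \/ a1(self) \/ ... \/ a4(self): only the
    disjunct whose label equals pc[self] is enabled, so there is one successor."""
    flag, turn, pc = state
    flag, pc, other, label = list(flag), list(pc), 1 - self, pc[self]
    if label == "a0":
        pc[self] = "a1"
    elif label == "a1":                        # flag[self] := TRUE
        flag[self], pc[self] = True, "a2"
    elif label == "a2":                        # turn := Not(self)
        turn, pc[self] = other, "a3a"
    elif label == "a3a":                       # wait if the other flag is set
        pc[self] = "a3b" if flag[other] else "cs"
    elif label == "a3b":                       # wait while it is the other's turn
        pc[self] = "a3a" if turn == other else "cs"
    elif label == "cs":                        # critical section
        pc[self] = "a4"
    elif label == "a4":                        # flag[self] := FALSE, back to the loop
        flag[self], pc[self] = False, "a0"
    return [(tuple(flag), turn, tuple(pc))]

def next_states(state):
    r"""[Next]_vars with Next == \E self \in {0,1} : proc(self). The stuttering step
    (vars unchanged) is always allowed; it adds no new reachable state."""
    succ = {state}
    for self in (0, 1):
        succ.update(proc(state, self))
    return succ

def mutual_exclusion(state):
    return not (state[2][0] == "cs" and state[2][1] == "cs")

def check(invariant):
    """Breadth-first exploration from Init, as an explicit-state checker does.
    Returns (invariant holds, number of states explored, violating state or None)."""
    seen, queue = set(init_states()), deque(init_states())
    while queue:
        s = queue.popleft()
        if not invariant(s):
            return False, len(seen), s
        for t in next_states(s):
            if t not in seen:
                seen.add(t); queue.append(t)
    return True, len(seen), None
```

A deliberately false invariant such as `lambda s: s[2][0] != "cs"` makes `check` return the first reachable state that violates it, which is how a counterexample trace would start.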

Mursel Musabasic

Mar 4, 2020, 4:43:49 AM
to tla...@googlegroups.com
So, the Next-state formula will not be satisfied (and Spec will also not be satisfied) until all previous states/formulas are satisfied/constructed?

Also, what does "formula is enabled" or "action is enabled" mean, like here on pages 4 and 5 in the document Auxiliary Variables in TLA+?

Stephan thanks a lot for your help.