Why does adding a new step collapse my model to a single state?
32 views
Skip to first unread message
Xavier Shay
Mar 28, 2019, 10:00:57 PM3/28/19
to tlaplus
Hello!
I'm a brand new TLA+ user. I've written a spec for a simple payments system: https://github.com/xaviershay/tla-sandbox/blob/master/payments.tla
This works! Hooray! It has 383 distinct states for 3 DCs. I'm now trying to modify it to allow for the case where a server "double handles" a request from a client by simply repeating the HandleRequest macro:
https://github.com/xaviershay/tla-sandbox/pull/1/files
The model now passes ... but it only has a single distinct state, so I'm pretty sure it's wrong. I can't come up with any hypotheses as to why this would happen. I used a similar approach in the Sync process and it worked fine there. (I get the same result using either to optionally run the repeated handler).
Any suggestions for fixes or further debugging welcome.
Apologies for not providing a more minimal case, but I don't yet know which aspects of my spec are relevant :(
Thanks,
Xavier
I'm a brand new TLA+ user. I've written a spec for a simple payments system: https://github.com/xaviershay/tla-sandbox/blob/master/payments.tla
This works! Hooray! It has 383 distinct states for 3 DCs. I'm now trying to modify it to allow for the case where a server "double handles" a request from a client by simply repeating the HandleRequest macro:
https://github.com/xaviershay/tla-sandbox/pull/1/files
The model now passes ... but it only has a single distinct state, so I'm pretty sure it's wrong. I can't come up with any hypotheses as to why this would happen. I used a similar approach in the Sync process and it worked fine there. (I get the same result using either to optionally run the repeated handler).
Any suggestions for fixes or further debugging welcome.
Apologies for not providing a more minimal case, but I don't yet know which aspects of my spec are relevant :(
Thanks,
Xavier
Stephan Merz
Mar 29, 2019, 3:44:30 AM3/29/19
to tla...@googlegroups.com
Hello,
I tried to reproduce your problem. Copying the module from your GitHub site and commenting out the second call of HandleRequest, TLC indeed generates 383 distinct states. With the second call, it generates 1419 distinct states (still for 3 data centers). I haven't tried to understand what the specification is about, but I'm afraid I cannot help you any further at this point.
Regards,
Stephan
> --
> You received this message because you are subscribed to the Google Groups "tlaplus" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to tlaplus+u...@googlegroups.com.
> To post to this group, send email to tla...@googlegroups.com.
> Visit this group at https://groups.google.com/group/tlaplus.
> For more options, visit https://groups.google.com/d/optout.
I tried to reproduce your problem. Copying the module from your GitHub site and commenting out the second call of HandleRequest, TLC indeed generates 383 distinct states. With the second call, it generates 1419 distinct states (still for 3 data centers). I haven't tried to understand what the specification is about, but I'm afraid I cannot help you any further at this point.
Regards,
Stephan
> You received this message because you are subscribed to the Google Groups "tlaplus" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to tlaplus+u...@googlegroups.com.
> To post to this group, send email to tla...@googlegroups.com.
> Visit this group at https://groups.google.com/group/tlaplus.
> For more options, visit https://groups.google.com/d/optout.
Markus Kuppe
Mar 29, 2019, 10:41:28 AM3/29/19
to tla...@googlegroups.com
On 29.03.19 00:44, Stephan Merz wrote:
> I tried to reproduce your problem. Copying the module from your GitHub site and commenting out the second call of HandleRequest, TLC indeed generates 383 distinct states. With the second call, it generates 1419 distinct states (still for 3 data centers). I haven't tried to understand what the specification is about, but I'm afraid I cannot help you any further at this point.
Hi Xavier,
> I tried to reproduce your problem. Copying the module from your GitHub site and commenting out the second call of HandleRequest, TLC indeed generates 383 distinct states. With the second call, it generates 1419 distinct states (still for 3 data centers). I haven't tried to understand what the specification is about, but I'm afraid I cannot help you any further at this point.
it's the same here, the modified spec has 1419 states.
If TLC reproducibly finds only a single state on your machine, please
privately share your spec, model, as well as environment information
with me and I will look into it.
Thanks
Markus
Xavier Shay
Mar 29, 2019, 5:32:12 PM3/29/19
to tlaplus
This got me thinking what could be different between our environments, and led me to a discovery:
This "collapsing" only happens when either (or both) VoidRedundantAuths or EventualCapture are added to the model as a temporal property to check. (I also have DistinctIds and NoDoubleCapture as invariants, they do not cause the issue.) I am suspicious of the `Success ~>` pattern I have used in those, it feels a bit weird, but am not sure why yet.
I'm using toolbox on Ubuntu 18.10. Here is a link to a zip of my payments.toolbox folder: https://drive.google.com/file/d/1qASlY0euOqg7VCd2QFKD68y86ieLICwf/view?usp=sharing
Thank you both for taking the time to assist!
Xavier
Markus Kuppe
Mar 29, 2019, 7:56:37 PM3/29/19
to tla...@googlegroups.com
On 29.03.19 14:32, Xavier Shay wrote:
> This got me thinking what could be different between our environments,
> and led me to a discovery:
>
> This "collapsing" only happens when either (or both) VoidRedundantAuths
> or EventualCapture are added to the model as a temporal property to
> check. (I also have DistinctIds and NoDoubleCapture as invariants, they
> do not cause the issue.) I am suspicious of the `Success ~>` pattern I
> have used in those, it feels a bit weird, but am not sure why yet.
>
> I'm using toolbox on Ubuntu 18.10. Here is a link to a zip of my
> payments.toolbox
> folder: https://drive.google.com/file/d/1qASlY0euOqg7VCd2QFKD68y86ieLICwf/view?usp=sharing
>
> Thank you both for taking the time to assist!
Hi Xavier,
> This got me thinking what could be different between our environments,
> and led me to a discovery:
>
> This "collapsing" only happens when either (or both) VoidRedundantAuths
> or EventualCapture are added to the model as a temporal property to
> check. (I also have DistinctIds and NoDoubleCapture as invariants, they
> do not cause the issue.) I am suspicious of the `Success ~>` pattern I
> have used in those, it feels a bit weird, but am not sure why yet.
>
> I'm using toolbox on Ubuntu 18.10. Here is a link to a zip of my
> payments.toolbox
> folder: https://drive.google.com/file/d/1qASlY0euOqg7VCd2QFKD68y86ieLICwf/view?usp=sharing
>
> Thank you both for taking the time to assist!
can you share a screenshot of the Result Page when it only displays a
single state? All MC.out files in the zip file - created by TLC running
in the Toolbox - show more than one distinct state.
Thanks
Markus
Xavier Shay
Mar 29, 2019, 8:40:48 PM3/29/19
to tla...@googlegroups.com
Is this what you were asking for? I can make a video later today of me actually running the model, in case there's something wrong I'm doing there. (I'm just pressing F11 though.)
Xavier
>
> Thanks
> Markus
>
> --
> You received this message because you are subscribed to a topic in the
> Google Groups "tlaplus" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/tlaplus/VaH-MNxtcBQ/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
Markus Kuppe
Mar 29, 2019, 10:22:23 PM3/29/19
to tla...@googlegroups.com
On 29.03.19 17:40, Xavier Shay wrote:
> Attached two files - one showing the "single state", another ostensibly working - showing what I get with no properties checked.
>
> Is this what you were asking for? I can make a video later today of me actually running the model, in case there's something wrong I'm doing there. (I'm just pressing F11 though.)
Hi Xavier,
> Attached two files - one showing the "single state", another ostensibly working - showing what I get with no properties checked.
>
> Is this what you were asking for? I can make a video later today of me actually running the model, in case there's something wrong I'm doing there. (I'm just pressing F11 though.)
this looks strange, especially since it takes TLC 28 seconds to generate
a single distinct state. What output does the TLC console show (TLC
model checker > TLC console)? Lets take this discussion off-list though
to not further spam the group.
Thanks
Markus
Markus Kuppe
Mar 30, 2019, 12:01:04 PM3/30/19
to tla...@googlegroups.com
On 29.03.19 19:22, Markus Kuppe wrote:
> this looks strange, especially since it takes TLC 28 seconds to generate
> a single distinct state. What output does the TLC console show (TLC
> model checker > TLC console)? Lets take this discussion off-list though
> to not further spam the group.
For the record: Xavier and I traced the issue down to a bug in one of
> this looks strange, especially since it takes TLC 28 seconds to generate
> a single distinct state. What output does the TLC console show (TLC
> model checker > TLC console)? Lets take this discussion off-list though
> to not further spam the group.
the recent nightly Toolbox builds. The bug has already been fixed [2]
in the newest builds though. For those affected, an upgrade to the
newest Toolbox build solves the issue.
Thanks
Markus
[1] https://github.com/tlaplus/tlaplus/issues/236#issuecomment-475064081
[2]
https://github.com/tlaplus/tlaplus/commit/00df10c877494b16165da3bda12d20b2f1a20eb3
Reply all
Reply to author
Forward
0 new messages