Skip to content

Commit

Permalink
Assert (postcondition) that all debug invariants equal true in at lea…
Browse files Browse the repository at this point in the history
…st one state.

Signed-off-by: Markus Alexander Kuppe <github.com@lemmster.de>
  • Loading branch information
lemmy committed Oct 2, 2024
1 parent beddbe6 commit 67aaf98
Show file tree
Hide file tree
Showing 2 changed files with 36 additions and 1 deletion.
5 changes: 4 additions & 1 deletion tla/consensus/MCccfraft.cfg
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,10 @@ CHECK_DEADLOCK
FALSE

POSTCONDITION
WriteStatsFile
PostConditions

CONSTRAINTS
CoverageExpressions

_PERIODIC
SerializeCoverage
Expand Down
32 changes: 32 additions & 0 deletions tla/consensus/MCccfraft.tla
Original file line number Diff line number Diff line change
Expand Up @@ -139,6 +139,38 @@ DebugNotTooManySigsInv ==
\A i \in Servers:
FoldSeq(LAMBDA e, count: IF e.contentType = TypeSignature THEN count + 1 ELSE count, 0, log[i]) < 8

----

\* Initialize the counters for the Debug invariants to 0.
ASSUME TLCSet(0, [ DebugInvLeaderCannotStepDown |-> 0,
DebugInvSuccessfulCommitAfterReconfig |-> 0,
DebugInvRetirementReachable |-> 0,
DebugAppendEntriesRequests |-> 0,
DebugCommittedEntriesTermsInv |-> 0,
DebugNotTooManySigsInv |-> 0,
DebugAllReconfigurationsReachableInv |-> 0 ])

\* A TLC state constraint that is always TRUE. As a side-effect, it increments the counter for the given Debug invariant.
CoverageExpressions ==
/\ DebugInvLeaderCannotStepDown => TLCSet(0, [ TLCGet(0) EXCEPT !.DebugInvLeaderCannotStepDown = @ + 1 ] )
/\ DebugInvSuccessfulCommitAfterReconfig => TLCSet(0, [ TLCGet(0) EXCEPT !.DebugInvSuccessfulCommitAfterReconfig = @ + 1 ] )
/\ DebugInvRetirementReachable => TLCSet(0, [ TLCGet(0) EXCEPT !.DebugInvRetirementReachable = @ + 1 ] )
/\ DebugAppendEntriesRequests => TLCSet(0, [ TLCGet(0) EXCEPT !.DebugAppendEntriesRequests = @ + 1 ] )
/\ DebugCommittedEntriesTermsInv => TLCSet(0, [ TLCGet(0) EXCEPT !.DebugCommittedEntriesTermsInv = @ + 1 ] )
/\ DebugNotTooManySigsInv => TLCSet(0, [ TLCGet(0) EXCEPT !.DebugNotTooManySigsInv = @ + 1 ] )
/\ DebugAllReconfigurationsReachableInv => TLCSet(0, [ TLCGet(0) EXCEPT !.DebugAllReconfigurationsReachableInv = @ + 1 ] )

\* AreAllCovered is a postcondition that will be violated if any of the CoverageExpressions above are uncovered, i.e., they
\* are *never* TRUE.
AreAllCovered ==
\E s \in DOMAIN TLCGet(0) : TLCGet(0)[s] = 0 => Print(<<"Debug Invariant violations: ", ToString(TLCGet(0))>>, FALSE)

----

PostConditions ==
/\ WriteStatsFile
/\ AreAllCovered

----
\* Refinement

Expand Down

0 comments on commit 67aaf98

Please sign in to comment.