Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Assert (postcondition) that all "debug invariants" equal true in at least one state. #6517

Merged
merged 3 commits into from
Oct 2, 2024
Merged

Assert (postcondition) that all "debug invariants" equal true in at least one state. #6517

merged 3 commits into from
Oct 2, 2024

Conversation

lemmy
Copy link
Contributor

@lemmy lemmy commented Oct 2, 2024

@lemmy
Prevent bogus violations if there is only one configuration.
beddbe6 
Signed-off-by: Markus Alexander Kuppe <github.com@lemmster.de>
@lemmy
Assert (postcondition) that all debug invariants equal true in at lea…
67aaf98 
…st one state.

Signed-off-by: Markus Alexander Kuppe <github.com@lemmster.de>
@lemmy lemmy added tla TLA+ specifications run-long-verification Run Long Verification jobs labels Oct 2, 2024
@lemmy lemmy marked this pull request as ready for review October 2, 2024 03:25
@lemmy lemmy requested a review from a team as a code owner October 2, 2024 03:25
@lemmy
Copy link
Contributor Author

lemmy commented Oct 2, 2024

This works fine. tlaplus/tlaplus#860 could make it more elegant eventually.

heidihoward
heidihoward approved these changes Oct 2, 2024
View reviewed changes
Copy link
Member

@heidihoward heidihoward left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice. Assuming their isn't much performance overhead for the exhaustive model checking, let's merge (and repeat for the consistency spec)

@lemmy
Copy link
Contributor Author

lemmy commented Oct 2, 2024

Nice. Assuming their isn't much performance overhead for the exhaustive model checking, let's merge (and repeat for the consistency spec)

Evaluating the debug invariants doesn't come for free. For some invariants, it is linear in the size of the log, network, .... On the other hand, setting TLC's register using TLCSet has constant time. The AreAllCovered definition is evaluated only once, after the model checking process is complete.

Eventually, we should verify that the liveness properties LeaderMatchingProp and LeaderProp hold -- likely at the level of a higher-level spec like abs.

@lemmy lemmy added this pull request to the merge queue Oct 2, 2024
Merged via the queue into microsoft:main with commit 0ab6408 Oct 2, 2024
18 of 19 checks passed
@lemmy lemmy deleted the mku-debuginvariants branch October 2, 2024 13:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@heidihoward heidihoward heidihoward approved these changes

@achamayou achamayou achamayou approved these changes

Assignees
No one assigned
Labels
run-long-verification Run Long Verification jobs tla TLA+ specifications
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@lemmy @heidihoward @achamayou