-
Notifications
You must be signed in to change notification settings - Fork 200
/
README
32 lines (27 loc) · 1.19 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
This file contains three specifications:
Consensus
A specification of the consensus problem.
Voting
A specification of a very abstract consensus algorithm
with a high level (unchecked) TLA+ proof that it implements
the Consensus spec. I believe that this proof has been
expanded and checked with the TLAPS proof system by
Jean-Baptiste Tristan.
Paxos
A specification of a high-level version of the Paxos
algorithm, a distributed message-passing algorithm that
implements the Voting spec--and hence implements consensus.
It contains a "first attempt" at an inductive invariant
for the proof of implementation. Tristan, who wrote most
of a formal TLA+ proof of implementation, found that,
while the invariant is indeed an invariant, it is not
strong enough to be inductive. (Note: because when he
began the proof TLAPS did not handle records, Tristan
rewrote the algorithm in terms of tuples for his proof.)
MCConsensus
MCVoting
MCPaxos
Specifications that are used to model-check the corresponding
three specifications above. The Toolbox makes it unnecessary
for the user to write such specs, essentially producing them
itself from the models defined by the user.