├── LICENSE
├── README.md
├── specs
│   ├── DieHard.tla
│   ├── DieHard_incomplete.tla
│   ├── SimpleProgram.tla
│   ├── SimpleProgram2.tla
│   ├── TCommit.tla
│   ├── TwoPhase.tla
│   └── TwoPhase_incomplete.tla
├── tla_cheatsheet.pdf
├── tla_workshop.pdf
├── tla_workshop.zip
└── tla_workshop_math_prep.pdf

/LICENSE:
--------------------------------------------------------------------------------
BSD 3-Clause License

Copyright (c) 2019, Jay Parlar
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this
   list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice,
   this list of conditions and the following disclaimer in the documentation
   and/or other materials provided with the distribution.

3. Neither the name of the copyright holder nor the names of its
   contributors may be used to endorse or promote products derived from
   this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# tla_workshop

This is the complete set of materials for my rax.io TLA+ workshop.

The contents of this workshop are generally based on Leslie Lamport's [video series](http://lamport.azurewebsites.net/video/videos.html). My thought there was that if we don't finish the workshop in the three hours we have, you'll have a fantastically produced video series with which to continue learning.

The complete workshop slides are available in their original Keynote format, zipped into `tla_workshop.zip`. A PDF version of the slides is available at `tla_workshop.pdf`. This was generated by turning every slide transition/animation into a separate page in the PDF.

The cheat sheet with common TLA+ idioms and syntax (as covered in the workshop) is in `tla_cheatsheet.pdf`. Please note that this cheat sheet does not cover _all_ of TLA+, just the material in this workshop. Leslie Lamport's "official" cheat sheet can be found at [http://lamport.azurewebsites.net/tla/summary.pdf](http://lamport.azurewebsites.net/tla/summary.pdf).

The TLA+ spec files used in the workshop can be found in the `specs/` directory. These are all from Lamport's video series, with either minor or no modifications.
--------------------------------------------------------------------------------

/specs/DieHard.tla:
--------------------------------------------------------------------------------
\* This code originally comes from Leslie Lamport's video series
\* http://lamport.azurewebsites.net/video/videos.html
------------------------------ MODULE DieHard ------------------------------

EXTENDS Integers
VARIABLES small, big

TypeOK == /\ small \in 0..3
          /\ big \in 0..5

Init == /\ big = 5
        /\ small = 0

FillSmall == /\ small' = 3
             /\ big' = big

FillBig == /\ big' = 5
           /\ small' = small

EmptySmall == /\ small' = 0
              /\ big' = big

EmptyBig == /\ big' = 0
            /\ small' = small

SmallToBig == IF big + small =< 5
                THEN /\ big' = big + small
                     /\ small' = 0
                ELSE /\ big' = 5
                     /\ small' = small - (5 - big)

BigToSmall == IF big + small =< 3
                THEN /\ big' = 0
                     /\ small' = big + small
                ELSE /\ big' = small - (3 - big)
                     /\ small' = 3

Next == \/ FillSmall \/ FillBig
        \/ EmptySmall \/ EmptyBig
        \/ SmallToBig \/ BigToSmall

=============================================================================
\* Modification History
\* Last modified Mon Sep 18 12:00:23 EDT 2017 by jay1512
\* Created Thu Sep 14 14:05:46 EDT 2017 by jay1512
--------------------------------------------------------------------------------

/specs/DieHard_incomplete.tla:
--------------------------------------------------------------------------------
\* This code originally comes from Leslie Lamport's video series
\* http://lamport.azurewebsites.net/video/videos.html
------------------------------ MODULE DieHard ------------------------------
EXTENDS Integers

VARIABLES small, big

TypeOK == /\ small \in 0..3
          /\ big \in 0..5

Init == /\ big = 0
        /\ small = 0

FillSmall == /\ small' = 3
             /\ big' = big

FillBig ==

EmptySmall == /\ small' = 0
              /\ big' = big

EmptyBig ==

SmallToBig == IF big + small =< 5
                THEN /\ big' = big + small
                     /\ small' = 0
                ELSE /\ big' = 5
                     /\ small' = small - (5 - big)

BigToSmall ==

Next == \/ FillSmall
        \/ FillBig
        \/ EmptySmall
        \/ EmptyBig
        \/ SmallToBig
        \/ BigToSmall

=============================================================================
\* Modification History
\* Last modified Thu Sep 14 14:06:27 EDT 2017 by jay1512
\* Created Thu Sep 14 14:05:46 EDT 2017 by jay1512
--------------------------------------------------------------------------------

/specs/SimpleProgram.tla:
--------------------------------------------------------------------------------
\* This code originally comes from Leslie Lamport's video series
\* http://lamport.azurewebsites.net/video/videos.html
--------------------------- MODULE SimpleProgram ---------------------------
EXTENDS Integers
VARIABLES i, pc

Init == (pc = "start") /\ (i = 0)

Next ==
  \/ /\ pc = "start"
     /\ i' \in 1..1000
     /\ pc' = "middle"
  \/ /\ pc = "middle"
     /\ i' = i + 1
     /\ pc' = "done"

=============================================================================
\* Modification History
\* Last modified Thu Sep 14 13:08:41 EDT 2017 by jay1512
\* Created Thu Sep 14 13:08:37 EDT 2017 by jay1512
--------------------------------------------------------------------------------

/specs/SimpleProgram2.tla:
--------------------------------------------------------------------------------
\* This code originally comes from Leslie Lamport's video series
\* http://lamport.azurewebsites.net/video/videos.html
--------------------------- MODULE SimpleProgram2 ---------------------------
EXTENDS Integers
VARIABLES i, pc

Init == (pc = "start") /\ (i = 0)

Pick ==
  /\ pc = "start"
  /\ i' \in 1..1000
  /\ pc' = "middle"

Add ==
  /\ pc = "middle"
  /\ i' = i + 1
  /\ pc' = "done"

Next == Pick \/ Add

=============================================================================
\* Modification History
\* Last modified Thu Sep 14 13:32:00 EDT 2017 by jay1512
\* Created Thu Sep 14 13:08:37 EDT 2017 by jay1512
--------------------------------------------------------------------------------

/specs/TCommit.tla:
--------------------------------------------------------------------------------
\* This code originally comes from Leslie Lamport's video series
\* http://lamport.azurewebsites.net/video/videos.html
------------------------------ MODULE TCommit ------------------------------
(***************************************************************************)
(* This specification is explained in "Transaction Commit", Lecture 5 of   *)
(* the TLA+ Video Course.                                                  *)
(***************************************************************************)
CONSTANT RM       \* The set of participating resource managers

VARIABLE rmState  \* rmState[r] is the state of resource manager r.
-----------------------------------------------------------------------------
TCTypeOK ==
  (*************************************************************************)
  (* The type-correctness invariant                                        *)
  (*************************************************************************)
  rmState \in [RM -> {"working", "prepared", "committed", "aborted"}]

TCInit == rmState = [r \in RM |-> "working"]
  (*************************************************************************)
  (* The initial predicate.                                                *)
  (*************************************************************************)

canCommit == \A r \in RM : rmState[r] \in {"prepared", "committed"}
  (*************************************************************************)
  (* True iff all RMs are in the "prepared" or "committed" state.          *)
  (*************************************************************************)

notCommitted == \A r \in RM : rmState[r] # "committed"
  (*************************************************************************)
  (* True iff no resource manager has decided to commit.                   *)
  (*************************************************************************)
-----------------------------------------------------------------------------
(***************************************************************************)
(* We now define the actions that may be performed by the RMs, and then    *)
(* define the complete next-state action of the specification to be the    *)
(* disjunction of the possible RM actions.                                 *)
(***************************************************************************)
Prepare(r) == /\ rmState[r] = "working"
              /\ rmState' = [rmState EXCEPT ![r] = "prepared"]

Decide(r)  == \/ /\ rmState[r] = "prepared"
                 /\ canCommit
                 /\ rmState' = [rmState EXCEPT ![r] = "committed"]
              \/ /\ rmState[r] \in {"working", "prepared"}
                 /\ notCommitted
                 /\ rmState' = [rmState EXCEPT ![r] = "aborted"]

TCNext == \E r \in RM : Prepare(r) \/ Decide(r)
  (*************************************************************************)
  (* The next-state action.                                                *)
  (*************************************************************************)
-----------------------------------------------------------------------------
TCConsistent ==
  (*************************************************************************)
  (* A state predicate asserting that two RMs have not arrived at          *)
  (* conflicting decisions.  It is an invariant of the specification.      *)
  (*************************************************************************)
  \A r1, r2 \in RM : ~ /\ rmState[r1] = "aborted"
                       /\ rmState[r2] = "committed"
-----------------------------------------------------------------------------
(***************************************************************************)
(* The following part of the spec is not discussed in Video Lecture 5.  It *)
(* will be explained in Video Lecture 8.                                   *)
(***************************************************************************)
TCSpec == TCInit /\ [][TCNext]_rmState
  (*************************************************************************)
  (* The complete specification of the protocol written as a temporal      *)
  (* formula.                                                              *)
  (*************************************************************************)

THEOREM TCSpec => [](TCTypeOK /\ TCConsistent)
  (*************************************************************************)
  (* This theorem asserts the truth of the temporal formula whose meaning  *)
  (* is that the state predicate TCTypeOK /\ TCConsistent is an invariant  *)
  (* of the specification TCSpec.  Invariance of this conjunction is       *)
  (* equivalent to invariance of both of the formulas TCTypeOK and         *)
  (* TCConsistent.                                                         *)
  (*************************************************************************)

=============================================================================
\* Modification History
\* Last modified Thu Sep 14 22:04:45 EDT 2017 by jay1512
\* Created Thu Sep 14 22:04:25 EDT 2017 by jay1512
--------------------------------------------------------------------------------

/specs/TwoPhase.tla:
--------------------------------------------------------------------------------
\* This code originally comes from Leslie Lamport's video series
\* http://lamport.azurewebsites.net/video/videos.html
------------------------------ MODULE TwoPhase ------------------------------
(***************************************************************************)
(* This specification is discussed in "Two-Phase Commit", Lecture 6 of the *)
(* TLA+ Video Course.  It describes the Two-Phase Commit protocol, in      *)
(* which a transaction manager (TM) coordinates the resource managers      *)
(* (RMs) to implement the Transaction Commit specification of module       *)
(* TCommit.  In this specification, RMs spontaneously issue Prepared       *)
(* messages.  We ignore the Prepare messages that the TM can send to the   *)
(* RMs.                                                                    *)
(*                                                                         *)
(* For simplicity, we also eliminate Abort messages sent by an RM when it  *)
(* decides to abort.  Such a message would cause the TM to abort the       *)
(* transaction, an event represented here by the TM spontaneously deciding *)
(* to abort.                                                               *)
(***************************************************************************)
CONSTANT RM \* The set of resource managers

VARIABLES
  rmState,       \* rmState[r] is the state of resource manager r.
  tmState,       \* The state of the transaction manager.
  tmPrepared,    \* The set of RMs from which the TM has received "Prepared"
                 \* messages.
  msgs
    (***********************************************************************)
    (* In the protocol, processes communicate with one another by sending  *)
    (* messages.  For simplicity, we represent message passing with the    *)
    (* variable msgs whose value is the set of all messages that have been *)
    (* sent.  A message is sent by adding it to the set msgs.  An action   *)
    (* that, in an implementation, would be enabled by the receipt of a    *)
    (* certain message is here enabled by the presence of that message in  *)
    (* msgs.  For simplicity, messages are never removed from msgs.  This  *)
    (* allows a single message to be received by multiple receivers.       *)
    (* Receipt of the same message twice is therefore allowed; but in this *)
    (* particular protocol, that's not a problem.                          *)
    (***********************************************************************)

Messages ==
  (*************************************************************************)
  (* The set of all possible messages.  Messages of type "Prepared" are    *)
  (* sent from the RM indicated by the message's rm field to the TM.       *)
  (* Messages of type "Commit" and "Abort" are broadcast by the TM, to be  *)
  (* received by all RMs.  The set msgs contains just a single copy of     *)
  (* such a message.                                                       *)
  (*************************************************************************)
  [type : {"Prepared"}, rm : RM]  \union  [type : {"Commit", "Abort"}]

TPTypeOK ==
  (*************************************************************************)
  (* The type-correctness invariant                                        *)
  (*************************************************************************)
  /\ rmState \in [RM -> {"working", "prepared", "committed", "aborted"}]
  /\ tmState \in {"init", "done"}
  /\ tmPrepared \subseteq RM
  /\ msgs \subseteq Messages

TPInit ==
  (*************************************************************************)
  (* The initial predicate.                                                *)
  (*************************************************************************)
  /\ rmState = [r \in RM |-> "working"]
  /\ tmState = "init"
  /\ tmPrepared = {}
  /\ msgs = {}
-----------------------------------------------------------------------------
(***************************************************************************)
(* We now define the actions that may be performed by the processes, first *)
(* the TM's actions, then the RMs' actions.                                *)
(***************************************************************************)
TMRcvPrepared(r) ==
  (*************************************************************************)
  (* The TM receives a "Prepared" message from resource manager r.  We     *)
  (* could add the additional enabling condition r \notin tmPrepared,      *)
  (* which disables the action if the TM has already received this         *)
  (* message.  But there is no need, because in that case the action has   *)
  (* no effect; it leaves the state unchanged.                             *)
  (*************************************************************************)
  /\ tmState = "init"
  /\ [type |-> "Prepared", rm |-> r] \in msgs
  /\ tmPrepared' = tmPrepared \union {r}
  /\ UNCHANGED <<rmState, tmState, msgs>>

TMCommit ==
  (*************************************************************************)
  (* The TM commits the transaction; enabled iff the TM is in its initial  *)
  (* state and every RM has sent a "Prepared" message.                     *)
  (*************************************************************************)
  /\ tmState = "init"
  /\ tmPrepared = RM
  /\ tmState' = "done"
  /\ msgs' = msgs \union {[type |-> "Commit"]}
  /\ UNCHANGED <<rmState, tmPrepared>>

TMAbort ==
  (*************************************************************************)
  (* The TM spontaneously aborts the transaction.                          *)
  (*************************************************************************)
  /\ tmState = "init"
  /\ tmState' = "done"
  /\ msgs' = msgs \union {[type |-> "Abort"]}
  /\ UNCHANGED <<rmState, tmPrepared>>

RMPrepare(r) ==
  (*************************************************************************)
  (* Resource manager r prepares.                                          *)
  (*************************************************************************)
  /\ rmState[r] = "working"
  /\ rmState' = [rmState EXCEPT ![r] = "prepared"]
  /\ msgs' = msgs \union {[type |-> "Prepared", rm |-> r]}
  /\ UNCHANGED <<tmState, tmPrepared>>

RMChooseToAbort(r) ==
  (*************************************************************************)
  (* Resource manager r spontaneously decides to abort.  As noted above, r *)
  (* does not send any message in our simplified spec.                     *)
  (*************************************************************************)
  /\ rmState[r] = "working"
  /\ rmState' = [rmState EXCEPT ![r] = "aborted"]
  /\ UNCHANGED <<tmState, tmPrepared, msgs>>

RMRcvCommitMsg(r) ==
  (*************************************************************************)
  (* Resource manager r is told by the TM to commit.                       *)
  (*************************************************************************)
  /\ [type |-> "Commit"] \in msgs
  /\ rmState' = [rmState EXCEPT ![r] = "committed"]
  /\ UNCHANGED <<tmState, tmPrepared, msgs>>

RMRcvAbortMsg(r) ==
  (*************************************************************************)
  (* Resource manager r is told by the TM to abort.                        *)
  (*************************************************************************)
  /\ [type |-> "Abort"] \in msgs
  /\ rmState' = [rmState EXCEPT ![r] = "aborted"]
  /\ UNCHANGED <<tmState, tmPrepared, msgs>>

TPNext ==
  \/ TMCommit \/ TMAbort
  \/ \E r \in RM :
       TMRcvPrepared(r) \/ RMPrepare(r) \/ RMChooseToAbort(r)
         \/ RMRcvCommitMsg(r) \/ RMRcvAbortMsg(r)
-----------------------------------------------------------------------------
(***************************************************************************)
(* The material below this point is not discussed in Video Lecture 6.  It  *)
(* will be explained in Video Lecture 8.                                   *)
(***************************************************************************)

TPSpec == TPInit /\ [][TPNext]_<<rmState, tmState, tmPrepared, msgs>>
  (*************************************************************************)
  (* The complete spec of the Two-Phase Commit protocol.                   *)
  (*************************************************************************)

THEOREM TPSpec => []TPTypeOK
  (*************************************************************************)
  (* This theorem asserts that the type-correctness predicate TPTypeOK is  *)
  (* an invariant of the specification.                                    *)
  (*************************************************************************)
-----------------------------------------------------------------------------
(***************************************************************************)
(* We now assert that the Two-Phase Commit protocol implements the         *)
(* Transaction Commit protocol of module TCommit.  The following statement *)
(* imports all the definitions from module TCommit into the current        *)
(* module.                                                                 *)
(***************************************************************************)
INSTANCE TCommit

THEOREM TPSpec => TCSpec
  (*************************************************************************)
  (* This theorem asserts that the specification TPSpec of the Two-Phase   *)
  (* Commit protocol implements the specification TCSpec of the            *)
  (* Transaction Commit protocol.                                          *)
  (*************************************************************************)
(***************************************************************************)
(* The two theorems in this module have been checked with TLC for six      *)
(* RMs, a configuration with 50816 reachable states, in a little over a    *)
(* minute on a 1 GHz PC.                                                   *)
(***************************************************************************)

=============================================================================
\* Modification History
\* Last modified Tue Sep 19 16:44:17 EDT 2017 by jay1512
\* Created Tue Sep 19 09:27:57 EDT 2017 by jay1512
--------------------------------------------------------------------------------

/specs/TwoPhase_incomplete.tla:
--------------------------------------------------------------------------------
\* This code originally comes from Leslie Lamport's video series
\* http://lamport.azurewebsites.net/video/videos.html
------------------------------ MODULE TwoPhase ------------------------------
(***************************************************************************)
(* This specification is discussed in "Two-Phase Commit", Lecture 6 of the *)
(* TLA+ Video Course.  It describes the Two-Phase Commit protocol, in      *)
(* which a transaction manager (TM) coordinates the resource managers      *)
(* (RMs) to implement the Transaction Commit specification of module       *)
(* TCommit.  In this specification, RMs spontaneously issue Prepared       *)
(* messages.  We ignore the Prepare messages that the TM can send to the   *)
(* RMs.                                                                    *)
(*                                                                         *)
(* For simplicity, we also eliminate Abort messages sent by an RM when it  *)
(* decides to abort.  Such a message would cause the TM to abort the       *)
(* transaction, an event represented here by the TM spontaneously deciding *)
(* to abort.                                                               *)
(***************************************************************************)
CONSTANT RM \* The set of resource managers

VARIABLES
  rmState,       \* rmState[r] is the state of resource manager r.
  tmState,       \* The state of the transaction manager.
  tmPrepared,    \* The set of RMs from which the TM has received "Prepared"
                 \* messages.
  msgs
    (***********************************************************************)
    (* In the protocol, processes communicate with one another by sending  *)
    (* messages.  For simplicity, we represent message passing with the    *)
    (* variable msgs whose value is the set of all messages that have been *)
    (* sent.  A message is sent by adding it to the set msgs.  An action   *)
    (* that, in an implementation, would be enabled by the receipt of a    *)
    (* certain message is here enabled by the presence of that message in  *)
    (* msgs.  For simplicity, messages are never removed from msgs.  This  *)
    (* allows a single message to be received by multiple receivers.       *)
    (* Receipt of the same message twice is therefore allowed; but in this *)
    (* particular protocol, that's not a problem.                          *)
    (***********************************************************************)

Messages ==
  (*************************************************************************)
  (* The set of all possible messages.  Messages of type "Prepared" are    *)
  (* sent from the RM indicated by the message's rm field to the TM.       *)
  (* Messages of type "Commit" and "Abort" are broadcast by the TM, to be  *)
  (* received by all RMs.  The set msgs contains just a single copy of     *)
  (* such a message.                                                       *)
  (*************************************************************************)
  [type : {"Prepared"}, rm : RM]  \union  [type : {"Commit", "Abort"}]

TPTypeOK ==
  (*************************************************************************)
  (* The type-correctness invariant                                        *)
  (*************************************************************************)
  /\ rmState \in [RM -> {"working", "prepared", "committed", "aborted"}]
  /\ tmState \in {"init", "done"}
  /\ tmPrepared \subseteq RM
  /\ msgs \subseteq Messages

TPInit ==
  (*************************************************************************)
  (* The initial predicate.                                                *)
  (*************************************************************************)
  /\ rmState = [r \in RM |-> "working"]
  /\ tmState = "init"
  /\ tmPrepared = {}
  /\ msgs = {}
-----------------------------------------------------------------------------
(***************************************************************************)
(* We now define the actions that may be performed by the processes, first *)
(* the TM's actions, then the RMs' actions.                                *)
(***************************************************************************)
TMRcvPrepared(r) ==
  (*************************************************************************)
  (* The TM receives a "Prepared" message from resource manager r.  We     *)
  (* could add the additional enabling condition r \notin tmPrepared,      *)
  (* which disables the action if the TM has already received this         *)
  (* message.  But there is no need, because in that case the action has   *)
  (* no effect; it leaves the state unchanged.                             *)
  (*************************************************************************)
  /\ tmState = "init"
  /\ [type |-> "Prepared", rm |-> r] \in msgs
  /\ tmPrepared' = tmPrepared \union {r}
  /\ UNCHANGED <<rmState, tmState, msgs>>

TMCommit ==
  (*************************************************************************)
  (* The TM commits the transaction; enabled iff the TM is in its initial  *)
  (* state and every RM has sent a "Prepared" message.                     *)
  (*************************************************************************)
  /\ UNCHANGED <<rmState, tmPrepared>>

TMAbort ==
  (*************************************************************************)
  (* The TM spontaneously aborts the transaction.                          *)
  (*************************************************************************)
  /\ UNCHANGED <<rmState, tmPrepared>>

RMPrepare(r) ==
  (*************************************************************************)
  (* Resource manager r prepares.                                          *)
  (*************************************************************************)
  /\ rmState[r] = "working"
  /\ rmState' = [rmState EXCEPT ![r] = "prepared"]
  /\ msgs' = msgs \union {[type |-> "Prepared", rm |-> r]}
  /\ UNCHANGED <<tmState, tmPrepared>>

RMChooseToAbort(r) ==
  (*************************************************************************)
  (* Resource manager r spontaneously decides to abort.  As noted above, r *)
  (* does not send any message in our simplified spec.                     *)
  (*************************************************************************)
  /\ UNCHANGED <<tmState, tmPrepared, msgs>>

RMRcvCommitMsg(r) ==
  (*************************************************************************)
  (* Resource manager r is told by the TM to commit.                       *)
  (*************************************************************************)
  /\ UNCHANGED <<tmState, tmPrepared, msgs>>

RMRcvAbortMsg(r) ==
  (*************************************************************************)
  (* Resource manager r is told by the TM to abort.                        *)
  (*************************************************************************)
  /\ UNCHANGED <<tmState, tmPrepared, msgs>>

TPNext ==
  \/ TMCommit \/ TMAbort
  \/ \E r \in RM :
       TMRcvPrepared(r) \/ RMPrepare(r) \/ RMChooseToAbort(r)
         \/ RMRcvCommitMsg(r) \/ RMRcvAbortMsg(r)
-----------------------------------------------------------------------------
(***************************************************************************)
(* The material below this point is not discussed in Video Lecture 6.  It  *)
(* will be explained in Video Lecture 8.                                   *)
(***************************************************************************)

TPSpec == TPInit /\ [][TPNext]_<<rmState, tmState, tmPrepared, msgs>>
  (*************************************************************************)
  (* The complete spec of the Two-Phase Commit protocol.                   *)
  (*************************************************************************)

THEOREM TPSpec => []TPTypeOK
  (*************************************************************************)
  (* This theorem asserts that the type-correctness predicate TPTypeOK is  *)
  (* an invariant of the specification.                                    *)
  (*************************************************************************)
-----------------------------------------------------------------------------
(***************************************************************************)
(* We now assert that the Two-Phase Commit protocol implements the         *)
(* Transaction Commit protocol of module TCommit.  The following statement *)
(* imports all the definitions from module TCommit into the current        *)
(* module.                                                                 *)
(***************************************************************************)
INSTANCE TCommit

THEOREM TPSpec => TCSpec
  (*************************************************************************)
  (* This theorem asserts that the specification TPSpec of the Two-Phase   *)
  (* Commit protocol implements the specification TCSpec of the            *)
  (* Transaction Commit protocol.                                          *)
  (*************************************************************************)
(***************************************************************************)
(* The two theorems in this module have been checked with TLC for six      *)
(* RMs, a configuration with 50816 reachable states, in a little over a    *)
(* minute on a 1 GHz PC.                                                   *)
(***************************************************************************)

=============================================================================
\* Modification History
\* Last modified Tue Sep 19 16:44:17 EDT 2017 by jay1512
\* Created Tue Sep 19 09:27:57 EDT 2017 by jay1512
--------------------------------------------------------------------------------

/tla_cheatsheet.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/parlarjb/tla_workshop/7dffede194c85bd9c43037134d9ec855598cf4ab/tla_cheatsheet.pdf
--------------------------------------------------------------------------------

/tla_workshop.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/parlarjb/tla_workshop/7dffede194c85bd9c43037134d9ec855598cf4ab/tla_workshop.pdf
--------------------------------------------------------------------------------

/tla_workshop.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/parlarjb/tla_workshop/7dffede194c85bd9c43037134d9ec855598cf4ab/tla_workshop.zip
--------------------------------------------------------------------------------

/tla_workshop_math_prep.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/parlarjb/tla_workshop/7dffede194c85bd9c43037134d9ec855598cf4ab/tla_workshop_math_prep.pdf
--------------------------------------------------------------------------------
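An added example, not part of the workshop repository or Lamport's material: a small Python explicit-state explorer that does for `specs/TwoPhase.tla` and `specs/TCommit.tla` what TLC does when it checks `THEOREM TPSpec => []TPTypeOK` and `THEOREM TPSpec => TCSpec`, namely a breadth-first enumeration of every reachable state with TPTypeOK and TCConsistent evaluated on each state and `[TCNext]_rmState` evaluated on the rmState projection of each TwoPhase step. All function names are mine, the RM names are constructed, and encoding records and sets as tuples and frozensets is an assumption of this script, not TLC's representation.

```python
"""Tiny explicit-state model checker for the TwoPhase spec, in the spirit of TLC.
Added example, not part of the workshop repository."""
from collections import deque

WORKING, PREPARED, COMMITTED, ABORTED = "working", "prepared", "committed", "aborted"
COMMIT_MSG, ABORT_MSG = ("Commit",), ("Abort",)  # [type |-> "Commit"], [type |-> "Abort"]


def prepared_msg(r):
    """[type |-> "Prepared", rm |-> r] as a hashable tuple."""
    return ("Prepared", r)


def tp_init(rms):
    """TPInit.  A state is (rmState, tmState, tmPrepared, msgs): rmState is a tuple
    indexed like `rms`, the two sets are frozensets, so states are hashable."""
    return (tuple(WORKING for _ in rms), "init", frozenset(), frozenset())


def tp_type_ok(state, rms):
    """TPTypeOK evaluated on one state."""
    rm_state, tm_state, tm_prepared, msgs = state
    messages = {prepared_msg(r) for r in rms} | {COMMIT_MSG, ABORT_MSG}
    return (all(s in (WORKING, PREPARED, COMMITTED, ABORTED) for s in rm_state)
            and tm_state in ("init", "done")
            and tm_prepared <= frozenset(rms) and msgs <= messages)


def tp_successors(state, rms):
    """Every state reachable by one TPNext step, one entry per enabled action."""
    rm_state, tm_state, tm_prepared, msgs = state
    succ = []
    if tm_state == "init" and tm_prepared == frozenset(rms):  # TMCommit
        succ.append((rm_state, "done", tm_prepared, msgs | {COMMIT_MSG}))
    if tm_state == "init":  # TMAbort
        succ.append((rm_state, "done", tm_prepared, msgs | {ABORT_MSG}))
    for i, r in enumerate(rms):
        def except_r(value, i=i):  # [rmState EXCEPT ![r] = value]
            return rm_state[:i] + (value,) + rm_state[i + 1:]
        if tm_state == "init" and prepared_msg(r) in msgs:  # TMRcvPrepared(r)
            succ.append((rm_state, tm_state, tm_prepared | {r}, msgs))
        if rm_state[i] == WORKING:  # RMPrepare(r) and RMChooseToAbort(r)
            succ.append((except_r(PREPARED), tm_state, tm_prepared, msgs | {prepared_msg(r)}))
            succ.append((except_r(ABORTED), tm_state, tm_prepared, msgs))
        if COMMIT_MSG in msgs:  # RMRcvCommitMsg(r)
            succ.append((except_r(COMMITTED), tm_state, tm_prepared, msgs))
        if ABORT_MSG in msgs:  # RMRcvAbortMsg(r)
            succ.append((except_r(ABORTED), tm_state, tm_prepared, msgs))
    return succ


def tc_consistent(rm_state):
    """TCConsistent: no RM has aborted while another has committed."""
    return not (ABORTED in rm_state and COMMITTED in rm_state)


def tc_next_or_stutter(old, new):
    """[TCNext]_rmState from module TCommit, applied to the rmState projection of a
    TwoPhase step: rmState is unchanged, or exactly one RM took a Prepare(r) or
    Decide(r) step whose enabling condition held in `old`."""
    if old == new:
        return True
    changed = [i for i in range(len(old)) if old[i] != new[i]]
    if len(changed) != 1:
        return False
    i = changed[0]
    can_commit = all(s in (PREPARED, COMMITTED) for s in old)
    not_committed = COMMITTED not in old
    if old[i] == WORKING and new[i] == PREPARED:  # Prepare(r)
        return True
    if old[i] == PREPARED and new[i] == COMMITTED and can_commit:  # Decide(r), commit
        return True
    if old[i] in (WORKING, PREPARED) and new[i] == ABORTED and not_committed:  # Decide(r), abort
        return True
    return False


def model_check(rms):
    """Breadth-first search of the reachable states of TwoPhase for the given RMs.
    Returns (number of distinct states, list of violations); an empty list means
    TPTypeOK and TCConsistent hold in every reachable state and every TwoPhase
    step refines a TCommit step or stutters, i.e. TPSpec => TCSpec."""
    rms = tuple(rms)
    init = tp_init(rms)
    seen, queue, violations = {init}, deque([init]), []
    while queue:
        s = queue.popleft()
        if not tp_type_ok(s, rms):
            violations.append(("TPTypeOK", s))
        if not tc_consistent(s[0]):
            violations.append(("TCConsistent", s))
        for t in tp_successors(s, rms):
            if not tc_next_or_stutter(s[0], t[0]):
                violations.append(("refinement", s, t))
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return len(seen), violations


if __name__ == "__main__":
    for n in (3, 4):  # constructed RM sets r1..rn
        count, bad = model_check(["r%d" % k for k in range(1, n + 1)])
        print("%d RMs: %d reachable states, %d violations" % (n, count, len(bad)))
```

For n RMs the explorer finds 4^n + 6^n + 2^n distinct states (those with the TM still in "init", those after an Abort message, and those after a Commit message, respectively), which is 50816 at n = 6, the figure quoted in the closing comment of TwoPhase.tla.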