lemmy
commented
3 years ago Note that related to the last item, TLC has a simulator/generator mode.
Open fhackett opened 3 years ago
lemmy
commented
3 years ago Note that related to the last item, TLC has a simulator/generator mode.
bestchai
commented
3 years ago @lemmy, thanks for the quick comment. Is it possible to influence/direct TLC during simulator mode -- i.e., to push it along a concrete path that we are checking?
lemmy
commented
3 years ago @bestchai The simulator honors state and action constraints. https://github.com/lemmy/PageQueue/blob/master/Schedules.tla is an example of how to make TLC follow a specific schedule.
Related to #122, this is an idea about how to verify that PGo-generated code actually does what the model says it does.
Key idea: encoded into an MPCal model, there exists a mapping from reads/writes involving archetype resources to a form of model state. This mapping is either an identity mapping, or it is one of the mapping macro forms.
Therefore, TLC model state can be (almost) deterministically reconstructed from an ordered log of the archetype resource reads and writes performed by every critical section involved in a system's operation. PGo-generated code can be instrumented to generate such information automatically, and it seems plausible that a close-to-automatic process could then convert this information to a graph of TLC states, at which point conformance checking against the original MPCal model might be performed.
Success of such a check on a collection of real execution traces would go a long way toward indicating that an implementation really does match a specification, and, with the right API, this use case might not be limited to systems generated by PGo.
Additional comments: