|
| 1 | +------------------------------ MODULE TCommit ------------------------------ |
| 2 | +(***************************************************************************) |
| 3 | +(* This specification is explained in "Transaction Commit", Lecture 5 of *) |
| 4 | +(* the TLA+ Video Course. *) |
| 5 | +(***************************************************************************) |
| 6 | +CONSTANT RM \* The set of participating resource managers |
| 7 | + |
| 8 | +VARIABLE rmState \* rmState[rm] is the state of resource manager r. |
| 9 | +----------------------------------------------------------------------------- |
| 10 | +TCTypeOK == |
| 11 | + (*************************************************************************) |
| 12 | + (* The type-correctness invariant *) |
| 13 | + (*************************************************************************) |
| 14 | + rmState \in [RM -> {"working", "prepared", "committed", "aborted"}] |
| 15 | + |
| 16 | +TCInit == rmState = [r \in RM |-> "working"] |
| 17 | + (*************************************************************************) |
| 18 | + (* The initial predicate. *) |
| 19 | + (*************************************************************************) |
| 20 | + |
| 21 | +canCommit == \A r \in RM : rmState[r] \in {"prepared", "committed"} |
| 22 | + (*************************************************************************) |
| 23 | + (* True iff all RMs are in the "prepared" or "committed" state. *) |
| 24 | + (*************************************************************************) |
| 25 | + |
| 26 | +notCommitted == \A r \in RM : rmState[r] # "committed" |
| 27 | + (*************************************************************************) |
| 28 | + (* True iff no resource manager has decided to commit. *) |
| 29 | + (*************************************************************************) |
| 30 | +----------------------------------------------------------------------------- |
| 31 | +(***************************************************************************) |
| 32 | +(* We now define the actions that may be performed by the RMs, and then *) |
| 33 | +(* define the complete next-state action of the specification to be the *) |
| 34 | +(* disjunction of the possible RM actions. *) |
| 35 | +(***************************************************************************) |
| 36 | +Prepare(r) == /\ rmState[r] = "working" |
| 37 | + /\ rmState' = [rmState EXCEPT ![r] = "prepared"] |
| 38 | + |
| 39 | +Decide(r) == \/ /\ rmState[r] = "prepared" |
| 40 | + /\ canCommit |
| 41 | + /\ rmState' = [rmState EXCEPT ![r] = "committed"] |
| 42 | + \/ /\ rmState[r] \in {"working", "prepared"} |
| 43 | + /\ notCommitted |
| 44 | + /\ rmState' = [rmState EXCEPT ![r] = "aborted"] |
| 45 | + |
| 46 | +TCNext == \E r \in RM : Prepare(r) \/ Decide(r) |
| 47 | + (*************************************************************************) |
| 48 | + (* The next-state action. *) |
| 49 | + (*************************************************************************) |
| 50 | +----------------------------------------------------------------------------- |
| 51 | +TCConsistent == |
| 52 | + (*************************************************************************) |
| 53 | + (* A state predicate asserting that two RMs have not arrived at *) |
| 54 | + (* conflicting decisions. It is an invariant of the specification. *) |
| 55 | + (*************************************************************************) |
| 56 | + \A r1, r2 \in RM : ~ /\ rmState[r1] = "aborted" |
| 57 | + /\ rmState[r2] = "committed" |
| 58 | +----------------------------------------------------------------------------- |
| 59 | +(***************************************************************************) |
| 60 | +(* The following part of the spec is not discussed in Video Lecture 5. It *) |
| 61 | +(* will be explained in Video Lecture 8. *) |
| 62 | +(***************************************************************************) |
| 63 | +TCSpec == TCInit /\ [][TCNext]_rmState |
| 64 | + (*************************************************************************) |
| 65 | + (* The complete specification of the protocol written as a temporal *) |
| 66 | + (* formula. *) |
| 67 | + (*************************************************************************) |
| 68 | + |
| 69 | +THEOREM TCSpec => [](TCTypeOK /\ TCConsistent) |
| 70 | + (*************************************************************************) |
| 71 | + (* This theorem asserts the truth of the temporal formula whose meaning *) |
| 72 | + (* is that the state predicate TCTypeOK /\ TCInvariant is an invariant *) |
| 73 | + (* of the specification TCSpec. Invariance of this conjunction is *) |
| 74 | + (* equivalent to invariance of both of the formulas TCTypeOK and *) |
| 75 | + (* TCConsistent. *) |
| 76 | + (*************************************************************************) |
| 77 | + |
| 78 | +============================================================================= |
| 79 | +\* Modification History |
| 80 | +\* Last modified Thu Sep 14 22:04:45 EDT 2017 by jay1512 |
| 81 | +\* Created Thu Sep 14 22:04:25 EDT 2017 by jay1512 |
0 commit comments