-
Notifications
You must be signed in to change notification settings - Fork 0
/
HKFM.tla
291 lines (245 loc) · 13.5 KB
/
HKFM.tla
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
-------------------------------- MODULE HKFM --------------------------------
EXTENDS Integers, Sequences
CONSTANTS Client, Song
VARIABLES inbox, state
-----------------------------------------------------------------------------
(***************************************************************************)
(* Type definitions (kinda sorta) and other useful stuff... *)
(***************************************************************************)
(***************************************************************************)
(* There are various places where we want to refer to all variables at *)
(* once, so it's useful to define a vars tuple. *)
(***************************************************************************)
vars == <<inbox, state>>
(***************************************************************************)
(* The constant Client is the set of all clients, represented however *)
(* we want. It's defined externally, in the model. *)
(* *)
(* We define Node to be the set of all nodes in the system, including the *)
(* server. We don't care how the server is represented, only that it *)
(* doesn't clash with any of the clients. We use the TLA+ CHOOSE operator *)
(* to express this. *)
(***************************************************************************)
Server == CHOOSE x : x \notin Client
Node == Client \cup {Server}
(***************************************************************************)
(* These terms relate to the playhead. A playhead has two fields: *)
(* *)
(* i: the current track in the playlist *)
(* t: the number of seconds into that track *)
(* *)
(* When i = -1 it means we're not playing anything. *)
(***************************************************************************)
Idx == Nat \cup {-1}
Playhead == [i : Idx, t : Nat]
Stopped == [i |-> -1, t |-> 0]
(***************************************************************************)
(* A playlist is a sequence of songs from the constant set Song. *)
(* More formally, Playlist is the set of all sequences of songs. *)
(***************************************************************************)
Playlist == Seq(Song)
(***************************************************************************)
(* Every node has a State containing their current playlist and playhead. *)
(***************************************************************************)
State == [playlist : Playlist, playhead : Playhead]
InitState == [playlist |-> <<>>, playhead |-> Stopped]
(***************************************************************************)
(* Clients send "add", "seek", and "skip" messages to the server and *)
(* the server sends "sync" messages to all clients whenever its state *)
(* changes. The term Message is the set of all possible messages *)
(* that can occur. *)
(***************************************************************************)
Message == [action : {"sync"}, data : State] \cup
[action : {"add"}, data : Song, sender : Client] \cup
[action : {"seek", "skip"}, data: Playhead, sender : Client]
(***************************************************************************)
(* The TypeOK formula states that inbox must be a function from nodes to *)
(* sequences of messages and `state' must be a function from nodes *)
(* to states. We can ask TLC to check that TypeOK is an invariant, *)
(* meaning it will find circumstances where inbox and state end up *)
(* looking wonky. It's also useful to have as a high level type *)
(* declaration for these variables. *)
(***************************************************************************)
TypeOK == /\ inbox \in [Node -> Seq(Message)]
/\ state \in [Node -> State]
-----------------------------------------------------------------------------
(***************************************************************************)
(* Client Actions *)
(***************************************************************************)
(***************************************************************************)
(* A client sends the `"add"' message to the server with the name of the *)
(* desired song in the `data' field. *)
(***************************************************************************)
SendAdd(self, song) ==
LET
msg == [action |-> "add", data |-> song, sender |-> self]
IN
/\ inbox' = [inbox EXCEPT ![Server] = Append(inbox[Server], msg)]
/\ UNCHANGED state
(***************************************************************************)
(* A client sends the `"seek"' message to the server with the intended *)
(* new state of the playhead in the `data' field. *)
(***************************************************************************)
SendSeek(self) ==
LET
playhead == state[self].playhead
newPlayhead == [playhead EXCEPT !.t = @ + 1]
msg == [action |-> "seek", data |-> newPlayhead, sender |-> self]
IN
/\ playhead /= Stopped
/\ inbox' = [inbox EXCEPT ![Server] = Append(inbox[Server], msg)]
/\ UNCHANGED state
(***************************************************************************)
(* A client send the `"skip"' message to the server with their current *)
(* playhead state in the `data' field. *)
(***************************************************************************)
SendSkip(self) ==
LET
playhead == state[self].playhead
msg == [action |-> "skip", data |-> playhead, sender |-> self]
IN
/\ playhead /= Stopped
/\ inbox' = [inbox EXCEPT ![Server] = Append(inbox[Server], msg)]
/\ UNCHANGED state
(***************************************************************************)
(* A client receives the `"sync"' message from the server and updates *)
(* their own state to match the contents of the `data' field. *)
(***************************************************************************)
RecvSync(self) ==
/\ inbox[self] /= <<>>
/\ LET
msg == Head(inbox[self])
tail == Tail(inbox[self])
IN
/\ msg.action = "sync"
/\ inbox' = [inbox EXCEPT ![self] = tail]
/\ state' = [state EXCEPT ![self] = msg.data]
-----------------------------------------------------------------------------
(***************************************************************************)
(* Server Actions *)
(***************************************************************************)
(***************************************************************************)
(* This is a helper operation. All the server's actions consume the first *)
(* message in the server's inbox and then broadcast the new state to all *)
(* clients. That is, it places a `"sync"' message in the inbox of all *)
(* clients. *)
(***************************************************************************)
ConsumeMsgAndBroadcastSync ==
LET
msg == [action |-> "sync", data |-> state'[Server]]
IN
inbox' = [n \in Node |-> IF n = Server
THEN Tail(inbox[n])
ELSE Append(inbox[n], msg)]
(***************************************************************************)
(* The server receives an `"add"' message, appends the requested track *)
(* to the playlist, then performs ConsumeMsgAndBroadcastSync. *)
(* *)
(* If the playhead is currently Stopped, the server starts playing the *)
(* newly-added song. *)
(***************************************************************************)
RecvAdd ==
/\ inbox[Server] /= <<>>
/\ LET
server == state[Server]
msg == Head(inbox[Server])
IN
/\ msg.action = "add"
/\ LET
newPlaylist == Append(server.playlist, msg.data)
newPlayhead == IF server.playhead = Stopped
THEN [i |-> Len(server.playlist), t |-> 0]
ELSE server.playhead
newState == [playlist |-> newPlaylist, playhead |-> newPlayhead]
IN
/\ state' = [state EXCEPT ![Server] = newState]
/\ ConsumeMsgAndBroadcastSync
(***************************************************************************)
(* The server receives a `"seek"' message, updates `playhead.t' to the *)
(* specified value, then performs ConsumeMsgAndBroadcastSync. *)
(***************************************************************************)
RecvSeek ==
/\ inbox[Server] /= <<>>
/\ LET
server == state[Server]
msg == Head(inbox[Server])
IN
/\ msg.action = "seek"
/\ state' = [state EXCEPT ![Server].playhead.t = msg.data.t]
/\ ConsumeMsgAndBroadcastSync
(***************************************************************************)
(* The server receives a `"skip"' message, increments `playhead.i', sets *)
(* `playhead.t' to 0, then performs ConsumeMsgAndBroadcastSync. *)
(* *)
(* If `playhead.i' has gone beyond the bounds of the playlist, the server *)
(* sets the playhead to Stopped. *)
(***************************************************************************)
RecvSkip ==
/\ inbox[Server] /= <<>>
/\ LET
server == state[Server]
msg == Head(inbox[Server])
IN
/\ msg.action = "skip"
/\ LET
newIndex == server.playhead.i + 1
newPlayhead == IF newIndex < Len(server.playlist)
THEN [i |-> newIndex, t |-> 0]
ELSE Stopped
IN
/\ state' = [state EXCEPT ![Server].playhead = newPlayhead]
/\ ConsumeMsgAndBroadcastSync
-----------------------------------------------------------------------------
(***************************************************************************)
(* Randomly lose a message from an inbox *)
(***************************************************************************)
Remove(i, seq) ==
[j \in 1..(Len(seq) - 1) |-> IF j < i THEN seq[j] ELSE seq[j + 1]]
LoseMsg ==
\E n \in DOMAIN inbox :
\E i \in DOMAIN inbox[n] :
/\ inbox' = [inbox EXCEPT ![n] = Remove(i, inbox[n])]
/\ UNCHANGED state
-----------------------------------------------------------------------------
(***************************************************************************)
(* The Spec *)
(***************************************************************************)
(***************************************************************************)
(* `Init' must be true for the first state of all behaviours that satisfy *)
(* `Spec' *)
(***************************************************************************)
Init ==
/\ inbox = [n \in Node |-> <<>>]
/\ state = [n \in Node |-> InitState]
(***************************************************************************)
(* `Next' must be true for all steps in all behaviours that satisfy `Spec'.*)
(* It is the disjunction of the client and server actions defined above. *)
(***************************************************************************)
Next ==
\/ \E self \in Client, song \in Song : SendAdd(self, song)
\/ \E self \in Client : SendSeek(self)
\/ \E self \in Client : SendSkip(self)
\/ \E self \in Client : RecvSync(self)
\/ RecvAdd
\/ RecvSeek
\/ RecvSkip
\/ LoseMsg
(***************************************************************************)
(* Last but not least... Spec itself. *)
(* *)
(* You can read this as: *)
(* *)
(* For every behaviour that satisfies `Spec', `Init' is true for the first *)
(* state and for every pair of states (a "step") either `Next' is true or *)
(* or nothing changes (a "stuttering" step). *)
(***************************************************************************)
Spec ==
Init /\ [][Next]_vars
-----------------------------------------------------------------------------
(***************************************************************************)
(* If `Spec' is true for a behaviour then TypeOK is true for every state *)
(* in that behaviour. THEOREM is (basically) a hint to the reader that we *)
(* can use TLC to check this invariant. *)
(***************************************************************************)
THEOREM Spec => []TypeOK
=============================================================================