88(* *)
99(* * We fix the number of ballots *)
1010(* *)
11- (* * We add the necessary type annotation on variables *)
11+ (* * We add the necessary type annotations on variables *)
1212(* *)
1313(* * We rewrite SafeAt and ShowsSafeAt to avoid ranges of integers with *)
1414(* non-constant bounds (which `^Apalache^' does not support). *)
1515(* *)
16- (* Ideally, we would have instantiated Voting.tla, made the appropriate *)
17- (* substitutions, and reused the rest. However, the presence of TLAPS proofs in *)
18- (* Consensus.tla and Voting.tla seem to make `^Apalache^' fail. *)
19- (* *)
20- (* We also give an inductive invariant that proves the Safety property. On a *)
21- (* desktop computer bought in 2022, `^Apalache^' takes 1 minute and 45 seconds to *)
22- (* check that the invariant is inductive when there are for 3 values, 3 processes, *)
23- (* and 4 ballots. Instructions to run `^Apalache^' appear at the end of the *)
16+ (* We also give an inductive invariant that proves the consistency property. On a *)
17+ (* desktop computer from 2022, `^Apalache^' takes 1 minute and 45 seconds to check *)
18+ (* that the invariant is inductive when there are 3 values, 3 processes, and 4 *)
19+ (* ballots. Instructions to run `^Apalache^' appear at the end of the *)
2420(* specification. *)
2521(********************************************************************************** *)
2622
@@ -34,7 +30,7 @@ Quorum == {
3430 { "A1_OF_ACCEPTOR" , "A3_OF_ACCEPTOR" } ,
3531 { "A2_OF_ACCEPTOR" , "A3_OF_ACCEPTOR" } }
3632
37- MaxBal == 3 \* 1m45s with MaxBal=3
33+ MaxBal == 2
3834Ballot == 0 .. MaxBal \* NOTE: has to be finite for `^Apalache^' because it is used as the domain of a function
3935
4036VARIABLES
0 commit comments