# A TLA Solution to the RPC-Memory Specification Problem Martín Abadi<sup>1</sup>, Leslie Lamport<sup>1</sup>, and Stephan Merz<sup>2</sup> **Abstract.** We present a complete solution to the Broy-Lamport specification problem. Our specifications are written in TLA<sup>+</sup>, a formal language based on TLA. We give the high levels of structured proofs and sketch the lower levels, which will appear in full elsewhere. # **Table of Contents** | Int | ${f roduction}$ | 2 | |---------------|----------------------------------------------------|----| | 1 | The Procedure Interface | 3 | | | 1.1 The Module and its Parameters | 3 | | | 1.2 State Functions, State Predicates, and Actions | 4 | | | 1.3 Temporal Formulas | 6 | | 2 | A Memory Component | 7 | | | 2.1 The Parameters | 8 | | | 2.2 The Memory Specification | 9 | | | | 15 | | 3 | Implementing the Memory | 17 | | | | 17 | | | | 17 | | | | 19 | | | <del>-</del> | 22 | | | | 22 | | | | 23 | | 4 | Implementing the RPC Component | 33 | | | | 33 | | | | 36 | | | | 36 | | | | 36 | | $\mathbf{Re}$ | ferences | 44 | | Ind | lex | 46 | $<sup>^1</sup>$ Systems Research Center, Digital Equipment Corporation $^2$ Institut für Informatik, Technische Universität München # Introduction Broy and Lamport have proposed a specification and verification problem [5]. It calls for specifying simple memory and RPC (remote procedure call) components, and proving the correctness of two simple implementations. We present a complete solution to this problem using TLA, the temporal logic of actions [12]. We assume the reader is familiar with Broy and Lamport's problem statement. Since the problem is so much simpler than the ones encountered in real applications, any approach that claims to be both practical and formal should allow a completely formal solution. Our specifications are written in TLA<sup>+</sup>, a formal language based on TLA. Our proofs are completely formal, except that some names are abbreviated for readability. We use a hierarchical proof method [10] that is the most reliable way we know of to write hand proofs. Here, we present only the higher levels of the proofs. Proofs carried down to the level where each justification involves instantiation of proof rules and simple predicate logic will be available on a Web page [4]. Although our proofs are careful and detailed, neither they nor the specifications have been checked mechanically; minor errors undoubtedly remain. Rigor entails a certain degree of tedium. A complete programming language requires boring details like variable declarations that can be omitted in informal pseudo-code. Writing specifications is harder with a formal language than with an informal approach—even one based on a formalism. Formal proofs that are detailed enough to be easy to check are long and boring. However, rigor has its advantages. Informal specifications can be ambiguous. The short, interesting proofs favored by mathematicians are notoriously error prone. Our specifications and proofs are rigorous, hence somewhat laborious. We assume no prior knowledge of TLA or TLA<sup>+</sup>. Concepts and notations are explained as they are introduced; the index on page 46 can help the reader find those explanations. TLA is described in detail in [12], and there are several published examples of TLA<sup>+</sup> specifications [11, 14]. Further information about TLA and TLA<sup>+</sup> can be found on the Web [9]. The problem is not very challenging for TLA, TLA<sup>+</sup>, or our proof style. With our experience, it was possible to grind out the requisite specifications and proofs without much thought. More difficult was choosing from among the many possible ways of writing the specifications. We tried to make the specifications as clear as possible without unduly complicating the correctness proofs. We benefited from studying the many preliminary solutions presented at a Dagstuhl workshop on the specification problem. In particular, we emulated some of these solutions by writing our specifications as the composition of individual process specifications. We also benefited from comments by Ketil Stølen. We found no significant ambiguities in the problem statement, perhaps because we had first-hand knowledge of the authors' intent. However, we did discover some anomalies in the lossy-RPC specification, which we discuss in Section 4. Our presentation parallels Broy and Lamport's problem statement. In particular, our section numbering corresponds to theirs, with the addition of lower-level sections. ## 1 The Procedure Interface A TLA specification is a temporal-logic formula. It expresses a predicate on behaviors, where a behavior is an infinite sequence of states and a state is an assignment of values to variables. TLA<sup>+</sup> is a formal language for writing TLA specifications. It introduces precise conventions for definitions and a module system with name scoping that is modeled after those of programming languages. In this paper, we describe TLA and TLA<sup>+</sup> as they are used. TLA does not have any built-in communication primitives such as message passing or data streams. One can use TLA to define such primitives.<sup>3</sup> We begin by specifying a procedure-calling interface in which a multiprocess caller component interacts with a multiprocess returner component. In this section, we present a module named *ProcedureInterface* that is meant to help specify systems that use the procedure-calling interface. As we explain below, a system may have several such interfaces, described by different "copies" of the module. We describe a rather arbitrary, abstract procedure-calling interface. One might want a specification that describes an actual procedure-calling software standard, complete with register-usage conventions. One might also want a different high-level abstraction. We can convert our specifications into ones with a different interface abstraction by using an *interface refinement*, as described in [3, page 518] and [7]. Our specification makes precise one important detail that is not quite stated in the informal specification. We interpret the requirement: [A]fter one process issues a call, other processes can issue calls to the same component before the component issues a return from the first call. to imply that the same process cannot issue another call until the first one returns. ## 1.1 The Module and its Parameters Module *ProcedureInterface* is given in Figure 1 on the next page. The module first declares some parameters, which are the free symbols that may appear in the expressions defined by the module. By replacing defined symbols with their definitions, all expressions defined in the module can be reduced to ones containing only the parameters and the primitives of TLA<sup>+</sup>. The parameter *ch* is the variable representing the interface. A VARIABLE parameter can have a different value in different states of a behavior. TLA is an untyped logic, so there are no type constraints on the values a variable can have. A CONSTANT parameter is one that has the same value in every state of a behavior. The <sup>&</sup>lt;sup>3</sup> Like most logics, TLA uses variables. One could therefore say that TLA formulas use shared variables as a communication primitive. In the same sense, one could say that the equations x + y = 7 and x - y = 1 communicate via the shared variables x and y. #### - **module** ProcedureInterface - #### parameters ``` PrIds, Args: Constant ch: Variable ``` ``` caller(p) \triangleq \langle ch[p].arg, ch[p].cbit \rangle rtrner(p) \triangleq \langle ch[p].res, ch[p].rbit \rangle Calling(p) \triangleq ch[p].cbit \neq ch[p].rbit Call(p, v) \triangleq \wedge \neg Calling(p) \wedge ch[p].cbit' \neq ch[p].rbit \wedge ch[p].arg' = v Return(p, v) \triangleq \wedge Calling(p) \wedge ch[p].rbit' = ch[p].cbit \wedge ch[p].res' = v ``` ``` \begin{array}{lll} LegalCaller & \triangleq & \forall \ p \in PrIds \ : \ \neg Calling(p) \ \land \ \Box [\exists \ a \in Args \ : \ Call(p,a)]_{caller(p)} \\ LegalReturner & \triangleq & \forall \ p \in PrIds \ : \ \Box [\exists \ v \ : \ Return(p,v)]_{rtrner(p)} \end{array} ``` Fig. 1. Module ProcedureInterface. constant parameter PrIds is the set of all process identifiers; for each p in PrIds, process p of the caller component issues calls to the corresponding process p of the returner component. The parameter Args is the set of all "syntactically correct" procedure arguments. Suppose some module M has a set P of process identifiers and two procedure-calling interfaces, represented by the variables x and y, with syntactically correct argument values in sets $S_x$ and $S_y$ , respectively. Module M will include all the definitions from module ProcedureInterface twice, with the following substitutions for its parameters: $$ch \leftarrow x$$ , $PrIds \leftarrow P$ , $Args \leftarrow S_x$ $ch \leftarrow y$ , $PrIds \leftarrow P$ , $Args \leftarrow S_y$ It is conventional to follow the parameter declarations with a horizontal bar. These bars have no semantic significance. #### 1.2 State Functions, State Predicates, and Actions To model the procedure-calling interface, we let ch[p] be a "channel" over which process p of the caller component interacts with process p of the returner component. Our model uses a standard two-phase handshake protocol [16] illustrated in Figure 2 on the next page. Channel ch[p] contains two "wires" controlled by the caller—a signaling wire ch[p].cbit and an argument-passing wire ch[p].arg—and | | initial | | return | call | | |----------------|------------------------------|------------------------------------|------------------------------------|-------------------------------------------|--| | | $\underline{\textit{state}}$ | Read(23) | 333_ | Write(14, 3.5) | | | ch[p].cbit: | 0 | 1 | 1 | 0 | | | ch[p]. $arg$ : | _ | $\langle\text{``Read''},23\rangle$ | $\langle\text{``Read''},23\rangle$ | $\langle\text{``Write''}, 14, 3.5\rangle$ | | | ch[p].rbit: | 0 | 0 | 1 | 1 | | | ch[p].res: | _ | _ | .333 | .333 | | **Fig. 2.** The two-phase handshake protocol for the channel ch[p]. two wires controlled by the returner—a signaling wire ch[p].rbit and a result-returning wire ch[p].res. In the standard two-phase handshake protocol shown in Figure 2, the signaling values ch[p].cbit and ch[p].rbit are bits. For simplicity, we allow them to assume arbitrary values, since all that matters is whether or not they equal one another. The ProcedureInterface module defines the state function caller(p) to be the pair $\langle ch[p].arg, ch[p].cbit \rangle$ composed of the process p caller's wires. A state function is an expression that may contain variables and constants. It is interpreted semantically as a mapping from states to values. For example, ch[p].arg is the state function that assigns to any state the arg record component of the pth array element of the value that the state assigns to the variable $ch.^4$ The state function rtrner(p) is similarly defined to be the pair composed of the returner's wires. The module defines the state predicate Calling(p) to equal TRUE iff (if and only if) the values on the two signaling wires are unequal. A state predicate is a boolean-valued expression that may contain variables and constants; it is interpreted semantically as a mapping from states to booleans. For the handshake protocol, Calling(p) equals TRUE iff process p is in the middle of a procedure call (the caller has issued a call and the returner has not yet returned). Next comes the definition of the action Call(p, v). An action is a boolean-valued expression that may contain variables and constants, and the operator '(prime), which may not be nested. Semantically, it is interpreted as a boolean-valued function on steps, where a step is a pair of states. Unprimed expressions refer to the first (old) state, and primed expressions refer to the second (new) state. For example, the action (x+1)'=y is true of a step iff 1 plus the value assigned to x by the new state equals the value assigned to y by the old state. Action Call(p, v) describes the issuing of a call with argument v by the process p caller. More precisely, a step represents this event iff it is a Call(p, v) step (one for which Call(p, v) equals TRUE). The first conjunct<sup>5</sup> in the definition asserts <sup>&</sup>lt;sup>4</sup> This value is unspecified if the value assigned to *ch* by the state is not an array whose *p*th element is a record with an *arg* component. <sup>&</sup>lt;sup>5</sup> We let a list of formulas bulleted with $\land$ or $\lor$ denote the conjunction or disjunction of the formulas, using indentation to eliminate parentheses. We also let $\Rightarrow$ have lower precedence than the other Boolean operators. that a call on channel ch[p] is not in progress. The second conjunct asserts that the new value of ch[p].cbit is different from the old value of ch[p].rbit. The final conjunct asserts that the new value of ch[p].arg equals v. Readers familiar with conventional programming languages or state-transition systems can think of Call(p,v) as an atomic statement or transition that is enabled when $\neg Calling(p,v)$ is true, that nondeterministically sets ch[p].rbit to any value different from ch[p].cbit, and that sets ch[p].arg to v. Action Return(p, v) represents the issuing of a return with result v by the process p returner. We do not distinguish in the interface description between normal and exceptional returns—the distinction will be encoded in the result v. ## 1.3 Temporal Formulas Module ProcedureInterface concludes by defining the two temporal formulas LegalCaller and LegalReturner. Formula LegalCaller is defined in terms of formulas of the form $I \wedge \square[N]_v$ where I is a state predicate, N is an action (called the next-state action), and v is a state function. A temporal formula is true or false on a behavior (an infinite sequence of states). Viewed as a temporal formula, a predicate I is true on a behavior iff I is true in the first state. The formula $\square[N]_v$ is true of a behavior iff the action $[N]_v$ , which is defined to equal $N \vee (v' = v)$ , is true for every step (successive pair of states) in the behavior. Thus, $I \wedge \square[N]_v$ asserts of a behavior that I is true in the first state and every step is an N step or leaves the value of v unchanged. Formula LegalCaller therefore asserts that, for every p in PrIds: - The predicate $\neg Calling(p)$ is true in the initial state. In other words, initially there is no call in progress on channel ch[p]. - Every step is either a Call(p, a) step, for some a in Args, or else leaves caller(p) unchanged. In other words, every step that changes the caller's part of the interface ch[p] is a Call(p, a) step with a legal argument a. Formula LegalCaller specifies what it means for a caller to obey the two-phase handshake protocol. It specifies the values of caller(p), for p in PrIds. More precisely, LegalCaller is a temporal formula whose semantic meaning is a predicate on behaviors that depends only on the values assigned by the states of a behavior to the state functions caller(p) and ch[p].rbit. We interpret it as describing the possible values of caller(p) as a function of the values of ch[p].rbit. Since we consider caller(p) to represent the part of an interface controlled by the caller component, we consider LegalCaller to be the specification of a caller. However, the reader should not confuse this intuitive interpretation of LegalCaller with its formal semantics as a predicate on behaviors. Formula LegalReturner is similar to LegalCaller. It asserts that, for every process p, every change to the returner's part of the interface ch[p] is a Return(p, v) step for some value v. It is our specification of what it means for a returner component to obey the handshake protocol. Formula LegalReturner has no initial predicate because we have arbitrarily assigned the initial condition on the channel to the caller's specification.<sup>6</sup> Unlike LegalCaller, which requires that the arguments be elements of Args, formula LegalReturner does not place any restriction on the results returned. This asymmetry arises because the specification problem involves syntactic restrictions on arguments, but not on results. A more realistic general-purpose interface specification would include as an additional parameter the set of legal results and would define LegalReturner to assert that results are in this set. Composing a caller component and a returner component produces a system in which the two components interact according to the protocol. In TLA, composition is conjunction [3]. A simple calculation, using predicate logic and the fact that $\square$ distributes over $\wedge$ and $\forall$ , shows that $\textit{LegalCaller} \wedge \textit{LegalReturner}$ is equivalent to $$\forall \ p \in PrIds \ : \land \neg Calling(p)$$ $$\land \Box \begin{bmatrix} \lor \land \exists \ a \in Args : Call(p,a) \\ \land \ rtrner(p)' = rtrner(p) \\ \lor \land \exists \ v : Return(p,v) \\ \land \ caller(p)' = caller(p) \end{bmatrix}_{\langle \ caller(p), rtrner(p) \rangle}$$ We are using a noninterleaving representation [3], in which a single step can represent operations performed by several processes. This approach seems more convenient for this specification problem than the more traditional interleaving representation, in which each step represents an operation of at most one process. TLA is not inherently biased towards either specification style. # 2 A Memory Component In this section we give two specifications of the memory component described in the problem statement. In both specifications, the memory component supports read and write operations. The two specifications differ on whether the memory component is reliable; the unreliable version can return memory-failure exceptions, while the reliable version cannot. <sup>&</sup>lt;sup>6</sup> Each component's specification would have had an initial condition on its signaling wire had we constrained the values of those wires—for example, by requiring signaling values to be 0 or 1. <sup>&</sup>lt;sup>7</sup> For any actions A and B, an $A \lor B$ step is an A step or a B step. # 2.1 The Parameters For expository reasons, we split the specifications into two modules. The first module, *MemoryParameters*, is given in Figure 3 on this page. It declares the parameters of the memory specification. The **export** statement is explained below. The **parameters** section declares the following parameters. memCh This variable represents the procedure-calling interface to the memory. MemLocs, MemVals, InitVal As in the problem statement, MemLocs is a set of memory locations, MemVals is a set of values that can be stored in those locations, and InitVal is the initial value of all locations. Vals This is the set of syntactically legal argument values mentioned in the problem statement. In particular, we assume that the procedure-calling mechanism allows only read and write calls with arguments in Vals. PrIds The same as for the ProcedureInterface module. The module next asserts assumption ParamAssump about the constant parameters. The assumption's first conjunct states that MemLocs and MemVals are subsets of Vals, so every semantically legal argument is also syntactically legal. The second conjunct states that the strings "BadArg" and "MemFailure" are not elements of MemVals. These strings are used to represent the corresponding exceptions in the problem statement. For convenience, we let a successful read operation return a memory value and represent an exception by returning one of these strings. A successful write operation returns the string "OK". The third conjunct of ParamAssump asserts that InitVal is an element of MemVals, a condition implied by the problem statement. ``` \begin{array}{c} \textbf{module} \ \textit{MemoryParameters} \\ \textbf{export} \ \textit{MemoryParameters}, \ E \\ \textbf{parameters} \\ \textit{MemLocs}, \textit{MemVals}, \textit{InitVal}, \textit{Vals}, \textit{PrIds} : \texttt{CONSTANT} \\ \textit{memCh} : \texttt{VARIABLE} \\ \\ \textbf{assumption} \\ \textit{ParamAssump} \ \stackrel{\triangle}{=} \ \land \ \textit{MemLocs} \cup \textit{MemVals} \subseteq \textit{Vals} \\ \land \ \{\text{"BadArg"}, \text{"MemFailure"}\} \cap \textit{MemVals} = \{\} \\ \land \textit{InitVal} \in \textit{MemVals} \\ \\ \textit{LegalArgs} \ \stackrel{\triangle}{=} \ (\{\text{"Read"}\} \times \textit{Vals}) \cup (\{\text{"Write"}\} \times \textit{Vals} \times \textit{Vals}) \\ \textbf{include} \ \textit{ProcedureInterface} \ \textbf{as} \ \textit{E} \ \textbf{with} \ \textit{ch} \leftarrow \textit{memCh}, \textit{Args} \leftarrow \textit{LegalArgs} \\ \\ \end{array} ``` Fig. 3. Module MemoryParameters. The module defines *LegalArgs* to be the set of syntactically legal arguments of procedure calls to the memory. Finally, the **include** statement includes a copy of the ProcedureInterface module, with each defined symbol X renamed as E.X, with memCh substituted for the parameter ch, with LegalArgs substituted for the parameter Args, and with PrIds (which is a parameter of the current module) implicitly substituted for the parameter PrIds. For example, this statement includes the definitions: ``` \begin{split} E.caller(p) & \triangleq \langle memCh[p].arg, memCh[p].cbit \rangle \\ E.LegalCaller & \triangleq \forall \ p \in PrIds : \\ & \land \neg E.Calling(p) \\ & \land \Box [\exists \ a \in LegalArgs : E.Call(p, a)]_{E.caller(p)} \end{split} ``` The E in the **export** statement asserts that all these included definitions are exported. Exported symbols are the ones obtained by any other module that includes the MemoryParameters module. The MemoryParameters in the **export** statement asserts that the symbols defined in the module itself—in this case, ParamAssump and LegalArgs—are exported. Omitting an **export** statement in a module M is equivalent to adding the statement **export** M. ## 2.2 The Memory Specification The specifications of the reliable and unreliable memories are contained in module *Memory* of Figure 4 on the next page and Figure 5 on page 11. The module begins by importing the *MemoryParameters* module. The **import** statement is equivalent to simply copying the entire *Memory* module—its parameter declarations, assumption, and definitions—into the current module. (However, imported definitions are not automatically exported.) The **export** statement is needed because we want to use formula *E.LegalCaller* in asserting the correctness of an implementation. The reader should note the distinction between **import** and **include**. Importing a module imports its definitions and parameters. Including a module includes its definitions (with renaming), but its parameters are instantiated, not included. We now explain our specification in a top-down fashion, starting with the final definition. Our specifications of the reliable and unreliable memory components are the formulas RSpec and USpec defined in Figure 5, at the end of the module. The two specifications are almost identical, so we now discuss only RSpec, the reliable-memory specification. Afterwards, we explain how USpec differs from it. Formula RSpec is defined to equal $\exists$ mem, result: Inner.IRSpec. Intuitively, it asserts of a behavior that there exist assignments of values for the variables mem and result—possibly assigning different values in each state of the behavior—for which the behavior satisfies Inner.IRSpec. Formula $\exists$ mem, result: Inner.IRSpec asserts nothing about the actual values of the variables mem and result; it is the specification obtained by "hiding" mem and result in the specification Inner.IRSpec. ``` - module Memory - \mathbf{import}\ \mathit{MemoryParameters} export Memory, E \operatorname{\mathbf{--module}}\ Inner\operatorname{\mathbf{--}} parameters mem, result : Variable NotAResult \triangleq CHOOSE v: v \notin \{\text{"OK"}, \text{"BadArg"}, \text{"MemFailure"}\} \cup MemVals MInit(l) \stackrel{\triangle}{=} mem[l] = InitVal PInit(p) \stackrel{\Delta}{=} result[p] = NotAResult Read(p) \triangleq \exists l : \land E.Calling(p) \land memCh[p].arg = \langle "Read", l \rangle \land result'[p] = \mathbf{if} \ l \in MemLocs \ \mathbf{then} \ mem[l] else "BadArg" \land UNCHANGED E.rtrner(p) Write(p, l) \triangleq \exists v : \land E.Calling(p) \land memCh[p].arg = \langle \text{``Write''}, l, v \rangle \land \lor \land (l \in MemLocs) \land (v \in MemVals) \land mem'[l] = v \land result'[p] = "OK" \lor \land \neg((l \in MemLocs) \land (v \in MemVals)) \land result'[p] = "BadArg" \land UNCHANGED mem[l] \land UNCHANGED E.rtrner(p) Fail(p) \triangleq \land E.Calling(p) \land \ \mathit{result'}[p] = \text{``MemFailure''} \land UNCHANGED E.rtrner(p) Return(p) \triangleq \wedge result[p] \neq NotAResult \land result'[p] = NotAResult \land E.Return(p, result[p]) RNext(p) \triangleq Read(p) \lor (\exists l : Write(p, l)) \lor Return(p) UNext(p) \triangleq RNext(p) \vee Fail(p) pvars(p) \triangleq \langle E.rtrner(p), result[p] \rangle RPSpec(p) \triangleq \land PInit(p) \wedge \Box [RNext(p)]_{pvars(p)} \wedge \operatorname{WF}_{pvars(p)}(RNext(p)) \wedge \operatorname{WF}_{pvars(p)}(Return(p)) ``` Fig. 4. First part of module Memory. Fig. 5. Second part of module Memory. Since mem and result are not free variables of the specification, they should not be parameters of module Memory. We therefore introduce a submodule named Inner having these variables as its parameters. The symbol IRSpec defined in submodule Inner is named Inner.IRSpec when used outside the submodule. The symbol Inner.IRSpec can appear only in a context in which mem and result are declared—for example, in the scope of the quantifier $\exists mem, result$ . The bound variable mem represents the current contents of memory; mem[l] equals the contents of memory location l. The bound variable result records the activity of the memory component processes. For each process p, result[p] initially equals NotAResult, which is a value different from any that a procedure call can return. When process p is ready to return a result, that result is result[p]. (Even though it is ready to return, the process can "change its mind" and choose a different result before actually returning.) Formula *IRSpec* is the conjunction of two formulas, which describe two components that constitute the memory component. The first component is responsible for communicating on the channel $mem\,Ch$ and managing the variable result; the second component manages the variable mem. The second conjunct is itself the conjunction $^{10}$ of formulas MSpec(l), for each memory location l. We view MSpec(l) as the specification of a separate process that manages mem[l]. Formula MSpec(l) has the familiar form $I \wedge \square[N]_v$ . It asserts that MInit(l) holds in the initial state, and that every step is either a Write(p,l) step for some process p, or else leaves mem[l] unchanged. The initial <sup>&</sup>lt;sup>8</sup> Instead of introducing a submodule, we could have made *mem* and *result* explicit parameters of all the definitions in which they now occur free. <sup>&</sup>lt;sup>9</sup> The definition of NotAResult in submodule Inner uses the operator choose, which is the TLA<sup>+</sup> name for Hilbert's $\varepsilon$ [15]. We can define NotAResult in this way because the axioms of set theory imply that, for every set S, there exists a value not in S. Informally, we often think of $\forall x \in S : F(x)$ as the conjunction of the formulas F(x) for all x in S. **Fig. 6.** A predicate-action diagram of pvars(p) for formula RPSpec(p) of the Memory module. predicate MInit(l) asserts that mem[l] equals InitVal, the initial memory value. Action Write(p, l), which we discuss below, is enabled only when the memory component is processing a procedure call by process p to write some value v to location l: a Write(p, l) step sets the new value of mem[l] to this v. The first conjunct of IRSpec is the conjunction of formulas RPSpec(p) for each process p in PrIds. We view RPSpec(p) as the specification of a process that manages the returner's part of the channel memCh[p] and the variable result[p]. Formula RPSpec(p) has the form $I \wedge \square[N]_v \wedge F$ . A formula $\square[N]_v$ asserts that every step that changes v is an N step, but it does not require any such steps to occur. It allows a behavior in which v never changes. We require that certain changes do occur by conjoining an additional condition F, which constrains what must eventually happen but does not disallow any individual step. We call $I \wedge \square[N]_v$ the safety condition of the specification and F its fairness or liveness condition. We now examine the safety condition of RPSpec(p); its fairness condition is considered below. A formula $I \wedge \Box[N]_v$ describes how the state function v may change. For RPSpec(p), the subscript v is the state function pvars(p), which is defined to be the pair $\langle E.rtrner(p), result[p] \rangle$ . A pair changes iff one of its elements changes, so RPSpec(p) describes changes to E.rtrner(p), the returner's part of the communication channel memCh[p], and to result[p]. We explain RPSpec(p) with the help of the predicate-action diagram [13] of Figure 6 on this page. This diagram has the following meaning. - The small arrow indicates that initially, $\mathit{result}[p]$ equals NotAResult. - When result[p] equals NotAResult, the pair pvars(p) can be changed only by a Read(p) step or a Write(p, l) step, for some l. Such a step sets result[p] unequal to NotAResult. - When result[p] is not equal to NotAResult, the pair pvars(p) can be changed only by a Read(p) step, some Write(p,l) step, or a Return(p) step. A Read(p) or Write(p,l) step leaves result[p] unequal to NotAResult, while a Return(p) step sets it to NotAResult. Predicate-action diagrams are defined formally in [13] to represent TLA formulas. The assertion that Figure 6 is a diagram for RPSpec(p) means that RPSpec(p) implies the formula represented by the diagram. In general, one can draw many different diagrams for the same formula. Proving that a diagram is a predicate-action diagram for a specification helps confirm our understanding of the specification. The proof for Figure 6 is trivial. This diagram is actually equivalent to the safety part of RPSpec(p). To complete our understanding of the safety part of RPSpec(p), we must examine what steps are allowed by the actions Read(p), Write(p,l), and Return(p). Action Read(p) is enabled when E.Calling(p) is true and memCh[p].arg equals ("Read", l) for some l, so the process p caller has called the read procedure with argument l and the process p returner has not yet returned a result. If l is a legal memory address, then a Read(p) step sets result[p] to mem[l]; otherwise it sets result[p] to the string "BadArg". The step leaves E.rtrner unchanged. (The TLA+ action unchanged p is defined to equal p for any state function p.) Action p is similar. It is enabled when there is a pending request to write some value p in memory location p; it sets p to the appropriate result and sets p and p to p iff the request is valid. Action Return(p) issues the return of result[p] and resets result[p] to equal NotAResult. The action is enabled iff result[p] is unequal to NotAResult and action E.Return(p) is enabled, which is the case iff E.Calling(p) equals TRUE. Looking at Figure 6 again, we now see that returner process p goes through the following cycle. It waits (with result[p] equal to NotAResult) until a procedure call occurs. It then does one or more internal Read(p) or Write(p,l) steps, which choose result[p]. Finally, it returns result[p] and resets result[p] to NotAResult. Allowing multiple Write(p,l) steps is important because mem[l] could be changed between those steps by Write(q,l) steps for some q different from p. Such Write(q,l) steps are allowed by Figure 6 (and by RPSpec(p)) if they do not change pvars(p). It makes no difference to the final specification RSpec whether or not multiple Read(p) steps are allowed. The changes to memCh are the same as if only the last one were performed, and memCh is the only free variable of RSpec. Allowing multiple Read(p) steps simplifies the specification a bit. This completes our explanation of the safety condition of RPSpec(p). We now consider the fairness condition. The safety condition of RPSpec(p) implies that the steps described by Figure 6 are the only ones that are allowed to happen. We want the fairness condition to assert that they must happen. In particular, we want to assert the following two requirements: (L1) after a procedure call has been issued, the transition out of the result[p] = NotAResult state eventually occurs, and (L2) the transition back to that state eventually occurs. These requirements are expressed with weak fairness formulas of the form WF<sub>v</sub>(A). Such a formula asserts that if the action $A \wedge (v' \neq v)$ remains continually enabled, then an $A \wedge (v' \neq v)$ step must occur. In other words, if it remains possible to take an A step that changes v, then such a step must eventually be taken. Condition L1 is implied by $\operatorname{WF}_{p\,vars(p)}(RNext(p))$ . To see this, suppose that result[p] equals NotAResult and a read or write call is issued. Then Read(p) or some Write(p,l) action is enabled, so RNext(p) is enabled. Assuming that the caller obeys the handshake protocol, action RNext(p) will remain enabled until a Read(p) or Write(p,l) step occurs. Formula $\operatorname{WF}_{p\,vars(p)}(RNext(p))$ therefore implies that a RNext(p) step does occur, and that step can only be the desired Read(p) or Write(p,l) step. Formula $\operatorname{WF}_{pvars(p)}(RNext(p))$ implies that, while $result[p] \neq NotAResult$ remains true, RNext(p) steps must keep occurring. However, those steps could be Read(p) or Write(p,l) steps. (Read(p) steps can change pvars(p) if intervening steps by other processes keep changing mem[l].) Formula $\operatorname{WF}_{pvars(p)}(Return(p))$ , the second conjunct of RPSpec(p)'s fairness condition, asserts that a Return(p) step must eventually occur when $result[p] \neq NotAResult$ holds. There are other possible fairness conditions for RPSpec(p). Two other obvious choices are obtained by replacing $WF_{pvars(p)}(RNext(p))$ with one of the following: $$\begin{aligned} & \operatorname{WF}_{pvars(p)}(Read(p)) \ \wedge \ \operatorname{WF}_{pvars(p)}(\exists \ l : \ Write(p,l)) \\ & \operatorname{WF}_{pvars(p)}(Read(p)) \ \wedge \ (\forall \ l : \ \operatorname{WF}_{pvars(p)}(Write(p,l))) \end{aligned}$$ It is not hard to check that the conjunction of E.LegalCaller (the specification that the caller obeys the handshake protocol) and the safety condition of RPSpec(p) implies that both formulas are equivalent to $\operatorname{WF}_{pvars(p)}(RNext(p))$ , for any p in PrIds. We care what the memory component does only when the caller obeys the protocol. Hence, any of these three choices of fairness conditions for RPSpec(p) yield essentially the same specification. (The three fairness conditions need not be equivalent on a behavior in which memCh[p].arg changes while the memory is processing a procedure call by process p.) Weak fairness is a standard concept of concurrency [6, 17]. The reader who is not already familiar with it may find fairness conditions difficult to understand. Fairness can be subtle, and it is not obvious why we express it in TLA with WF formulas. For example, it might seem easier to express L1 by writing the temporal-logic formula $$(result[p] = NotAResult) \land E. Calling(p) \leadsto (result[p] \neq NotAResult)$$ which asserts that if result[p] ever equals NotAResult when E.Calling(p) is true, then it must eventually become unequal to NotAResult. We have found that the use of arbitrary temporal-logic formulas makes it easy to write incorrect specifications, and using WF formulas helps us avoid errors. Finally, let us consider the specification USpec of the unreliable memory component. It is identical to RSpec except it has action UNext(p) instead of RNext(p) as its next-state action. Action UNext(p) differs from RNext(p) by also allowing internal Fail(p) steps, which set result[p] to "MemFailure". Such steps can occur instead of, before, after, or between Read(p) or Write(p, l) steps. We could have replaced RNext(p) with UNext(p) in the fairness condition; LegalCaller implies that the two definitions of USpec are equivalent. However, it might seem odd to require the eventual occurrence of a step that may be a failure step. #### 2.3 Solution to Problem 1 (a) Formulas RSpec and USpec are what we call component specifications. They describe a system containing a properly operating (reliable or unreliable) memory component. Whether they constitute the specifications of a memory depends on what the specifications are for. Component specifications can be used to describe a complete system in which all the components function properly, allowing us to prove properties of the system. The simplest such complete-system specification of a system containing a reliable memory component is $RSpec \wedge E.LegalCaller$ , which asserts that the memory component behaves properly and the rest of the system follows the handshake protocol. Another possible use of a memory specification is to serve as a contract between the user of the memory and its implementor. Such a specification should be satisfied by precisely those behaviors that represent physical histories in which the memory fulfills its obligations. Formula RSpec cannot serve as such a specification because it says nothing about the memory's environment. A real memory that uses the two-phase handshake protocol will display completely unpredictable behavior if its environment does not correctly follow the protocol. To be implementable, the specification must assert only that RSpec is satisfied if the memory's environment satisfies the caller's part of the handshake protocol—in other words, if E. Legal Caller is satisfied. We might therefore expect the specification of a reliable memory to be $E.LegalCaller \Rightarrow RSpec.$ However, for reasons explained in [3], we instead write this specification as the formula E.LegalCaller $\stackrel{\pm}{\rightarrow}$ RSpec. This formula means roughly that RSpec remains true as long as E. Legal Caller does. Such a formula is called an assumption/quarantee specification [8]; the memory guarantees to satisfy its component-specification RSpec as long as the environment assumption E.LegalCaller is satisfied. When we present a component specification as a solution to one of the specification problems, we indicate its environment assumption. Writing the corresponding assumption/guarantee specification is then trivial. When we write a component specification, we think of steps satisfying the specification's next-state action as representing operations performed by that component. We could make this an explicit assumption by formally attributing every step to either the component or its environment, as described in [3]. However, whether the component or its environment actually performs an operation is a question of physical reality, and the connection between a mathematical specification and reality can never be made completely formal. The assumption ParamAssump about the parameters is not part of our memory component specifications, since the formulas RSpec and USpec are not defined in terms of ParamAssump. We could weaken the specifications by adding ParamAssump as an assumption and writing, for example, $ParamAssump \Rightarrow$ RSpec. We do not need to do so; as we will see below, putting the assumption ParamAssump into the Memory module allows us to use it when proving the correctness of an implementation of the memory component. (b) In TLA, implementation is implication. To prove that a reliable memory implements an unreliable one, it suffices to prove the theorem $RSpec \Rightarrow USpec$ . The proof is easy; expanding the definitions shows that it suffices to prove $\Box [RNext(p)]_{pvars(p)} \Rightarrow \Box [UNext(p)]_{pvars(p)}$ , which is trivial since RNext(p) obviously implies UNext(p). In general, we would not expect such an implication to be valid. For example, it would not have been valid had we written $\operatorname{WF}_{pvars(p)}(UNext(p))$ instead of $\operatorname{WF}_{pvars(p)}(RNext(p))$ in the fairness condition of UPSpec(p). Component specifications like RSpec and USpec describe how the component should behave when its environment behaves properly. They do not constrain the environment's behavior, and they may allow bizarre behaviors when the environment behaves improperly. A priori, there is no reason why the particular bizarre behaviors allowed by RSpec as the result of an incorrectly functioning environment should also be allowed by USpec. Hence, we would expect $RSpec \Rightarrow USpec$ to be true only for those behaviors satisfying the memory's environment specification, E.LegalCaller. We would therefore expect to prove only $E.LegalCaller \Rightarrow (RSpec \Rightarrow USpec)$ , which is equivalent to $$E.LegalCaller \land RSpec \Rightarrow USpec \tag{1}$$ We can also phrase implementation in terms of assumption/guarantee specifications. Such specifications are satisfied by precisely those behaviors in which the memory meets its obligation. We would expect the assumption/guarantee specification of the reliable memory to imply that of the unreliable memory: $$(E.LegalCaller \xrightarrow{+} RSpec) \Rightarrow (E.LegalCaller \xrightarrow{+} USpec)$$ (2) The relation between the two forms of implementation conditions exemplified by (1) and (2) is investigated in [3]. Because our two memory-component specifications are so similar, we can prove $RSpec \Rightarrow USpec$ , which implies (1) and (2). (c) If the memory is implemented with unreliable components that can fail forever, then there is no way to guarantee that anything but "MemFailure" exceptions will ever occur. (For example, this will be the case if it is implemented with an RPC component that always returns "RPCFailure" exceptions.) We can easily define a memory that guarantees eventual success. We do so by requiring that if enough calls of some particular kind are issued, then one of them eventually succeeds. Different conditions are obtained by different choices of the kind of calls—for example, calls to a particular memory location, or reads by a particular process. Such conditions can be expressed using *strong fairness* formulas of the form $SF_v(A)$ . This formula asserts that if $A \wedge (v' \neq v)$ is enabled often enough, then an $A \wedge (v' \neq v)$ step must occur. (Strong fairness is stronger than weak fairness because it requires a step to occur if the action is enabled often enough, even if the action does not remain continuously enabled.) For example, to strengthen the specification to require that, if process p keeps issuing calls, then it will eventually receive a result other than "MemFailure", we simply replace the fairness condition of UPSpec(p) by: ``` \land SF_{pvars(p)}(Read(p) \lor (\exists l : Write(p, l))) \land SF_{pvars(p)}(Return(p) \land (result[p] \neq \text{``MemFailure''})) ``` To solve Problem 3 (proving the correctness of a memory implementation), we would then need to add a corresponding liveness condition to the RPC component. # 3 Implementing the Memory The memory implementation is obtained by composing a memory clerk component, an RPC component, and a reliable memory component. The memory clerk translates memory calls into RPC calls, and optionally retries RPC calls when they result in RPC failures. In this section we describe the RPC and the memory clerk components, and then prove the correctness of the implementation. ## 3.1 The RPC Component The RPC component connects a sender to a receiver. As with the memory component, we split its specification into two modules. The Parameters Module The specification of the RPC component begins with module RPCParameters in Figure 7 on the next page; the module declares parameters and both makes and includes some definitions. The RPCParameters module imports the module Naturals, a predefined module that defines the natural numbers and the usual operators on them. It then imports the Sequences module, which defines operators on finite sequences. In $TLA^+$ , an n-tuple $\langle v_1, \ldots, v_n \rangle$ is a function whose domain is the set $\{1, \ldots, n\}$ of natural numbers, where $\langle v_1, \ldots, v_n \rangle[i]$ equals $v_i$ , for $1 \leq i \leq n$ . The Sequences module represents sequences as tuples. The module appeared in [14] (without the definition of Seq, which was not needed there) and is given without further explanation in Figure 8 on the next page. It defines the usual operators Seq, where Seq(S) is the set of sequences of elements in S. (The values of Seq, where Seq(S) is the set of sequences of elements in S. (The values of Seq) and Seq(S) are not constrained when Seq(S) is the empty sequence.) The parameters declared in module RPCParameters have the following interpretations: <sup>&</sup>lt;sup>11</sup> TLA<sup>+</sup> uses square brackets to denote function application. An "array variable" is just a variable whose value is a function. ``` \begin{array}{c} \textbf{module} \ RPCParameters \\ \textbf{export} \ RPCParameters, \ Snd, \ Rcv \\ \textbf{import} \ Naturals, \ Sequences \\ \textbf{parameters} \ sndCh, rcvCh : \text{VARIABLE} \\ Procs, \ ArgNum, \ Vals, \ PrIds : \text{CONSTANT} \\ \\ \textbf{assumption} \ ParamAssump \ \triangleq \ ArgNum \in [Procs \rightarrow Nat] \\ \\ LegalSndArgs \ \triangleq \ \left\{ \text{``RemoteCall''} \right\} \times \text{STRING} \times Seq(Vals) \\ \\ LegalRcvArgs \ \triangleq \\ \left\{ s \in Seq(Procs \cup Vals) : \land \ Len(s) > 0 \\ \land \ Head(s) \in Procs \\ \land \ Tail(s) \in Seq(Vals) \\ \land \ Len(s) = 1 + ArgNum[Head(s)] \right\} \\ \textbf{include} \ ProcedureInterface \ as} \ Snd \ \textbf{with} \ ch \leftarrow sndCh, Args \leftarrow LegalSndArgs \\ \textbf{include} \ ProcedureInterface \ as} \ Rcv \ \textbf{with} \ ch \leftarrow rcvCh, Args \leftarrow LegalRcvArgs \\ \end{array} ``` Fig. 7. Module RPCParameters. ``` import Naturals One To(n) \triangleq \{i \in Nat : (1 \le i) \land (i \le n)\} Seq(S) \triangleq \text{UNION } \{[One To(n) \rightarrow S] : n \in Nat\} Len(s) \triangleq \text{CHOOSE } n : (n \in Nat) \land ((D \text{ OMAIN } s) = One To(n)) Head(s) \triangleq s[1] Tail(s) \triangleq [i \in One To(Len(s) - 1) \mapsto s[i + 1]] (s) \circ (t) \triangleq [i \in One To(Len(s) + Len(t)) \mapsto \text{if } i \le Len(s) then s[i] else t[i - Len(s)] ``` Fig. 8. Module Sequences. sndCh The procedure-calling interface between the sender and the RPC component. $\mathit{rcvCh}$ The procedure-calling interface between the RPC component and the receiver. *Procs*, ArgNum As in the problem statement, Procs is a set of legal procedure names and ArgNum is a function that assigns to each legal procedure name its number of arguments. Vals The set of all possible syntactically valid arguments. PrIds The same as for the ProcedureInterface module. Assumption ParamAssump asserts that ArgNum is a function with domain Procs and range a subset of the set Nat of natural numbers. (The definition of Nat comes from the Naturals module.) The module next defines LegalSndArgs to be the set of syntactically valid arguments with which the RPC component can be called. Calls to the RPC component take two arguments, the first of which is an element of STRING, the set of all strings, and the second of which is a sequence of elements in Vals. We use the same convention as in the memory specification, that the argument of a procedure call is a tuple consisting of the procedure name followed by its arguments. The RPC component has a single procedure, whose name is "RemoteCall". The module defines LegalRcvArgs to be the set of syntactically valid arguments with which the RPC component can call the receiver. These consist of all tuples of the form $\langle p, v_1, \ldots, v_n \rangle$ with p in Procs, the $v_i$ in Vals, and n equal to ArgNum[p]. Finally, the module includes two copies of the *ProcedureInterface* module, one for each of the interfaces, with the appropriate instantiations. The **export** statement (at the beginning of the module) exports these included definitions. **Problem 2: The RPC Component's Specification** The specification of the RPC component appears in module RPC of Figure 10 on page 21. It is the formula $\exists rstate : Inner.ISpec$ , where ISpec is defined in a submodule named Inner. We explain the specification ISpec with the aid of the diagram of Figure 9 on the next page. This is a predicate-action diagram for ISpec of all changes to vars(p), where p is any element of PrIds. The state function vars(p) is the triple $\langle rstate[p], Snd.rtrner(p), Rcv.caller(p) \rangle$ that forms the state of the RPC component's process p. The dotted arrows are not formally part of the diagram. The initial-condition arrow indicates obligations of both the RPC component and its environment; the other dotted arrows represent state changes caused by the environment that do not change the RPC component's state. (Recall that ... Calling(p) can be changed by either the caller changing ... caller(p) or the returner changing ... caller(p).) The top dotted arrow represents the **Fig. 9.** A predicate-action diagram of vars(p) for formula ISpec of module RPC, where p is an element of PrIds. (The dotted arrows are not formally part of the diagram.) sender's action of calling the RPC component, which makes $Snd.\ Calling(p)$ true. The bottom dotted arrow represents the receiver's return action, which makes $Rcv.\ Calling$ false. The solid arrows (the real arrows of the predicate-action diagram) represent steps of process p of the RPC component. The Forward(p) action relays the call to the receiver, making Rcv.Calling(p) true. The Fail(p) action returns "RPCFailure". The Reject(p) action returns "BadCall" without relaying the request. The Reply(p) action returns to the sender the result returned by the receiver. The variable rstate is needed to distinguish the upper right and lower-left states. The values "A" and "B" are arbitrary; any two values can be used. The specification Spec of the RPC component appears in module RPC of Figure 10 on the next page. It is similar enough to the memory specification that it should require little additional explanation. The definition of RelayArg makes use of the way sequences are represented as tuples, and it may seem a little obscure. When the sender's process p has called the RPC component, RelayArg(p) is the argument with which the RPC component should call the receiver. For example, if the RPC component is called with argument $\langle$ "RemoteCall", "Write", $\langle 17, \sqrt{2} \rangle \rangle$ , then RelayArg(p) equals $\langle$ "Write", $17, \sqrt{2} \rangle \rangle$ . In the definitions of the actions, we have eliminated some redundant instances of the conjuncts Snd.Calling(p) and $\neg Rcv.Calling(p)$ that appear in the predicate-action diagram; Snd.Calling(p) is implied by $Snd.Return(p, \ldots)$ , and the diagram shows that $\neg Rcv.Calling(p)$ is implied by rstate[p] = "A" in every reachable state. Formula Spec of the RPC module is the component specification of the RPC component. The component's environment specification is $Snd.LegalCaller \land Rcv.LegalReturner$ . As described above, the conjunction of these two formulas ``` – \mathbf{module}\ RPC - import RPCParameters, Naturals, Sequences export RPC, Snd, Rcv \operatorname{\mathbf{-} \ \mathbf{module} \ } Inner - parameters rstate : Variable Init(p) \triangleq (rstate[p] = \text{``A''}) \land \neg Rcv. Calling(p) RelayArg(p) \triangleq \langle sndCh[p].arg[2] \rangle \circ sndCh[p].arg[3] Forward(p) \stackrel{\triangle}{=} \land Snd. Calling(p) \land (rstate[p] = "A") \land RelayArg(p) \in LegalRcvArgs \land Rcv.Call(p, RelayArg(p)) \land rstate'[p] = "B" \land UNCHANGED Snd.rtrner(p) Reject(p) \triangleq \wedge rstate[p] = \text{``A''} \land RelayArg(p) \notin LegalRcvArgs \land Snd.Return(p, "BadCall") \land UNCHANGED \langle rstate[p], Rcv.caller(p) \rangle Fail(p) \stackrel{\Delta}{=} \wedge \neg Rcv.Calling(p) \land \ Snd.Return(p, \text{``RPCFailure''}) \land rstate'[p] = \text{``A''} \land UNCHANGED Rcv.caller(p) Reply(p) \stackrel{\Delta}{=} \land \neg Rcv.Calling(p) \land (rstate[p] = "B") \land Snd.Return(p, rcvCh[p].res) \land rstate'[p] = \text{``A''} \land UNCHANGED Rcv.caller(p) Next(p) \stackrel{\triangle}{=} Forward(p) \lor Reject(p) \lor Fail(p) \lor Reply(p) vars(p) \triangleq \langle rstate[p], Snd.rtrner(p), Rcv.caller(p) \rangle ISpec \stackrel{\triangle}{=} \forall p \in PrIds : Init(p) \land \Box[Next(p)]_{vars(p)} \land WF_{vars(p)}(Next(p)) Spec \triangleq \exists rstate : Inner.ISpec ``` Fig. 10. The specification of the RPC component. is the specification of a complete system consisting of an RPC component and a sender and receiver that obey the handshake protocol; combining the formulas with the $\stackrel{+}{\rightarrow}$ operator yields an assumption/guarantee specification of the RPC component. ## 3.2 The Implementation The Memory Clerk We now present the specification of the memory clerk, which is quite similar to that of the RPC component. It begins with module MemClerkParameters of Figure 11 on this page. The module declares the following parameters: sndCh, rcvCh The procedure-calling interfaces between the clerk and the memory's caller, and between the clerk and the RPC component. Vals, PrIds The same as for the MemoryParameters and ProcedureInterface modules, respectively. The definitions of LegalSndArgs and LegalRcvArgs and the inclusion of two copies of the ProcedureInterface module serve the same purpose as they do in the RPCParameters module. The specification of the memory clerk is a formula $\exists$ cstate: Inner.ISpec. The formula ISpec is described by the predicate-action diagram of Figure 12 on the next page, which is similar to that of Figure 9 (page 20). The Reply(p) and Forward(p) actions play the same role as in the RPC component's specification. Action Retry(p) retries an RPC call that has yielded an RPC failure. The clerk's specification *Spec* appears in Module *MemClerk* of Figure 13 on page 24. The safety part can be deduced from the predicate-action diagram as we did for the RPC component. The liveness part is a bit trickier. We want to require that the clerk eventually returns from a call, assuming the RPC component eventually returns from each call. Weak fairness on the *Forward(p)* action ensures ``` \begin{array}{c} \textbf{module} \ \textit{MemClerkParameters} \\ \textbf{export} \ \textit{MemClerkParameters}, \ \textit{Snd}, \ \textit{Rcv} \\ \textbf{parameters} \ \textit{sndCh}, \ \textit{rcvCh} : \ \textit{VARIABLE} \\ \textit{PrIds}, \ \textit{Vals} : \ \textit{CONSTANT} \\ \\ \textit{LegalSndArgs} \ \stackrel{\triangle}{=} \ \left( \left\{ \text{"Read"} \right\} \times \textit{Vals} \right) \cup \left( \left\{ \text{"Write"} \right\} \times \textit{Vals} \times \textit{Vals} \right) \\ \textit{LegalRcvArgs} \ \stackrel{\triangle}{=} \ \left\{ \text{"RemoteCall"} \right\} \times \left\{ \text{"Read"}, \text{"Write"} \right\} \times \textit{Seq(Vals)} \\ \\ \textbf{include} \ \textit{ProcedureInterface} \ \textbf{as} \ \textit{Snd} \ \textbf{with} \ \textit{ch} \leftarrow \textit{sndCh}, \ \textit{Args} \leftarrow \textit{LegalSndArgs} \\ \textbf{include} \ \textit{ProcedureInterface} \ \textbf{as} \ \textit{Rcv} \ \textbf{with} \ \textit{ch} \leftarrow \textit{rcvCh}, \ \textit{Args} \leftarrow \textit{LegalRcvArgs} \\ \\ \textbf{onclude} \ \textit{ProcedureInterface} \ \textbf{as} \ \textit{Rcv} \ \textbf{with} \ \textit{ch} \leftarrow \textit{rcvCh}, \ \textit{Args} \leftarrow \textit{LegalRcvArgs} \\ \\ \end{array} ``` Fig. 11. Module Mem ClerkParameters. **Fig. 12.** A predicate-action diagram of vars(p) for formula ISpec of module MemClerk, where p is an element of PrIds. (The dotted arrows are not formally part of the diagram.) progress from the upper-right to the lower-right state of the predicate-action diagram. Strong fairness of Reply(p) is required to ensure eventual progress from the lower-left to the upper-left state; weak fairness would allow behaviors in which the clerk keeps performing Retry(p) steps without ever performing a Reply(p) step. The Implementation Proof We now formally assert that the composition of a memory clerk, an RPC component, and a reliable memory implements an unreliable memory; and we describe the proof of that assertion. Since implementation is implication, the assertion that every behavior allowed by an implementation Imp satisfies a specification Spec is expressed by the formula $Imp \Rightarrow Spec$ . However, as discussed in Section 2.3, we expect to prove the correctness of an implementation only under the assumption that the environment behaves correctly. If Env is the environment's specification, then we expect $Imp \Rightarrow Spec$ to be satisfied only by behaviors that satisfy Env. Thus, correctness of the implementation means that $Env \wedge Imp \Rightarrow Spec$ is valid. Composition is conjunction, so validity of this formula asserts that every behavior allowed by the composition of the environment and the implementation satisfies the specification. The assertion that the composition of the clerk, RPC component, reliable memory, and environment specifications implies the unreliable memory's specification is theorem Impl of module MemoryImplementation in Figure 14 on page 25. The specification of the unreliable memory's environment is formula E.LegalCaller, included from module ProcedureInterface by the imported module Memory. The composition is described schematically by the following picture. When composing two components by conjoining their specifications, the components are "connected" by instantiating their corresponding interface variable parameters with the same variable. The implementing module's specifications have been included with renaming; the specification *USpec* of the memory is imported from the *Memory* module. The **theorem** statement asserts that the formula named *Impl* is a conse- ``` – \mathbf{module} MemClerk - import MemClerkParameters, Sequences - \mathbf{module} Inner - parameters cstate : Variable Init(p) \stackrel{\triangle}{=} (cstate[p] = \text{``A''}) \land \neg Rcv. Calling(p) RelayArg(p) \triangleq \langle \text{``RemoteCall''}, Head(sndCh[p].arg), Tail(sndCh[p].arg) \rangle ReplyVal(p) \triangleq \mathbf{if} \ rcvCh[p].res = "RPCFailure" \mathbf{then} \ "MemFailure" else rcvCh[p].res Forward(p) \stackrel{\triangle}{=} \land Snd. Calling(p) \land (cstate[p] = "A") \land Rcv. Call(p, RelayArg(p)) \land cstate'[p] = "B" \land UNCHANGED Snd.rtrner(p) Retry(p) \stackrel{\Delta}{=} \land (cstate[p] = \text{"B"}) \land (rcvCh[p].res = \text{"RPCFailure"}) \land Rcv. Call(p, RelayArg(p)) \land UNCHANGED \langle cstate[p], Snd.rtrner(p) \rangle Reply(p) \stackrel{\Delta}{=} \wedge \neg Rcv.Calling(p) \wedge (cstate[p] = "B") \land Snd.Return(p, ReplyVal(p)) \land cstate'[p] = \text{``A''} \land UNCHANGED Rcv.caller(p) Next(p) \stackrel{\triangle}{=} Forward(p) \lor Retry(p) \lor Reply(p) vars(p) \triangleq \langle cstate[p], Snd.rtrner(p), Rcv.caller(p) \rangle ISpec \stackrel{\triangle}{=} \forall p \in PrIds : \wedge \ Init(p) \wedge \ \Box [Next(p)]_{vars(p)} \wedge \operatorname{WF}_{vars(p)}(Forward(p)) \wedge \operatorname{SF}_{vars(p)}(Reply(p)) Spec \triangleq \exists cstate : Inner.ISpec ``` Fig. 13. The component specification of the memory clerk. ``` import MemoryParameters, Memory parameters crCh, rmCh : VARIABLE assumption FailureNotAValue \triangleq "RPCFailure" \notin MemVals Procs \triangleq \{ \text{"Read", "Write"} \} ArgNum \triangleq [i \in Procs \mapsto \mathbf{case} \ (i = \text{"Read"}) \to 1, \ (i = \text{"Write"}) \to 2] include RPC as R with sndCh \leftarrow crCh, rcvCh \leftarrow rmCh include MemClerk as C with sndCh \leftarrow memCh, rcvCh \leftarrow crCh include Memory as M with memCh \leftarrow rmCh theorem Impl \triangleq E.LegalCaller \land C.Spec \land R.Spec \land M.RSpec \Rightarrow USpec ``` Fig. 14. Module MemoryImplementation. quence of the assumptions $FailureNotAValue^{12}$ and ParamAssump (imported from module MemoryParameters), and the laws of TLA. For convenience, we have gathered many of the definitions imported and included by module MemoryImplementation in Figure 15 on page 26. In this figure and in our proof, we use the following naming conventions: (i) we eliminate the "Inner." from symbol names—for example, writing C.Retry(p) instead of C.Inner.Retry(p), and (ii) if X is the name of a formula of the form $\forall p \in PrIds: Y$ , then we let X(p) denote the formula Y—as in R.ISpec(p). The figure also defines the following additional symbols: pv, m, e, c, r, and E.Next. 13 Theorem Impl has the form $H\Rightarrow \exists mem, result: G$ . In predicate logic, one proves a formula $\exists y: P(y) \Rightarrow \exists x: Q(x)$ by proving $P(y) \Rightarrow Q(\overline{x})$ for a suitable instantiation $\overline{x}$ of x. In temporal logic, the instantiation is called a refinement mapping [1]. To prove Impl, we define a pair of state functions $\overline{mem}$ and $\overline{result}$ and prove $F\Rightarrow \overline{G}$ , where F is the formula obtained by removing the existential quantifiers from H, and $\overline{G}$ is the formula obtained by substituting $\overline{mem}$ and $\overline{result}$ for mem and result in G. We believe the theorem to be correct without assumption FailureNotAValue, but our proof uses the assumption. We define a number of operators with implicit parameters that are not parameters of module *MemoryImplementation*—for example, the parameters p and result[p] that appear in the definition of m. If we were being truly formal, such definitions would occur in modules that made the parameters explicit, and these modules would then be included in the proof in contexts where the parameters are declared. # The Specification ``` Unreliable Memory Component (imported from Memory) pv \triangleq pvars(p) UNext(p) \triangleq Read(p) \lor (\exists l : Write(p, l)) \lor Return(p) \lor Fail(p) UPSpec(p) \triangleq \wedge PInit(p) \wedge \square [UNext(p)]_{nv} \wedge \operatorname{WF}_{pv}(RNext(p)) \wedge \operatorname{WF}_{pv}(Return(p)) MSpec(l) \triangleq MInit(l) \land \Box [\exists p \in PrIds : Write(p, l)]_{mem[l]} IUSpec \stackrel{\triangle}{=} \land \forall p \in PrIds : UPSpec(p) \land \forall l \in MemLocs : MSpec(l) USpec \stackrel{\triangle}{=} \exists mem, result : IUSpec The Implementation The Environment (included from ProcedureInterface via import of Memory) e \triangleq E.caller(p) E.Next(p) \triangleq \exists a \in LegalArgs : E.Call(p, a) E.LegalCaller \stackrel{\Delta}{=} \forall p \in PrIds : \neg E.Calling(p) \land \Box [E.Next(p)]_e Clerk (included from MemClerk) c \triangleq C.vars(p) C.Next(p) \triangleq C.Forward(p) \lor C.Retry(p) \lor C.Reply(p) C.ISpec(p) \stackrel{\Delta}{=} \wedge C.Init(p) \wedge \square[C.Next(p)]_c \wedge \operatorname{WF}_{c}(C.Forward(p)) \wedge \operatorname{SF}_{c}(C.Reply(p)) C.Spec \triangleq \exists cstate : \forall p \in PrIds : C.ISpec(p) RPC Component (included from RPC) r \triangleq R.vars(p) R.Next(p) \triangleq R.Forward(p) \lor R.Reject(p) \lor R.Fail(p) \lor R.Reply(p) R.ISpec(p) \triangleq R.Init(p) \wedge \square[R.Next(p)]_r \wedge WF_r(R.Next(p)) R.Spec \triangleq \exists rstate : \forall p \in PrIds : R.ISpec(p) Reliable Memory Component (included from Memory) m \triangleq M.pvars(p) M.RNext(p) \triangleq M.Read(p) \lor (\exists l : M.Write(p, l)) \lor M.Return(p) M.RPSpec(p) \triangleq \wedge M.PInit(p) \wedge \square[M.RNext(p)]_m \wedge \operatorname{WF}_m(M.RNext(p)) \wedge \operatorname{WF}_m(M.Return(p)) M.MSpec(l) \triangleq M.MInit(l) \land \Box [\exists p \in PrIds : M.Write(p, l)]_{mem[l]} M.IRSpec \stackrel{\triangle}{=} \land \forall p \in PrIds : M.RPSpec(p) \land \forall l \in MemLocs : M.MSpec(l) M.RSpec \triangleq \exists mem, result : M.IRSpec ``` **Fig. 15.** Formulas defined in module *MemoryImplementation*, plus a few extra definitions. For our proof, we let $\overline{mem}$ equal mem (which comes from M.RSpec). To define $\overline{result}$ , we must introduce a history variable [1]. Intuitively, a history variable a is one that is added to remember what happened in the past. Formally, proving $F \Rightarrow \overline{G}$ by "adding a history variable a" means choosing a variable a that does not appear in F and $\overline{G}$ , finding a formula Hist of a particular form that guarantees that $\exists a: Hist$ is valid, and proving $F \land Hist \Rightarrow \overline{G}$ . Our history variable rmhist is defined so that, for each p in PrIds, the value of rmhist[p] is initially equal to "A". It is set to "B" when process p of the reliable memory component returns to the RPC component or when process p of the RPC component issues a failure return to the clerk. It is reset to "A" when process p of the clerk returns to the caller. Formally, we define: It should be intuitively obvious that, for every p in PrIds, formula Hist implies that the value of rmhist[p] at any time is determined by the values of c, r, and m up to that time. A general theorem of TLA proves the validity of $\exists rmhist : Hist$ . The High-Level Proof We describe a structured proof of theorem Impl, in the style of [10]. We first present the high-level proof. It uses the state function $\overline{result}$ , which we define later (the high-level proof is independent of its definition), and the temporal formula: ``` IPImp(p) \triangleq E.LegalCaller(p) \land C.ISpec(p) \land R.ISpec(p) \\ \land M.RPSpec(p) \land (\forall l \in MemLocs : M.MSpec(l)) \land Hist(p) ``` For any formula F, we let $\overline{F}$ be the formula obtained by substituting $\overline{result}$ for result in F. Note that all formulas in the proof are interpreted in the context of the MemoryImplementation module. The variable declarations in the Assume (including the implicit declaration of p in the assumption $p \in PrIds$ ) are necessary, otherwise the formulas in the Prove part would contain undeclared variables. The following high-level proof is a simple exercise in predicate-logic reasoning with the operators $\forall$ and $\exists$ , since these operators (applied to temporal-logic formulas) obey the usual rules of first-order logic. ``` 1. Assume: 1. cstate, rstate, mem, result, rmhist: variable 2. p \in PrIds Prove: IPImp(p) \Rightarrow \overline{UPSpec(p)} Proof: Proved below. 2. Assume: 1. cstate, rstate, mem, result, rmhist: variable 2. l \in MemLocs Prove: (\forall q \in PrIds : IPImp(q)) \Rightarrow \overline{MSpec(l)} ``` PROOF: Proved below. - 3. Assume: $cstate, rstate, mem, result, rmhist: Variable Prove: E.LegalCaller <math>\land C.ISpec \land R.ISpec \land M.IRSpec \land Hist \Rightarrow \overline{IUSpec}$ Proof: By steps 1 and 2, since $\forall$ distributes over $\land$ , barring (which is just substitution) distributes over $\forall$ and $\land$ , and we can deduce $(\forall u \in U : P(u)) \Rightarrow (\forall u \in U : Q(u))$ by proving $P(u) \Rightarrow Q(u)$ for any u in U. - 4. ASSUME: cstate, rstate, mem, result, rmhist: VARIABLEPROVE: $E.LegalCaller \land C.ISpec \land R.ISpec \land M.IRSpec \land Hist \Rightarrow USpec$ PROOF: By step 3, since we can deduce $F \Rightarrow \exists x : G(x)$ by proving $F \Rightarrow G(\overline{x})$ , for some state function $\overline{x}$ . - 5. Q.E.D. PROOF: By step 4 and the validity of $\exists$ rmhist: Hist, since we can deduce $(\exists x : F(x)) \Rightarrow G$ by proving $F(x) \Rightarrow G$ , assuming x does not occur in G, and we can deduce the equivalence of $\exists x, y : F(x) \land G(y)$ and $(\exists x : F(x)) \land (\exists y : G(y))$ , assuming x does not occur in G(y) and y does not occur in F(x). The Lower-Level Proof At the heart of our argument lie the proofs of steps 1 and 2. They are based on the predicate-action diagram of Figure 16 on the next page. We introduce the abbreviations T and F for TRUE and FALSE, and UC for UNCHANGED. The operator S is defined to assert that - For each of the three channels memCh, crCh, and rmCh, there is a call in progress on that channel iff the corresponding one of the first three arguments equals T. - The values of cstate[p], rstate[p], and rmhist[p] equal the last three arguments, where "AB" indicates a value of either "A" or "B". - Certain relations hold among the other variables—for example, if the first argument is T, then memCh[p].arg is an element of LegalArgs. - -mem[l] is an element of MemVals, for all l in MemLocs. The formal definition of S appears in Figure 17 on page 30. It may help in understanding this definition to observe that: ``` E.Calling(p) \equiv C.Snd.Calling(p) C.Rev.Calling(p) \equiv R.Snd.Calling(p) R.Rev.Calling(p) \equiv M.E.Calling(p) ``` We have labeled the state predicates in the predicate-action diagram $S1, \ldots, S6$ . We define those labels to be synonymous with their respective <u>predicates</u>, so $\underline{S2}$ equals S(T, F, F, "A", "A", "A"). We define the state function $\overline{result}$ so that $\overline{result}[p]$ has the value given in Figure 17, for each p in PrIds. The Proof of Step 1 Intuitively, the proof of step 1 is as follows. 1.1. The implementation's initial condition implies the initial condition S1 of the predicate-action diagram. **Fig. 16.** A predicate-action diagram of $\langle e, c, r, m, h \rangle$ for IPImp(p), where p is an element of PrIds. - 1.2. The implementation's next-state action implies that the diagram describes all possible state transitions. There are six conditions, one for each state predicate in the diagram. - 1.3. The initial condition S1 of the predicate-action diagram implies the initial condition $\overline{PInit(p)}$ of $\overline{UPSpec(p)}$ . - 1.4. Each of the actions allowed by the predicate-action diagram implements (implies) some disjunct of the next-state action $\overline{UNext(p)}$ of $\overline{UPSpec(p)}$ , or else leaves $\overline{pv}$ unchanged. - 1.5. All the temporal reasoning, including the proof of the fairness properties, is left for the final Q.E.D. step. The formal proof is as follows. ``` \begin{array}{ll} 1.1. & \neg E.\ Calling(p) \land C.\ Init(p) \land R.\ Init(p) \land M.\ PInit(p) \\ & \land (\forall\ l \in MemLocs:\ M.\ MInit(l)) \land (h = \text{``A''}) \ \Rightarrow \ S1 \\ 1.2. & \text{Assume:} & 1. \land [E.\ Next(p)]_e \\ & \land [C.\ Next(p)]_c \land [R.\ Next(p)]_r \land [M.\ RNext(p)]_m \\ & \land \forall\ l \in MemLocs: [\exists\ q \in PrIds:\ M.\ Write(q,l)]_{mem[l]} \\ & \land [HNext(p)]_{\langle\ c,r,m,h\rangle} \\ & 2. \ \neg \text{UNCHANGED}\ \langle\ e,c,r,m,h\rangle \\ & PROVE: & 1.\ S1 \Rightarrow S2' \land E.\ Next(p) \land \text{UC}\ \langle\ e,r,m,h\rangle \\ & 2.\ S2 \Rightarrow S3' \land C.\ Forward(p) \land \text{UC}\ \langle\ e,r,m,h\rangle \end{array} ``` ``` S(ECalling, CCalling, RCalling, cs, rs, rh) \triangleq \wedge \wedge ECalling \equiv E.Calling(p) \land ECalling \Rightarrow (memCh[p].arg \in LegalArgs) \wedge \wedge CCalling \equiv R.Snd.Calling(p) \land CCalling \Rightarrow (crCh[p].arg = C.RelayArg(p)) \land \neg CCalling \land (cstate[p] = "B") \Rightarrow crCh[p].res \in MemVals \cup \{\text{"OK"}, \text{"BadArg"}, \text{"RPCFailure"}\} \wedge \wedge RCalling \equiv M.E.Calling(p) \land RCalling \Rightarrow (rmCh[p].arg = R.RelayArg(p)) \land \neg RCalling \Rightarrow (result[p] = NotAResult) \land \neg RCalling \land (rstate[p] = \text{``B''}) \Rightarrow rmCh[p].res \in MemVals \cup \{\text{"OK"}, \text{"BadArg"}\}\ \wedge cs = cstate[p] \land rs = rstate[p] \land rmhist[p] \in \mathbf{if} \ rh = \text{``AB''} \ \mathbf{then} \ \{\text{``A''}, \text{``B''}\} else \{rh\} \land result[p] \in MemVals \cup \{NotAResult, "OK", "BadArg"\} \land \ \forall \ l \in MemLocs : mem[l] \in MemVals \overline{result}[p] = case S1 \vee S2 \rightarrow result[p], S3 \rightarrow \mathbf{if} \ h = \text{``A''} \ \mathbf{then} \ result[p] else "MemFailure". S4 \rightarrow \mathbf{if} \ (h = \mathrm{"B"}) \land (result[p] = NotAResult) then "MemFailure" else result[p], S5 \rightarrow rmCh[p].res, S6 \rightarrow \mathbf{if} \ crCh[p].res = \text{``RPCFailure''} \ \mathbf{then} \ \text{``MemFailure''} else crCh[p].res Fig. 17. The formal definitions of S and \overline{result}[p], for p in PrIds. 3. S3 \Rightarrow \forall S4' \land R.Forward(p) \land UC \langle e, c, m, h \rangle \vee S6' \wedge R.Fail(p) \wedge UC \langle e, c, m \rangle 4. S4 \Rightarrow \bigvee S4' \land (M.Read(p) \lor \exists l : M.Write(p, l)) \wedge UC \langle e, c, r, h \rangle \vee S5' \wedge M.Return(p) \wedge UC \langle e, c, r \rangle 5. S5 \Rightarrow S6' \land (R.Reply(p) \lor R.Fail(p)) \land UC \langle e, c, m \rangle ``` 6. $S6 \Rightarrow \forall S1' \land C.Reply(p) \land UC \langle e, r, m \rangle$ 1.4. 1. $S1 \wedge S2' \wedge E.Next(p) \wedge UC \langle c, r, m \rangle \Rightarrow UC \overline{pv}$ 2. $S2 \wedge S3' \wedge C.Forward(p) \wedge UC \langle e, r, m, h \rangle \Rightarrow UC \overline{pv}$ 3. a. $S3 \wedge S4' \wedge R.Forward(p) \wedge UC \langle e, c, m, h \rangle \Rightarrow UC \overline{pv}$ 1.3. $S1 \Rightarrow \overline{PInit(p)}$ $\vee S3' \wedge C.Retry(p) \wedge UC \langle e, r, m, h \rangle$ ``` b. S3 \land S6' \land R.Fail(p) \land \text{UC} \ \langle e,c,m \rangle \Rightarrow \overline{Fail(p)} 4. a. S4 \land S4' \land M.Read(p) \land \text{UC} \ \langle e,c,r,h \rangle \Rightarrow \overline{Read(p)} b. Assume: l: \text{Constant} PROVE: S4 \land S4' \land M.Write(p,l) \land \text{UC} \ \langle e,c,r,h \rangle \Rightarrow \overline{Write(p,l)} c. S4 \land S5' \land M.Return(p) \land \text{UC} \ \langle e,c,r \rangle \Rightarrow \text{UC} \ \overline{pv} 5. a. S5 \land S6' \land R.Reply(p) \land \text{UC} \ \langle e,c,m \rangle \Rightarrow \overline{Fail(p)} 6. a. S6 \land S1' \land C.Reply(p) \land \text{UC} \ \langle e,c,m \rangle \Rightarrow \overline{Return(p)} b. S6 \land S3' \land C.Retry(p) \land \text{UC} \ \langle e,r,m,h \rangle \Rightarrow \overline{Fail(p)} 7. UC \ \langle e,c,r,m,h \rangle \Rightarrow \text{UC} \ \overline{pv} 1.5. Q.E.D. ``` The proofs of 1.1–1.4 are straightforward, tedious exercises. The part of the proof that shows that the Clerk and RPC components relay their arguments properly requires a bit of simple reasoning about sequences—for example, to prove ``` (memCh[p].arg \in LegalArgs) \Rightarrow (C.RelayArg(p) \in C.LegalRcvArgs) ``` The rest of the proof involves a fairly mindless expanding of definitions and application of first-order logic. The Proof of Step 1.5 We now give the high-level proof of step 1.5, which is the only part of the proof of step 1 that involves temporal logic. Let: $Inv(p) \triangleq S1 \lor S2 \lor S3 \lor S4 \lor S5 \lor S6$ 1.5.1. $IPImp(p) \Rightarrow \Box Inv(p)$ PROOF: By 1.1, 1.2, and the laws of TLA, which allow us in general to deduce $P \wedge (\forall u \in U : \Box[N(u)]_{v(u)}) \Rightarrow \Box I$ from $P \Rightarrow I$ together with $I \wedge (\forall u \in U : [N(u)]_{v(u)}) \Rightarrow I'$ . (Take U to be $\{u_1, u_2, u_3\} \cup MemLocs$ , let $N(u_1)$ be E.Next(p), etc.) $1.5.2. \ IPImp\left(p\right) \land \Box Inv\left(p\right) \Rightarrow \overline{PInit(p)} \land \Box \overline{[UNext\left(p\right)]_{\overline{pv}}}$ PROOF: 1.1–1.4 show that IPImp(p) implies $\overline{PInit(p)}$ and that $Inv(p) \wedge [E.Next(p)]_e \wedge [C.Next(p)]_c \wedge [R.Next(p)]_r \wedge [M.RNext(p)]_m \wedge (\forall l \in MemLocs: [\exists q \in PrIds: M.Write(q, l)]_{mem[l]}) \wedge [HNext(p)]_{\langle c,r,m,h\rangle}$ implies $[\overline{UNext(p)}]_{\overline{pv}}$ . The result is now obtained from the laws of TLA, which allow us in general to infer $\Box I \land (\forall u \in U : \Box [N(u)]_{v(u)}) \Rightarrow \Box [M]_w$ from $I \land I' \land (\forall u \in U : [N(u)]_{v(u)}) \Rightarrow [M]_w$ . - from $I \wedge I' \wedge (\forall u \in U : [N(u)]_{v(u)}) \Rightarrow [M]_w$ . 1.5.3. $IPImp(p) \wedge \Box Inv(p) \Rightarrow \overline{\mathrm{WF}_{pv}(RNext(p))} \wedge \overline{\mathrm{WF}_{pv}(Return(p))}$ PROOF: Described below. - 1.5.4. Q.E.D. PROOF: Step 1.5 (which asserts step 1) follows from 1.5.1–1.5.3 by propositional logic. The Proof of Step 1.5.3 To complete the proof of step 1, we must prove 1.5.3, which shows that the specification's fairness properties are satisfied. We give an intuitive sketch of the proof. To prove $\overline{\mathrm{WF}_{pv}(RNext(p))}$ , we must show that if $\overline{RNext(p)}$ is continuously enabled, then a $\overline{RNext(p)}$ step must eventually occur. To prove $\overline{\mathrm{WF}_{pv}(Return(p))}$ , we must show that if $\overline{Return(p)}$ is continuously enabled, then a $\overline{Return(p)}$ step must eventually occur. The two actions are disabled in state S1. Therefore, to prove the two fairness properties, it suffices to show that, if any of S2-S6 ever holds, then S1 must eventually hold. It is clear from the diagram that this follows from the two conditions: (i) none of the predicates S2-S5 can hold forever and (ii) if S6 holds repeatedly, then S1 must eventually hold. The following implementation fairness properties imply condition (i): - WF<sub>c</sub>(C.Forward(p)) implies that S2 cannot hold forever. - $WF_r(R.Next(p))$ implies that S3 cannot hold forever. - WF<sub>m</sub>(M.RNext(p)) implies that if $S4 \wedge (result[p] = NotAResult)$ holds, then $S4 \wedge (result[p] \neq NotAResult)$ eventually holds, and WF<sub>m</sub>(M.Return(p)) then implies that S5 eventually holds. - $WF_r(R.Next(p))$ implies that S5 cannot hold forever. Condition (ii) follows from $SF_c(C.Reply(p))$ , which implies that if S6 holds repeatedly, then S1 eventually holds. The proof rules of TLA have been designed expressly to formalize this style of informal reasoning. We omit the formal proof. The Proof of Step 2 Finally, we must prove step 2. We now confess that, to simplify the exposition, we have structured the proof incorrectly. The proof of 2 requires steps 1.1-1.4 and step 1.5.1, for an arbitrary p in PrIds. Those steps should therefore be brought out either as a separate lemma, or as level-1 steps. Here, we violate the rules of structured proofs and use those steps directly in the proof of 2. 2.1. $(\forall q \in PrIds : IPImp(q) \land \Box Inv(q)) \Rightarrow \overline{MInit}(l)$ PROOF: By the assumption that $l \in MemLocs$ , since M.MInit(l) trivially implies $\overline{MInit(l)}$ (the two formulas are the same). $2.2. \wedge [E.Next(p)]_e$ $\wedge [C.Next(p)]_c \wedge [R.Next(p)]_r \wedge [M.RNext(p)]_m$ $\land \ \forall \ l1 \in MemLocs \ : \ [\exists \ q1 \in PrIds : M.Write(q1, l1)]_{mem[l1]}$ $\land [HNext(p)]_{\langle c,r,m,h \rangle}$ $\wedge Inv(p) \wedge Inv(p)'$ $\wedge [M.Write(q,l)]_{mem[l]}$ $\Rightarrow \overline{[\mathit{Write}(q,l)]}_{\overline{mem[l]}}$ PROOF: $Inv(p) \land M.Write(p, l)$ implies S4, for any p. We consider two cases. (i) If $\neg UNCHANGED \langle e, c, r, m, h \rangle$ holds, then the result follows from part 4 of 1.2 and part 4b of 1.4. (ii) If $UNCHANGED \langle e, c, r, m, h \rangle$ holds, then S4 and Inv(p)' imply S4', and the result follows from part 4b of 1.4. 2.3. Q.E.D. PROOF: 2.1, 2.2, and the laws of TLA show that $(\forall q \in PrIds : IPImp(q) \land \Box Inv(q)) \Rightarrow \overline{MSpec(l)}$ The result then follows from 1.5.1. # 4 Implementing the RPC Component The problem statement introduces a lossy RPC component, which resembles the RPC component but does not raise "RPCFailure" exceptions and may fail to return. Much as with the memory implementation of Section 3, we specify the lossy RPC and an RPC clerk, and prove that their composition implements the RPC specification. The problem statement's informal description of the lossy RPC component is problematic for reasons we now explain. The RPC component of Problem 2, specified in module RPC, is just as lossy as the "lossy" one—neither will return to the sender if the receiver fails to return. The additional timing constraints on the lossy RPC component, together with the description of the RPC implementation, suggest that a sender process should be able to issue a new call if a previous one has not returned. However, issuing a second call without waiting for a return violates the handshake protocol of the procedure-calling interface. A physical component cannot act correctly without some form of synchronization with its environment. If we eliminate the handshake protocol's requirement that the environment must wait for a return before issuing the next call, we must introduce some other form of synchronization. The problem suggests a new protocol in which a sender process can issue a call when either (a) there is no outstanding call, or (b) some time $\rho$ has elapsed since the previous call. For such an interface to be useful, the sender needs to know for which call a result is being returned. This requires either tagging the calls and returns or, more conventionally, specifying that the lossy RPC component never reply to a call more than time $\rho$ after it was issued. Although replacing the handshake protocol with a timed protocol would produce a more sophisticated example, it is a departure from the problem statement. A literal reading of that statement requires the lossy RPC component to obey the procedure-calling protocol, which forbids more than one outstanding call per process. We therefore adopt this requirement in the specification of the lossy RPC component in Section 4.1 below. This requirement affects our solution to Problem 5, the implementation of an RPC component by composing an RPC clerk with a lossy RPC component. If the lossy RPC component never returns a call by process p and the clerk has returned an RPC failure for that call, then the clerk must always return RPC failures to later calls by p. #### 4.1 A Lossy RPC The only novelty in the specification of the lossy RPC component is its use of real-time constraints. We express these constraints as in [2], by introducing a variable parameter now, whose value represents the current time, and defining five temporal operators RT, VTimer, MaxTimer, MinTimer, and NonZeno (called NZ in [2]). We briefly review these operators. - The temporal formula RT(v) asserts that (a) now is a monotonically non-decreasing real number and (b) steps that change now leave v unchanged. Typically, v is a tuple of relevant variables other than now, so (b) essentially means that changes to these variables are considered to be instantaneous. - If A is an action and v a state function such that any A step changes v, and if t is a variable that does not occur in A or v, then the temporal formula $VTimer(t, A, \delta, v) \wedge MaxTimer(t)$ asserts that A cannot be enabled for more than $\delta$ time units before the next A step occurs. - If A is an action and v a state function such that any A step changes v, and if t is a variable that does not occur in A or v, then the temporal formula $VTimer(t, A, \delta, v) \wedge MinTimer(t, A, v)$ asserts that A must be continuously enabled for at least $\delta$ time units before the next A step occurs. - The temporal formula *NonZeno* asserts that *now* keeps increasing without bound, so time marches on. We define these operators in module RealTime of Figure 18 on this page. This ``` oldsymbol{---} module \mathit{RealTime} oldsymbol{----} import Reals parameters now : VARIABLE \infty : CONSTANT assumption InfinityUnReal \triangleq \infty \notin Real RT(v) \stackrel{\triangle}{=} \wedge now \in Real \land \Box [(now' \in \{r \in Real : now < r\}) \land (v' = v)]_{now} VTimer(x, A, \delta, v) \triangleq \wedge x = \mathbf{if} \; \text{Enabled} \; \langle A \rangle_v \; \; \mathbf{then} \; now + \delta else \infty \wedge \Box [x' = \mathbf{if} \ (\text{Enabled} \ \langle A \rangle_v)' then if \langle A \rangle_v \vee \neg \text{Enabled } \langle A \rangle_v then now' + \delta else x else \infty ]_{\langle x,v\rangle} MaxTimer(x) \stackrel{\triangle}{=} \Box[(x \neq \infty) \Rightarrow (now' \leq x)]_{now} MinTimer(x, A, v) \triangleq \Box [A \Rightarrow (now \geq x)]_v NonZeno \triangleq \forall t \in Real : \Diamond (now > t) ``` Fig. 18. Module Real Time. module has appeared before [11, 14], except that earlier versions did not include NonZeno. It imports module Reals, which defines the set Real of real numbers and some of the usual operators on them such as >. The specification of the lossy RPC component is given in module LossyRPC of Figure 19 on this page. The structure of this specification is familiar. <sup>14</sup> This ``` \operatorname{\mathbf{--module}}\ \mathit{LossyRPC} - import RPC, RealTime, Reals parameters \delta : CONSTANT assumption DeltaAssump \stackrel{\triangle}{=} (\delta \in Real) \land (\delta > 0) ——— module LInner – parameters rstate : Variable LNext(p) \triangleq Inner.Forward(p) \vee Inner.Reject(p) \vee Inner.Reply(p) MaxProcess(s, p) \triangleq \land VTimer(s, Inner.Forward(p) \lor Inner.Reject(p), \delta, \langle Inner.vars(p), Snd.caller(p) \rangle \wedge MaxTimer(s) MaxReturn(s, p) \triangleq \land VTimer(s, Inner.Reply(p), \delta, \langle Inner.vars(p), Rcv.rtrner(p) \rangle) \wedge MaxTimer(s) LISpec \triangleq \forall p \in PrIds : \land Inner.Init(p) \land \Box [LNext(p)]_{Inner.vars(p)} \wedge RT(Inner.vars(p)) \wedge \exists s : MaxProcess(s, p) \wedge \exists s : MaxReturn(s, p) Spec \triangleq \exists rstate : LInner.LISpec ``` Fig. 19. Module LossyRPC. specification is based on that of the RPC component. The initial condition and next-state action are the same as for the ordinary RPC component, except for the use of timing constraints and the absence of Fail(p) steps. The timing constraint MaxProcess(s, p) asserts that a Forward(p) or a Reject(p) step must occur within We have not bothered to introduce a separate module containing the parameter declarations. Names prefixed by "Inner." are defined in submodule Inner of the imported RPC module. Module LossyRPC's submodule is called LInner to avoid name conflicts with the imported submodule. $\delta$ seconds<sup>15</sup> of when it becomes enabled; the timing constraint MaxReturn(s, p) asserts that a Return(p) step must occur within $\delta$ seconds of when it becomes enabled. ## 4.2 The RPC Implementation The RPC Clerk The RPC clerk passes requests to the lossy RPC component. According to the problem statement: The RPC component is implemented with a Lossy RPC component by passing the RemoteCall call through to the Lossy RPC, passing the return back to the caller, and raising an exception if the corresponding return has not been issued after $2\delta + \epsilon$ seconds. Read literally, this requirement implies that, if the lossy RPC component returns more than $2\delta + \epsilon$ seconds after it is called, then the clerk must raise an exception. For example, if the RPC component returns a result $3\delta + \epsilon$ seconds after it is called and the clerk has not yet raised an exception, then the clerk cannot return the result; it must raise an exception. We find it convenient to adopt the more sensible requirement that the clerk returns an exception only if it has not yet received a result. Thus, if the RPC component returns a result $3\delta + \epsilon$ seconds after it is called, and the clerk has not yet raised an exception, then the clerk will return the result. There is another aspect of the problem statement that is bizarre. In light of the timing assumptions on the environment, one would expect the clerk to have to return either a result or an exception within some fixed length of time. However, the problem statement makes no such requirement, implying only that the clerk must eventually return. We follow the problem statement in this respect; the resulting mix of eventuality and real-time requirements yields a more interesting example. Our RPC clerk is specified in module RPCClerk of Figure 20 on the next page. The specification is similar to that of the memory clerk. The major differences are that there are no Retry(p) steps, and that there is a Fail(p) timeout action, which cannot be executed until it has been enabled for at least $\tau$ seconds. Correctness of the RPC component's implementation is proved under the assumption that $\tau$ is greater than $2\delta + \epsilon$ . **The Implementation Proof** The correctness of the RPC implementation is asserted in Module *RPCImplementation* in Figure 21 on page 38. The four components of the implementation are pictured below, where the sender and receiver form the environment. <sup>&</sup>lt;sup>15</sup> Strictly speaking, it asserts that the step must occur before *now* increases by more than $\delta$ ; we interpret such an increase to represent the passing of $\delta$ seconds—rather than the passing of $\delta$ years or $\delta$ kilometers. ``` – \mathbf{module}\;RPCClerk – import Sequences, Reals parameters sndCh, rcvCh: VARIABLE PrIds, Vals, \tau : Constant assumption TauAssump \stackrel{\triangle}{=} (\tau \in Real) \land (\tau > 0) LegalArgs \triangleq \{\text{"RemoteCall"}\} \times STRING \times Seq(Vals) include ProcedureInterface as Snd with ch \leftarrow sndCh, Args \leftarrow LegalArgs include ProcedureInterface as Rcv with ch \leftarrow rcvCh, Args \leftarrow LegalArgs - \mathbf{module}\ Inner - parameters cstate : Variable Init(p) \triangleq (cstate[p] = \text{``A''}) \land \neg Rcv. Calling(p) Forward(p) \stackrel{\triangle}{=} \land Snd. Calling(p) \land (cstate[p] = \text{``A''}) \land Rcv.Call(p, sndCh[p].arg) \land cstate'[p] = "B" \land UNCHANGED Snd.rtrner(p) Fail(p) \triangleq \land Rcv. Calling(p) \land (cstate[p] = "B") \land Snd.Return(p, "RPCFailure") \land cstate'[p] = \text{``A''} \land UNCHANGED Rev.caller(p) Reply(p) \triangleq \land \neg Rcv. Calling(p) \land (cstate[p] = "B") \land Snd.Return(p, rcvCh[p].res) \wedge \ cstate'[p] = \text{``A''} \land UNCHANGED Rcv.caller(p) Next(p) \stackrel{\triangle}{=} Forward(p) \vee Fail(p) \vee Reply(p) vars(p) \stackrel{\triangle}{=} \langle cstate[p], Snd.rtrner(p), Rcv.caller(p) \rangle MinFail(s, p) \triangleq \wedge VTimer(s, Fail(p), \tau, vars(p)) \land MinTimer(s, Fail(p), vars(p)) ISpec \stackrel{\triangle}{=} \forall p \in PrIds : \land Init(p) \land \Box [Next(p)]_{vars(p)} \land RT(vars(p)) \land \exists s : MinFail(s, p) \wedge WF_{vars(p)}(Next(p)) Spec \triangleq \exists cstate : Inner.ISpec ``` Fig. 20. The component specification of the RPC clerk. Formula RcvTiming asserts the requirement that the receiver always return within $\epsilon$ seconds of when it is called. Theorem Impl asserts that the composition of the components' specifications, together with condition RcvTiming and the assumption NonZeno that time keeps advancing, implies the specification of the RPC component. The proof of theorem Impl has a structure similar to that of the proof of the memory implementation in Section 3.2. As in that proof, we eliminate the prefixes "Inner." and "LInner." from symbol names. Definitions from module RPCImplementation along with some additional definitions appear in Figure 22 on the next page. We have overloaded symbols such as C.ISpec, using the convention that $X(a_1, \ldots, a_n)$ is defined to be X with quantification over $a_1, \ldots, a_n$ removed. The "timing" definitions give names to actions and predicates that occur in the RealTime module. To define the refinement mapping $\overline{rstate}$ , we must again introduce a history variable lrhist, where lrhist[p] equals "A" iff the lossy RPC component has performed a Reject(p) action, but the RPC clerk component has not yet returned ``` oldsymbol{-} module \mathit{RPCImplementation} - import RPC, RPCParameters, Reals, RealTime parameters \tau, \delta, \epsilon: CONSTANT clCh: Variable assumption TDEAssump \triangleq \land \{\tau, \delta, \epsilon\} \subseteq \{r \in Real : r > 0\} \wedge \tau > 2 * \delta + \epsilon RcvTiming \triangleq \forall p \in PrIds : \exists s : \land RT(Rcv.rtrner(p)) \land VTimer(s, \exists v : Rev.Return(p, v), \epsilon, revCh[p]) \wedge MaxTimer(s) include LossyRPC as L with sndCh \leftarrow clCh, rcvCh \leftarrow rcvCh include RPCClerk as C with sndCh \leftarrow sndCh, rcvCh \leftarrow clCh theorem Impl \triangleq Snd.LegalCaller \land Rcv.LegalReturner \land RcvTiming \land C.Spec \land L.Spec \land NonZeno \Rightarrow Spec ``` Fig. 21. Module RPCImplementation. ## The Specification ``` RPC Component (imported from RPC) v \stackrel{\Delta}{=} vars(p) Init(p) \stackrel{\triangle}{=} (rstate[p] = \text{``A''}) \land \neg Rev. Calling(p) Next(\textit{p}) \;\; \stackrel{\triangle}{=} \;\; Forward(\textit{p}) \, \lor \, Reject(\textit{p}) \, \lor \, Fail(\textit{p}) \, \lor \, Reply(\textit{p}) ISpec(p) \stackrel{\triangle}{=} Init(p) \wedge \square[Next(p)]_v \wedge WF_v(Next(p)) Spec \ \stackrel{\triangle}{=} \ \textbf{3} \ rstate \ : \ \forall \ p \in PrIds \ : \ ISpec(p) The Implementation The Sender (imported from RPC) s \triangleq Snd.caller(p) Snd.Next(p) \stackrel{\triangle}{=} \exists a \in LegalSndArgs : Snd.Call(p, a) Snd.LegalCaller \triangleq \forall p \in PrIds : \neg Snd.Calling(p) \land \Box [Snd.Next(p)]_s The Receiver (imported from RPC) r \triangleq Rcv.rtrner(p) Rcv.Next(p) \stackrel{\Delta}{=} \exists v : Rcv.Return(p, v) Rcv.LegalReturner \stackrel{\Delta}{=} \forall p \in PrIds : \Box [Rcv.Next(p)]_r RcvT(p, et) \triangleq \wedge RT(r) \wedge VTimer(et, Rcv.Next(p), \epsilon, rcvCh[p]) \land MaxTimer(et) RPC Clerk (included from RPCClerk) c \stackrel{\Delta}{=} C.vars(p) C.ISpec(p, ct) \triangleq \land C.Init(p) \land \Box [C.Next(p)]_c \land WF_c(C.Next(p)) \land RT(c) \land C.MinFail(ct, p) C.Spec \stackrel{\triangle}{=} \exists cstate : \forall p \in PrIds : C.ISpec(p) Lossy RPC (included from LossyRPC) l \stackrel{\Delta}{=} L.vars(p) L.LISpec(p, pt, rt) \triangleq \land L.Init(p) \land \Box [L.LNext(p)]_l \land \ RT(l) \land L.MaxProcess(pt,p) \land L.MaxReturn(rt,p) L.Spec \stackrel{\triangle}{=} \exists rstate : \forall p \in PrIds : L.LISpec(p) Timing TNext(x) \stackrel{\Delta}{=} (now' \in \{r \in Real : now < r\}) \land (x' = x) VInit(t, A, \delta, x) \stackrel{\Delta}{=} t = \mathbf{if} \text{ Enabled } \langle A \rangle_x \text{ then } now + \delta \text{ else } \infty VNext(t, A, \delta, x) \stackrel{\triangle}{=} t' = \mathbf{if} (Enabled \langle A \rangle_x)' then if \langle A \rangle_x \vee \neg \text{Enabled } \langle A \rangle_x then now' + \delta else t else \infty MaxNext(t) \stackrel{\triangle}{=} (t \neq \infty) \Rightarrow (now' \leq t) MinNext(t, A) \stackrel{\triangle}{=} A \Rightarrow (now > t) ``` Fig. 22. Definitions from module RPCImplementation, plus a few more. the result to the sender. The formal definition is as follows: The validity of $\exists lrhist : Hist$ is again asserted by a general TLA theorem. The High-Level Proof The high-level proof uses the state function <u>rstate</u> and the temporal formula ``` IImp(p, et, ct, pt, rt) \triangleq Snd.LegalCaller(p) \land Rcv.LegalReturner(p) \land RcvT(p, et) \land C.ISpec(p, ct) \land L.LISpec(p, pt, rt) \land Hist(p) \land NonZeno ``` We define $\overline{rstate}$ later; the only property we use in the high-level proof is that the timers et, ct, pt, and rt do not occur in its definition. - 1. Assume: 1. cstate, rstate, et, ct, pt, rt, lrhist: variable 2. $p \in PrIds$ Prove: $IImp(p, et, ct, pt, rt) \Rightarrow \overline{ISpec(p)}$ - PROOF: Proved below. - $2. \ \ A\, {\tt SSUME} {\tt :} \ \ 1. \ \ \textit{cstate}, \textit{rstate}, \textit{lrhist} \ : \ \ {\tt VARIABLE}$ - PROVE: $\begin{array}{ll} 2. \ p \in \mathit{PrIds} \\ (\exists \ et, ct, pt, rt : \mathit{Snd.LegalCaller}(p) \land \mathit{Rcv.LegalReturner}(p) \\ & \land \mathit{RcvT}(p, et) \land \mathit{C.ISpec}(p, ct) \land \mathit{L.LISpec}(p, pt, rt) \\ & \land \mathit{Hist}(p)) \ \Rightarrow \overline{\mathit{ISpec}(p)} \end{array}$ PROOF: By step 1 and TLA quantifier rules, because et, ct, pt, and rt do not occur in the definition of IPSpec(p) or $\overline{rstate}$ , so they do not occur in $\overline{ISpec(p)}$ . - 3. Assume: cstate, rstate, lrhist: variable - PROVE: $Snd.LegalCaller \land Rcv.LegalReturner \land RcvTiming \land C.ISpec \land L.LISpec \land Hist \Rightarrow Spec$ PROOF: By step 2 and TLA quantifier rules. 4. Q.E.D. PROOF: By step 3, the validity of $\exists lrhist : Hist$ , and TLA quantifier rules. The Proof of Step 1 The proof of step 1 is based on the predicate-action diagram of Figure 23 on the next page. In this diagram and in the rest of the proof, we assume that $\geq$ is defined so that $r \geq s$ is false unless both r and s are elements of the set Real of real numbers. We use notation similar to that in the proof of the memory implementation. The formal definition of S appears in Figure 24 on the next page. Again, we define the labels $S1, \ldots, S6$ that appear in the predicate-action diagram of Figure 23 to be synonymous with their respective **Fig. 23.** A predicate-action diagram of $\langle s, r, c, l, h \rangle$ for IImp(p, et, ct, pt, rt). ``` S(ECalling, CCalling, LCalling, cs, rs, lh) \triangleq \\ \land \land Snd. Calling(p) \equiv ECalling \\ \land ECalling \Rightarrow (sndCh[p].arg \in LegalSndArgs) \\ \land \land C.Rcv. Calling(p) \equiv CCalling \\ \land CCalling \Rightarrow (clCh[p].arg = sndCh[p].arg) \\ \land L.Rcv. Calling(p) \equiv LCalling \\ \land cstate[p] = cs \\ \land rstate[p] = rs \\ \land \land lrhist[p] \in \mathbf{if} \ lh = \text{``AB''} \ \mathbf{then} \ \{\text{``A''}, \text{``B''}\} \\ \quad \mathbf{else} \ \{lh\} \\ \land (lrhist[p] = \text{``A''}) \Rightarrow \land L.RelayArg(p) \notin L.LegalRcvArgs \\ \land clCh[p].res = \text{``BadCall''} \\ \land (lrhist[p] = \text{``B''}) \land (cs = \text{``B''}) \land \neg CCalling \\ \Rightarrow (clCh[p].res = rcvCh[p].res) \\ \land now \in Real ``` **Fig. 24.** The formal definition of S, for p in PrIds. predicates. We define the state function $\overline{rstate}$ so that: Because we require that the timer variables not occur in $\overline{rstate}$ , we must replace S3, S4, and S5 by just their S conjuncts in the actual definition of $\overline{rstate}[p]$ . The proof of the safety part of the RPC component's specification involves proving that Figure 23 is a correct predicate-action diagram for the formula IImp(p, et, ct, pt, rt). The key step in this proof is showing that the clerk can never take a C.Fail(p) step. The proof is essentially as follows. Because C.Fail(p) is enabled only when C.Rcv.Calling(p) is true and cstate[p] equals "B", such a step is possible only in states satisfying S3, S4, or S5. The equality and inequalities in these state predicates, together with the assumptions on $\tau$ , $\delta$ , and $\epsilon$ , imply that ct is greater than now when S3, S4, or S5 holds. However, the conjunct C.MinFail(ct, p) in the clerk's specification asserts that a C.Fail(p) step can occur only when ct is less than or equal to now, so such a step is impossible. This invariance reasoning about timer values is a direct formalization of the intuitive argument that the lossy RPC component must return from a call before the clerk can take a Fail(p) step. It is typical of assertional proofs of real-time properties. The formal proof of step 1 is analogous to the proof of step 1 of the memory implementation. Steps 1.1 and 1.2 assert that the predicate-action diagram describes the initial state and transitions of formula IImp(p, et, ct, pt, rt); steps 1.3 and 1.4 assert that the system described by the predicate-action implements the initial condition and next-state relation of $\overline{ISpec(p)}$ ; and step 1.5 completes the proof. ``` 1.1. \neg Snd. Calling(p) \land C.Init(p) \land L.Init(p) \land (h = "B") \land (now \in Real) \Rightarrow S1 1.2. Assume: \wedge [Snd.Next(p)]_s \wedge [Rcv.Next(p)]_r \wedge \ [C.Next(p)]_c \wedge [L.LNext(p)]_l \wedge [HNext(p)]_{\langle c,l,h \rangle} \land [TNext(r)]_{now} \land [TNext(c)]_{now} \land [TNext(l)]_{now} \land [VNext(et, Rcv.Next(p), \epsilon, rcvCh[p])]_{\langle et, rcvCh[p] \rangle} \wedge [MaxNext(et)]_{now} \wedge [VNext(ct, C.Fail(p), \tau, c)]_{\langle ct, c \rangle} \land [MinNext(ct, C.Fail(p))]_c \land [VNext(pt, L.Forward(p) \lor L.Reject(p), \delta, \langle l, C.Rcv.caller(p) \rangle \rangle \rangle_{\langle pt, \langle l, C.Rcv.caller(p) \rangle \rangle} \wedge [MaxNext(pt)]_{now} \wedge [VNext(rt, L.Reply(p), \delta, \langle l, Rcv.rtrner(p) \rangle \rangle \rangle \langle rt, \langle l, Rcv.rtrner(p) \rangle \rangle \wedge [MaxNext(rt)]_{now} 1. S1 \Rightarrow \vee S1' \wedge \cup \cup \langle s, r, c, l, h \rangle Prove: \vee S2' \wedge Snd.Next(p) \wedge UC \langle r, c, l \rangle ``` ``` 2. S2 \Rightarrow \forall S2' \land UC \langle s, r, c, l, h \rangle \vee S3' \wedge C.Forward(p) \wedge UC \langle s, r, l \rangle 3. S3 \Rightarrow \forall S3' \land UC \langle s, r, c, l, h \rangle \vee S4' \wedge L.Forward(p) \wedge UC \langle s, r, c \rangle \vee S6' \wedge L.Reject(p) \wedge (h' = "A") \wedge UC \langle s, r, c \rangle 4. S4 \Rightarrow \forall S4' \land UC \langle s, r, c, l, h \rangle \vee S5' \wedge Rcv.Next(p) \wedge UC \langle s, c, l \rangle 5. S5 \Rightarrow \forall S5' \land UC \langle s, r, c, l, h \rangle \vee S6' \wedge L.Reply(p) \wedge UC \langle s, r, c, h \rangle 6. S6 \Rightarrow \vee S6' \land \cup \cup \langle s, r, c, l, h \rangle \vee S1' \wedge C.Reply(p) \wedge UC \langle s, r, l \rangle 1.3. S1 \Rightarrow \overline{Init(p)} 1.4. 1. S1 \wedge S2' \wedge Snd.Next(p) \wedge UC \langle r, c, l \rangle \Rightarrow UC \overline{v} 2. S2 \wedge S3' \wedge C. Forward (p) \wedge UC \langle s, r, l \rangle \Rightarrow UC \overline{v} 3. S3 \wedge S4' \wedge L.Forward(p) \wedge UC(s, r, c) \Rightarrow Forward(p) 4. S3 \wedge S6' \wedge L.Reject(p) \wedge (h' = \text{``A''}) \wedge UC \langle s, r, c \rangle \Rightarrow UC \overline{v} 5. S4 \wedge S5' \wedge Rcv.Next(p) \wedge UC \langle s, c, l \rangle \Rightarrow UC \overline{v} 6. S5 \wedge S6' \wedge L.Reply(p) \wedge UC \langle s, r, c, h \rangle \Rightarrow UC \overline{v} 7. S6 \wedge S1' \wedge C.Reply(p) \wedge UC \langle s, r, l \rangle \Rightarrow Reply(p) \vee Reject(p) 8. UC \langle s, r, c, l, h \rangle \Rightarrow UC \overline{v} 1.5. Q.E.D. ``` The proofs of steps 1.1–1.4 use simple properties of real numbers and predicate logic. They are omitted. The Proof of Step 1.5 The high-level proof of step 1.5 is analogous to the proof of step 1.5 of the memory implementation in Section 3.2. ``` Let: Inv(p) \triangleq S1 \lor S2 \lor S3 \lor S4 \lor S5 \lor S6 1.5.1. IImp(p, et, ct, pt, rt) \Rightarrow \Box Inv(p) Proof: This follows from 1.1 and 1.2, using exactly the same reasoning as in the corresponding step of the memory implementation proof. 1.5.2. IImp(p, et, ct, pt, rt) \land \Box Inv(p) \Rightarrow \overline{Init(p)} \land \Box [\overline{Next(p)}]_{\overline{v}} ``` PROOF: From 1.1, 1.3, and 1.4, using the TLA proof rules explained in the memory implementation proof. 1.5.3 $IImn(n, et, et, nt, nt) \land \Box Inv(n) \rightarrow \overline{WF}(Next(n))$ 1.5.3. $IImp(p, et, ct, pt, rt) \land \Box Inv(p) \Rightarrow \mathrm{WF}_v(Next(p))$ PROOF: Described below. 1.5.4. Q.E.D. PROOF: Step 1 follows from 1.5.1–1.5.3 by propositional logic. The Proof of Step 1.5.3 It remains to prove step 1.5.3, which asserts that the fairness property of the RPC specification is satisfied. We sketch the argument intuitively. To prove $\overline{\mathrm{WF}_v(Next(p))}$ , it is enough to show that $\overline{Next(p)}$ cannot be continuously enabled. The action is disabled in state S1. Therefore, it suffices to show that, if any of S2-S6 ever holds, then S1 must eventually hold. It is clear from the predicate-action diagram of Figure 23 that this follows if we can prove that none of the predicates S2-S6 can hold forever, which is established as follows: - The implementation fairness property $WF_c(C.Next(p))$ implies that neither S2 nor S6 can hold forever. - To show that S3 cannot hold forever, observe that pt remains unchanged while S3 holds. Since S3 asserts that pt is greater than or equal to now, and NonZeno implies that now increases without bound, S3 must eventually become false. Similar reasoning shows that neither S4 nor S5 can hold forever. Observe how NonZeno allows us to deduce eventual progress from invariance properties. The RT, VTimer, MinTimer, and MaxTimer formulas used to specify real-time system requirements are all safety properties. We infer liveness properties from them by using the NonZeno assumption. ## References - Martín Abadi and Leslie Lamport. The existence of refinement mappings. Theoretical Computer Science, 82(2):253-284, May 1991. - Martín Abadi and Leslie Lamport. An old-fashioned recipe for real time. ACM Transactions on Programming Languages and Systems, 16(5):1543-1571, September 1994. - 3. Martín Abadi and Leslie Lamport. Conjoining specifications. ACM Transactions on Programming Languages and Systems, 17(3):507-534, May 1995. - 4. Martín Abadi, Leslie Lamport, and Stephan Merz. The Dagstuhl example—a TLA solution. World Wide Web page at http://www.research.digital.com/SRC /dagstuhl/dagstuhl.html. It can also be found by searching the Web for the 26-letter string formed by concatenating uid and lamportdagstuhlspecprob. - 5. Manfred Broy and Leslie Lamport. The RPC-memory specification problem. In this volume. Also available on [4]. - Nissim Francez. Fairness. Texts and Monographs in Computer Science. Springer-Verlag, New York, Berlin, Heidelberg, Tokyo, 1986. - Rob Gerth, Ruurd Kuiper, and John Segers. Interface refinement in reactive systems. In W. R. Cleaveland, editor, 3rd International Conference on Concurrency Theory, volume 630 of Lecture Notes in Computer Science, pages 77–93, Berlin, Heidelberg, 1992. Springer-Verlag. - 8. Cliff B. Jones. Specification and design of (parallel) programs. In R. E. A. Mason, editor, *Information Processing 83: Proceedings of the IFIP 9th World Congress*, pages 321–332, Amsterdam, September 1983. IFIP, North-Holland. - 9. Leslie Lamport. TLA—temporal logic of actions. At URL http://www.research.digital.com/SRC/tla/ on the World Wide Web. It can also be found by searching the Web for the 21-letter string formed by concatenating uid and lamporttlahomepage. - Leslie Lamport. How to write a proof. American Mathematical Monthly, 102(7):600-608, August-September 1993. - 11. Leslie Lamport. Hybrid systems in TLA<sup>+</sup>. In Robert L. Grossman, Anil Nerode, Anders P. Ravn, and Hans Rischel, editors, *Hybrid Systems*, volume 736 of *Lecture Notes in Computer Science*, pages 77–102, Berlin, Heidelberg, 1993. Springer-Verlag. - 12. Leslie Lamport. The temporal logic of actions. ACM Transactions on Programming Languages and Systems, 16(3):872–923, May 1994. - Leslie Lamport. TLA in pictures. IEEE Transactions on Software Engineering, 21(9):768-775, September 1995. - 14. Leslie Lamport and Stephan Merz. Specifying and verifying fault-tolerant systems. In H. Langmaack, W.-P. de Roever, and J. Vytopil, editors, Formal Techniques in Real-Time and Fault-Tolerant Systems, volume 863 of Lecture Notes in Computer Science, pages 41–76. Springer-Verlag, September 1994. - 15. A. C. Leisenring. Mathematical Logic and Hilbert's $\varepsilon$ -Symbol. Gordon and Breach, New York, 1969. - Carver Mead and Lynn Conway. Introduction to VLSI Systems, chapter 7. Addison-Wesley, Reading, Massachusetts, 1980. - 17. Amir Pnueli. The temporal semantics of concurrent programs. In Gilles Kahn, editor, Semantics of Concurrent Computation, volume 70 of Lecture Notes in Computer Science, pages 1–20. Springer-Verlag, July 1979. # Index | (horizontal bar), 4 | LegalCaller, 6 | | | |------------------------------------------------------------|---------------------------------|--|--| | $\langle v_1, \ldots, v_n \rangle$ (tuple or sequence), 17 | LegalReturner, 6 | | | | ' (prime), 5 | liveness, 12 | | | | $[N]_v$ , 6 | LossyRPC module, 36 | | | | $\Box$ , 6 | , | | | | ∃, 9 | MaxProcess, 34 | | | | $\Rightarrow$ (implication), precedence of, 5 | MaxReturn, 34 | | | | ÷>, 15 | MaxTimer, 34 | | | | $\wedge$ and $\vee$ , lists of, 5 | MemClerk module, 24 | | | | 7, and 7, moto of, 5 | MemClerkParameters module, 22 | | | | action, 5 | Memory module, 10, 11 | | | | next-state, 6 | MemoryImplementation module, 25 | | | | arg component of channel, 4 | MemoryParameters module, 8 | | | | Args, 4 | MinTimer, 34 | | | | array, 17 | , 9 - | | | | assumption, of a module, 8 | Naturals module, 17 | | | | assumption/guarantee, 15 | next-state action, 6 | | | | assumption/ Saurantees, 15 | NonZeno, 34 | | | | behavior, 3 | Not A Result, 11 | | | | | now, 34 | | | | caller, 3 | , | | | | caller(p), 5 | parameter, of a module, 3 | | | | Calling(p), 5 | predicate-action diagram, 12 | | | | $ch,\ 4$ | $PrIds, \ 4$ | | | | channel, 4 | prime, 5 | | | | CHOOSE, 11 | ProcedureInterface module, 4 | | | | component specification, 15 | | | | | composition is conjunction, 7 | $Real,\ 34$ | | | | CONSTANT parameter, 3 | $Reals ext{ module}, 34$ | | | | | RealTime module, 35 | | | | export, 9 | refinement mapping, 27 | | | | | res component of channel, 5 | | | | F (FALSE), $28$ | returner, 3 | | | | fairness, 12 | RPC module, 21 | | | | function, 17 | RPCClerk module, $37$ | | | | 1 11 1 . 1 ~ | RPCImplementation module, 38 | | | | handshake protocol, 5 | RPCParameters module, 18 | | | | hiding, 11 | rtrner(p), 5 | | | | history variable, 27 | | | | | implementation is implication 16 | | | | | | sequence, 17 | | | | = | Sequences module, 18 | | | | include, g | SF (strong fairness), 17 | | | | implementation is implication, 16 | safety, 12 | | | | $\mathbf{import}, 9$ | | | | | include, 9 | SF (strong fairness), 17 | | | | | | | | state, 3 state predicate, 5 step, 5 string, 19 Stølen, Ketil, 2 submodule, 11 T (TRUE), 28 temporal formula, 6 **theorem**, 25 TLA<sup>+</sup>, 3 tuple, 17 types, absence of, 3 UC (UNCHANGED), 28 UNCHANGED, 13 $\begin{array}{c} {\rm VARIABLE~parameter,~3} \\ {\it VTimer,~34} \end{array}$ WF (weak fairness), 13