Generated Code Conformance Checking #137
Labels
enhancement
New feature or request
Comments
|
Note that related to the last item, TLC has a simulator/generator mode. |
|
@lemmy, thanks for the quick comment. Is it possible to influence/direct TLC during simulator mode -- i.e., to push it along a concrete path that we are checking? |
|
@bestchai The simulator honors state and action constraints. https://github.com/lemmy/PageQueue/blob/master/Schedules.tla is an example of how to make TLC follow a specific schedule. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Related to #122, this is an idea about how to verify that PGo-generated code actually does what the model says it does.
Key idea: encoded into an MPCal model, there exists a mapping from reads/writes involving archetype resources to a form of model state. This mapping is either an identity mapping, or it is one of the mapping macro forms.
Therefore, TLC model state can be (almost) deterministically reconstructed from an ordered log of the archetype resource reads and writes performed by every critical section involved in a system's operation. PGo-generated code can be instrumented to generate such information automatically, and it seems plausible that a close-to-automatic process could then convert this information to a graph of TLC states, at which point conformance checking against the original MPCal model might be performed.
Success of such a check on a collection of real execution traces would go a long way toward indicating that an implementation really does match a specification, and, with the right API, this use case might not be limited to systems generated by PGo.
Additional comments:
The text was updated successfully, but these errors were encountered: