Receive() can receive dropped messages

[dricketts]

I don't think that DropMessage is defined correctly. In particular, it does not actually remove messages from the variables messages. Instead, it decrements the counter for the given message, if it already exists in messages. This has two issues:

• messages is not a function from Message to Nat, as the comment above message suggests. Instead, it is a function from Message to Int.
• Receive only requires that the received message be in the domain of messages, which means that it can continue to receive messages that have been dropped (even if their count drops below zero).

[ongardie]

Hi @dricketts. I think you're right, and I vaguely remember this being a late change to the spec. Care to submit a PR?

[dricketts]

@ongardie I'd be happy to submit a PR. The easiest option that I see is to use the Bags module, but the comment above messages says that Bags is not supported by TLAPS. In what sense is it not supported? I've tried some proofs using Bags, and you can definitely use the definitions and associated theorems from this module: https://tlaps.codeplex.com/SourceControl/latest#library/Bags.tla.

I ask about TLAPS because I'm trying to do the Raft safety proof using TLAPS. I know that it's already been done in Coq, but I'm curious to compare and contrast the proof in the two different formalisms.

[ongardie]

@dricketts, sorry for the delay. I don't remember why I wrote that comment before, but maybe I was wrong or maybe it's changed since. If it's working for you under TLAPS, that's good enough for me. Feel free to switch it to using Bags. Good luck.