-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathvchan.tla
More file actions
2296 lines (2122 loc) · 108 KB
/
vchan.tla
File metadata and controls
2296 lines (2122 loc) · 108 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
A TLA+ specification for Xen vchan.
A Xen vchan is a bidirectional channel, similar to a Unix-domain socket,
but for communicating between different VMs (running on a single host).
One of the two VMs, the "server", allocates three regions of memory:
1. A ring buffer for sending data from the client to the server.
2. A ring buffer for sending data from the server to the client.
3. A control structure.
If the ring buffers are small enough, all three can be in the same physical
page of memory. The server grants the client access to the pages. It also
creates a listening (unbound) event channel port for the client.
The server publishes details of the shared memory and event port to e.g. XenStore.
The client maps the memory into its address space and connects to the event channel.
A vchan is bidirectional, but the two directions are largely independent, so this
specification is written in terms of a single direction only. To model the complete
channel you would instantiate this module twice, sharing the event channel and
liveness flags between them (but reversing them, so that SenderLive refers to
the client's liveness flag in one direction and to the server's in the other).
We assume here that the memory has already been allocated, shared, and mapped
by the client. The algorithm described here provides reliable lock-free operation,
allowing the sender and receiver to write to and read from the buffer at the same
time without risk of data corruption or deadlock.
I believe that the C implementation implements this algorithm except for one detail:
when the sender closes the connection (and the receiver doesn't) this version
ensures that all data already transmitted will be received. My assumption is that
this is simply a bug in the C implementation, but perhaps it was intentional.
I have no special information about the design of the protocol; I just read the
code and made guesses.
The C implementation can be used in blocking or non-blocking mode. I believe this
algorithm covers both cases, depending on whether you consider the blocking states
to be part of the library or part of the application.
The library can be used in streaming mode or in packet mode. In packet mode, sending
waits until there is enough space for the whole message before starting to write it,
while in streaming mode it writes as much as possible.
TODO: Currently, the specification assumes streaming mode.
That is, we assume that the sender will eventually send some data whenever there is
space, which is not the case for packet mode.
The C implementation also provides packet-based receive, which waits until there
is enough data in the buffer before starting to read. I believe that if you want
to read a fixed-size message, it would be better to stream it into a fixed-size
buffer by calling the streaming read function in a loop. If the sender is doing
matching fixed-size writes then this will always succeed in a single read, and
if not then it avoids the risk of deadlock.
This specification is organised as follows:
1. Constants and definitions.
2. The algorithm (as PlusCal, followed by its translation to TLA).
3. The properties (`Availability' and `Integrity').
4. How to check the properties using TLC.
5. Inductive invariants for Integrity and deadlock freedom.
6. Proofs of the above.
7. Some additional proofs (`ReadLimit` and `WriteLimit`).
-- Thomas Leonard, 2018
------------------------------- MODULE vchan -------------------------------
EXTENDS Naturals, Sequences, TLAPS, SequenceTheorems
CONSTANT Byte \* 0..255, but overridable for modelling purposes.
(* The size of the ring buffer in bytes. The two directions do not need to use
the same size buffer. In reality, the buffer size must be a power of 2
between 2^10 and 2^20. For modelling purposes however it is convenient to
allow any size greater than zero. *)
CONSTANT BufferSize
ASSUME BufferSizeType == BufferSize \in Nat \ {0}
(* The most data a sender will try to send in one go.
This will typically be MAX_INT, but it is convenient to set it lower in models. *)
CONSTANT MaxWriteLen
ASSUME MaxWriteLenType == MaxWriteLen \in Nat
(* The most data a receiver will try to read in one go.
This will typically be MAX_INT, but it is convenient to set it lower in models. *)
CONSTANT MaxReadLen
ASSUME MaxReadLenType == MaxReadLen \in Nat
(* Normally a receiving application will start by performing a read call, and blocking
only if the buffer is empty. However, some applications (e.g. QubesDB) block first
without checking the buffer. *)
CONSTANT ReceiverBlocksFirst
ASSUME ReceiverBlocksFirst \in BOOLEAN
Min(x, y) == IF x < y THEN x ELSE y
(* The type of the entire message the client application sends. *)
MESSAGE == Seq(Byte)
(* The type of finite messages up to length L.
A sequence in TLA is a function from index to value.
[ 1..N -> Byte ] is the set of all Byte sequences of length N. *)
FINITE_MESSAGE(L) == UNION ( { [ 1..N -> Byte ] : N \in 0..L } )
(* MSG is the set of messages we may try to send.
This is the set of messages with lengths from 1 to
MaxWriteLen (i.e. excluding << >>): *)
MSG == FINITE_MESSAGE(MaxWriteLen) \ { << >> }
(* Take(m, i) is just the first i elements of message m.
Sequences in TLA+ can be confusing because they are indexed from 1.
Using Take avoids this issue. *)
Take(m, i) == SubSeq(m, 1, i)
(* Everything except the first i elements of message m. *)
Drop(m, i) == SubSeq(m, i + 1, Len(m))
(* The system is modelled as five processes, each with its own ID.
The close operations are modelled as separate processes because they can
occur in parallel with a read or write operation. *)
SenderWriteID == "SW" \* The sender writing data to the buffer
SenderCloseID == "SC" \* The sender closing the channel
ReceiverReadID == "RR" \* The receiver reading from the buffer
ReceiverCloseID == "RC" \* The receiver closing the channel
SpuriousID == "SP" \* Spurious interrupts from the other direction
-----------------------------------------------------------------------------
(* Overview of the algorithm:
On the sending side:
1. The sending application asks to send some bytes.
We check whether the receiver has closed the channel and abort if so.
2. We check the amount of buffer space available.
3. If there isn't enough, we set NotifyRead so the receiver will notify us when there is more.
We also check the space again after this, in case it changed while setting the flag.
4. If there is any space:
- We write as much data as we can to the buffer.
- If the NotifyWrite flag is set, we clear it and notify the receiver of the write.
5. If we wrote everything, we return success.
6. Otherwise, we wait to be notified of more space.
7. We check whether the receiver has closed the channel.
If so we abort. Otherwise, we go back to step 2.
On the receiving side:
1. The receiving application asks us to read some data.
2. We check the amount of data available in the buffer.
3. If there isn't any, we set NotifyWrite so the sender will notify us when there is.
We also check the space again after this, in case it changed while setting the flag.
4. If there is some data, we read some or all of it.
If the NotifyRead flag is set, we clear it and notify the receiver of the new space.
We return the data read to the application.
5. Otherwise, we check whether the sender has closed the connection.
If it has, we check the buffer again in case data was added after we checked.
If the buffer is still empty, we abort.
If there is now data available, we go back to step 2 to read it.
6. Otherwise (if the connection is still open), we wait to be notified of more data
and go back to 2.
Either side can close the connection by clearing their "live" flag and signalling
the other side. We assume there is also some process-local way that the close operation
can notify its own side if it's currently blocked. *)
(* --algorithm vchan {
(* This section gives PlusCal code for each of the five processes and their state.
Note: each label in the code below represents a state of the process,
and the blocks of code between the labels are modelled as a single atomic action.
These variables represent state shared by the client and server.
Only one access (read or write) to a shared variable is allowed per atomic block.
Otherwise, it wouldn't be possible to implement this in real code.
(TLA calls this the "Single Access Rule") *)
variables
(* In the real system, srv_live and cli_live indicate the status of the endpoints.
Either end can set its own value to 0 to indicate that it is closing the connection.
If the client exits, the server detects this and sets cli_live to 0 on the client's behalf.
For simplicity, we represent these as the "sender" and "receiver" states.
For the client->server stream, SenderLive is cli_live, while
for the server->client stream, SenderLive is srv_live, etc.
Here, we are only modelling a single stream. *)
SenderLive = TRUE, \* Cleared by sender
ReceiverLive = TRUE, \* Cleared by receiver
(* Buffer represents the data in transit from the sender to the receiver.
In reality, we have a Xen ring, with a producer counter, a consumer counter,
and an array used as a ring buffer. As such ring buffers are standard to Xen, we
don't model it here in detail. Instead, the buffer is represented as the
sequence of bytes that have been produced but not yet consumed. This sequence
can be any length from 0 to the size of the buffer.
The sender only changes this by appending to it (writing data and updating the producer counter
in the real system), while the receiver only changes it by removing a prefix from the beginning
(i.e. reading the data and updating the consumer counter).
Calculating Len(Buffer) corresponds to taking the difference of the two counters.
It is considered to be a single atomic read because in reality one of the two counters
will be our local copy, so we only need one access to the shared state. *)
Buffer = << >>,
(* NotifyWrite is a shared flag that is set by the receiver to indicate that it wants to know when data
has been written to the buffer. The sender checks it after adding data. If set, the sender
clears the flag and notifies the receiver using the event channel. This is represented by
DataReadyInt being set to TRUE. It becomes FALSE when the receiver handles the event.
NotifyWrite is initialised to TRUE to support some programs (e.g. QubesDB) that block first,
before checking the buffer state. *)
NotifyWrite = TRUE, \* Set by receiver, cleared by sender
DataReadyInt = FALSE, \* Set by sender, cleared by receiver
(* NotifyRead is a shared flag that indicates that the sender wants to know when some data
has been read and removed from the buffer (and, therefore, that more space is now available).
If the receiver sees that this is set after removing data from the buffer,
it clears the flag and signals the sender via the event channel, represented by SpaceAvailableInt. *)
NotifyRead = FALSE, \* Set by sender, cleared by receiver
SpaceAvailableInt = FALSE; \* Set by receiver, cleared by sender
(* This process represents the sender application using the vchan library to send messages. *)
fair process (SenderWrite = SenderWriteID)
variables (* Our local belief about the space available for writing: *)
free = 0,
(* The remaining data that has not yet been added to the buffer: *)
msg = << >>,
(* Pseudo-variable recording all data ever sent by sender (for modelling): *)
Sent = << >>;
{
\* We are waiting for the application to send some data.
\* The "-" means that it's OK if the application stops at this point
\* and never sends any more data.
sender_ready:- while (TRUE) {
if (~SenderLive \/ ~ReceiverLive) goto Done
else {
\* Set msg to the message that the client is trying to send:
with (m \in MSG) { msg := m };
Sent := Sent \o msg; \* Remember we wanted to send this
};
sender_write: while (TRUE) {
free := BufferSize - Len(Buffer);
sender_request_notify: if (free >= Len(msg)) goto sender_write_data
else NotifyRead := TRUE;
sender_recheck_len: free := BufferSize - Len(Buffer);
sender_write_data: if (free > 0) {
Buffer := Buffer \o Take(msg, Min(Len(msg), free));
msg := Drop(msg, Min(Len(msg), free));
free := 0;
sender_check_notify_data: if (NotifyWrite) {
NotifyWrite := FALSE; \* Atomic test-and-clear
sender_notify_data: DataReadyInt := TRUE; \* Signal receiver
if (msg = << >>) goto sender_ready
} else if (msg = << >>) goto sender_ready
};
sender_blocked: await SpaceAvailableInt \/ ~SenderLive;
if (~SenderLive) goto Done;
else SpaceAvailableInt := FALSE;
sender_check_recv_live: if (~ReceiverLive) goto Done;
}
}
}
(* This process represents the sender application asking the vchan library to close the channel,
which can happen concurrently with a write operation. *)
fair process (SenderClose = SenderCloseID) {
\* "-" because we're not forced ever to close the connection.
sender_open:- SenderLive := FALSE; \* Clear liveness flag
sender_notify_closed: DataReadyInt := TRUE; \* Signal receiver
}
(* This process represents the receiver application asking the vchan library to read data into a buffer.
The whole process is marked as "fair", meaning that the receiving application must keep performing
reads. Otherwise, we can't show any useful liveness property of the system, since data might never
get read. *)
fair process (ReceiverRead = ReceiverReadID)
variables have = 0, \* The amount of data we think the buffer contains.
Got = << >>; \* Pseudo-variable recording all data ever received by receiver.
{
recv_init: if (ReceiverBlocksFirst) {
\* (QubesDB does this)
goto recv_await_data;
};
recv_ready: while (ReceiverLive) {
recv_reading: while (TRUE) {
have := Len(Buffer);
recv_got_len: either {
if (have > 0) goto recv_read_data
else NotifyWrite := TRUE;
} or { \* (see note 1)
NotifyWrite := TRUE;
};
recv_recheck_len: have := Len(Buffer);
recv_read_data: if (have > 0) {
with (len \in 1..have) {
Got := Got \o Take(Buffer, len);
Buffer := Drop(Buffer, len);
};
have := 0;
recv_check_notify_read: if (NotifyRead) {
NotifyRead := FALSE; \* (atomic test-and-clear)
recv_notify_read: SpaceAvailableInt := TRUE;
goto recv_ready; \* Return success
} else goto recv_ready; \* Return success
} else if (~SenderLive \/ ~ReceiverLive) {
\* (see note 2)
recv_final_check: if (Len(Buffer) = 0) goto Done;
else goto recv_reading;
};
recv_await_data: await DataReadyInt \/ ~ReceiverLive;
if (~ReceiverLive) goto Done;
else DataReadyInt := FALSE;
}
}
}
(* The receiver can close the connection at any time, so model close as a separate process. *)
fair process (ReceiverClose = ReceiverCloseID) {
(* "-" because we're not required ever to close the connection. *)
recv_open:- ReceiverLive := FALSE; \* Clear liveness flag
recv_notify_closed: SpaceAvailableInt := TRUE; \* Signal sender
}
(* We share our event channel with the stream going in the other direction,
so we can receive wakeups even when there's nothing to do. This process
represents that possibility. Also, there are various inefficient ways to
use the library that involve setting the flags unnecessarily. This show
that doing that is always safe. *)
process (SpuriousInterrupts = SpuriousID) {
spurious: while (TRUE) {
either SpaceAvailableInt := TRUE
or DataReadyInt := TRUE
}
}
}
*)
(* Notes on the algorithm:
Note 1:
The C receiver code sets NotifyWrite whenever there isn't enough data to fill the
buffer provided by the application completely. Typically, however, an application
will just give us a buffer big enough for the largest possible message and be happy
with whatever actual message we return. Therefore, it would probably be better to
set the flag here only if there is no data at all.
The first branch of the `either' represents the recommended algorithm.
The `or' branch allows an implementation to set the NotifyWrite flag in other cases too.
This covers the behaviour of the C implementation when there is data in Buffer
but not as much as requested, as well as the behaviour of QubesDB (which always
sets the flag however much data there is).
Note 2:
The C code doesn't do the recv_final_check check, but that presumably means that it
might not read all of the client's data.
Note on formatting:
TLA's PDF rendering gets the indentation wrong if you put a semicolon after a closing brace,
but the PlusCal-to-TLA translator requires it.
*)
-----------------------------------------------------------------------------
(* This section is just the generated translation of the above PlusCal. You can skip it. *)
\* BEGIN TRANSLATION
VARIABLES SenderLive, ReceiverLive, Buffer, NotifyWrite, DataReadyInt,
NotifyRead, SpaceAvailableInt, pc, free, msg, Sent, have, Got
vars == << SenderLive, ReceiverLive, Buffer, NotifyWrite, DataReadyInt,
NotifyRead, SpaceAvailableInt, pc, free, msg, Sent, have, Got >>
ProcSet == {SenderWriteID} \cup {SenderCloseID} \cup {ReceiverReadID} \cup {ReceiverCloseID} \cup {SpuriousID}
Init == (* Global variables *)
/\ SenderLive = TRUE
/\ ReceiverLive = TRUE
/\ Buffer = << >>
/\ NotifyWrite = TRUE
/\ DataReadyInt = FALSE
/\ NotifyRead = FALSE
/\ SpaceAvailableInt = FALSE
(* Process SenderWrite *)
/\ free = 0
/\ msg = << >>
/\ Sent = << >>
(* Process ReceiverRead *)
/\ have = 0
/\ Got = << >>
/\ pc = [self \in ProcSet |-> CASE self = SenderWriteID -> "sender_ready"
[] self = SenderCloseID -> "sender_open"
[] self = ReceiverReadID -> "recv_init"
[] self = ReceiverCloseID -> "recv_open"
[] self = SpuriousID -> "spurious"]
sender_ready == /\ pc[SenderWriteID] = "sender_ready"
/\ IF ~SenderLive \/ ~ReceiverLive
THEN /\ pc' = [pc EXCEPT ![SenderWriteID] = "Done"]
/\ UNCHANGED << msg, Sent >>
ELSE /\ \E m \in MSG:
msg' = m
/\ Sent' = Sent \o msg'
/\ pc' = [pc EXCEPT ![SenderWriteID] = "sender_write"]
/\ UNCHANGED << SenderLive, ReceiverLive, Buffer, NotifyWrite,
DataReadyInt, NotifyRead, SpaceAvailableInt,
free, have, Got >>
sender_write == /\ pc[SenderWriteID] = "sender_write"
/\ free' = BufferSize - Len(Buffer)
/\ pc' = [pc EXCEPT ![SenderWriteID] = "sender_request_notify"]
/\ UNCHANGED << SenderLive, ReceiverLive, Buffer, NotifyWrite,
DataReadyInt, NotifyRead, SpaceAvailableInt,
msg, Sent, have, Got >>
sender_request_notify == /\ pc[SenderWriteID] = "sender_request_notify"
/\ IF free >= Len(msg)
THEN /\ pc' = [pc EXCEPT ![SenderWriteID] = "sender_write_data"]
/\ UNCHANGED NotifyRead
ELSE /\ NotifyRead' = TRUE
/\ pc' = [pc EXCEPT ![SenderWriteID] = "sender_recheck_len"]
/\ UNCHANGED << SenderLive, ReceiverLive, Buffer,
NotifyWrite, DataReadyInt,
SpaceAvailableInt, free, msg, Sent,
have, Got >>
sender_recheck_len == /\ pc[SenderWriteID] = "sender_recheck_len"
/\ free' = BufferSize - Len(Buffer)
/\ pc' = [pc EXCEPT ![SenderWriteID] = "sender_write_data"]
/\ UNCHANGED << SenderLive, ReceiverLive, Buffer,
NotifyWrite, DataReadyInt, NotifyRead,
SpaceAvailableInt, msg, Sent, have, Got >>
sender_write_data == /\ pc[SenderWriteID] = "sender_write_data"
/\ IF free > 0
THEN /\ Buffer' = Buffer \o Take(msg, Min(Len(msg), free))
/\ msg' = Drop(msg, Min(Len(msg), free))
/\ free' = 0
/\ pc' = [pc EXCEPT ![SenderWriteID] = "sender_check_notify_data"]
ELSE /\ pc' = [pc EXCEPT ![SenderWriteID] = "sender_blocked"]
/\ UNCHANGED << Buffer, free, msg >>
/\ UNCHANGED << SenderLive, ReceiverLive, NotifyWrite,
DataReadyInt, NotifyRead,
SpaceAvailableInt, Sent, have, Got >>
sender_check_notify_data == /\ pc[SenderWriteID] = "sender_check_notify_data"
/\ IF NotifyWrite
THEN /\ NotifyWrite' = FALSE
/\ pc' = [pc EXCEPT ![SenderWriteID] = "sender_notify_data"]
ELSE /\ IF msg = << >>
THEN /\ pc' = [pc EXCEPT ![SenderWriteID] = "sender_ready"]
ELSE /\ pc' = [pc EXCEPT ![SenderWriteID] = "sender_blocked"]
/\ UNCHANGED NotifyWrite
/\ UNCHANGED << SenderLive, ReceiverLive, Buffer,
DataReadyInt, NotifyRead,
SpaceAvailableInt, free, msg, Sent,
have, Got >>
sender_notify_data == /\ pc[SenderWriteID] = "sender_notify_data"
/\ DataReadyInt' = TRUE
/\ IF msg = << >>
THEN /\ pc' = [pc EXCEPT ![SenderWriteID] = "sender_ready"]
ELSE /\ pc' = [pc EXCEPT ![SenderWriteID] = "sender_blocked"]
/\ UNCHANGED << SenderLive, ReceiverLive, Buffer,
NotifyWrite, NotifyRead,
SpaceAvailableInt, free, msg, Sent, have,
Got >>
sender_blocked == /\ pc[SenderWriteID] = "sender_blocked"
/\ SpaceAvailableInt \/ ~SenderLive
/\ IF ~SenderLive
THEN /\ pc' = [pc EXCEPT ![SenderWriteID] = "Done"]
/\ UNCHANGED SpaceAvailableInt
ELSE /\ SpaceAvailableInt' = FALSE
/\ pc' = [pc EXCEPT ![SenderWriteID] = "sender_check_recv_live"]
/\ UNCHANGED << SenderLive, ReceiverLive, Buffer,
NotifyWrite, DataReadyInt, NotifyRead, free,
msg, Sent, have, Got >>
sender_check_recv_live == /\ pc[SenderWriteID] = "sender_check_recv_live"
/\ IF ~ReceiverLive
THEN /\ pc' = [pc EXCEPT ![SenderWriteID] = "Done"]
ELSE /\ pc' = [pc EXCEPT ![SenderWriteID] = "sender_write"]
/\ UNCHANGED << SenderLive, ReceiverLive, Buffer,
NotifyWrite, DataReadyInt,
NotifyRead, SpaceAvailableInt, free,
msg, Sent, have, Got >>
SenderWrite == sender_ready \/ sender_write \/ sender_request_notify
\/ sender_recheck_len \/ sender_write_data
\/ sender_check_notify_data \/ sender_notify_data
\/ sender_blocked \/ sender_check_recv_live
sender_open == /\ pc[SenderCloseID] = "sender_open"
/\ SenderLive' = FALSE
/\ pc' = [pc EXCEPT ![SenderCloseID] = "sender_notify_closed"]
/\ UNCHANGED << ReceiverLive, Buffer, NotifyWrite, DataReadyInt,
NotifyRead, SpaceAvailableInt, free, msg, Sent,
have, Got >>
sender_notify_closed == /\ pc[SenderCloseID] = "sender_notify_closed"
/\ DataReadyInt' = TRUE
/\ pc' = [pc EXCEPT ![SenderCloseID] = "Done"]
/\ UNCHANGED << SenderLive, ReceiverLive, Buffer,
NotifyWrite, NotifyRead,
SpaceAvailableInt, free, msg, Sent,
have, Got >>
SenderClose == sender_open \/ sender_notify_closed
recv_init == /\ pc[ReceiverReadID] = "recv_init"
/\ IF ReceiverBlocksFirst
THEN /\ pc' = [pc EXCEPT ![ReceiverReadID] = "recv_await_data"]
ELSE /\ pc' = [pc EXCEPT ![ReceiverReadID] = "recv_ready"]
/\ UNCHANGED << SenderLive, ReceiverLive, Buffer, NotifyWrite,
DataReadyInt, NotifyRead, SpaceAvailableInt, free,
msg, Sent, have, Got >>
recv_ready == /\ pc[ReceiverReadID] = "recv_ready"
/\ IF ReceiverLive
THEN /\ pc' = [pc EXCEPT ![ReceiverReadID] = "recv_reading"]
ELSE /\ pc' = [pc EXCEPT ![ReceiverReadID] = "Done"]
/\ UNCHANGED << SenderLive, ReceiverLive, Buffer, NotifyWrite,
DataReadyInt, NotifyRead, SpaceAvailableInt,
free, msg, Sent, have, Got >>
recv_reading == /\ pc[ReceiverReadID] = "recv_reading"
/\ have' = Len(Buffer)
/\ pc' = [pc EXCEPT ![ReceiverReadID] = "recv_got_len"]
/\ UNCHANGED << SenderLive, ReceiverLive, Buffer, NotifyWrite,
DataReadyInt, NotifyRead, SpaceAvailableInt,
free, msg, Sent, Got >>
recv_got_len == /\ pc[ReceiverReadID] = "recv_got_len"
/\ \/ /\ IF have > 0
THEN /\ pc' = [pc EXCEPT ![ReceiverReadID] = "recv_read_data"]
/\ UNCHANGED NotifyWrite
ELSE /\ NotifyWrite' = TRUE
/\ pc' = [pc EXCEPT ![ReceiverReadID] = "recv_recheck_len"]
\/ /\ NotifyWrite' = TRUE
/\ pc' = [pc EXCEPT ![ReceiverReadID] = "recv_recheck_len"]
/\ UNCHANGED << SenderLive, ReceiverLive, Buffer, DataReadyInt,
NotifyRead, SpaceAvailableInt, free, msg, Sent,
have, Got >>
recv_recheck_len == /\ pc[ReceiverReadID] = "recv_recheck_len"
/\ have' = Len(Buffer)
/\ pc' = [pc EXCEPT ![ReceiverReadID] = "recv_read_data"]
/\ UNCHANGED << SenderLive, ReceiverLive, Buffer,
NotifyWrite, DataReadyInt, NotifyRead,
SpaceAvailableInt, free, msg, Sent, Got >>
recv_read_data == /\ pc[ReceiverReadID] = "recv_read_data"
/\ IF have > 0
THEN /\ \E len \in 1..have:
/\ Got' = Got \o Take(Buffer, len)
/\ Buffer' = Drop(Buffer, len)
/\ have' = 0
/\ pc' = [pc EXCEPT ![ReceiverReadID] = "recv_check_notify_read"]
ELSE /\ IF ~SenderLive \/ ~ReceiverLive
THEN /\ pc' = [pc EXCEPT ![ReceiverReadID] = "recv_final_check"]
ELSE /\ pc' = [pc EXCEPT ![ReceiverReadID] = "recv_await_data"]
/\ UNCHANGED << Buffer, have, Got >>
/\ UNCHANGED << SenderLive, ReceiverLive, NotifyWrite,
DataReadyInt, NotifyRead, SpaceAvailableInt,
free, msg, Sent >>
recv_check_notify_read == /\ pc[ReceiverReadID] = "recv_check_notify_read"
/\ IF NotifyRead
THEN /\ NotifyRead' = FALSE
/\ pc' = [pc EXCEPT ![ReceiverReadID] = "recv_notify_read"]
ELSE /\ pc' = [pc EXCEPT ![ReceiverReadID] = "recv_ready"]
/\ UNCHANGED NotifyRead
/\ UNCHANGED << SenderLive, ReceiverLive, Buffer,
NotifyWrite, DataReadyInt,
SpaceAvailableInt, free, msg, Sent,
have, Got >>
recv_notify_read == /\ pc[ReceiverReadID] = "recv_notify_read"
/\ SpaceAvailableInt' = TRUE
/\ pc' = [pc EXCEPT ![ReceiverReadID] = "recv_ready"]
/\ UNCHANGED << SenderLive, ReceiverLive, Buffer,
NotifyWrite, DataReadyInt, NotifyRead,
free, msg, Sent, have, Got >>
recv_final_check == /\ pc[ReceiverReadID] = "recv_final_check"
/\ IF Len(Buffer) = 0
THEN /\ pc' = [pc EXCEPT ![ReceiverReadID] = "Done"]
ELSE /\ pc' = [pc EXCEPT ![ReceiverReadID] = "recv_reading"]
/\ UNCHANGED << SenderLive, ReceiverLive, Buffer,
NotifyWrite, DataReadyInt, NotifyRead,
SpaceAvailableInt, free, msg, Sent, have,
Got >>
recv_await_data == /\ pc[ReceiverReadID] = "recv_await_data"
/\ DataReadyInt \/ ~ReceiverLive
/\ IF ~ReceiverLive
THEN /\ pc' = [pc EXCEPT ![ReceiverReadID] = "Done"]
/\ UNCHANGED DataReadyInt
ELSE /\ DataReadyInt' = FALSE
/\ pc' = [pc EXCEPT ![ReceiverReadID] = "recv_reading"]
/\ UNCHANGED << SenderLive, ReceiverLive, Buffer,
NotifyWrite, NotifyRead, SpaceAvailableInt,
free, msg, Sent, have, Got >>
ReceiverRead == recv_init \/ recv_ready \/ recv_reading \/ recv_got_len
\/ recv_recheck_len \/ recv_read_data
\/ recv_check_notify_read \/ recv_notify_read
\/ recv_final_check \/ recv_await_data
recv_open == /\ pc[ReceiverCloseID] = "recv_open"
/\ ReceiverLive' = FALSE
/\ pc' = [pc EXCEPT ![ReceiverCloseID] = "recv_notify_closed"]
/\ UNCHANGED << SenderLive, Buffer, NotifyWrite, DataReadyInt,
NotifyRead, SpaceAvailableInt, free, msg, Sent,
have, Got >>
recv_notify_closed == /\ pc[ReceiverCloseID] = "recv_notify_closed"
/\ SpaceAvailableInt' = TRUE
/\ pc' = [pc EXCEPT ![ReceiverCloseID] = "Done"]
/\ UNCHANGED << SenderLive, ReceiverLive, Buffer,
NotifyWrite, DataReadyInt, NotifyRead,
free, msg, Sent, have, Got >>
ReceiverClose == recv_open \/ recv_notify_closed
spurious == /\ pc[SpuriousID] = "spurious"
/\ \/ /\ SpaceAvailableInt' = TRUE
/\ UNCHANGED DataReadyInt
\/ /\ DataReadyInt' = TRUE
/\ UNCHANGED SpaceAvailableInt
/\ pc' = [pc EXCEPT ![SpuriousID] = "spurious"]
/\ UNCHANGED << SenderLive, ReceiverLive, Buffer, NotifyWrite,
NotifyRead, free, msg, Sent, have, Got >>
SpuriousInterrupts == spurious
Next == SenderWrite \/ SenderClose \/ ReceiverRead \/ ReceiverClose
\/ SpuriousInterrupts
\/ (* Disjunct to prevent deadlock on termination *)
((\A self \in ProcSet: pc[self] = "Done") /\ UNCHANGED vars)
Spec == /\ Init /\ [][Next]_vars
/\ WF_vars((pc[SenderWriteID] # "sender_ready") /\ SenderWrite)
/\ WF_vars((pc[SenderCloseID] # "sender_open") /\ SenderClose)
/\ WF_vars(ReceiverRead)
/\ WF_vars((pc[ReceiverCloseID] # "recv_open") /\ ReceiverClose)
Termination == <>(\A self \in ProcSet: pc[self] = "Done")
\* END TRANSLATION
-----------------------------------------------------------------------------
(* To be implemented without locks, each atomic step must only access at most one shared
variable. The elements of Buffer are not considered to be shared in this sense,
as there is never a moment when any one element can be accessed by two processes.
Here are the steps and the shared variables they access:
- SenderWrite: (SenderLive and the producer index are considered to be local)
- sender_ready: ReceiverLive
- sender_write: Len(Buffer) (get consumer index)
- sender_request_notify: NotifyRead
- sender_recheck_len: Len(Buffer)
- sender_write_data: Buffer (write producer index)
- sender_check_notify_data: NotifyWrite (atomic test-and-clear operation)
- sender_notify_data: DataReadyInt
- sender_blocked: SpaceAvailableInt
- sender_check_recv_live: ReceiverLive
- SenderClose:
- sender_open: -
- sender_notify_closed: DataReadyInt
- ReceiverRead: (ReceiverLive and the consumer index are considered to be local)
- recv_init: -
- recv_ready: -
- recv_reading: Len(Buffer) (get producer index)
- recv_got_len: NotifyWrite
- recv_recheck_len: Len(Buffer)
- recv_read_data: Buffer or SenderLive (depending on local variable `have')
- recv_check_notify_read: NotifyRead (atomic test-and-clear operation)
- recv_notify_read: SpaceAvailableInt
- recv_final_check: Buffer
- recv_await_data: DataReadyInt
- ReceiverClose:
- recv_open: -
- recv_notify_closed: SpaceAvailableInt
*)
-----------------------------------------------------------------------------
\* Properties the algorithm should satisfy.
(* An invariant describing the types of all variables (except pc). *)
TypeOK ==
/\ Sent \in MESSAGE
/\ Got \in MESSAGE
/\ Buffer \in FINITE_MESSAGE(BufferSize)
/\ SenderLive \in BOOLEAN
/\ ReceiverLive \in BOOLEAN
/\ NotifyWrite \in BOOLEAN
/\ DataReadyInt \in BOOLEAN
/\ NotifyRead \in BOOLEAN
/\ SpaceAvailableInt \in BOOLEAN
/\ free \in 0..BufferSize
/\ msg \in FINITE_MESSAGE(MaxWriteLen)
/\ have \in 0..BufferSize
(* Whatever we receive is the same as what was sent.
(i.e. `Got' is a prefix of `Sent') *)
Integrity ==
Take(Sent, Len(Got)) = Got
AvailabilityNat == Nat \* Just to allow overriding it in TLC
(* Any data that the write function reports has been sent successfully
(i.e. data in Sent when it is back at "sender_ready") will eventually
be received (if the receiver doesn't close the connection).
In particular, this says that it's OK for the sender to close its
end immediately after sending some data.
Note that this is not currently true of the C implementation. *)
Availability ==
\A x \in AvailabilityNat :
x = Len(Sent) /\ SenderLive /\ pc[SenderWriteID] = "sender_ready"
~> \/ Len(Got) >= x
\/ ~ReceiverLive
(* If either side closes the connection, both end up in their Done state
(or sender_ready, which is also outside the library). *)
ShutdownOK ==
~SenderLive \/ ~ReceiverLive
~> <>[] /\ pc[SenderWriteID] \in {"sender_ready", "Done"}
/\ pc[ReceiverReadID] = "Done"
(* All the possible states of the program counter. *)
PCOK == pc \in [
SW: {"sender_ready", "sender_write", "sender_request_notify", "sender_recheck_len",
"sender_write_data", "sender_blocked", "sender_check_notify_data", "sender_notify_data",
"sender_check_recv_live", "Done"},
SC: {"sender_open", "sender_notify_closed", "Done"},
RR: {"recv_init", "recv_ready", "recv_reading", "recv_got_len", "recv_recheck_len",
"recv_read_data", "recv_final_check", "recv_await_data",
"recv_check_notify_read", "recv_notify_read", "Done"},
RC: {"recv_open", "recv_notify_closed", "Done"},
SP: {"spurious"}
]
-----------------------------------------------------------------------------
(* Model checking
You can load this file into the TLA Toolbox and create a new model to check for it.
These parameters work well to test the claims above:
"What is the model?":
- BufferSize = 2
- MaxReadLen = 2
- MaxWriteLen = 2
- Byte = 0..5
Definition Overrides:
- MSG <- MSG_SEQ
- AvailabilityNat <- 0..5
State Constraints:
- Len(Sent) < 4
Invariants:
- TypeOK
- PCOK
- Integrity
Properties:
- Availability
- ReadLimitCorrect
*)
(* Override MSG with this to limit Sent to the form << 1, 2, 3, ... >>.
This is much faster to check and will still detect any dropped or reordered bytes. *)
MSG_SEQ == { [ x \in 1..N |-> Len(Sent) + x ] : N \in 1..MaxWriteLen }
\* These are just here because we can't put expressions in TLC config files.
ZeroToFive == 0..5
LimitSent == Len(Sent) < 4
-----------------------------------------------------------------------------
\* Why does it work? (inductive invariants)
(* An inductive invariant that can be used to prove Integrity. i.e.
/\ Init => IntegrityI
/\ IntegrityI /\ Next => IntegrityI'
The key properties are that:
- The buffer always contains at least `have' bytes, even if the sender adds more.
- The buffer always has at least `free' bytes unused, even if the receiver frees more.
- Bytes are transferred atomically between the stages (msg, Buffer, Got).
*)
IntegrityI ==
/\ PCOK
/\ pc[SenderWriteID] \in {"sender_ready"} => msg = << >>
/\ TypeOK
/\ Sent = Got \o Buffer \o msg
/\ have <= Len(Buffer)
/\ free <= BufferSize - Len(Buffer)
/\ pc[SenderWriteID] \in {"sender_write", "sender_request_notify", "sender_recheck_len",
"sender_write_data", "sender_blocked", "sender_check_recv_live"} => msg /= << >>
\* `have' is only used in these states:
/\ pc[ReceiverReadID] \in {"recv_got_len", "recv_recheck_len", "recv_read_data"} \/ have = 0
\* `free` is only used in these states:
/\ pc[SenderWriteID] \in {"sender_write", "sender_request_notify", "sender_recheck_len",
"sender_write_data"} \/ free = 0
(* For deadlock / liveness properties, the key idea is (roughly):
- Whenever NotifyRead is set, the sender's information is still accurate.
- Whenever NotifyWrite is set, the receiver's information is still accurate. *)
(* The sender's information is accurate if whenever it is going to block, the buffer
really is full. *)
SenderInfoAccurate ==
\* We have accurate information:
\/ Len(Buffer) + free = BufferSize
\* In these states, we're going to check the buffer before blocking:
\/ pc[SenderWriteID] \in {"sender_ready", "sender_request_notify", "sender_write",
"sender_recheck_len", "sender_check_recv_live", "Done"}
\/ pc[SenderWriteID] \in {"sender_request_notify"} /\ free < Len(msg)
\* If we've been signalled, we'll immediately wake next time we try to block:
\/ SpaceAvailableInt
\* We're about to write some data:
\/ /\ pc[SenderWriteID] \in {"sender_write_data"}
/\ free >= Len(msg) \* We won't need to block
\* If we wrote all the data we intended to, we'll return without blocking:
\/ /\ pc[SenderWriteID] \in {"sender_check_notify_data", "sender_notify_data"}
/\ Len(msg) = 0
(* The receiver's information is accurate if whenever it is going to block, the buffer
really is empty. *)
ReaderInfoAccurate ==
\* The buffer really is empty:
\/ Len(Buffer) = 0
\* In these states we're going to check the buffer before blocking, so
\* we don't have any information to be out-of-date:
\/ pc[ReceiverReadID] \in {"recv_ready", "recv_reading",
"recv_got_len", "recv_recheck_len",
"recv_check_notify_read", "recv_notify_read", "recv_final_check",
"Done"} \* (if we're Done then we don't care)
\* If we've been signalled, we'll immediately wake and check again even if we try to block:
\/ DataReadyInt
\* If we know there are some bytes in the buffer, we'll read them and return
\* without blockig:
\/ pc[ReceiverReadID] \in {"recv_read_data"} /\ have > 0
(* The notify flags are set correctly.
If we're on a path to block, then we must have set our notify flag.
Therefore, either it's still set, or the other process has cleared it and sent an event. *)
NotifyFlagsCorrect ==
/\ (/\ pc[ReceiverReadID] \in {"recv_init", "recv_recheck_len", "recv_read_data", "recv_await_data"}
/\ have = 0
/\ ReceiverLive)
=> \/ NotifyWrite
\/ DataReadyInt
\/ pc[SenderWriteID] = "sender_notify_data"
/\ (\/ pc[SenderWriteID] \in {"sender_recheck_len", "sender_write_data"} /\ free < Len(msg)
\/ pc[SenderWriteID] \in {"sender_check_notify_data", "sender_notify_data"} /\ Len(msg) > 0
\/ pc[SenderWriteID] \in {"sender_blocked"}
) /\ SenderLive
=> \/ NotifyRead
\/ SpaceAvailableInt
\/ pc[ReceiverReadID] = "recv_notify_read"
(* Some obvious facts about shutting down connections. *)
CloseOK ==
\* An endpoint is live iff its close thread hasn't done anything:
/\ pc[SenderCloseID] = "sender_open" <=> SenderLive
/\ pc[ReceiverCloseID] = "recv_open" <=> ReceiverLive
\* The send and receive loops don't terminate unless someone has closed the connection:
/\ pc[ReceiverReadID] \in {"recv_final_check", "Done"} => ~ReceiverLive \/ ~SenderLive
/\ pc[SenderWriteID] \in {"Done"} => ~ReceiverLive \/ ~SenderLive
\* If the receiver closed the connection then we will get (or have got) the signal:
/\ pc[ReceiverCloseID] = "Done" =>
\/ SpaceAvailableInt
\/ pc[SenderWriteID] \in {"sender_check_recv_live", "Done"}
(* The main inductive invariant:
- The notify flags must have been set correctly.
- If the notify flags are still set, the information is still up-to-date. *)
I ==
/\ IntegrityI
/\ CloseOK
/\ NotifyFlagsCorrect
\* If NotifyRead is set then:
/\ NotifyRead =>
\* The sender has accurate information about the buffer:
\/ SenderInfoAccurate
\* Or the flag is just about to be cleared:
\/ pc[ReceiverReadID] \in {"recv_check_notify_read"}
\* If NotifyWrite is set then:
/\ NotifyWrite =>
\* The receiver has accurate information about the buffer:
\/ ReaderInfoAccurate
\* Or the flag is just about to be cleared:
\/ pc[SenderWriteID] \in {"sender_check_notify_data"}
-----------------------------------------------------------------------------
\* Checking the inductive invariants with TLC
\* A quick way to generate valid buffer configurations for model checking:
SentMax == 1
BufferI ==
\E gl \in 0..SentMax :
\E bl \in 0..Min(BufferSize, SentMax - gl) :
\E ml \in 0..(SentMax - bl - gl):
/\ Got = [ x \in 1..gl |-> 1 ]
/\ Buffer = [ x \in 1..bl |-> 1 ]
/\ msg = [ x \in 1..ml |-> 1 ]
/\ Sent = Got \o Buffer \o msg
\* Faster replacement for TypeOK in the initial state
TypeOKI ==
/\ BufferI
/\ SenderLive \in BOOLEAN
/\ ReceiverLive \in BOOLEAN
/\ NotifyWrite \in BOOLEAN
/\ DataReadyInt \in BOOLEAN
/\ NotifyRead \in BOOLEAN
/\ SpaceAvailableInt \in BOOLEAN
/\ free \in 0..BufferSize
/\ have \in 0..BufferSize
-----------------------------------------------------------------------------
\* Proof of Spec => []I
\* These proofs have all been verified automatically by TLAPS.
\* The only operations we do on messages are to split and join them.
\* TLAPS needs a lot of help to prove facts about this, so do it here all in one place:
LEMMA TakeDropFacts ==
ASSUME NEW m \in MESSAGE,
NEW i \in 1..Len(m)
PROVE /\ Take(m, i) \in MESSAGE
/\ Drop(m, i) \in MESSAGE
/\ Len(Take(m, i)) = i
/\ Len(Drop(m, i)) = Len(m) - i
/\ Take(m, i) \o Drop(m, i) = m
<1>1. /\ Take(m, i) \in MESSAGE
/\ Len(Take(m, i)) = i
/\ \A j \in 1..i : Take(m, i)[j] = m[j]
BY DEF Take, MESSAGE
<1>2. /\ Drop(m, i) \in MESSAGE
/\ Len(Drop(m, i)) = Len(m) - i
/\ \A j \in 1 .. Len(m) - i : Drop(m, i)[j] = m[j + i]
<2> DEFINE sm == i + 1
<2> DEFINE sn == Len(m)
<2> m \in Seq(Byte) BY DEF MESSAGE
<2> sm \in 1..Len(m) + 1 OBVIOUS
<2> sn \in sm-1..Len(m) OBVIOUS
<2> SUFFICES
/\ SubSeq(m, sm, sn) \in Seq(Byte)
/\ Len(SubSeq(m, sm, sn)) = sn - sm + 1
/\ \A j \in 1 .. sn-sm+1 : SubSeq(m, sm, sn)[j] = m[sm + j - 1] BY DEF Drop, MESSAGE
<2> HIDE DEF sm, sn
<2> QED BY SubSeqProperties
<1>3. Take(m, i) \o Drop(m, i) = m
<2> DEFINE s1 == Take(m, i)
<2> DEFINE s2 == Drop(m, i)
<2> DEFINE t == s1 \o s2
<2> Len(m) = Len(t) BY <1>1, <1>2
<2> m \in Seq(Byte) BY DEF MESSAGE
<2> t \in Seq(Byte)
<3> s1 \in Seq(Byte) BY <1>1 DEF MESSAGE
<3> s2 \in Seq(Byte) BY <1>2 DEF MESSAGE
<3> QED BY ConcatProperties
<2> ASSUME NEW j \in 1 .. Len(m)
PROVE m[j] = t[j]
<3> \A k \in 1 .. Len(s1) + Len(s2) : (s1 \o s2)[k] =
IF k <= Len(s1) THEN s1[k] ELSE s2[k - Len(s1)] BY ConcatProperties
<3> j \in 1..Len(s1) + Len(s2) OBVIOUS
<3> CASE j <= Len(s1)
<4> (s1 \o s2)[j] = s1[j] OBVIOUS
<4> QED BY <1>1
<3> CASE j > Len(s1)
<4> (s1 \o s2)[j] = s2[j - Len(s1)] OBVIOUS
<4> QED BY <1>2
<3> QED OBVIOUS
<2> SUFFICES m = t OBVIOUS
<2> HIDE DEF t
<2> QED BY SeqEqual
<1> QED BY <1>1, <1>2, <1>3 DEF MESSAGE, Take, Drop
\* A version of ConcatProperties in terms of the MESSAGE type.
LEMMA ConcatFacts ==
ASSUME NEW a \in MESSAGE,
NEW b \in MESSAGE
PROVE /\ a \o b \in MESSAGE
/\ Len(a \o b) = Len(a) + Len(b)
BY ConcatProperties DEF MESSAGE