protocon/examplespec/ByzantineGenerals.prot at trunk · ProtocolConvergence/protocon · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73

// The Byzantine Generals Problem adapted from
// Title: The Byzantine Generals Problem
// Author: Leslie Lamport
// Author: Robert Shostak
// Author: Marshall Pease
// Year: 1982

// The number of liutenant generals is fixed at 3.

constant N := 3;
constant D := 2;

// A general can be loyal or disloyal.
direct variable loyal[(N+1)] < 2;

// Each general will choose a plan (e.g., attack or retreat).
direct variable plan[(N+1)] < D;
puppet variable cplan[N] < D;

// Variables used for communication.
puppet variable y[(2*N)] < D;


// There must be at least 3 loyal generals.
(assume & closed)
  (N <= loyal[0] + loyal[1] + loyal[2] + loyal[3]);

// Eventually, every loyal general should agree.
((future & silent) % puppet)
  (exists val < D :
   (forall i < 4 : loyal[i]==0 || plan[i]==val)
  );

// Captain General.
// The captain is represented by N processes,
// where each one communicates to a different lieutenant.
process Captain[i < N]
{
  read: loyal[N];

  // The captain has a plan that will not change.
  read: plan[N];

  write: cplan[i];

  // No actions are allowed when this general is disloyal.
  forbid:
    ( loyal[N]==0 --> );

  puppet:
   ( loyal[N]==1 && cplan[i]!=plan[N] --> cplan[i]:=plan[N]; );
}

// Lieutenant General.
process Lieutenant[i < N]
{
  read: loyal[i];
  write: plan[i];

  read: cplan[i]; // Read decision from captain.

  // Communicate with both other lieutenants.
  symmetric (xlink, olink) <- {# (2*i-1, 2*i+0), (2*i+2, 2*i+1) #}
  {
    read: y[xlink];  // Incoming link with neighbor.
    write: y[olink]; // Outgoing link with neighbor.
  }

  // No actions are allowed when this general is disloyal.
  forbid:
    ( loyal[i]==0 --> );
}