So yesterday TLA+ made me realize that the property of my protocol that I'm trying to verify makes no sense (the incorrect behaviour is indistinguishable from a client's PoV from a correct behaviour).
So I was thinking how I could make it distinguishable in a way that will work not only in TLA+ but also in real life, and it turns out I could really use pings in the protocol.
Then I looked into my WIP testsuite for this protocol from 2 years ago, and guess what I found?
def assertNoMoreMessages(self):
[...]
self.send(b"ping %s" % nonce) #FIXME: this is non-standard
self.assertRecv(b"pong %s" % nonce)
yup turns out back then I also figured out some things can't be tested without a ping
Of course the problem with pings with nonces in TLA+ is that the set of possible nonces must be larger than the worst-case-scenario number of in-flight pings.
So if you simulate a TCP connection with 2 queues, one in each direction, up to 5 messages in each
then you need 11 different nonces (ok maybe 10 would suffice), which means you get extra 11!-ish states from all the ways your queues can be stuffed with various pings and pongs...
@ignaloidas oh, this isn't state in the process.
I'm not storing a list of all oustanding pings in the process.
It exists in the messages sitting in the queues.
@ignaloidas yeah but like
if the pings in the queue don't have numbers in them
then the client cannot check if the received pong is more than last+1
@ignaloidas so you have nonces in pongs, but not in pings, and relying on part of the specification of the server process to verify that the server process is correct... meh...
I could have the client count how many pings are outstanding, but the problem with that is I'd have to then say "eventually, the number of oustanding pings equals zero" which won't be true because the client can always fill the queue with pings and keep adding more as soon as it receives a pong
Wolf480pl
Ignas Kiela