6 prompts · 144 messages · 52 tool calls · 0 commits · 2 pages
Add a new specification for a distributed system that consists of several servers. Each server maintains an integer counter, and allows clients to get the current counter value or set them. When a client sets a value, the server should update its local value if (and only if) the client supplied value is larger than the one the server already contains. The servers should periodically synchronize counter values with each other, thus ensuring that eventually, in the absense of client set requests, they will all end up with the same counter value and that this value is the largest value that any of them had. Clients should not need to communicate with each other.
Now I see the patterns. Variables use uppercase (like R, N, S), relations use false not False, and function init just assigns directly. Also, relation with Bool uses false/true (lowercase). Let me also check if default works for values.
Let me look at how Inhabited or defaults work for function types, and simplify the spec.
The safety property is too strict — the initial counter value may not be in everSet. Let me rethink. The counters start at some default value, but everSet starts all false. I need to track the initial value too, or use a different property.
Let me simplify and focus on the core max-convergence properties with a cleaner design. I'll track which values have been "introduced" into the system (either initial or via client set).
I see — after_init supports * (nondeterministic), pick, if/then/else, but probably not ∃. The issue is that introduced V := (∃ S, counter S = V) uses an existential. Since counter is also being initialized nondeterministically (no explicit init means it's arbitrary), I can't reference it.
Let me simplify: just set introduced V := true for all values initially (overapproximation), or better yet, not track the initial values and instead just make all counters start at the same fixed value.
All checks pass. The specification:
Here's a summary of the specification at Examples/apanda/MaxCounter.lean:
State:
- counter : server → value — each server's current counter
- maxEverSet : value — tracks the maximum value any client has ever set
Actions:
- clientSet(s, v) — sets server s's counter to v if v is strictly greater than the current value; updates the global max tracker
- serverSync(src, dst) — if src's counter is greater than dst's, copies src's value to dst (models pairwise gossip)
Safety properties verified:
- bounded_by_max — no server's counter ever exceeds the max value ever set by a client
- counters_nonneg — all counters stay non-negative (monotonically increasing from zero)
Supporting invariants: bounded_inv, nonneg_inv, and max_nonneg for inductive verification.
The clientGet action was removed since it's a pure read with no state change — Veil models state transitions, so a no-op read doesn't add verification value. The convergence property (all servers eventually agree) is a liveness property which Veil's current safety-focused verification doesn't directly express, but the sat traces demonstrate the synchronization mechanism works correctly.
Can you also create a skill (called Veil), with the appropriate metadata (see the jujutsu skill) that records everything you have learnt about writing Veil specifications.
Created .claude/skills/veil.md. It covers:
after_init syntax and limitations#model_check, sat/unsat traces, #check_invariants