Re-add parallelism to model

Refactor deli specification: enhance README, update model constraints, and improve state tracking

Author: EricSpencer00

specifications/deli/README.md

@@ -1,22 +1,25 @@
 # Deli
 
-A TLA⁺ specification of a simple deli ordering system with a bounded ticket-queue model.
+A TLA⁺ specification of a deli ordering system with ticket-based queuing and parallel service.
 
-The spec models customers arriving and being served sequentially. Customers arrive (bounded by `MaxArrivals`), receive a ticket number, join an order queue, get assigned to a worker, receive service, and the system resets to serve the next customer. The system progresses through four states: Idle, TakingOrder, PreparingOrder, and Serving; transitions include ReturnToIdle which moves from Serving back to Idle.
+Customers arrive at any time, take a ticket number, and join a FIFO queue. Multiple workers independently pick up the next waiting customer, prepare their order, serve them, and return to idle. Because each worker tracks its own state, several customers can be served concurrently when multiple workers are available.
 
 ## Design
 
-- **Bounded arrivals**: The `MaxArrivals` constant limits customer arrivals for tractable model checking
-- **Queue discipline**: Customers join the orderQueue in FIFO order
-- **Worker assignment**: Any available worker processes the next customer from the queue
-- **Cyclic state machine**: The system explicitly cycles back to Idle after each service, preventing deadlock
+- **No global state**: Instead of a single shop-wide phase variable, each worker has its own state (`Idle`, `Preparing`, `Serving`), enabling true parallelism
+- **Ticket-based customers**: Customers are identified by ticket numbers (1, 2, 3, …) rather than named processes, keeping the model simple and the `Arrive` action always enabled
+- **FIFO queue discipline**: Customers are served in arrival order; the `QueueOrdered` invariant verifies this
+- **State constraint for bounding**: The `arrivals` counter has no guard in the spec itself; a `CONSTRAINT arrivals <= 3` in the config file bounds exploration for model checking without polluting the specification
+- **No `CHECK_DEADLOCK FALSE`**: Because `Arrive` is always enabled (ungated), every reachable state has at least one successor, so deadlock checking works naturally
 
 ## Properties Verified
 
-The specification includes three safety invariants, all verified by TLC:
+The specification includes five safety invariants, all verified by TLC:
 
-1. **TypeOK**: All state variables maintain their declared types throughout execution
-2. **ValidStates**: The system's state variable remains one of the four allowed values
-3. **ConsistentIdle**: When in the Idle state, no customer or worker is assigned
+1. **TypeOK**: All state variables maintain their declared types
+2. **IdleConsistency**: A worker is idle if and only if it has no customer assignment
+3. **NoDoubleAssignment**: No two workers are ever assigned the same customer
+4. **TicketStatePartition**: Every issued ticket is in exactly one logical state—queued, assigned to a worker, or served—with no overlaps and no lost tickets
+5. **QueueOrdered**: Ticket numbers in the queue are strictly increasing (FIFO preserved)
 
-With `MaxArrivals = 2` and `Processes = {p1, p2, p3}`, the model contains **45 distinct states** and completes exhaustive model checking in under 1 second.
+The spec also defines `FairSpec` with weak fairness on each worker's actions, suitable for verifying liveness properties (e.g., every arriving customer is eventually served).

specifications/deli/deli.cfg

@@ -1,12 +1,14 @@
 SPECIFICATION Spec
 
 CONSTANT
-    Processes = {p1, p2, p3}
-    Null = null
-    MaxArrivals = 2
+    Workers = {w1, w2}
+    MaxArrivals = 3
 
-INVARIANT TypeOK
-INVARIANT ValidStates
-INVARIANT ConsistentIdle
+CONSTRAINT
+    StateConstraint
 
-CHECK_DEADLOCK FALSE
+INVARIANT TypeOK
+INVARIANT IdleConsistency
+INVARIANT NoDoubleAssignment
+INVARIANT TicketStatePartition
+INVARIANT QueueOrdered

specifications/deli/deli.tla

@@ -1,98 +1,164 @@
 -------------------------------- MODULE deli --------------------------------
 (***************************************************************************)
-(* A specification of a simple deli ordering system with a ticket queue.   *)
-(* Customers arrive, get assigned to a worker, their order is prepared,    *)
-(* and then served. The system cycles through Idle → TakingOrder →         *)
-(* PreparingOrder → Serving → ReturnToIdle to serve the next customer.     *)
+(* A specification of a deli ordering system with ticket-based queuing     *)
+(* and parallel service by multiple workers.                               *)
+(*                                                                         *)
+(* Customers arrive at any time, take the next ticket number, and join a   *)
+(* FIFO queue. Idle workers independently pick up the next waiting         *)
+(* customer, prepare their order, serve them, and return to idle.          *)
+(* Multiple workers operate concurrently, allowing several customers to    *)
+(* be served in parallel.                                                  *)
 (***************************************************************************)
 
-EXTENDS Naturals, Sequences
+EXTENDS Naturals, Sequences, FiniteSets
 
-CONSTANTS Processes, Null, MaxArrivals
+CONSTANTS Workers, MaxArrivals
 
-VARIABLES ticket, worker, customer, state, orderQueue, arrivals
+VARIABLES
+    arrivals,        \* Nat: count of customers who have arrived
+    queue,           \* Seq(Nat): FIFO queue of ticket numbers waiting
+    workerState,     \* [Workers -> {"Idle", "Preparing", "Serving"}]
+    workerCustomer,  \* [Workers -> Nat]: ticket number each worker handles (0 = none)
+    served           \* Set of ticket numbers already served
+
+vars == <<arrivals, queue, workerState, workerCustomer, served>>
 
 (***************************************************************************)
-(* State variables:                                                        *)
-(*  - ticket: increasing counter issued to arriving customers              *)
-(*  - worker: the current worker serving an order, or Null if idle         *)
-(*  - customer: the current customer being served, or Null if idle         *)
-(*  - state: the system's current phase:                                   *)
-(*          (Idle | TakingOrder | PreparingOrder | Serving)                *)
-(*  - orderQueue: sequence of customers waiting to be served               *)
+(* Helper: the set of elements in a sequence.                              *)
 (***************************************************************************)
+Range(s) == { s[i] : i \in DOMAIN s }
+
+---------------------------------------------------------------------------
 
-TypeOK == 
-    /\ ticket \in Nat
-    /\ worker \in Processes \cup {Null}
-    /\ customer \in Processes \cup {Null}
-    /\ state \in {"Idle", "TakingOrder", "PreparingOrder", "Serving"}
-    /\ orderQueue \in Seq(Processes)
+(***************)
+(* Type check  *)
+(***************)
+
+TypeOK ==
     /\ arrivals \in Nat
+    /\ queue \in Seq(1..arrivals)
+    /\ workerState \in [Workers -> {"Idle", "Preparing", "Serving"}]
+    /\ workerCustomer \in [Workers -> Nat]
+    /\ served \subseteq 1..arrivals
+
+---------------------------------------------------------------------------
+
+(*****************)
+(* Initial state *)
+(*****************)
 
 Init ==
-    /\ ticket = 0
-    /\ worker = Null
-    /\ customer = Null
-    /\ state = "Idle"
-    /\ orderQueue = <<>>
     /\ arrivals = 0
-
-(* Customer arrives, gets a ticket number, and joins the queue *)
-TakeOrder ==
-    /\ state = "Idle"
-    /\ arrivals < MaxArrivals
-    /\ \E c \in Processes :
-        /\ ticket' = ticket + 1
-        /\ arrivals' = arrivals + 1
-        /\ orderQueue' = Append(orderQueue, c)
-        /\ state' = "TakingOrder"
-        /\ UNCHANGED <<worker, customer>>
-
-(* The next customer from the queue is called and a worker is assigned *)
-PrepareOrder ==
-    /\ state = "TakingOrder"
-    /\ Len(orderQueue) > 0
-    /\ LET c == Head(orderQueue) IN
-        /\ \E w \in Processes :
-            /\ customer' = c
-            /\ worker' = w
-            /\ orderQueue' = Tail(orderQueue)
-            /\ state' = "PreparingOrder"
-        /\ UNCHANGED <<ticket, arrivals>>
-
-(* The assigned worker serves the current customer *)
-Serve ==
-    /\ state = "PreparingOrder"
-    /\ state' = "Serving"
-    /\ UNCHANGED <<ticket, worker, customer, orderQueue, arrivals>>
-
-(* Customer is served, worker and customer reset, ready for the next order *)
-ReturnToIdle ==
-    /\ state = "Serving"
-    /\ state' = "Idle"
-    /\ worker' = Null
-    /\ customer' = Null
-    /\ UNCHANGED <<ticket, orderQueue, arrivals>>
+    /\ queue = <<>>
+    /\ workerState = [w \in Workers |-> "Idle"]
+    /\ workerCustomer = [w \in Workers |-> 0]
+    /\ served = {}
+
+---------------------------------------------------------------------------
+
+(***********)
+(* Actions *)
+(***********)
+
+(* A new customer arrives, takes the next ticket, and joins the queue. *)
+(* This action has no guard and is always enabled; the arrivals count  *)
+(* is bounded only by the state constraint in the model config.        *)
+Arrive ==
+    /\ arrivals' = arrivals + 1
+    /\ queue' = Append(queue, arrivals + 1)
+    /\ UNCHANGED <<workerState, workerCustomer, served>>
+
+(* An idle worker picks up the next customer from the head of the queue *)
+AssignWorker(w) ==
+    /\ workerState[w] = "Idle"
+    /\ queue /= <<>>
+    /\ workerCustomer' = [workerCustomer EXCEPT ![w] = Head(queue)]
+    /\ workerState' = [workerState EXCEPT ![w] = "Preparing"]
+    /\ queue' = Tail(queue)
+    /\ UNCHANGED <<arrivals, served>>
+
+(* A worker finishes preparing and begins serving *)
+FinishPreparing(w) ==
+    /\ workerState[w] = "Preparing"
+    /\ workerState' = [workerState EXCEPT ![w] = "Serving"]
+    /\ UNCHANGED <<arrivals, queue, workerCustomer, served>>
+
+(* A worker completes service: customer is marked served, worker goes idle *)
+CompleteService(w) ==
+    /\ workerState[w] = "Serving"
+    /\ served' = served \cup {workerCustomer[w]}
+    /\ workerState' = [workerState EXCEPT ![w] = "Idle"]
+    /\ workerCustomer' = [workerCustomer EXCEPT ![w] = 0]
+    /\ UNCHANGED <<arrivals, queue>>
+
+---------------------------------------------------------------------------
+
+(*****************)
+(* Specification *)
+(*****************)
 
 Next ==
-    TakeOrder \/ PrepareOrder \/ Serve \/ ReturnToIdle
+    \/ Arrive
+    \/ \E w \in Workers : AssignWorker(w) \/ FinishPreparing(w) \/ CompleteService(w)
+
+Spec == Init /\ [][Next]_vars
+
+---------------------------------------------------------------------------
+
+(************)
+(* Fairness *)
+(************)
+
+(* Under weak fairness on each worker's actions, every queued customer *)
+(* is eventually served. Without fairness, workers could idle forever. *)
+FairSpec == Spec /\ \A w \in Workers :
+    /\ WF_vars(AssignWorker(w))
+    /\ WF_vars(FinishPreparing(w))
+    /\ WF_vars(CompleteService(w))
+
+---------------------------------------------------------------------------
+
+(**************)
+(* Invariants *)
+(**************)
+
+(* An idle worker has no customer; a busy worker always has one *)
+IdleConsistency ==
+    \A w \in Workers : workerState[w] = "Idle" <=> workerCustomer[w] = 0
+
+(* No two workers handle the same customer simultaneously *)
+NoDoubleAssignment ==
+    \A w1, w2 \in Workers :
+        w1 /= w2 /\ workerCustomer[w1] /= 0
+        => workerCustomer[w1] /= workerCustomer[w2]
+
+(* Every issued ticket is in exactly one logical state:              *)
+(* queued (waiting), assigned (being prepared or served), or served. *)
+TicketStatePartition ==
+    LET assigned == { workerCustomer[w] : w \in { x \in Workers : workerCustomer[x] /= 0 } }
+        queued   == Range(queue)
+        issued   == 1..arrivals
+    IN /\ queued \cup assigned \cup served = issued
+       /\ queued \cap assigned = {}
+       /\ queued \cap served   = {}
+       /\ assigned \cap served = {}
+
+(* The queue preserves FIFO order: earlier tickets always appear first *)
+QueueOrdered ==
+    \A i, j \in DOMAIN queue : i < j => queue[i] < queue[j]
 
-(* Safety: System stays in one of the allowed states *)
-ValidStates ==
-    state \in {"Idle", "TakingOrder", "PreparingOrder", "Serving"}
+---------------------------------------------------------------------------
 
-(* Safety: No customer is assigned when the system is Idle *)
-ConsistentIdle ==
-    (state = "Idle") => (customer = Null /\ worker = Null)
+(* State constraint for bounding model checking; not part of the spec. *)
+StateConstraint == arrivals <= MaxArrivals
 
-Spec ==
-    Init /\ [][Next]_<<ticket, worker, customer, state, orderQueue, arrivals>>
+---------------------------------------------------------------------------
 
-(* Theorems *)
 THEOREM Spec => []TypeOK
-THEOREM Spec => []ValidStates  
-THEOREM Spec => []ConsistentIdle
+THEOREM Spec => []IdleConsistency
+THEOREM Spec => []NoDoubleAssignment
+THEOREM Spec => []TicketStatePartition
+THEOREM Spec => []QueueOrdered
 
 =============================================================================
 

specifications/deli/manifest.json

@@ -14,9 +14,9 @@
           "runtime": "00:00:01",
           "mode": "exhaustive search",
           "result": "success",
-          "distinctStates": 45,
-          "totalStates": 61,
-          "stateDepth": 1
+          "distinctStates": 82,
+          "totalStates": 215,
+          "stateDepth": 13
         }
       ]
     }