The liveness property is defined as:
GuaranteedWithDrawProgress checks the liveness (or progress) property that all withdraw requests
submitted by the client are eventually responded.
However, the definition
hot state PendingReqs {
on eWithDrawResp do (resp: tWithDrawResp) {
assert resp.rId in pendingWDReqs,
format ("unexpected rId: {0} received, expected one of {1}", resp.rId, pendingWDReqs);
pendingWDReqs -= (resp.rId);
if(sizeof(pendingWDReqs) == 0) // all requests have been responded
goto NopendingRequests;
}
Instead checks a stronger property: that eventually all the requests are responded to. If requests come in at the same rate they are resolved, then all withdraw requests are responded to, but the property will still fail.
More formally, the documentation implies it's ∀message: ◇responded, but the actual property checked is ◇(∀message: responded).
The liveness property is defined as:
However, the definition
Instead checks a stronger property: that eventually all the requests are responded to. If requests come in at the same rate they are resolved, then all withdraw requests are responded to, but the property will still fail.
More formally, the documentation implies it's
∀message: ◇responded, but the actual property checked is◇(∀message: responded).