I don’t think I wrote this up anywhere yet, but I used TLA+ to verify the fixes for XSA-299 several years ago. I’d always intended to post them once the embargo was up, but never got around to it. TLA came up in an online discussion board recently, so I spent a bit of time to clean things up and get them posted. Here they are, if anyone’s interested.
https://gitlab.com/xen-project/people/gdunlap/tla -George
