Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Merge updated_enabled_cdot. #148

Open
wants to merge 36 commits into
base: main
Choose a base branch
from
Open

Merge updated_enabled_cdot. #148

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
36 commits
Select commit Hold shift + click to select a range
7b034c8
BUG: recompute operator level info in parametrized instantiation
johnyf Dec 7, 2020
3c899a5
BUG: lambdify ENABLED in operators with arguments
johnyf Dec 8, 2020
ab897dc
TST: add tests for `ENABLED` with `INSTANCE`
johnyf Dec 8, 2020
e30f941
TST: correctly detect end of module
johnyf Dec 7, 2020
8a5b74a
BUG: show "VARIABLE" for single variable,
johnyf Dec 8, 2020
c561dbe
ENH: add function `print_modules`
johnyf Dec 7, 2020
aa1f39b
BUG: load modules in `EXTENDS` of submodules
johnyf Dec 7, 2020
09719c8
BUG: correctly shift module units when instantiating
johnyf Dec 8, 2020
4d2129e
REF: add details to error message
johnyf Sep 8, 2020
a4ca6ac
BUG: handle `INSTANCE` statements within `LET`
johnyf Sep 8, 2020
a5dc90a
REF: add details to error message
johnyf Sep 8, 2020
a87906f
BUG: fingerprint `INSTANCE` statements within `LET`
johnyf Sep 8, 2020
93f5186
Merge branch 'let_instance_and_enabled_prm_instance' into merge_let_i…
johnyf Jun 2, 2021
30f1415
liveness proof for EWD840 example
muenchnerkindl Feb 9, 2021
017ebd8
fixed typo in Peterson example
muenchnerkindl Feb 18, 2021
737dd12
DOC: add comments to example and tests
johnyf Nov 12, 2020
f47164b
TST: add TLA+ module `LevelComparisonTest`
johnyf Mar 31, 2021
c7ff69d
TST: add TLA+ module `UnsoundCoalescingThmDecl_test`
johnyf Mar 18, 2021
6b49822
BUG: fingerprint `AutoUSE` results
johnyf Dec 7, 2020
426a200
BUG: correct soundness check for proof levels
johnyf Dec 5, 2020
aec7bbe
DOC: add PlusCal-like algorithm for soundness check
johnyf Dec 5, 2020
987e425
ENH: add proof directives `ENABLEDrules` and `ENABLEDrewrites`
johnyf Dec 5, 2020
70b4eaa
fixup! fpfile changes
johnyf Mar 31, 2021
6a4e5f8
BUG: correct scoping in proof directive `LevelComparison`
johnyf May 25, 2021
23f6f0b
API: print level comparison message only when verbose
johnyf May 26, 2021
c758c25
BUG: correct typo
johnyf Jul 28, 2021
ee56b3d
add labeled arguments in call of expand_enabled_cdot to avoid warning…
quicquid Aug 4, 2022
a963bd3
add example for simple liveness proof, contributed by Andreas Recke
muenchnerkindl Oct 4, 2022
9c27e42
Merge branch 'main' into updated_enabled_cdot
kape1395 Aug 31, 2024
9a6cadd
Print exception backtraces in LSP.
kape1395 Aug 31, 2024
f002d24
Proofs in `examples/EWD840.tla` fixed.
kape1395 Sep 1, 2024
4f4344b
Temporary workaround for making the LSP to work.
kape1395 Sep 1, 2024
cfacd96
Fix proof in `examples/SimpleMutex.tla`.
kape1395 Sep 1, 2024
77ac33f
Fix proof in `examples/SimpleEventually.tla`.
kape1395 Sep 1, 2024
7f63bdd
Properly take the obligation fingerprints in the LSP.
kape1395 Sep 1, 2024
b12dfff
Merge remote-tracking branch 'origin/main' into updated_enabled_cdot
kape1395 Sep 11, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
106 changes: 106 additions & 0 deletions examples/CountDown.tla
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,106 @@
----------------------------- MODULE CountDown -----------------------------
(***************************************************************************)
(* Example of a counter that counts down from N to 0, together with a *)
(* liveness proof showing that it will eventually reach 0. *)
(* *)
(* Contributed by Andreas Recke. *)
(***************************************************************************)
EXTENDS Naturals, TLC, TLAPS, NaturalsInduction

----
\* Input: N is the starting number for the countdown
CONSTANTS N

\* N must be a natural number
ASSUME NAssumption == N \in Nat

\* Variable i is the running countdown value
VARIABLES cnt

----
\* We define a set S which contains all possible values of the countdown counter
S == 0..N

----
\* Init: i starts at N
Init == cnt = N

\* Next: if cnt is greater than 0, it will be count down by 1 in the next step
Next == cnt > 0 /\ cnt' = cnt-1

\* The complete spec. Important here is the fairness property. Otherwise, we
\* would not be able to proof that the count down may reach zero, because it
\* may infinitely stutter at a value larger than zero.
Spec == Init /\ [][Next]_cnt /\ WF_cnt(Next)

----
\* Properties of the algorithm
Termination == <>(cnt=0) \* count down reaches zero

NextEnabled == cnt > 0 \* for rewriting the ENABLED property to something simpler

TypeInv == cnt \in S
\* the type correctness property is actually fundamental.
\* TLA+ values do not have a type, but proofs require it

----
\* Theorems

\* this lemma ensures that the type of cnt is always correct
LEMMA TypeCorrectness == Spec => []TypeInv
\* From the correct input, ensured by NAssumption, Init leads to a correct type
<1>1. Init => TypeInv
BY NAssumption DEF Init, TypeInv, S
\* The Next transition, here encoded with the "[Next]_cnt" construct, leaves the
\* TypeInv unchanged in the next state
<1>2. TypeInv /\ [Next]_cnt => TypeInv'
BY NAssumption DEF TypeInv, Next, S
<1>3. QED
BY <1>1, <1>2, PTL DEF Spec \* standard invariant reasoning

----
\* If the input constant N \in Nat, then we can prove that Spec leads to Termination (cnt=0)
\* We use the DownwardNatInduction rule which actually has the same goal as our algorithm:
\* start with a number N and prove that if fulfills a requirement P(N), i.e. <>cnt=N
\* Then just prove that for each n \in 1..N, where P(n) is fulfilled, the requirement P(n-1)
\* is fulfilled, i.e. <>cnt=(n-1)
\* This then proves, if cnt can be in 0..N that P(0) will be reached, i.e. <>cnt=0; which
\* equals Termination
THEOREM WillReachZero == Spec => Termination
PROOF
\* The liveness proof uses an intermediate predicate for downward induction
\* Note that P(0) just expresses the assertion of the theorem.
<1> DEFINE P(m) == Spec => <>(cnt = m)
<1> HIDE DEF P
<1>2. P(0)
<2>1. P(N)
\* Start condition - this is actually obvious. We show that initialization fulfills the first goal
BY PTL DEF P, Spec, Init
<2>2. \A n \in 1..N : P(n) => P(n-1)
\* prove: for all intermediate goals, the next goal will be reached
<3>1. SUFFICES
ASSUME NEW n \in 1 .. N
PROVE Spec /\ <>(cnt = n) => <>(cnt = n-1)
\* Reformulation replacing the quantifier by a constant
\* Note that `Spec' remains in the conclusion so that PTL finds only "boxed" hypotheses in the QED step
BY DEF P
<3>2. (cnt=n) /\ [Next]_cnt => (cnt=n)' \/ (cnt=n-1)'
BY DEF Next
\* WF1 rule, step 1
<3>3. (cnt=n) /\ <<Next>>_cnt => (cnt=n-1)'
BY DEF Next
\* WF1 rule, step 2
<3>4. (cnt=n) => ENABLED <<Next>>_cnt
BY ExpandENABLED DEF Next
\* WF1 rule, step 3
<3> QED
BY <3>1, <3>2, <3>3, <3>4, PTL DEF Spec
\* Now we can conclude the WF1 rule reasoning
<2> QED
BY NAssumption, <2>1, <2>2, DownwardNatInduction, Isa
\* taking the facts <2>1 and <2>2, downward natural induction works
<1> QED
BY <1>2, PTL DEF P, Termination
\* and finally, we can prove the overall goal to show that the spec/algorithm terminates

=============================================================================
Loading