zolfa
/
tendermint
1
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 221 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
10022 Commits
183 Branches
291 MiB
Tree: 2457deefd4
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '2457deefd4'
${ noResults }
tendermint/spec/consensus/proposer-based-timestamp/tla/Apalache.tla

109 lines
4.3 KiB
Raw Normal View History

Migration of TLA+ files from the spec repo (#8004) (#8018) Co-authored-by: Kukovec <jure.kukovec@gmail.com>
3 years ago
 
  1. --------------------------- MODULE Apalache -----------------------------------
  2. (*
  3.  * This is a standard module for use with the Apalache model checker.
  4.  * The meaning of the operators is explained in the comments.
  5.  * Many of the operators serve as additional annotations of their arguments.
  6.  * As we like to preserve compatibility with TLC and TLAPS, we define the
  7.  * operator bodies by erasure. The actual interpretation of the operators is
  8.  * encoded inside Apalache. For the moment, these operators are mirrored in
  9.  * the class at.forsyte.apalache.tla.lir.oper.ApalacheOper.
  10.  *                                                                          
  11.  * Igor Konnov, Jure Kukovec, Informal Systems 2020-2021                    
  12.  *)
  13. 

  14. (**
  15.  * An assignment of an expression e to a state variable x. Typically, one
  16.  * uses the non-primed version of x in the initializing predicate Init and
  17.  * the primed version of x (that is, x') in the transition predicate Next.
  18.  * Although TLA+ does not have a concept of a variable assignment, we find
  19.  * this concept extremely useful for symbolic model checking. In pure TLA+,
  20.  * one would simply write x = e, or x \in {e}.
  21.  *
  22.  * Apalache automatically converts some expressions of the form
  23.  * x = e or x \in {e} into assignments. However, if you like to annotate
  24.  * assignments by hand, you can use this operator.
  25.  *
  26.  * For a further discussion on that matter, see:
  27.  * https://github.com/informalsystems/apalache/blob/ik/idiomatic-tla/docs/idiomatic/assignments.md
  28.  *)
  29. x := e == x = e
  30. 

  31. (**
  32.  * A generator of a data structure. Given a positive integer `bound`, and
  33.  * assuming that the type of the operator application is known, we
  34.  * recursively generate a TLA+ data structure as a tree, whose width is
  35.  * bound by the number `bound`.
  36.  *
  37.  * The body of this operator is redefined by Apalache.
  38.  *)
  39. Gen(size) == {}
  40. 

  41. (**
  42.  * Convert a set of pairs S to a function F. Note that if S contains at least
  43.  * two pairs <<x, y>> and <<u, v>> such that x = u and y /= v,
  44.  * then F is not uniquely defined. We use CHOOSE to resolve this ambiguity.
  45.  * Apalache implements a more efficient encoding of this operator
  46.  * than the default one.
  47.  *
  48.  * @type: Set(<<a, b>>) => (a -> b);
  49.  *)
  50. SetAsFun(S) ==
  51.     LET Dom == { x: <<x, y>> \in S }
  52.         Rng == { y: <<x, y>> \in S }
  53.     IN
  54.     [ x \in Dom |-> CHOOSE y \in Rng: <<x, y>> \in S ]
  55. 

  56. (**
  57.  * As TLA+ is untyped, one can use function- and sequence-specific operators
  58.  * interchangeably. However, to maintain correctness w.r.t. our type-system,
  59.  * an explicit cast is needed when using functions as sequences.
  60.  *)
  61. LOCAL INSTANCE Sequences
  62. FunAsSeq(fn, maxSeqLen) == SubSeq(fn, 1, maxSeqLen)
  63. 

  64. (**
  65.  * Annotating an expression \E x \in S: P as Skolemizable. That is, it can
  66.  * be replaced with an expression c \in S /\ P(c) for a fresh constant c.
  67.  * Not every exisential can be replaced with a constant, this should be done
  68.  * with care. Apalache detects Skolemizable expressions by static analysis.
  69.  *)
  70. Skolem(e) == e
  71. 

  72. (**
  73.  * A hint to the model checker to expand a set S, instead of dealing
  74.  * with it symbolically. Apalache finds out which sets have to be expanded
  75.  * by static analysis.
  76.  *)
  77. Expand(S) == S
  78. 

  79. (**
  80.  * A hint to the model checker to replace its argument Cardinality(S) >= k
  81.  * with a series of existential quantifiers for a constant k.
  82.  * Similar to Skolem, this has to be done carefully. Apalache automatically
  83.  * places this hint by static analysis.
  84.  *)
  85. ConstCardinality(cardExpr) == cardExpr
  86. 

  87. (**
  88.  * The folding operator, used to implement computation over a set.
  89.  * Apalache implements a more efficient encoding than the one below.
  90.  * (from the community modules).
  91.  *)
  92. RECURSIVE FoldSet(_,_,_)
  93. FoldSet( Op(_,_), v, S ) == IF S = {}
  94.                             THEN v
  95.                             ELSE LET w == CHOOSE x \in S: TRUE
  96.                                   IN LET T == S \ {w}
  97.                                       IN FoldSet( Op, Op(v,w), T )
  98. 

  99. (**
  100.  * The folding operator, used to implement computation over a sequence.
  101.  * Apalache implements a more efficient encoding than the one below.
  102.  * (from the community modules).
  103.  *)
  104. RECURSIVE FoldSeq(_,_,_)
  105. FoldSeq( Op(_,_), v, seq ) == IF seq = <<>>
  106.                               THEN v
  107.                               ELSE FoldSeq( Op, Op(v,Head(seq)), Tail(seq) )
  108. 

  109. ===============================================================================