How to model check this "real-time" spec?
101 views
Skip to first unread message
ns
Oct 7, 2021, 9:26:10 PM10/7/21
to tlaplus
hello I've been reading the chapter on Real-time in the Specifying Systems book and am trying to experiment with a small spec that uses an integer clock (thereby bypassing the need to worry about real valued time, which wouldn't work with TLC anyway). This specific example is to turn the lights on and off, but in any case no less than every K seconds. However, it does not model check (invariant TimingOK violated) although it *seems* correct to me. The problem is that there is no way of forcing the LNext action to take place so the invariant is violated. (for the example I used K=2 and MAX_TIME 4). Is there a way to fix this so TLC will model check it?
thanks!
(*turn lights on and off, but at least every K seconds*)
EXTENDS Naturals
CONSTANTS
MAX_TIME, K
Time == 0 .. (MAX_TIME+1)
VARIABLE lights,clock, lightsTrigT
vars == <<lights, clock, lightsTrigT>>
isTyped == lights \in BOOLEAN /\ clock \in Time /\ lightsTrigT \in Time
Init == lights=TRUE /\ clock=0 /\ lightsTrigT=0
LNext == (IF lights THEN lights'=FALSE ELSE lights'=TRUE) /\ lightsTrigT' = clock
DoNothing == UNCHANGED <<lights,lightsTrigT>>
clockNext == clock' = clock+1
TBound(actionTriggerT, maxWait) == clock <= actionTriggerT + maxWait
Next == (LNext \/ DoNothing) /\ clockNext /\ TBound(lightsTrigT, K)
Spec == Init /\ [][Next]_vars
TimingOK == (clock <= lightsTrigT + K)
THEOREM Spec => [] TimingOK
ns
Oct 7, 2021, 9:45:10 PM10/7/21
to tlaplus
Sorry a correction: the TBound is clock < actionTriggerT + maxWait. The problem is deadlock not invariant not being satisfied.
Stephan Merz
Oct 10, 2021, 5:19:32 AM10/10/21
to tla...@googlegroups.com
Not sure I understand your question: TLC *does* model check your spec, it just (correctly) signals a deadlock, since the non-clock variables may stutter according to DoNothing until the clock exceeds its bound, at which point no action is enabled anymore. If you intend to avoid this, DoNothing needs a stronger time bound, see attached module for a possible definition.
Since the modified spec generates an unbounded state space, you'll need to add a state constraint to your model, such as
clock <= MAX_TIME
Hope this helps,
Stephan
ns
Oct 15, 2021, 11:53:55 PM10/15/21
to tlaplus
hi Stephan, thanks as always for your insightful answer. My thinking was that since the spec doesn't admit any traces in which the lights don't change at least once every K s (based on my understanding of TLA semantics) I was hoping that the model checker would agree and say that the invariant was indeed satisfied. But instead it reported deadlock. I did see where the deadlock is coming from, and I suppose its a way of rejecting those bad traces, but was somewhat surprising. I like your solution to the problem using a kind of "lookahead" to prevent DoNothing when a bound is about to expire, but it appears to me a way of getting TLC to do the right thing. Please let me know if I'm still missing something key.
ns
Oct 16, 2021, 12:23:43 AM10/16/21
to tlaplus
But perhaps one answer here is that while the spec doesn't admit any traces in which the invariant is violated, it does admit finite traces (ie those that deadlock) and that is what TLC is catching. However, given TLA semantics, only infinite traces can be traces of the model so finite traces don't or shouldn't enter the picture.
Stephan Merz
Oct 16, 2021, 7:50:41 AM10/16/21
to tla...@googlegroups.com
First, you can of course ignore the deadlock by disabling deadlock checking if you are not interested in it.
Second, a state is deadlocked if `ENABLED Next' is false at that state, but the actual transition relation is [Next]_vars, so a finite behavior ending in a deadlocked state can always be extended to an infinite behavior.
Stephan
--
You received this message because you are subscribed to the Google Groups "tlaplus" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tlaplus+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/tlaplus/ac28683b-f55a-4916-978a-b7a5b1f5f18en%40googlegroups.com.
Earnshaw
May 5, 2023, 11:05:50 PM5/5/23
to tlaplus
Hi ns, this is my spec to solve the problem, hope it can help:
(*turn lights on and off, but at least every K seconds*)
EXTENDS Naturals
CONSTANTS
MAX_TIME, K
VARIABLE lights,clock, lightsTrigT
vars == <<lights, clock, lightsTrigT>>
isTyped == lights \in BOOLEAN /\ clock \in Time /\ lightsTrigT \in Time
Init == lights=TRUE /\ clock=0 /\ lightsTrigT=0
Spec == Init /\ [][Next]_vars
-------------------------------- MODULE Time --------------------------------
(*turn lights on and off, but at least every K seconds*)
EXTENDS Naturals
CONSTANTS
MAX_TIME, K
Time == 0 .. MAX_TIME
VARIABLE lights,clock, lightsTrigT
vars == <<lights, clock, lightsTrigT>>
isTyped == lights \in BOOLEAN /\ clock \in Time /\ lightsTrigT \in Time
Init == lights=TRUE /\ clock=0 /\ lightsTrigT=0
\*Init == lights=FALSE /\ clock=10 /\ lightsTrigT=10
TBound(actionTriggerT, maxWait) == clock < actionTriggerT + maxWait
clockNext == /\ TBound(lightsTrigT, K)
/\ IF TBound(lightsTrigT, K-1)
THEN
/\ clock' = clock+1
/\ UNCHANGED <<lights,lightsTrigT>>
ELSE \*clock = (lightsTrigT + K -1)
/\ (IF lights THEN lights'=FALSE ELSE lights'=TRUE)
/\ clock' = clock+1
/\ lightsTrigT' = clock'
Next == clockNext
TBound(actionTriggerT, maxWait) == clock < actionTriggerT + maxWait
clockNext == /\ TBound(lightsTrigT, K)
/\ IF TBound(lightsTrigT, K-1)
THEN
/\ clock' = clock+1
/\ UNCHANGED <<lights,lightsTrigT>>
ELSE \*clock = (lightsTrigT + K -1)
/\ (IF lights THEN lights'=FALSE ELSE lights'=TRUE)
/\ clock' = clock+1
/\ lightsTrigT' = clock'
Next == clockNext
Spec == Init /\ [][Next]_vars
TimingOK == clock <= lightsTrigT + K
Test == clock # 10
THEOREM Spec => [] TimingOK
=============================================================================
Test == clock # 10
THEOREM Spec => [] TimingOK
=============================================================================
Reply all
Reply to author
Forward
0 new messages