Proving inductive predicates in TLAPS
37 views
Skip to first unread message
Leander Jehl
Nov 12, 2020, 3:07:57 AM11/12/20
to tlaplus
I have a specification with constant Blocks and a function prev \in [Blocks -> Blocks] that defines a tree.
I would like to define an ancestor relation on that tree and prove statements like reflexivity and transitivity.
If I try to prove NatInductiveDefConclusion, it triggers a bug in TLAPS.
I would like to define an ancestor relation on that tree and prove statements like reflexivity and transitivity.
If I try to prove NatInductiveDefConclusion, it triggers a bug in TLAPS.
I would be grateful for any tips on how to define the ancestor relation, or how to avoid the bug.
Here is my current definition of the ancestor relation:
Extend(A) == A \cup { <<b,c>> \in Blocks \X Blocks: <<b,prev[c]>> \in A }
A0 == { <<b,c>> \in Blocks \X Blocks: b=c }
ancestors[i \in Nat] == IF i=0 THEN A0
ELSE Extend(ancestors[i-1])
Ancestor(b,c) == /\ height[b] <= height[c]
/\ height[c] - height[b] \in Nat
/\ <<b,c>> \in ancestors[height[c] - height[b]]
My complete tree specification can be found here:
https://github.com/leandernikolaus/hotstuff-ivy/blob/master/Tree.tla
Thanks,
Leander
A0 == { <<b,c>> \in Blocks \X Blocks: b=c }
ancestors[i \in Nat] == IF i=0 THEN A0
ELSE Extend(ancestors[i-1])
Ancestor(b,c) == /\ height[b] <= height[c]
/\ height[c] - height[b] \in Nat
/\ <<b,c>> \in ancestors[height[c] - height[b]]
My complete tree specification can be found here:
https://github.com/leandernikolaus/hotstuff-ivy/blob/master/Tree.tla
Thanks,
Leander
Stephan Merz
Nov 12, 2020, 4:54:31 AM11/12/20
to tla...@googlegroups.com
Hello,
TLAPS unfortunately doesn't handle quantification over tuples [1]. You have to rewrite your definitions as follows for the proof of the lemma to work:
Extend(A) == A \cup { bc \in Blocks \X Blocks: <<bc[1],prev[bc[2]]>> \in A }
A0 == { bc \in Blocks \X Blocks: bc[1]=bc[2] }
A0 == { bc \in Blocks \X Blocks: bc[1]=bc[2] }
I didn't look at the rest of the module, please feel free to come back if you run into more trouble.
Stephan
--
You received this message because you are subscribed to the Google Groups "tlaplus" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tlaplus+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/tlaplus/8bbc83f3-9900-4230-baa5-c3f5af7d0514n%40googlegroups.com.
Leander Jehl
Nov 20, 2020, 7:38:55 AM11/20/20
to tlaplus
Hi Stephan,
thanks a lot for the help.
I was able to prove all my properties.
Leander
thanks a lot for the help.
I was able to prove all my properties.
I'm including a link to my proofs in case anyone else is interested: https://github.com/leandernikolaus/hotstuff-ivy/blob/tla/tla-spec/Tree.tla
Leander
Reply all
Reply to author
Forward
0 new messages