Why does this liveness property not work?


Andrew Helwer

Oct 3, 2024, 10:18:00 AM
to tlaplus
Here's a simple spec with a variable x that counts from 1 to 5 then stutters at 5 forever:

---- MODULE Test ----
EXTENDS Naturals
VARIABLE x
Init ≜ x = 1
Next ≜
  IF x = 5 THEN UNCHANGED x
  ELSE x' = x + 1
Spec ≜ Init ∧ □[Next]_x ∧ WF_x(Next)
Liveness ≜ (x = 1) ⇒ ◇□(x = 5)
====

However, when I try to check property Liveness with TLC I get this error:

Starting... (2024-10-03 10:15:19)
Implied-temporal checking--satisfiability problem has 1 branches.
Computing initial states...
Finished computing initial states: 1 distinct state generated at 2024-10-03 10:15:19.
Error: Temporal properties were violated.

Error: The following behavior constitutes a counter-example:

State 1: <Initial predicate>
x = 1

2 states generated, 2 distinct states found, 1 states left on queue.
The depth of the complete state graph search is 2.
Finished in 00s at (2024-10-03 10:15:19)

Why is this?

Andrew

Stephan Merz

Oct 3, 2024, 10:47:19 AM
to tla...@googlegroups.com
Interesting observation. I notice that TLC (correctly) verifies the following variants of the property:

Liveness == <>[](x = 5)
Liveness == (x = 1) /\ <>[](x = 5)
Liveness == (x = 0) => <>[](x = 0)

Stephan
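
Added example (not from any poster in this thread, and not TLC's algorithm): a small Python check that enumerates behaviors of the spec above as prefix-plus-loop lassos, applies weak fairness, and evaluates the original property and the three variants listed in the message above. The `max_stutter` bound and all function names are assumptions of this sketch.

```python
from itertools import product

N = 5  # the spec counts x from 1 up to 5

def next_value(x):
    """The Next action of the spec: stay at N, otherwise increment."""
    return x if x == N else x + 1

def lassos(max_stutter=2):
    """Behaviors allowed by Init and [][Next]_x, as (prefix, loop) pairs.

    x climbs from 1 and then stays at some value `stop` forever; every
    earlier value repeats 1..max_stutter times (finite stuttering, bounded
    here only to keep the enumeration finite).
    """
    for stop in range(1, N + 1):
        for reps in product(range(1, max_stutter + 1), repeat=stop - 1):
            prefix = [v for v, r in zip(range(1, stop), reps) for _ in range(r)]
            yield prefix, [stop]

def weakly_fair(loop):
    """WF_x(Next): <Next>_x may not stay enabled forever without occurring."""
    enabled = all(next_value(x) != x for x in loop)   # a step could change x
    taken = any(a != b for a, b in zip(loop, loop[1:] + loop[:1]))
    return taken or not enabled

def first(prefix, loop):
    return (prefix + loop)[0]

def eventually_always(pred, loop):
    """<>[]P for a state predicate P holds iff P holds on the whole loop."""
    return all(pred(x) for x in loop)

PROPERTIES = {
    "(x = 1) => <>[](x = 5)":
        lambda p, l: first(p, l) != 1 or eventually_always(lambda x: x == 5, l),
    "<>[](x = 5)":
        lambda p, l: eventually_always(lambda x: x == 5, l),
    "(x = 1) /\\ <>[](x = 5)":
        lambda p, l: first(p, l) == 1 and eventually_always(lambda x: x == 5, l),
    "(x = 0) => <>[](x = 0)":
        lambda p, l: first(p, l) != 0 or eventually_always(lambda x: x == 0, l),
}

def check(fair_only=True):
    """Map each property to True iff it holds on every enumerated behavior."""
    runs = [(p, l) for p, l in lassos() if weakly_fair(l) or not fair_only]
    return {name: all(prop(p, l) for p, l in runs)
            for name, prop in PROPERTIES.items()}
```

With fairness enforced all four properties hold on every enumerated behavior; with `fair_only=False` the first three fail, because a behavior may then stutter forever at a value below 5.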


Igor Konnov

Oct 7, 2024, 5:35:14 PM
to tla...@googlegroups.com
It does not report any liveness violation in the TLA+ Toolbox for me
(using the ASCII version).

--
Igor

Andrew Helwer

Oct 7, 2024, 7:28:02 PM
to tlaplus
Hmmm, I'm running it from the command line and it does report an error regardless of whether ASCII or Unicode is used.

Andrew

Andrew Helwer

Oct 7, 2024, 7:29:58 PM
to tlaplus
Aha, this inspired me to check it with an older release and it doesn't report an error there! So this seems to be a regression. An excellent opportunity for me to exercise my git bisect skills.

Andrew

Andrew Helwer

Oct 7, 2024, 7:52:41 PM
to tlaplus
Bisecting identified the breaking commit, which occurred in August 2021.

I opened this issue in the repo: https://github.com/tlaplus/tlaplus/issues/1037

Andrew