19 views

### hua...@gmail.com

Apr 21, 2021, 11:48:27 PMApr 21
to tlaplus
Folks,

For an TLA's action, which is essentially a boolean expression, does it ONLY relate to two variables(primed or non-primed)?

For instance,  x' + 1 =y. (Please refer to Section 2.3 in Lamport's seminal paper "The Temporal Logic of Actions"-ACM 1993).

Can we have an  x' + 1 = y+z  as an action? If yes, how we define the "old state" and the new state with the postfix notation? maybe define a super-state to cover (y, z)?

Thanks huge,

Huailin

### Andrew Helwer

Apr 22, 2021, 9:37:59 AMApr 22
to tlaplus
Hi Huailin,

The formula x' + 1 = y + z is syntactically valid and can be used in an action property, but if you want to use TLC it cannot be used in an action itself. See Specifying Systems p238 for the expressions TLC can handle when computing successor states; they include expressions of the form:
• x' = e
• x' \in S
• UNCHANGED x
Andrew

### Huailin

Apr 22, 2021, 5:06:30 PMApr 22
Thanks a lot, Andrew.

From Lamport's paper or/and the book,

"An action represents a relation between old states and new states, where is unprimed variables refer to the old state and the primed variables refer to the new state."

and

"Formally, the meaning [[A]] of an action A is a relation between states--a function that assigns a boolean s[[A]]t to a pair of states s, t. "

Hence, if I have an action described as my previous email: x' + 1 = y+z
then the meaning of s[[x' + 1 = y+z ]] t:

s: (x, y,z) values.

t: (x', y,z) values. /* y and z are not changed after this action

In other words, in TLA, the state is NOT 1:1 mapped to a variable, but to the whole set of the variables.

Am I correct?

Thanks,

Huailin

--
You received this message because you are subscribed to a topic in the Google Groups "tlaplus" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/tlaplus/8tZQbkMScgU/unsubscribe.
To unsubscribe from this group and all its topics, send an email to tlaplus+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/tlaplus/f0c51d43-c594-44af-a30b-ded598c34182n%40googlegroups.com.

### Isaac DeFrain

Apr 22, 2021, 5:34:58 PMApr 22
Hello Huailin,

Yes, a state in TLA+ is an assignment of values to all variables declared in the spec. For example, if you have variables x, y, and z declared, then to define a state, we must provide values for each variable x, y, and z.

You can try defining an action, say Action, which does not say how the value of z, for example, changes between states. TLC will throw the following error: Successor state is not completely specified by action Action of the next-state relation. The following variable is not assigned: z.

For example, the spec:

---- MODULE Variables ----

EXTENDS Naturals

VARIABLES x, y, z

Action1 ==
/\ x < 10
/\ x' = x + 1
/\ y' = y + 1

Action2 ==
/\ x < 10
/\ y + z >= 1
/\ x' = y + z - 1
/\ UNCHANGED <<y, z>>

Init ==
/\ x = 0
/\ y = 0
/\ z = 0

Next == Action1 \/ Action2

Spec == Init /\ [][Next]_<<x, y, z>>

====

Action1 does not specify the value of z in a successor state... Maybe you actually do not want the value of z to change so you can add UNCHANGED z to Action1 and TLC will perform a successful model check.

Note: x' = y + z - 1 is equivalent to x' + 1 = y + z, but as Andrew suggested, you must write it in the form x' = y + z - 1 in order for TLC to evaluate it properly.

Best,

Isaac DeFrain

You received this message because you are subscribed to the Google Groups "tlaplus" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tlaplus+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/tlaplus/CAE7Z%3D%2B7X96c9p%3DoKvBMPJe2DUmD2J07VJS775GOQX3qHw%3DY9iw%40mail.gmail.com.

### Andrew Helwer

Apr 22, 2021, 5:37:45 PMApr 22
to tlaplus
I can't really speak to how it works with TLA, but in TLA+ you would need more than the formula x' + 1 = y + z to fully specify the successor state. For one, you would need to specify that y and z remain unchanged, since the formula x' + 1 = y + z would be true even if y and z were to have silly values in successor state t, like y = "green eggs" and z = "ham".

In general a state is an assignment of values to all variables. A spec just captures a small number of those variables out of all the variables in the system, and the world. And each action in the spec must fully specify the values of each spec variable.

Andrew