Checking if a set is a singleton

[Mathew Kuthur James]

Hi,

In TLA+, given a set S, I understand that it's better to write S = {} than writing Cardinality(S) = 0. Is there a similar method to check if S is a singleton set, that beats using Cardinality(S) = 1? I am considering using singleton(S) == (\A x \in S : \A y \in S : x = y) /\ (S \= {})

In general, is the Cardinality function costly in terms of model-checking performance, such that there are performance gains by using set comprehension for checking if a set is a singleton or empty (readability concerns aside)? What sort of test would I need to run to observe the performance gap, if one exists?

[Felipe Oliveira Carvalho]

Have you tried something along these lines?

forall a, b in S: a = b

--
You received this message because you are subscribed to the Google Groups "tlaplus" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tlaplus+u...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/tlaplus/9a03af10-86d8-44bf-8c39-677d9b02e5d5n%40googlegroups.com.

[Stephan Merz]

Equivalently to what you suggest, you can write \E x \in S : S = {x} or \E x \in S : \A y \in S : y = x. Evaluating the latter has quadratic complexity in TLC because it will enumerate all elements of S for both quantifiers. As far as TLC is concerned, there is no performance penalty in evaluating an expression such as Cardinality(S) = 1.

Note that Cardinality(S) is well-defined only for a finite set S. The semantics of TLA+ doesn’t specify if Cardinality(Nat) = 0, Cardinality(Nat) = 42 or Cardinality(Nat) = "foobar". That doesn’t matter much for model checking where variables cannot take on infinite sets anyway, but it may be a concern for theorem proving. In particular, the backend provers used by TLAPS don’t provide automation for reasoning about Cardinality.

Stephan