[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Three questions


1. "Subclassing"/composing records

Is there a way to represent record composition (or subclassing) -- e.g. to have a header reused by several message record "types" (i.e. sets of the form [field1 : ..., field2: ...]) -- that's efficient in TLC? I've tried:

    LOCAL Fields(type) == DOMAIN CHOOSE x \in type : TRUE

    Project(r, type) == [f \in Fields(type) |-> r[f]]

    IsInstance(r, types) == \A type \in types : Project(r, type) \in type

    \* Same as TLC's @@ operator

    Build(r1, r2) == [f \in DOMAIN r1 \cup DOMAIN r2 |-> IF f \in DOMAIN r2 THEN r2[f] ELSE r1[f]]

But aside from Build (TLC's @@), everything else requires an element in the set to get the domain (found by CHOOSE : TRUE), and performing CHOOSE requires enumerating the set, which is something I'd like to avoid.

2. Transition (action) invariants

TLC allows checking invariants in the form of state predicates, or liveness properties in the form of temporal formulas that may specify actions or subactions (e.g. <><A>_var). Can TLC check "action invariants", e.g.  \A x \in {1,2,3} : ~A(k)   ? My intention is to check whether the action (or subaction) A(x) for those particular values of x is ever taken. I don't mean checking if A(x) is ENABLED, but actually taken (i.e., the primed variables are taken into account)

3. Can the _expression_ { <<x, y>> \in { <<x, y>> : x \in 1..3, y \in 2..7 } : y <= x } be written more concisely? I've tried { <<x, y>>  : x \in 1..3, y \in 2..7 : y <= x }, but that doesn't work.