[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [tlaplus] Re: Checking implementation

Ok, so I should try with refinement maps. I did make it clear, but the variables y and z behave differently in M1 and M2, that's why I want to hide them. When TLC checks the property Spec => M1!Spec, it looks for variables with same names (in M1 and in M2) and compares their behaviors, is it correct? So my problem would be solved if I changed the names of y and z in module M1? Thanks


2018-05-19 10:44 GMT-03:00 Ron Pressler <ron.pr...@xxxxxxxxx>:

The only way you can currently check it in TLC is with a refinement mapping (from M2 to M1) that you have to write yourself. In your case it seems simple enough as M2's state contains M1's, so it's a trivial matter (just Spec => M1!Spec [1]). In other cases, adding auxiliary variables is necessary, and may make this harder.

The theoretical issue is that the problem of checking temporal existential quantification is co-NP-hard in the number of states. I once started to think of an algorithm that may be able to do it in linear time for some/many practical instances but put it aside for now.


[1]: In general for existential quantification, A ⇒ B ⊦ A ⇒ ∃x. B

You received this message because you are subscribed to the Google Groups "tlaplus" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tlaplus+unsubscribe@googlegroups.com.
To post to this group, send email to tla...@xxxxxxxxxxxxxxxx.
Visit this group at https://groups.google.com/group/tlaplus.
For more options, visit https://groups.google.com/d/optout.

Pedro Yuri Arbs Paiva
Engenheiro Eletrônico
Instituto Tecnológico de Aeronáutica (T-16)
(+55) 12 98106-4129