# [tlaplus] Utilizing refinement in an inductive proof

Let's say that I have two specs, SpecWeak and SpecStrong, with next state relations SpecWeakNext and SpecStrongNext, respectively. I have proven that

(T1) SpecStrong => SpecWeak
(T2) SpecWeak /\ []C => []Safety

where C and Safety are some state predicates. That is, SpecStrong is a refinement of SpecWeak, and SpecWeak satisfies Safety under an assumption that []C holds.

Now, I want to prove that SpecStrong => []C. I can do this by finding an inductive invariant IC such that IC => C. As part of the proof, I will need to prove this inductive step:

(T3) IC /\ SpecStrongNext => IC'

Now, my question is about whether we can re-use (T1) to help prove (T3). Intuitively, it seems that if we assume a "strong induction" approach, then rather than assuming that IC holds only in the current state, we can also assume it held in all states leading the current one. Additionally, we know that every transition we took to get to the current state should have satisfied SpecStrongNext, which, due to (T1), means that each transition also satisfied SpecWeakNext. So, since the finite prefix leading to the current state "satisfies" SpecWeakNext and IC, by (T2) we should be able to assume that Safety held in every state of this prefix, up to and including the current state, allowing us to use Safety in our inductive step i.e.

(T4) IC /\ Safety /\ SpecStrongNext => IC'

I acknowledge that some of these concepts are not formally defined e.g. usually we only talk about infinite traces "satisfying" a temporal formula. The intuition seems sound, though. I'm curious if there's a better formalization of this technique or precedent for this kind of proof structure.

--
You received this message because you are subscribed to the Google Groups "tlaplus" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tlaplus+unsubscribe@xxxxxxxxxxxxxxxx.