Thank you, Stephan.

Your answer raises a question. "Given a state s, action A may be true for several pairs (s, t) of states, and TLC will compute all successor states t such that A holds of (s, t)."

I believe a "step" is officially defined as "a pair of states." So, given a behavior, a step could be a pair of adjacent or contiguous states, as in (s_i, s_{i+1}), or any pair of states, e.g. (s_i, s_{i+42}). In all examples I've seen, steps are pairs of adjacent states, as in (s_i, s_{i+1}). I think I saw in one of the videos that TLC checks successor state "graph-wise," starting from a state s_i, then constructing a ring outwards from s_i to bunch of candidate s_{i+1} states, then recursively from each candidate s_{+1} state to a bunch more of candidate s_{i+2} states, one out-edge for each action that's enabled in each iteration of that process. Does TLC also check steps from s_i to s_{i+2} etc.?

There is a way to bound this graph-building process, but I forgot where it is in the toolbox.

On Friday, February 12, 2021 at 11:25:05 PM UTC-8 Stephan Merz wrote:

The \/ of TLA+ is ordinary disjunction: an action A \/ B is true for two states if A is true or if B is true, including the case where both A and B are true. TLC will decompose this and check A and B separately. However, remember that given a state s, action A may be true for several pairs (s, t) of states, and TLC will compute all successor states t such that A holds of (s, t). These will in particular include all states t such that A /\ B is true for (s, t), hence there is no need to check for this case separately.In practice, it rarely happens that actions "overlap". For example considerA == x' = x+1 /\ y' = yB == y' = y+1 /\ x' = xThere are no states s, t such that A /\ B is true of (s, t).Stephan

