TLA+ has syntactic rules to make it impossible to write a formula that is not insensitive to stuttering--formulas like [](x'=x+1).  Whether an arbitrary formula made with [] and ' is insensitive to stuttering is undecidable.  To keep the language simple, TLA+ uses rules that are stronger than necessary, but handle all the formulas that people should write.  (For reasons I won't go into, writing complicated temporal logic formulas is a bad idea.)  So you should understand the formulas that TLA+ does allow you to write, and don't try writing ones that TLA+ doesn't allow.  You will find that TLC doesn't handle many properties that are legal TLA+ formulas that one would sometimes like to write.  This is because those other properties don't arise very often, so enhancing TLC to handle them has low priority.

Leslie
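
The stuttering point made in the message above, as an added Python illustration that is not part of the original thread or of the TLA+ tools. It assumes finite lists of states as stand-ins for TLA+'s infinite behaviors, and all function names are hypothetical. It evaluates the raw formula [](x'=x+1) and the box-action formula [][x'=x+1]_x on a behavior and on the same behavior with stuttering steps added.

```python
# Added illustration: finite behaviors stand in for the infinite ones TLA+ uses.
# A state is a dict; a step is a pair of consecutive states.

def steps(behavior):
    """Return every (current, next) pair of states in the behavior."""
    return list(zip(behavior, behavior[1:]))

def always_action(action, behavior):
    """Raw [](A): the action must hold on every step, stuttering steps included."""
    return all(action(s, t) for s, t in steps(behavior))

def always_box_action(action, var, behavior):
    """[][A]_var: every step satisfies A or leaves var unchanged."""
    return all(action(s, t) or s[var] == t[var] for s, t in steps(behavior))

def add_stuttering(behavior, repeats=2):
    """Repeat each state, which inserts steps that change nothing."""
    return [dict(s) for s in behavior for _ in range(repeats)]

def destutter(behavior):
    """Collapse consecutive identical states back into one."""
    out = []
    for s in behavior:
        if not out or out[-1] != s:
            out.append(s)
    return out

def incr(s, t):
    """The action x' = x + 1."""
    return t["x"] == s["x"] + 1

# Constructed sample behavior: x counts 0, 1, 2, 3.
COUNTING = [{"x": n} for n in range(4)]
STUTTERED = add_stuttering(COUNTING)

def compare():
    """Truth value of each formula on the behavior and on its stuttered variant."""
    return {
        "raw": (always_action(incr, COUNTING), always_action(incr, STUTTERED)),
        "boxed": (always_box_action(incr, "x", COUNTING),
                  always_box_action(incr, "x", STUTTERED)),
    }

if __name__ == "__main__":
    print(compare())
```

The raw formula changes truth value when stuttering steps are added, while the box-action form gives the same answer on both behaviors.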

On Tuesday, April 27, 2021 at 9:16:18 PM UTC-7 ns wrote:
I don't have any objection to what you just stated but I'm not seeing how it addresses my question. Consider the following
[](p => []q)                                           (1)
This is saying that for every state, if p holds then henceforth in every state q must hold. By the same reasoning, I don't see why you can't have an "action oriented" version of this
[] [A => [][B]_vars]_vars                              (2)
which would read "for every step, if A holds of that step then henceforth B in every step or UNCHANGED vars must hold, or UNCHANGED vars". I hope that conveys my question a little better.

thanks

On Friday, April 23, 2021 at 6:20:26 PM UTC-7 andrew...@xxxxxxxxx wrote:
The logical formula in your action property must be true or false of a pair of states. The []F temporal operator is true or false of an infinite series of states.

Andrew

On Friday, April 23, 2021 at 3:38:28 PM UTC-4 ns wrote:
If I have a property of the form
[][A => (p /\  [] (q  =>  r))]_vars                                           (1)
where A is an action and p,q,r are state predicates, I get two complaints:

Level error in applying operator $SquareAct:
The level of argument 1 exceeds the maximum level allowed by the operator.
and
=> has both temporal formula and action as arguments.

If I remove the nested [] then both complaints go away (and TLC is fine with it too)
[][A => (p /\  (q  =>  r))]_vars                                                     (2)
However, even if I replace the A with another state predicate the second complaint still remains.
Could someone tell me where I'm going wrong? I don't recall seeing any restriction on nesting of temporal operators in the Specifying Systems book but I could have quite easily missed it. Regarding why TLC accepts the second formula (2), I assume it's "nice" because it's considered a Box-Action formula?

thanks
