[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [tlaplus] Possible TLC soundness bug when checking temporal properties
- From: "'Leslie Lamport' via tlaplus" <tlaplus@xxxxxxxxxxxxxxxx>
- Date: Wed, 10 Jul 2024 01:30:21 +0000
- Accept-language: en-US
- Msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=80ad6205-55f2-4880-81b7-2fd47cf64b57;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2024-07-10T01:17:09Z;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;
- References: <0DCE5FB8-B2B0-4DBE-A77A-6EA26C5A527D@lemmster.de>
- Thread-index: AQHa0mQckELrEHuMQ0mBq1tY4PMX97HvKP2Q
- Thread-topic: [tlaplus] Possible TLC soundness bug when checking temporal properties
Should TLC be able to check such a property? I suspect that the error is that TLC should report that it can't check the property. For example, vio1 does not show a counterexample to the property. The behavior that it reports satisfies the property [](~x) , and [](~x) => [](x => y) is a tautology for any formula y.
Is there a spec somewhere of what temporal properties TLC can check? I seem to recall that it doesn't check properties of the form [](F => []G). (Such properties, with F and G state predicates, have to be proved in proofs of liveness properties.)
Leslie
-----Original Message-----
From: tlaplus@xxxxxxxxxxxxxxxx <tlaplus@xxxxxxxxxxxxxxxx> On Behalf Of Markus Kuppe
Sent: Tuesday, July 9, 2024 17:57
To: tlaplus@xxxxxxxxxxxxxxxx
Subject: [tlaplus] Possible TLC soundness bug when checking temporal properties
Federico Ponzi has identified a soundness bug in TLC that affects the verification of temporal properties, when TLC is configured with more than the default number of worker threads. This bug has existed since at least 2009 and possibly since support for the verification of temporal properties was first introduced.
The bug is caused by a concurrency issue in TLC, and we consider the likelihood of encountering this bug to be very low. However, it remains a critical issue that needs to be addressed.
For immediate mitigation, please check temporal properties using only a single worker (command line flag: `-workers 1`). Again, TLC runs with a single worker by default.
We are working on a fix and will release a new version of TLC once the bug is resolved. Announcements regarding the new release will be made here. For technical details or to offer help, please refer to the GitHub issue at https://github.com/tlaplus/tlaplus/issues/971.
Markus
--
You received this message because you are subscribed to the Google Groups "tlaplus" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tlaplus+unsubscribe@xxxxxxxxxxxxxxxx.
To view this discussion on the web visit https://groups.google.com/d/msgid/tlaplus/0DCE5FB8-B2B0-4DBE-A77A-6EA26C5A527D%40lemmster.de.
--
You received this message because you are subscribed to the Google Groups "tlaplus" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tlaplus+unsubscribe@xxxxxxxxxxxxxxxx.
To view this discussion on the web visit https://groups.google.com/d/msgid/tlaplus/MN0PR21MB3727381EA1669650530E2532B8A42%40MN0PR21MB3727.namprd21.prod.outlook.com.