[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[tlaplus] Re: Regular LTL safety properties as Refinement

> sense since refinement is fundamentally a liveness property,
>  I don't know if it makes sense to talk about refinement as a safety property.

Not sure where you're going but as a first approximation both property satisfaction and refinement are both just trace inclusion (traces of the concrete system must be included in the traces of the specification, or the abstract system in case of refinement), or implication in TLA in particular (since implication between two formulas translates to set inclusion between their traces). This is only true if the state space is the same; if not, then you also need a mapping between the two state types (which can be achieved using the WITH clauses in INSTANCE statements). 

Safety/liveness doesn't come into play here yet in my mind. Where they do come into play is when you start having to prove property satisfaction. If you have a transition system (AKA state machine), i.e., something described with Init and Next predicates, you usually prove refinement by proving that any step taken by the concrete system can be simulated by a step taken by the abstract system. This establishes only the safety property, namely that the finite traces of the concrete system are included in the (finite) traces of the abstract system. Which, I think, goes into the direction of what you're saying. Namely, often the simplest way to write a *safety* property down is to create a transition system implementing the property. Writing such a system (e.g., a TLA model with Init and Next) is a more "operational" way of stating the property than a "declarative" description of an LTL formula, but LTL formulas can quickly become undecipherable (if you want to go really inscrutable, you can go beyond LTL write a mu calculus formula with a couple of fixpoints thrown in...). Lamport and Abadi's "Existence of refinement mappings" treats this in more detail.

Also, in my mind (but I'm hardly an LTL expert), the LTL labeling function is mainly about splitting up the "observable" vs "internal" variables. The observable variables in this case being propositions, which extract the interesting parts of the opaque internal state of the system.

For me personally, the big practical win of TLA over LTL is more in the + part of TLA. Having an expressive logic (first-order logic + recursive operators) to encode your system in and then usually being able to model check it in practice is much nicer compared to having to do gymnastics to encode your system in propositional logic.

On Wednesday, June 18, 2025 at 4:25:05 PM UTC+2 Andrew Helwer wrote:
Lately I've been trying to learn how TLC does liveness checking by reading sections of the textbooks Principles of Model Checking (Baier, Katoen, 2008) and Temporal Verification of Reactive Systems (Manna, Pnueli, 1995). The literature is all about checking LTL (Linear Temporal Logic) formulas generally, and while TLA+ isn't exactly the same as LTL it's at least a linear temporal logic (as opposed to branching temporal logic) so the concepts are broadly transmissible. The main difference I've found is that TLA+ requires all formulas to be stuttering-insensitive.

Before learning how LTL liveness properties are checked I've been going through the introductory safety property chapters to build familiarity with LTL vocabulary. In TLA+ we have two types of safety properties, basic invariants which are checked in each state and action-level properties [][A]_v which check that every step taken satisfies some formula A over primed & unprimed variables. LTL tries to address a much broader class of safety properties, and of interest here are regular safety properties. Regular as in "regular language", "regular _expression_", etc., not as in "ordinary". Basically it means the set of properties that can be checked by sending a state trace into a finite automaton; if the trace ends in the automaton's accept state, the trace is a counterexample to the property.

At first glance TLA+ doesn't seem to directly support regular safety properties, beyond the standard tactic of moving various "hasVisited" type flags into the user variable space so the safety property can be written as a standard invariant over those variables. But it strikes me that this bears some resemblance to refinement! In LTL there's a labeling operator, where system states are projected onto subsets of atomic propositions that are fed into the finite automaton, which looks quite a bit like transforming variables in the INSTANCE AbstractSpec WITH val <- op(x) syntax usually used with refinement. And the state graph of the abstract spec is sort of like a finite automaton, although there isn't an accept state that would falsify a trace.

In fact, I have found myself thinking of refinement as a "whole system safety property", which doesn't really make sense since refinement is fundamentally a liveness property, but from this perspective maybe it does. Refinement lets you express "safety" properties like "your system will go through this series of states in this order" which standard invariants can't really capture. So this might explain why I find refinement more intuitive than encoding properties in temporal logic expressions in TLA+.

Of course, the technical difference between safety and liveness properties is that safety properties can be falsified by finite traces, while liveness properties can only be falsified by infinite traces (in practice, a finite series of states ending in an infinite loop). So on those grounds I don't know if it makes sense to talk about refinement as a safety property.

Anyway this was kind of meandering but it's been rolling around my head so I thought I would type it up.

Andrew Helwer

--
You received this message because you are subscribed to the Google Groups "tlaplus" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tlaplus+unsubscribe@xxxxxxxxxxxxxxxx.
To view this discussion visit https://groups.google.com/d/msgid/tlaplus/635decef-2106-485f-912a-b0dea81e794an%40googlegroups.com.