Temporal formulas containing actions must be of forms <>[]A or []<>A.at util.Assert.fail(Assert.java:64)at tlc2.tool.liveness.Liveness.classifyExpr(Liveness.java:727)at tlc2.tool.liveness.Liveness.processLiveness(Liveness.java:566)at tlc2.tool.liveness.LiveCheck.init(LiveCheck.java:36)
Spec /\ []<><<TRUE>>_AllVars
Liveness
The error occurred when TLC was checking liveness.The exception was a java.io.IOException: Negative seekoffsetjava.io.IOException: Negative seek offsetat java.io.RandomAccessFile.seek(Native Method)at tlc2.util.BufferedRandomAccessFile.seek(BufferedRandomAccessFile.java:212)at tlc2.tool.liveness.DiskGraph.getNode(DiskGraph.java:145)at tlc2.tool.liveness.DiskGraph.getPath(DiskGraph.java:309)at tlc2.tool.liveness.LiveWorker.printTrace(LiveWorker.java:521)at tlc2.tool.liveness.LiveWorker.checkComponent(LiveWorker.java:290)at tlc2.tool.liveness.LiveWorker.checkSccs(LiveWorker.java:119)at tlc2.tool.liveness.LiveWorker.run(LiveWorker.java:613)
http://bugzilla.tlaplus.net/show_bug.cgi?id=293
I tried one further thing. I defined a 'legitimate termination' condition for the system, in which no progress could be made. This is true if no 'public APIs' are enabled (i.e. no new operations can be started), and all existing operations have been driven as far as they can be without new operations being started. i.e. It's legitimate deadlock. I did verify that my legitimate-termination condition is possible, by checking that the invariant ~ LegitimateTermination is violated in the expected case.
I then changed my liveness property to:
Liveness == \A id \in Ids : MyProperty(id) ~> (\/ SomeOtherProperty(id)
\/ LegitimateTermination)
i.e. This is the moral equivalent of my '\/ HenceforthStuttering' approach earlier.
I then tried checking my known-to-be-incorrect liveness properties. But TLC again failed to find any violations on models that I believe should exhibit those violations.
Finally, I tried intentionally 'breaking' my specification by injecting bugs to prevent some operations from making progress. In that case TLC did correctly report deadlock. It didn't report that my liveness property was violated -- it just hit states in which the Next action was not enabled.
I don't really know what to try next. Perhaps the problem is with my spec or liveness property; I'll try Leslie's examples from the hyperbook and Specifying Systems.
thanks,
Chris
On Saturday, October 13, 2012 10:50:18 AM UTC-7, Stephan Merz wrote:
Hi Chris,unfortunately, TLC doesn't check arbitrary temporal properties. "Implied temporal formulas" are restricted to "simple temporal formulas", which may only contain action sub formulas of the form WF_v(A), SF_v(A), []<><A>_v or <>[][A]_v (cf. Section 14.2.4, AFAIK this is still true of current versions of TLC). Your subformula HenceforthStuttering is even simpler, but not a "simple temporal formula" in that sense.I'd suggest that you rewrite your property so that TLC will accept it. For example, trySpec /\ []<><TRUE>_vars => Liveness(for your original definition of liveness). In this way, the liveness property will only be evaluated over behaviors that do not end in infinite stuttering.However, checking liveness properties in the presence of state constraints can be really tricky because the specification may not assert what you think it does. In particular, see section 14.3.5 of the TLA+ book.Hope this helps,StephanOn Oct 12, 2012, at 11:09 PM, Chris Newcombe <chris...@xxxxxxxxx> wrote:I'm trying to use TLC to check liveness properties for the first time.I'm using a state-constraint with TLC, as I described in a previous message: https://groups.google.com/d/msg/tlaplus/ nfd1H-tZbe8/eCV3DNKZOicJ My liveness property is a simple leads-to formula:Liveness == \A id \in Ids : MyProperty(id) ~> SomeOtherProperty(id)TLC finds counter-examples in which the (temporal) antecedent is satisfied (for some id in some state), but the consequent is never satisfied because the behavior generated by TLC is artificially truncated -- i.e. ends with infinite stuttering -- because of the state-constraint.As the counter-example ends in infinite stuttering, I tried weakening the liveness property to allow that:HenceforthStuttering == [] UNCHANGED AllVars \* all future steps don't change any variables
Liveness == \A id \in Ids : MyProperty(id) ~> (\/ SomeOtherProperty(id)
\/ HenceforthStuttering)
But that's not valid TLA+ because the definition of HenceforthStuttering is not a legal TLA+ formula. The toolbox says:Parse error: [] followed by action not of the form [A]_v
So I tried:HenceforthStuttering == [][UNCHANGED AllVars]_AllVars \* all future steps don't change any variables
That parses, but TLC now fails immediately with:Temporal formulas containing actions must be of forms <>[]A or []<>A.What am I missing? I did wonder if, rather than weakening the liveness property, there might be a way to change the state-constraint such that it wouldn't cause the liveness property to be artificially violated. But I don't currently see how to do that.many thanks,Chris--
You received this message because you are subscribed to the Google Groups "tlaplus" group.
To post to this group, send email to tla...@xxxxxxxxxxxxxxxx.
To unsubscribe from this group, send email to tlaplus+u...@googlegroups.com .
Visit this group at http://groups.google.com/group/tlaplus?hl=en .