Re: Tagged formulas

[Leslie Lamport <tlapl...@xxxxxxxxx>]

   Basically I'm looking for a "lowering" operator where:
  
   Lower(x) == the level-0 _expression_ (constant value) which
               is equal to x in this state

I can't think of any way to define such an operator, but it may help
to observe that if Foo is defined by

   Foo(a, b) == a' = e1 /\ b' = e2

Then  \E t : (t=x) /\ Foo(t,y)'  is equivalent to Foo(x, y').

   TLC's requirement that x' be determined in a single _expression_ means
   that I can't write:

  
       \A t \in DOMAIN x : x'[t] = e \* e is some _expression_

  
   This is not a problem when only one variable is involved, as you can
   do:

  
      x' = [t \in DOMAIN x |-> e]

This is exactly the kind of situation that I was talking about.  Those
two formulas are not equivalent.  The second determines the value of
x'.  The first tells you very little about the value of x'.  All it tells
you are the values of x'[t] for t \in DOMAIN x.  It tells you nothing
about the domain of x'.  It doesn't even tell you if x' is a function.
Hence, it's not a sensible formula--at least, not by itself.  The following
formula is equivalent to the second one:

   /\ x' = [t \in DOMAIN x |-> x'[t]]
   /\ \A t \in DOMAIN x : x'[t] = e

but it's hardly simper than the second one.

So, as I wrote before, when TLC doesn't allow you to write something
you think it should, then it's often the case that what you wrote
isn't what you meant to write.  You should learn to read what a
formula says rather than what you want it to say.  This requires that
you stop thinking of TLA+ formula as a program and start thinking of
it as a mathematical assertion.  Occasionally, this is difficult.  For
example, if you write

   f[n \in Nat] == IF n = 0 THEN x ELSE f[n-1]'

it's not easy to realize that if x is a variable, then f[2] is not
equal to the illegal _expression_ (x')'.

Leslie