
Re: [tlaplus] Symmetry sets



Hello Philip,

I cannot reconcile these two statements.  Suppose the original CHOOSE expression gives v1.  After the same substitution as in the first quote, the CHOOSE expression gives v3.  Is that not "equal to the original expression", in the same way that the tuples above are equal?

{{v1, v2}, {v1, v3}, {v2, v3}} is not a tuple, but a set (of sets), and sets are unordered. Therefore, {{v3, v2}, {v3, v1}, {v2, v1}} is the same set as the first one. But note that you cannot even write this set unless you have access to the names of its elements.

What is unique about CHOOSE that it is "the only TLA+ operator that can produce a non-symmetric expression"?

A CHOOSE expression allows you to name an element of the set, distinguishing it from the others.

Suppose we have a constant parameter S, instantiated to the set of model values {v1,v2,v3}, and a definition

  someS == CHOOSE x \in S : TRUE

Then the expression

  IF s = someS THEN 0 ELSE 42

returns 0 for the chosen value but 42 for the others and is therefore not symmetric in S. This shows that S cannot be declared as a symmetry set for a specification that contains these entities.

The other TLA+ operators do not allow you to name elements of your parameter sets, for example you cannot explicitly build the tuple

  << v1, v2, v3 >>

which would not be symmetric in S. In contrast, expressions such as

  { seq \in Seq(S) : Len(seq) = 3 }

i.e., the set of all triples built from S, are symmetric. 

In contrast, replacing the definition of someS with the operator definition

  notS == CHOOSE x : x \notin S

does not destroy symmetry of the specification with respect to S. In particular, the test

  s = notS

returns FALSE for all elements of S.

In summary, symmetry reduction is very helpful for model checking, but deciding if a parameter can be declared as a symmetry set for a given specification can be subtle.

Regards,
Stephan
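
As an added illustration (this script is not part of Stephan's reply, of Philip's question, or of the TLA+ documentation), the following Python code makes the symmetry test from the documentation mechanical: a value is symmetric in S when renaming the model values of S by any permutation leaves the value unchanged. It assumes model values are represented as Python strings, uses min() as a deterministic stand-in for TLC's CHOOSE, represents TLA+ sets as frozensets, sequences as tuples, and functions with domain S as sets of (argument, result) pairs; the names NOT_S, choose, apply_perm, symmetry_witness and classify are all constructed for this example.

```python
from itertools import combinations, permutations, product

# Constructed stand-ins for the model values v1, v2, v3 of the constant S
# (assumption: model values are represented as Python strings).
S = frozenset({"v1", "v2", "v3"})
# Stand-in for notS == CHOOSE x : x \notin S, i.e. some value outside S.
NOT_S = "outside"


def choose(S):
    """Deterministic stand-in for CHOOSE x \\in S : TRUE.  TLC also picks one
    fixed element; which element is picked does not matter for the argument."""
    return min(S)


def apply_perm(value, perm):
    """Rename model values according to perm (a dict v -> v'), recursing into
    tuples (TLA+ sequences) and frozensets (TLA+ sets).  Anything that is not
    a model value of S (integers, booleans, NOT_S) is left unchanged."""
    if isinstance(value, str):
        return perm.get(value, value)
    if isinstance(value, tuple):
        return tuple(apply_perm(v, perm) for v in value)
    if isinstance(value, frozenset):
        return frozenset(apply_perm(v, perm) for v in value)
    return value


def symmetry_witness(value, S):
    """Return None if value is unchanged by every permutation of S; otherwise
    return the first permutation (as a dict) that changes the value."""
    elems = sorted(S)
    for image in permutations(elems):
        perm = dict(zip(elems, image))
        if apply_perm(value, perm) != value:
            return perm
    return None


def is_symmetric(value, S):
    """The documentation's criterion: no permutation of S changes the value."""
    return symmetry_witness(value, S) is None


def function_over(S, body):
    """A TLA+ function [s \\in S |-> body(s)] as a set of (argument, result) pairs,
    so that an expression with a free variable s can be tested as one value."""
    return frozenset((s, body(s)) for s in S)


# The expressions discussed in the thread, evaluated to values.
EXAMPLES = {
    # {{v1, v2}, {v1, v3}, {v2, v3}}
    "pairs": frozenset(frozenset(p) for p in combinations(S, 2)),
    # { seq \in Seq(S) : Len(seq) = 3 }
    "triples": frozenset(product(S, repeat=3)),
    # someS == CHOOSE x \in S : TRUE
    "someS": choose(S),
    # << v1, v2, v3 >>, written by naming the elements
    "named_tuple": ("v1", "v2", "v3"),
    # [s \in S |-> IF s = someS THEN 0 ELSE 42]
    "if_someS": function_over(S, lambda s: 0 if s == choose(S) else 42),
    # [s \in S |-> s = notS]
    "eq_notS": function_over(S, lambda s: s == NOT_S),
}


def classify(examples, S):
    """Map each example name to True (symmetric in S) or False."""
    return {name: is_symmetric(value, S) for name, value in examples.items()}


if __name__ == "__main__":
    for name, value in EXAMPLES.items():
        witness = symmetry_witness(value, S)
        status = "symmetric" if witness is None else f"broken by {witness}"
        print(f"{name:12s} {status}")
```

The point the script makes explicit is that "equal to the original expression" means the renamed value must be the same value: the set of pairs and the set of triples survive every permutation, and so does the function s = notS (it is FALSE everywhere), whereas the CHOOSE result, the tuple written with element names, and the function built on someS are all changed by some swap of model values, which is exactly what makes them unsafe under a symmetry declaration for S.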


On 14 Feb 2019, at 00:49, Philip White <philip@xxxxxxxxxxxxx> wrote:

Hello, TLA enthusiasts,

I'm having trouble understanding when it is safe to use symmetry sets.

This documentation at https://tla.msr-inria.inria.fr/tlatoolbox/doc/model/model-values.html says:

The expression {{v1, v2}, {v1, v3}, {v2, v3}} is symmetric for the set {v1, v2, v3} -- for example, interchanging v1 and v3 in this expression produces {{v3, v2}, {v3, v1}, {v2, v1}}, which is equal to the original expression.

then it says:

`CHOOSE x \in {v1, v2, v3} : TRUE` is not symmetric for {v1, v2, v3}.

I cannot reconcile these two statements.  Suppose the original CHOOSE expression gives v1.  After the same substitution as in the first quote, the CHOOSE expression gives v3.  Is that not "equal to the original expression", in the same way that the tuples above are equal?

What is unique about CHOOSE that it is "the only TLA+ operator that can produce a non-symmetric expression"?

Thanks for any insights.


Philip


--
You received this message because you are subscribed to the Google Groups "tlaplus" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tlaplus+unsubscribe@xxxxxxxxxxxxxxxx.
To post to this group, send email to tlaplus@xxxxxxxxxxxxxxxx.
Visit this group at https://groups.google.com/group/tlaplus.
For more options, visit https://groups.google.com/d/optout.