[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [tlaplus] Meta-theorem (induction lemma) in TLA+

By the way, is there any way to declare a formula including variables by "NEW <something> Invariant"?

For introducing new identifiers in assumptions you can write

NEW [ CONSTANT | STATE | VARIABLE | ACTION | TEMPORAL ] <id>

and if you don't specify a level, it defaults to CONSTANT. For a state-level formula such as an invariant, you want to write

NEW STATE Inv

Regards,
Stephan


2019年7月29日月曜日 15時52分56秒 UTC+9 Stephan Merz:
Hello,

for a lemma involving temporal operators to be useful, its hypotheses should be "boxed", i.e. occur in the scope of an always operator. For example, you could state

LEMMA BoxImplies ==
  ASSUME NEW TEMPORAL F, NEW TEMPORAL G,
         []F, [](F => G)
  PROVE  []G

and then use this lemma somewhere in a proof about temporal properties. For details, please see section 8.3 of [1]. In practice, we never state lemmas of (propositional) temporal logic because the PTL decision procedure proves them automatically.

Also note that your proof only goes through only because "NEW Invariant" implicitly means "NEW CONSTANT Invariant", hence the formula Invariant' in steps <1>2 and <1>3 gets rewritten to Invariant, and these steps are therefore tautologies. It is certainly not what you had in mind.

Regards,
Stephan

[1] http://lamport.azurewebsites.net/tla/tla2-guide.pdf

On 25 Jul 2019, at 18:55, shinsa82 <shin...@gmail.com> wrote:

I want to prove a meta-theorem (or induction lemma, tactic) for a specification and reuse it in other proofs, like Coq.
I wonder if its possible or not.

Consider the following spec:

----
vars == <state variables>

Act1 == ...
Act2 == ...

Next == Act1 \/ Act2
Spec == Init /\ [][Next]_vars
----

Then we expect the following lemma hold for any non-temporal formula "Invariant", and we want to use it to prove, say, its type invariance.
(I know its too simple. Actually I want to consider more complicated cases)
I was able to prove the lemma, but I could not "apply" the lemma to the type invariant theorem.
Is there anything wrong?

----
LEMMA SpecInduction == 
    ASSUME
        NEW Invariant,
        ASSUME Init PROVE Invariant,
        ASSUME Invariant, Act1 PROVE Invariant',
        ASSUME Invariant, Act2 PROVE Invariant',
    PROVE
        Spec => []Invariant
PROOF
    <1>1. Init => Invariant OBVIOUS
    <1>2. Invariant /\ Next => Invariant' OBVIOUS
    <1>3. Invariant /\ UNCHANGED vars => Invariant' OBVIOUS

    <1> QED BY PTL, <1>1, <1>2, <1>3 DEF Spec
----

-- 
You received this message because you are subscribed to the Google Groups "tlaplus" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tla...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/tlaplus/61020587-764f-43bf-859f-24001b37baa4%40googlegroups.com.


-- 
You received this message because you are subscribed to the Google Groups "tlaplus" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tlaplus+unsubscribe@xxxxxxxxxxxxxxxx.
To view this discussion on the web visit https://groups.google.com/d/msgid/tlaplus/d3afd887-ba2f-4b58-b001-b5484a6f5da1%40googlegroups.com.

--
You received this message because you are subscribed to the Google Groups "tlaplus" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tlaplus+unsubscribe@xxxxxxxxxxxxxxxx.
To view this discussion on the web visit https://groups.google.com/d/msgid/tlaplus/32628BBC-D4E2-4D10-8361-A15125D09CB7%40gmail.com.