The formula Spec (and its sub-formulas Init, Next etc.) express the algorithm as a TLA+ specification, and we then want to verify properties such as
Spec => []MutualExclusion
Therefore, Spec does not need to be checked, it can be assumed to hold (the implication is trivially true of state sequences that do not satisfy Spec). Concretely, TLC interprets Init and Next in order to construct the initial state(s) and the successor states of any states it has already constructed. For the latter, it considers the different disjuncts in the definition of Next: any successor state allowed by some of these formulas is allowed by Next. For details on how TLC interprets these formulas, please see Specifying Systems, and if you have not yet done so, watch the video lectures on TLA+.
Regards, Stephan
Thanks for quick explanation.
"Now we can define proc(self) as the fact that one of the previous actions is being accomplished:
proc(self) == \/ a0(self) \/ a1(self) \/ a2(self) \/ a3a(self) \/ a3b(self) \/ cs(self) \/ a4(self)
Finally, we define the Next action, as the fact that either proc is accomplished for one of the processes, or the algorithm has finished (to prevent deadlock on termination).
Next == \E self \in {0,1}: proc(self)"
I have a few questions:
1. When TLC will check proc(self) formula? Will this happen after it checks all previous formula's from a0 to a4? 2. Will proc(self) formula be satisfied when all previous formula's satisfied (a0 to a4)? 3. Next formula is satisfied if proc(self) is satisfied where self is element of 0 and 1 (process 0 or 1). Is this correct?
Thanks in advance!
On Wednesday, February 26, 2020 at 3:49:57 PM UTC+1, Stephan Merz wrote: Hello,
the corresponding TLA+ module is contained in the distribution of the TLA Proof System [1] and also available from [2] (with the temporal reasoning steps omitted because TLAPS didn't support them at the time). In short, the module has the definitions
vars == << flag, turn, pc >> Spec == Init /\ [][Next]_vars This is the idiomatic form of TLA+ specifications: the next-state relation allows stuttering steps in which the variables declared in the specification do not change their values. Stephan
[2] https://members.loria.fr/SMerz/papers/fm2012.html
Hi there,
"The temporal formula Spec is the complete specification. It characterizes behaviors (ω-sequences of states) that start in a state satisfying Init and where every pair of successive states either satisfies Next or else leaves the values of the tuple vars unchanged."
I'm having problem with understanding of tuple vars in specified formula. Can anyone explain to me how these variables (turn, flag and pc) relate to tuple vars? I can understand that some variables stays unchanged during verification, but couldn't get it in final Spec temporal formula.
Best regards,
Mursel
-- You received this message because you are subscribed to the Google Groups "tlaplus" group. To unsubscribe from this group and stop receiving emails from it, send an email to tla...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/tlaplus/b23791fe-5aa0-48b4-ae13-151105e94d3f%40googlegroups.com.
-- You received this message because you are subscribed to the Google Groups "tlaplus" group.To unsubscribe from this group and stop receiving emails from it, send an email to tlaplus+unsubscribe@xxxxxxxxxxxxxxxx.To view this discussion on the web visit https://groups.google.com/d/msgid/tlaplus/17e8cb76-2256-4f80-8b89-982187e33eda%40googlegroups.com.
You received this message because you are subscribed to the Google Groups "tlaplus" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tlaplus+unsubscribe@xxxxxxxxxxxxxxxx.
To view this discussion on the web visit https://groups.google.com/d/msgid/tlaplus/7AA48EF6-EC08-45F8-A8AA-EFAD96963737%40gmail.com.
|