it's not your fault that this proof doesn't go through. The obligation falls into the theory of non-linear integer arithmetic, which is undecidable and for which SMT solvers implement heuristics. Unfortunately, these are quite brittle, in particular when quantifiers are involved as in this case (namely the definition of Divides). At the time when that chapter of the Hyperbook was written, the version of CVC3 that was then the default solver used by TLAPS must have been able to prove that obligation. I now tried CVC3, CVC4 and Z3, and none of them found the proof automatically, so we must break down the proof one level further and indicate the witness terms for the existential quantifier – see below.
Btw, why this module defines Divides and DivisorOf over all Int instead of a subset like in https://tla.msr-inria.inria.fr/tlaps/content/Documentation/Tutorial/Hierarchical_proofs.html? What is the best approach in this case?
I don't think that there is a single best approach. The two definitions differ in that, for example, the Hyperbook versions have Divides(-2,4) or Divides(0,0), in contrast to the versions on the Web page. But for the Euclid algorithm, we are only interested in positive natural numbers (and the GCD theorems are only stated for those), so these differences should not matter.
Regards,
Stephan
-- THEOREM GCD3 == \A m, n \in Nat \ {0}:
(n > m) => (GCD(m, n) = GCD(m, n-m))
<1> SUFFICES ASSUME NEW m \in Nat \ {0}, NEW n \in Nat \ {0},
n > m
PROVE GCD(m, n) = GCD(m, n-m)
OBVIOUS
<1>1. ASSUME NEW i \in Int, NEW q \in Int, m = i*q, NEW r \in Int, n = i*r
PROVE \E z \in Int : n-m = i*z
<2>1. r-q \in Int /\ n-m = i*(r-q)
BY <1>1
<2>. QED BY <2>1
<1>2. ASSUME NEW i \in Int, NEW q \in Int, m = i*q, NEW r \in Int, n-m = i*r
PROVE \E z \in Int : n = i*z
<2>1. r+q \in Int /\ n = i*(r+q)
BY <1>2
<2>. QED BY <2>1
<1> QED
BY <1>1, <1>2 DEF GCD, SetMax , DivisorsOf, Divides
(n > m) => (GCD(m, n) = GCD(m, n-m))
<1> SUFFICES ASSUME NEW m \in Nat \ {0}, NEW n \in Nat \ {0},
n > m
PROVE GCD(m, n) = GCD(m, n-m)
OBVIOUS
<1>1. ASSUME NEW i \in Int, NEW q \in Int, m = i*q, NEW r \in Int, n = i*r
PROVE \E z \in Int : n-m = i*z
<2>1. r-q \in Int /\ n-m = i*(r-q)
BY <1>1
<2>. QED BY <2>1
<1>2. ASSUME NEW i \in Int, NEW q \in Int, m = i*q, NEW r \in Int, n-m = i*r
PROVE \E z \in Int : n = i*z
<2>1. r+q \in Int /\ n = i*(r+q)
BY <1>2
<2>. QED BY <2>1
<1> QED
BY <1>1, <1>2 DEF GCD, SetMax , DivisorsOf, Divides
On 18 Apr 2020, at 23:50, 'Nicholas Fiorentini' via tlaplus <tlaplus@xxxxxxxxxxxxxxxx> wrote:Hello,After having tried the tutorial from the official TLAPS site, I moved to the chapter 11 of the TLA+ Hyperbook.I was able to prove GCD1 and GCD2, but now I'm stuck on GCD3. I'm at the very last part of the proof: using BY DEF Divides to check the main step of the proof, thus concluding the whole proof. The problem is that TLAPS is unable to use prove this. Here the obligation:ASSUME NEW CONSTANT m \in Nat \ {0},NEW CONSTANT n \in Nat \ {0},n > mPROVE \A i \in Int :(\E q \in Int : m = i * q) /\ (\E q \in Int : n = i * q)<=> (\E q \in Int : m = i * q) /\ (\E q \in Int : n - m = i * q)Reading the book seems that this should not happen. What I'm doing wrong?I also tried changing the few Int with Nat. Btw, why this module defines Divides and DivisorOf over all Int instead of a subset like in https://tla.msr-inria.inria.fr/tlaps/content/Documentation/Tutorial/Hierarchical_proofs.html? What is the best approach in this case?Thanks for your help,NicholasHere my tla file. In bold the line with the problem.--------------------------- MODULE GCDProperties ---------------------------EXTENDS Integers, FiniteSets, TLAPS, NaturalsInductionDivides(p, n) == \E q \in Int : n = p * qDivisorsOf(n) == {p \in Int : Divides(p, n)}SetMax(S) == CHOOSE i \in S : \A j \in S : i >= jGCD(m, n) == SetMax(DivisorsOf(m) \cap DivisorsOf(n))THEOREM GCD1 == \A m \in Nat \ {0} : GCD(m, m) = m<1> SUFFICES ASSUME NEW m \in Nat \ {0}PROVE GCD(m, m) = mOBVIOUS<1>1 Divides(m, m)BY DEF Divides<1>2 \A i \in Nat : Divides(i, m) => (i =< m)BY DEF Divides<1> QEDBY <1>1, <1>2 DEF GCD, SetMax, DivisorsOfTHEOREM GCD2 == \A m, n \in Nat \ {0} : GCD(m, n) = GCD(n, m)BY DEF GCDTHEOREM GCD3 == \A m, n \in Nat \ {0} : (n > m) => (GCD(m, n) = GCD(m, n-m))<1> SUFFICES ASSUME NEW m \in Nat \ {0},NEW n \in Nat \ {0},n > mPROVE GCD(m, n) = GCD(m, n-m)OBVIOUS<1> \A i \in Int : (Divides(i, m) /\ Divides(i, n)) <=> (Divides(i, m) /\ Divides(i, n - m))BY DEF Divides<1> QEDBY DEF GCD, SetMax, DivisorsOf=============================================================================
You received this message because you are subscribed to the Google Groups "tlaplus" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tlaplus+unsubscribe@xxxxxxxxxxxxxxxx.
To view this discussion on the web visit https://groups.google.com/d/msgid/tlaplus/7e0fc5aa-f0c0-4f74-807b-bf0d5a114261%40googlegroups.com.
You received this message because you are subscribed to the Google Groups "tlaplus" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tlaplus+unsubscribe@xxxxxxxxxxxxxxxx.
To view this discussion on the web visit https://groups.google.com/d/msgid/tlaplus/363ADD28-A551-4B86-9771-2156D94EDFBF%40gmail.com.