The (FALSE) ~> (y = 5) case looks like a bug to me! I was able to reproduce it in a very simplified example on my own computer. It is either a bug or we have both deeply misunderstood the ~> operator.

The trace you showed for the (x > 0) ~> (y = 5) case does not look like a bug. It looks like a true counterexample to me. In the trace, there is a state where x>0 (e.g. state 2) and that state is not followed by a later state where y=5. Therefore, x>0 does not always lead to y=5. The property is indeed violated.

here is the error trace i'm getting when using the formula (x > 0) ~> (y = 5)

and when using the fomrula (FALSE) ~> (y = 5)

I don't understand why these formulas even causes the error, what am i missing? why mplication operator evaluated as false when left operand of the implication is FALSE?

What is the error trace you're getting?

From the actions you have defined, as long as x remains <= 0, we never need to increment y. A possible behavior is Init, SetX, IncX, SetX, IncX, ...

It may be enough to simply change the enabling condition for IncY to x >= 0 (but that may not be "allowed" by what you are trying to specify).

I'm trying to specify "If some operation does not happens, then some condition eventually becomes true"

full specification is following:
-------------------------------- MODULE test --------------------------------

EXTENDS Integers

VARIABLE x,y

Init ==
/\ x = 0
/\ y = 0

IncX ==
/\ x' = IF x < 5 THEN (x + 1) ELSE 5
/\ UNCHANGED <<y>>

IncY ==
/\ x > 0
/\ y' = IF y < 5 THEN (y + 1) ELSE 5
/\ UNCHANGED <<x>>

SetX ==
/\ x' = -1
/\ UNCHANGED <<y>>

Next ==
\/ IncX
\/ IncY
\/ SetX

Invariant1 ==
/\ x < 6
/\ y < 6

temporalFormula1 ==  (x > 0) ~> (y = 5)
=============================================================================

and behavior spec is:
Init /\ [][Next]_<<x,y>> /\ WF_x(IncX) /\ WF_x(SetX) /\ WF_<<x,y>>(IncY)

my question is, why temporalFormula1 is violated?

I know that (x > 0) ~> (y = 5) means:
((x > 0) => <>(y = 5)) which is
\A n \in Nat. \sigma^{+n} ⊨ (x > 0) => ¬□¬(y = 5) which is
\A n \in Nat. \sigma^{+n} ⊨ (x > 0) => \sigma^{+n} ⊨ \E m \in Nat. \sigma{+m} ⊨ (y = 5) which is
\A n \in Nat. \sigma^{+n} ⊨ (x > 0) => \E m \in Nat. \sigma^{+n+m} ⊨ (y = 5)

so, i believed that error-trace should not contains the state that x is -1 but it does.

I even tried the formula (FALSE) ~> (y = 5) but it still fails with similar error trace. what's my mistake here?

