[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [tlaplus] Re: action never enabled

From: Markus Kuppe <tlaplus-google-group@xxxxxxxxxxx>
Date: Sat, 25 Dec 2021 11:15:34 -0800
References: <ecbf0cb0-29ad-4af6-81c1-4b6d08a7647an@googlegroups.com> <c717a7c6-9860-47b0-8a26-e6c8d87a368bn@googlegroups.com> <a67211a8-1902-4cc1-898a-44446c4b44b3n@googlegroups.com> <1b7bd1a8-c472-4875-874c-5ec4674b98a6n@googlegroups.com> <ce797f94-fd78-4dc8-bf46-267c5e91ccfbn@googlegroups.com> <CABW84Kz45EgjSEABLRAHxQuQw+xN01f_scht2EdWc0TNf=sUyQ@mail.gmail.com> <d64f4b55-5335-4118-ad56-0c283b098328n@googlegroups.com> <a8db58bc-0f3f-49dc-97b1-3ee9dca7cf81n@googlegroups.com>

On 12/24/21 5:20 PM, Jones Martins wrote:

I think I have an answer. You didn't mention invariants, but when Ichecked your model with TypeOK as an invariant, I saw it had beenviolated because of coin0 < upperZero in the second step. Since it'sviolated in the second step, you'll see "<other action> is not enabled."Now, why is the first action in the disjunction always "chosen"? Ibelieve it's because, when TLC is generating the state graph, it's thefirst action it parses (instead of deciding between "A" and "B" in "A \/B", it always picks "A" to evaluate first). When evaluated, TLCimmediately verifies all invariants. Since TypeOK is false during thisverification step, TLC stops, nothing else happens.
This is my speculation, because I'm fairly new to TLA+. Maybe a fewexperts in this group will be able to respond to your question andresolve our doubts.



This explanation is correct! From Specifying Systems page 238:

"The first difference in evaluating the next-state action is that TLCdoes not evaluate disjunctions from left to right." Instead, when itevaluates a subformula A1 \/ ... \/ An, it splits the computation into nseparate evaluations, each taking the subformula to be one of the Ai."

With a single worker, TLC evaluates the subactions A1, ..., Ansequentially in an order derived from the order of the subformulas ofthe next-state relation. Evaluating a subaction Ai yields successorstates, for which TLC checks the invariants *before* evaluating Ai+1.

For the uniswapV1 spec, with Next == tradeOneForZero \/ tradeZeroForOne,TLC evaluates tradeOneForZero and checks the invariant TypeOK for eachsuccessor state given by tradeOneForZero. Since at least one suchsuccessor state violates TypeOK, TLC prints a counterexample and stops.If you want TLC to continue and evaluate the subaction tradeZeroForOne,run TLC with "-continue".

Running TLC with multiple workers causes non-determinism. However, itwill report tradeZeroForOne not to be covered with very high probability.


Markus

--
You received this message because you are subscribed to the Google Groups "tlaplus" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tlaplus+unsubscribe@xxxxxxxxxxxxxxxx.
To view this discussion on the web visit https://groups.google.com/d/msgid/tlaplus/f9bec688-67fd-c58c-627b-b9ed16bde9fa%40lemmster.de.

Follow-Ups:
- Re: [tlaplus] Re: action never enabled
  - From: Mark Ettinger

References:
- [tlaplus] action never enabled
  - From: Mark Ettinger
- [tlaplus] Re: action never enabled
  - From: Jones Martins
- [tlaplus] Re: action never enabled
  - From: Mark Ettinger
- [tlaplus] Re: action never enabled
  - From: Jones Martins
- [tlaplus] Re: action never enabled
  - From: Mark Ettinger
- Re: [tlaplus] Re: action never enabled
  - From: Jones Martins
- Re: [tlaplus] Re: action never enabled
  - From: Mark Ettinger
- Re: [tlaplus] Re: action never enabled
  - From: Jones Martins

Prev by Date: Re: [tlaplus] action never enabled
Next by Date: Re: [tlaplus] TLAPS parser
Previous by thread: Re: [tlaplus] Re: action never enabled
Next by thread: Re: [tlaplus] Re: action never enabled
Index(es):
- Date
- Thread