[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [tlaplus] Meaning of "equivalence" of specifications

From: Stephan Merz <stephan.merz@xxxxxxxxx>
Date: Fri, 28 Oct 2022 17:33:57 +0200
References: <57ba9669-3f80-b725-a7d4-6e4daf3b6d33@kit.edu>

Hello,

two TLA+ formulas F and G (in particular, two specifications) are equivalent if for any sequence of states sigma,

sigma |= F  iff  sigma |= G.

In other words, the two formulas are satisfied by the same behaviors. Since the formulas Spec from your two modules do not have the same variables (and are both satisfiable but not valid), they cannot be equivalent. For example, a behavior sigma such that

sigma_i(counter) = IF i < max THEN i ELSE max
sigma_i(choice) = -1

satisfies CounterUp!Spec but not Random!Spec.

Instead, what your argument shows is that both

(*) CounterUp!Spec => \EE choice : Random!Spec

and

(**) Random!Spec => \EE counter : CounterUp!Spec

hold, and indeed the use of \EE is important here. It follows that (\EE choice : Random!Spec) and (\EE counter : CounterUp!Spec) are equivalent.

In fact, neither of the two implications above should come as a surprise: the formulas on the right-hand sides of these implications have no free variables (in logicians' terms, they are "closed formulas") and must therefore be equivalent to either TRUE or FALSE, but since the inner formula is satisfiable, they must be equivalent to TRUE.

Had you used the same state variable in specifications CounterUp!Spec and Random!Spec, you could indeed verify that

CounterUp!Spec => Random!Spec

holds. In other words, CounterUp!Spec is a refinement of Random!Spec. The reverse implication does not hold, i.e. here the use of hiding is essential. However, if h were called counter then you could verify

RandomH!Spec => CounterUp!Spec

which again is unsurprising because the history variable mirrors the behavior of the counter.

It is probably somewhat confusing that the TLA+ tools do not support \EE directly. Instead of model checking the implications (**) and (**), you actually check, say,

CounterUp!Spec => (Random!Spec WITH choice <- counter)

where the latter formula is not actual TLA+ syntax but denotes substitution of the term "counter" for the variable "choice". The soundness of adding a history variable cannot be checked using the current TLA+ tools at all.

I do hope this explanation helps more than it adds to the confusion!

Stephan


> On 28 Oct 2022, at 15:44, Grundmann, Matthias (KASTEL) <matthias.grundmann@xxxxxxx> wrote:
> 
> Hello,
> 
> I'm trying to understand what exactly it means if two specifications are "equivalent". As an example, I've created two specifications and, as far as I understand the method presented in [1], we can show that these specifications are equivalent although my intuition says that they are not. The first specification (CounterUp) models a simple counter that always increments a variable by 1 and the second specification (Random) sets a variable in each step to a random value.
> 
> The two specifications are defined as follows:
> 
> ----------------------------- MODULE CounterUp -----------------------------
> EXTENDS Integers
> VARIABLE counter
> CONSTANT max
> Init == counter = 0
> Next == counter' = IF counter < max THEN counter + 1 ELSE
> Spec == Init /\ [][Next]_counter
> =============================================================================
> 
> ------------------------------- MODULE Random -------------------------------
> EXTENDS Integers
> VARIABLE choice
> CONSTANT max
> Init == choice \in 0..max
> Next == choice' \in 0..max
> Spec == Init /\ [][Next]_choice
> =============================================================================
> 
> It is intuitive that CounterUp!Spec => Random!Spec as incrementing a value by 1 is a special case of choosing the next value arbitrarily.
> To show this implication, we add "Random == INSTANCE Random WITH choice <- counter" to the module CounterUp. Now, we can show "THEOREM CounterUp!Spec => Random!Spec" by running TLC for a model for CounterUp with the temporal formula "Spec" checking the property "Random!Spec".
> 
> To show Random!Spec => CounterUp!Spec, we introduce a new specification RandomH defined as follows (along the lines of [1, Section 3.1]):
> 
> ------------------------------ MODULE RandomH ------------------------------
> EXTENDS Random
> VARIABLE h
> varsH == <<choice, h>>
> InitH == Init /\ h = 0
> NextH == Next /\ h' = IF h < max THEN h + 1 ELSE 0
> SpecH == InitH /\ [][NextH]_varsH
> 
> CounterUp == INSTANCE CounterUp WITH counter <- h
> THEOREM SpecH => CounterUp!Spec
> =============================================================================
> 
> According to Theorem 1 of [1], Random!Spec is equivalent to \EE h : RandomH!SpecH (1).
> Using the definition "CounterUp == INSTANCE CounterUp WITH counter <- h" (second last line of module RandomH), we can show that RandomH!SpecH => CounterUp!Spec (2).
> According to [1, Section 3.4], it follows from (1) and (2) that Random!Spec => CounterUp!Spec (or maybe Random!Spec => \EE h : CounterUp!Spec ???).
> 
> Having shown the two implications, we have shown that Random!Spec is equivalent to CounterUp!Spec.
> I conclude that a system that counts is equivalent to a system that chooses values arbitrarily. This result contradicts my intuition which says that counting is not equivalent to choosing values arbitrarily. -- It might be that my intuition is wrong. It might be that my conclusion is wrong as I might have misunderstood what "equivalence" means in this context. It might be that I have included a methodological flaw above (see the "???"). What are your thoughts? What does it mean for one specification to be equivalent to another specification?
> 
> Thanks!
> 
> Matthias
> 
> 
> [1] Lamport, Leslie, and Stephan Merz. “Auxiliary Variables in TLA+”. https://lamport.azurewebsites.net/pubs/auxiliary.pdf
> 
> -- 
> You received this message because you are subscribed to the Google Groups "tlaplus" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to tlaplus+unsubscribe@xxxxxxxxxxxxxxxx.
> To view this discussion on the web visit https://groups.google.com/d/msgid/tlaplus/57ba9669-3f80-b725-a7d4-6e4daf3b6d33%40kit.edu.

-- 
You received this message because you are subscribed to the Google Groups "tlaplus" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tlaplus+unsubscribe@xxxxxxxxxxxxxxxx.
To view this discussion on the web visit https://groups.google.com/d/msgid/tlaplus/D651F324-5AAF-4402-956D-A970B3606613%40gmail.com.

References:
- [tlaplus] Meaning of "equivalence" of specifications
  - From: Grundmann, Matthias (KASTEL)

Prev by Date: Re: [tlaplus] Re: Meaning of "equivalence" of specifications
Next by Date: Re: [tlaplus] Meaning of "equivalence" of specifications
Previous by thread: Re: [tlaplus] Re: Meaning of "equivalence" of specifications
Next by thread: Re: [tlaplus] Meaning of "equivalence" of specifications
Index(es):
- Date
- Thread