| Hi Andrew, let’s be really precise (since that’s what TLA+ is about): it's not the temporal operators that universally quantify over behaviors but the definition of validity. A formula of temporal logic is evaluated over an individual behavior, but we say that a specification Spec has a property Prop if the implication Spec => Prop is valid, i.e., holds for all behaviors. This is very different from saying that if all behaviors satisfy Spec (which will not be the case) then all behaviors satisfy Prop. As you certainly know, branching-time logics such as CTL or CTL* offer connectives that quantify over (suffixes of) behaviors, and you could express reachability of an accepting state using a formula such as E<> accepting. Formulas are then evaluated over computation trees rather than linear behaviors, and the above formula holds if the tree contains a branch that contains a state satisfying the predicate `accepting’. There was a huge debate on the relative merits of linear-time and branching-time logics in the 1980s and 1990s, and it’s not necessary to repeat the arguments. You also know that a reachability property such as the one that you describe can be checked in a linear-time formalism using inverted logic – that is, by asserting the invariant that an accepting state is never reached (in any run of the automaton for the given input string, or equivalently that no application of the CFG rules matches the string), and expecting the model checker to produce a counter example, which exhibits an accepting run / sequence of rule applications. Why is this approach unsuitable for what you are after? Stephan
--
You received this message because you are subscribed to the Google Groups "tlaplus" group. To unsubscribe from this group and stop receiving emails from it, send an email to tlaplus+unsubscribe@xxxxxxxxxxxxxxxx. To view this discussion on the web visit https://groups.google.com/d/msgid/tlaplus/BE0249E6-60BB-4E4D-B137-94A70C3A9313%40gmail.com. |