outline
play

Outline TLAPS Basics 1 2 Tips and Best Practices for Using TLAPS 3 - PowerPoint PPT Presentation

Jan 12, 2024 •510 likes •1.7k views

A Tutorial Introduction to TLAPS Jael Kriener 1 Tom Rodeheffer 2 Tomer Libal 1 1 2 TLA + Community Event, ABZ 2014 Toulouse, June 3, 2014 Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 1 / 52 Outline TLAPS Basics 1 2 Tips

  1. Proof attempt 3 - another fact - success ∆ THEOREM ConcatLeftCancel = ASSUME NEW S , NEW A ∈ Seq ( S ) , NEW B ∈ Seq ( S ) , NEW C ∈ Seq ( S ) , C ◦ A = C ◦ B PROVE A = B PROOF � 1 � 1. Len ( A ) = Len ( B ) OBVIOUS C ◦ A = C ◦ B � 1 � 2. A ∈ [1 . . Len ( A ) → S ] OBVIOUS A ∈ Seq ( S ) � 1 � 3. B ∈ [1 . . Len ( A ) → S ] BY � 1 � 1 � 1 � 4. ∀ i ∈ 1 . . Len ( A ) : A [ i ] = ( C ◦ A )[ i + Len ( C )] OBVIOUS � 1 � 5. ∀ i ∈ 1 . . Len ( A ) : B [ i ] = ( C ◦ B )[ i + Len ( C )] BY � 1 � 1 � 1 � 6. ∀ i ∈ 1 . . Len ( A ) : A [ i ] = B [ i ] BY � 1 � 4 , � 1 � 5 � 1 � QED BY � 1 � 2 , � 1 � 3 , � 1 � 6 Figure 3: Third proof attempt (successful). Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 25 / 52

  2. Proof with better structure ∆ THEOREM ConcatLeftCancel = ASSUME NEW S , NEW A ∈ Seq ( S ) , NEW B ∈ Seq ( S ) , NEW C ∈ Seq ( S ) , C ◦ A = C ◦ B PROVE A = B PROOF � 1 � 1. Len ( A ) = Len ( B ) OBVIOUS C ◦ A = C ◦ B � 1 � 2. A ∈ [1 . . Len ( A ) → S ] OBVIOUS A ∈ Seq ( S ) � 1 � 3. B ∈ [1 . . Len ( A ) → S ] BY � 1 � 1 � 1 � 4. ASSUME NEW i ∈ 1 . . Len ( A ) PROVE A [ i ] = B [ i ] � 2 � 1. A [ i ] = ( C ◦ A )[ i + Len ( C )] OBVIOUS defn of C ◦ A � 2 � 2. B [ i ] = ( C ◦ B )[ i + Len ( C )] BY � 1 � 1 defn of C ◦ B � 2 � QED BY � 2 � 1 , � 2 � 2 � 1 � QED BY � 1 � 2 , � 1 � 3 , � 1 � 4 Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 26 / 52

  3. Lessons from proving ConcatLeftCancel Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 27 / 52

  4. Lessons from proving ConcatLeftCancel The proof centers on showing A = B where A , B are functions ◮ For two functions to be equal, you must show ⋆ they have the same domain ⋆ they have the same value at each point in the domain ◮ It seems this is relatively difficult for TLAPS to conclude Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 27 / 52

  5. Lessons from proving ConcatLeftCancel The proof centers on showing A = B where A , B are functions ◮ For two functions to be equal, you must show ⋆ they have the same domain ⋆ they have the same value at each point in the domain ◮ It seems this is relatively difficult for TLAPS to conclude Before writing a subproof, check if TLAPS thinks a fact is obvious Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 27 / 52

  6. Lessons from proving ConcatLeftCancel The proof centers on showing A = B where A , B are functions ◮ For two functions to be equal, you must show ⋆ they have the same domain ⋆ they have the same value at each point in the domain ◮ It seems this is relatively difficult for TLAPS to conclude Before writing a subproof, check if TLAPS thinks a fact is obvious When TLAPS fails, try to figure out what specific fact you could provide that it is failing to consider Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 27 / 52

  7. Lessons from proving ConcatLeftCancel The proof centers on showing A = B where A , B are functions ◮ For two functions to be equal, you must show ⋆ they have the same domain ⋆ they have the same value at each point in the domain ◮ It seems this is relatively difficult for TLAPS to conclude Before writing a subproof, check if TLAPS thinks a fact is obvious When TLAPS fails, try to figure out what specific fact you could provide that it is failing to consider When introducing a new symbol x , generally it is a good idea to use a domain formula x ∈ S Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 27 / 52

  8. Using the theorem ConcatLeftCancel Often, what a theorem considers as constant parameters are messy formulas at the point where we wish to apply the theorem. In this example, we conjure up formulas that happen to be sequences, and ask TLAPS to apply ConcatLeftCancel . Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 28 / 52

  9. Use attempt 1 - is it obvious - fail ∆ THEOREM UseConcatLeftCancel = ASSUME NEW S , NEW u ∈ Seq ( S ) , NEW v ∈ Seq ( S ) , NEW w ∈ Seq ( S ) , NEW x ∈ Seq ( S ) , NEW m ∈ S , NEW n ∈ S , u ◦ � m , n � ◦ v ◦ x = u ◦ � m , n � ◦ w ◦ x PROVE v ◦ x = w ◦ x PROOF � 1 � QED BY ConcatLeftCancel unable to prove it Figure 5: First use attempt (unsuccessful). Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 29 / 52

  10. Use attempt 2 - add a closure fact - still fail ∆ THEOREM UseConcatLeftCancel = ASSUME NEW S , NEW u ∈ Seq ( S ) , NEW v ∈ Seq ( S ) , NEW w ∈ Seq ( S ) , NEW x ∈ Seq ( S ) , NEW m ∈ S , NEW n ∈ S , u ◦ � m , n � ◦ v ◦ x = u ◦ � m , n � ◦ w ◦ x PROVE v ◦ x = w ◦ x PROOF � 1 � 1. u ◦ � m , n � ∈ Seq ( S ) OBVIOUS ◦ closed � 1 � QED BY � 1 � 1 , ConcatLeftCancel unable to prove it Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 30 / 52

  11. Use attempt 3 - add more closure facts - still fail ∆ THEOREM UseConcatLeftCancel = ASSUME NEW S , NEW u ∈ Seq ( S ) , NEW v ∈ Seq ( S ) , NEW w ∈ Seq ( S ) , NEW x ∈ Seq ( S ) , NEW m ∈ S , NEW n ∈ S , u ◦ � m , n � ◦ v ◦ x = u ◦ � m , n � ◦ w ◦ x PROVE v ◦ x = w ◦ x PROOF � 1 � 1. u ◦ � m , n � ∈ Seq ( S ) OBVIOUS ◦ closed � 1 � 2. v ◦ x ∈ Seq ( S ) OBVIOUS ◦ closed � 1 � 3. w ◦ x ∈ Seq ( S ) OBVIOUS ◦ closed � 1 � QED BY � 1 � 1 , � 1 � 2 , � 1 � 3 , ConcatLeftCancel unable to prove it Figure 7: Third use attempt (still unsuccessful). Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 31 / 52

  12. Use attempt 4 - add an associativity fact - success ∆ THEOREM UseConcatLeftCancel = ASSUME NEW S , NEW u ∈ Seq ( S ) , NEW v ∈ Seq ( S ) , NEW w ∈ Seq ( S ) , NEW x ∈ Seq ( S ) , NEW m ∈ S , NEW n ∈ S , u ◦ � m , n � ◦ v ◦ x = u ◦ � m , n � ◦ w ◦ x PROVE v ◦ x = w ◦ x PROOF � 1 � 1. u ◦ � m , n � ∈ Seq ( S ) OBVIOUS ◦ closed � 1 � 2. v ◦ x ∈ Seq ( S ) OBVIOUS ◦ closed � 1 � 3. w ◦ x ∈ Seq ( S ) OBVIOUS ◦ closed � 1 � 4. u ◦ � m , n � ◦ ( v ◦ x ) = u ◦ � m , n � ◦ ( w ◦ x ) OBVIOUS � 1 � QED BY � 1 � 1 , � 1 � 2 , � 1 � 3 , � 1 � 4 , ConcatLeftCancel Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 32 / 52

  13. Lessons from applying ConcatLeftCancel Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 33 / 52

  14. Lessons from applying ConcatLeftCancel Common mathematical properties of closure and associativity can be important Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 33 / 52

  15. Lessons from applying ConcatLeftCancel Common mathematical properties of closure and associativity can be important ◮ Humans are really good at utilizing these properties Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 33 / 52

  16. Lessons from applying ConcatLeftCancel Common mathematical properties of closure and associativity can be important ◮ Humans are really good at utilizing these properties ◮ Even though TLAPS considered the properties obvious, it was unable to supply them automatically when trying to prove a deduction that required them Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 33 / 52

  17. Lessons from applying ConcatLeftCancel Common mathematical properties of closure and associativity can be important ◮ Humans are really good at utilizing these properties ◮ Even though TLAPS considered the properties obvious, it was unable to supply them automatically when trying to prove a deduction that required them ◮ In my experience, TLAPS has a really difficult time applying associativity Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 33 / 52

  18. Lessons from applying ConcatLeftCancel Common mathematical properties of closure and associativity can be important ◮ Humans are really good at utilizing these properties ◮ Even though TLAPS considered the properties obvious, it was unable to supply them automatically when trying to prove a deduction that required them ◮ In my experience, TLAPS has a really difficult time applying associativity When TLAPS fails, try to figure out what specific fact you could provide that it is failing to consider Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 33 / 52

  19. Finite induction over naturals Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 34 / 52

  20. Finite induction over naturals The ordinary form of induction is simple induction over the naturals, in which a predicate P ( i ) is proved to hold for all i ∈ Nat . Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 34 / 52

  21. Finite induction over naturals The ordinary form of induction is simple induction over the naturals, in which a predicate P ( i ) is proved to hold for all i ∈ Nat . TLAPS has a libary theorem NatInduction , in the library module NaturalsInduction , that encapsulates the simple inductive argument. For any P ( ) , given the base case P ( 0 ) and the inductive step ∀ i ∈ Nat : P ( i ) ⇒ P ( i + 1 ) NatInduction concludes ∀ i ∈ Nat : P ( i ) Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 34 / 52

  22. Finite induction over naturals - 2 Sometimes we do not want or need to prove that P ( i ) holds for all i ∈ Nat , but rather only for a finite range i ∈ m .. n . This often occurs when proving things about sequences. Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 35 / 52

  23. Finite induction over naturals - 2 Sometimes we do not want or need to prove that P ( i ) holds for all i ∈ Nat , but rather only for a finite range i ∈ m .. n . This often occurs when proving things about sequences. In such cases, we could, of course, define a more general predicate ∆ Q ( i ) = i ∈ m .. n ⇒ P ( i ) use NatInduction to prove that Q ( i ) holds for all i ∈ Nat and then deduce what we want about P ( ) . But the proof would be cluttered with the transitions of i into and out of m .. n . Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 35 / 52

  24. Finite induction over naturals - 2 Sometimes we do not want or need to prove that P ( i ) holds for all i ∈ Nat , but rather only for a finite range i ∈ m .. n . This often occurs when proving things about sequences. In such cases, we could, of course, define a more general predicate ∆ Q ( i ) = i ∈ m .. n ⇒ P ( i ) use NatInduction to prove that Q ( i ) holds for all i ∈ Nat and then deduce what we want about P ( ) . But the proof would be cluttered with the transitions of i into and out of m .. n . A better approach is to define a prove and prove a theorem FiniteNatInduction that explicitly deals with finite induction over the naturals. Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 35 / 52

  25. Setting up the inductive argument ∆ THEOREM FiniteNatInduction = ASSUME NEW P ( ) , predicate NEW m ∈ Nat , Define the more general start NEW n ∈ Nat , predicate Q ( ) limit P ( m ) , base case Use a SUFFICES to change the ∀ i ∈ m . . ( n − 1) : P ( i ) ⇒ P ( i + 1) finite ind hyp goal to ∀ i ∈ Nat : Q ( i ) PROVE ∀ i ∈ m . . n : P ( i ) PROOF State the base case and ∆ � 1 � DEFINE Q ( i ) = i ∈ m . . n ⇒ P ( i ) inductive step as facts � 1 � SUFFICES ∀ i ∈ Nat : Q ( i ) OBVIOUS base case Hide the definition of the � 1 � 1. Q (0) OBVIOUS inductive predicate Q ( ) inductive step Appeal to NatInduction � 1 � 2. ∀ i ∈ Nat : Q ( i ) ⇒ Q ( i + 1) � 1 � HIDE DEF Q hide defn of induction predicate � 1 � QED BY � 1 � 1 , � 1 � 2 , NatInduction Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 36 / 52

  26. Completing the subproof of the inductive step ∆ THEOREM FiniteNatInduction = ASSUME NEW P ( ) , predicate NEW m ∈ Nat , start NEW n ∈ Nat , limit P ( m ) , base case ∀ i ∈ m . . ( n − 1) : P ( i ) ⇒ P ( i + 1) finite ind hyp PROVE ∀ i ∈ m . . n : P ( i ) Use SUFFICES ASSUME PROOF PROVE to disassemble the ∆ � 1 � DEFINE Q ( i ) = i ∈ m . . n ⇒ P ( i ) universal quantifier and the � 1 � SUFFICES ∀ i ∈ Nat : Q ( i ) OBVIOUS implication base case � 1 � 1. Q (0) OBVIOUS Use CASE to perform a case inductive step analysis � 1 � 2. ∀ i ∈ Nat : Q ( i ) ⇒ Q ( i + 1) The cases must cover all � 2 � 1. SUFFICES ASSUME NEW i ∈ Nat , Q ( i ) possibilities PROVE Q ( i + 1) OBVIOUS � 2 � 2. CASE i + 1 ∈ ( m + 1) . . n BY � 2 � 1 , � 2 � 2 � 2 � 3. CASE i + 1 = m BY � 2 � 3 � 2 � 4. CASE i + 1 � m . . n BY � 2 � 4 � 2 � QED BY � 2 � 2 , � 2 � 3 , � 2 � 4 � 1 � HIDE DEF Q hide defn of induction predicate � 1 � QED BY � 1 � 1 , � 1 � 2 , NatInduction Figure 11: Complete proof of FiniteNatInduction . Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 37 / 52

  27. Simplified proof of FiniteNatInduction ∆ THEOREM FiniteNatInduction = ASSUME NEW P ( ) , predicate NEW m ∈ Nat , start NEW n ∈ Nat , limit It turns out that TLAPS thinks P ( m ) , base case that the inductive step is ∀ i ∈ m . . ( n − 1) : P ( i ) ⇒ P ( i + 1) finite ind hyp PROVE ∀ i ∈ m . . n : P ( i ) obvious. We neglected to PROOF check this before plunging ∆ � 1 � DEFINE Q ( i ) = i ∈ m . . n ⇒ P ( i ) into the case analysis. Hence � 1 � SUFFICES ∀ i ∈ Nat : Q ( i ) OBVIOUS the proof can be simplified base case considerably. � 1 � 1. Q (0) OBVIOUS inductive step � 1 � 2. ∀ i ∈ Nat : Q ( i ) ⇒ Q ( i + 1) OBVIOUS � 1 � HIDE DEF Q hide defn of induction predicate � 1 � QED BY � 1 � 1 , � 1 � 2 , NatInduction Figure 12: Simplified proof of . Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 38 / 52

  28. Lessons from proving FiniteNatInduction Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 39 / 52

  29. Lessons from proving FiniteNatInduction Hide the definition of the induction predicate before appealing to the induction theorem Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 39 / 52

  30. Lessons from proving FiniteNatInduction Hide the definition of the induction predicate before appealing to the induction theorem ◮ More generally, when applying a proof rule containing a NEW Q ( ) that must be instantiated with some operator Op , you should hide the definition of Op Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 39 / 52

  31. Lessons from proving FiniteNatInduction Hide the definition of the induction predicate before appealing to the induction theorem ◮ More generally, when applying a proof rule containing a NEW Q ( ) that must be instantiated with some operator Op , you should hide the definition of Op Use SUFFICES to change the goal Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 39 / 52

  32. Lessons from proving FiniteNatInduction Hide the definition of the induction predicate before appealing to the induction theorem ◮ More generally, when applying a proof rule containing a NEW Q ( ) that must be instantiated with some operator Op , you should hide the definition of Op Use SUFFICES to change the goal Use SUFFICES ASSUME PROVE to disassemble universal quantifiers and implications Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 39 / 52

  33. Lessons from proving FiniteNatInduction Hide the definition of the induction predicate before appealing to the induction theorem ◮ More generally, when applying a proof rule containing a NEW Q ( ) that must be instantiated with some operator Op , you should hide the definition of Op Use SUFFICES to change the goal Use SUFFICES ASSUME PROVE to disassemble universal quantifiers and implications Use CASE statements to disassemble the current goal into cases ◮ TLAPS will have to be convinced that all cases are covered ◮ Often it can figure this out on its own, but sometimes you need to present the fact explicitly Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 39 / 52

  34. Lessons from proving FiniteNatInduction Hide the definition of the induction predicate before appealing to the induction theorem ◮ More generally, when applying a proof rule containing a NEW Q ( ) that must be instantiated with some operator Op , you should hide the definition of Op Use SUFFICES to change the goal Use SUFFICES ASSUME PROVE to disassemble universal quantifiers and implications Use CASE statements to disassemble the current goal into cases ◮ TLAPS will have to be convinced that all cases are covered ◮ Often it can figure this out on its own, but sometimes you need to present the fact explicitly Always check to see if TLAPS can prove a fact (given the necessary predicate facts) before plunging into a subproof Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 39 / 52

  35. Outline TLAPS Basics 1 2 Tips and Best Practices for Using TLAPS 3 Temporal Reasoning in TLAPS Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 40 / 52

  36. Temporal proofs in TLAPS A standard safety proof ◮ validation of a temporal formula ◮ mostly action reasoning ◮ temporal reasoning for validating QED step Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 41 / 52

  37. Temporal proofs in TLAPS A standard safety proof ◮ validation of a temporal formula ◮ mostly action reasoning ◮ temporal reasoning for validating QED step In this talk: ◮ Why quantified temporal formulas can be proved using first-order and propositional temporal backends Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 41 / 52

  38. Temporal proofs in TLAPS A standard safety proof ◮ validation of a temporal formula ◮ mostly action reasoning ◮ temporal reasoning for validating QED step In this talk: ◮ Why quantified temporal formulas can be proved using first-order and propositional temporal backends ◮ How to write the proofs correctly Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 41 / 52

  39. Temporal proofs in TLAPS A standard safety proof ◮ validation of a temporal formula ◮ mostly action reasoning ◮ temporal reasoning for validating QED step In this talk: ◮ Why quantified temporal formulas can be proved using first-order and propositional temporal backends ◮ How to write the proofs correctly ◮ Which formulas can be proved using that ⋆ Note: TLA + is not complete for quantified temporal logic. Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 41 / 52

  40. Temporal concepts in TLA + Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 42 / 52

  41. Temporal concepts in TLA + Semantics ◮ Program Executions Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 42 / 52

  42. Temporal concepts in TLA + Semantics ◮ Program Executions ◮ States Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 42 / 52

  43. Temporal concepts in TLA + Semantics ◮ Program Executions ◮ States ◮ Behaviors and suffixes Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 42 / 52

  44. Temporal concepts in TLA + Semantics ◮ Program Executions ◮ States ◮ Behaviors and suffixes Syntax ◮ Constant expressions Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 42 / 52

  45. Temporal concepts in TLA + Semantics ◮ Program Executions ◮ States ◮ Behaviors and suffixes Syntax ◮ Constant expressions ◮ State expressions Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 42 / 52

  46. Temporal concepts in TLA + Semantics ◮ Program Executions ◮ States ◮ Behaviors and suffixes Syntax ◮ Constant expressions ◮ State expressions ◮ Action expressions Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 42 / 52

  47. Temporal concepts in TLA + Semantics ◮ Program Executions ◮ States ◮ Behaviors and suffixes Syntax ◮ Constant expressions ◮ State expressions ◮ Action expressions ◮ Temporal expressions Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 42 / 52

  48. Temporal concepts in TLA + Semantics ◮ Program Executions ◮ States ◮ Behaviors and suffixes Syntax ◮ Constant expressions ◮ State expressions ◮ Action expressions ◮ Temporal expressions Logic ◮ First-order [1] [1] Coalescing: Syntactic Abstraction for Reasoning in First-Order Modal Logics Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 42 / 52

  49. Temporal concepts in TLA + Semantics ◮ Program Executions ◮ States ◮ Behaviors and suffixes Syntax ◮ Constant expressions ◮ State expressions ◮ Action expressions ◮ Temporal expressions Logic ◮ First-order [1] ◮ Temporal [1] Coalescing: Syntactic Abstraction for Reasoning in First-Order Modal Logics Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 42 / 52

  50. Temporal concepts in TLA + Semantics ◮ Program Executions ◮ States ◮ Behaviors and suffixes Syntax ◮ Constant expressions ◮ State expressions ◮ Action expressions ◮ Temporal expressions Logic ◮ First-order [1] ◮ Temporal ⋆ PTL [1] Coalescing: Syntactic Abstraction for Reasoning in First-Order Modal Logics Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 42 / 52

  51. Breaking temporal formulas into action formulas Proving quantified temporal formulas from action formulas and propositional temporal rules. Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 43 / 52

  52. Breaking temporal formulas into action formulas Proving quantified temporal formulas from action formulas and propositional temporal rules. ◮ find a temporal rule Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 43 / 52

  53. Breaking temporal formulas into action formulas Proving quantified temporal formulas from action formulas and propositional temporal rules. ◮ find a temporal rule ◮ verify the rule Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 43 / 52

  54. Breaking temporal formulas into action formulas Proving quantified temporal formulas from action formulas and propositional temporal rules. ◮ find a temporal rule ◮ verify the rule ◮ understand failures Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 43 / 52

  55. How to find the rules Safety properties - based on variations of the inductive invariant rule: Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 44 / 52

  56. How to find the rules Safety properties - based on variations of the inductive invariant rule: Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 44 / 52

  57. How to find the rules Safety properties - based on variations of the inductive invariant rule: Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 44 / 52

  58. How to find the rules Safety properties - based on variations of the inductive invariant rule: Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 44 / 52

  59. How to find the rules Safety properties - based on variations of the inductive invariant rule: Other properties - other rules Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 44 / 52

  60. Are the rules sound? Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 45 / 52

  61. Are the rules sound? Rule is an instance of the PTL rule: Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 45 / 52

  62. Are the rules sound? Rule is an instance of the PTL rule: Success of PTL backend verifies this Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 45 / 52

  63. Understanding failures Consider this valid lemma Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 46 / 52

  64. Understanding failures Consider this valid lemma which seems to be an instance of the PTL rule: Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 46 / 52

  65. Understanding failures Consider this valid lemma which seems to be an instance of the PTL rule: But it is not, why? Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 46 / 52

  66. Necessitation Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 47 / 52

  67. Necessitation Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 47 / 52

  68. Necessitation Since � 1 � 2 holds in all behaviours, it can be boxed This is called necessitation Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 47 / 52

  69. Necessitation Since � 1 � 2 holds in all behaviours, it can be boxed This is called necessitation The PTL rules normally requires the application of necessitation on the action steps Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 47 / 52

  70. Necessitation Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 48 / 52

  71. Necessitation Spec Spec is assumed when proving the proof steps Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 48 / 52

  72. Necessitation Spec Spec is assumed when proving the proof steps � 1 � 2 doesn’t hold in all behaviours Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 48 / 52

  73. Necessitation Spec Spec is assumed when proving the proof steps � 1 � 2 doesn’t hold in all behaviours Necessitation is not applied Jael K., Tom R. and Tomer L. TLAPS Tutorial Toulouse, June 2014 48 / 52

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Ins Domingues Breast Cancer Workshop April 7th 2015 Outline Outline Outline Outline

Ins Domingues Breast Cancer Workshop April 7th 2015 Outline Outline Outline Outline

An automatic mammogram system: from screening to diagnosis Ins Domingues Breast Cancer Workshop April 7th 2015 Outline Outline Outline Outline Outline Outline Outline Outline Outline Outline Outline Outline Pectoral muscle

589 views • 45 slides
Presentation Preparation Outline Speech Outline Template ***Use this outline to guide you in

Presentation Preparation Outline Speech Outline Template ***Use this outline to guide you in

Presentation Preparation Outline Speech Outline Template ***Use this outline to guide you in preparing for your presentation; this outline is required. Title: I. Introduction (The speech actually starts here.) A. Attention Getter:

479 views • 3 slides
PT1 TMP Presentation Outline 1 Group Members: ___________________________________ Use this outline

PT1 TMP Presentation Outline 1 Group Members: ___________________________________ Use this outline

PT1 TMP Presentation Outline 1 Group Members: ___________________________________ Use this outline to organize your argument to create a logical flow of information and plan your presentation layout. This outline is worth a group grade (one copy

506 views • 3 slides
1 Web Application Development 2 3 Web Application Development CSS Outline An outline is a

1 Web Application Development 2 3 Web Application Development CSS Outline An outline is a

1 Web Application Development 2 3 Web Application Development CSS Outline An outline is a line that is drawn around elements, OUTSIDE the borders, to make the element "stand out". CSS has the following outline properties:

1.76k views • 117 slides
Outline Outline Background of the Network Vision Vision Aims Activities

Outline Outline Background of the Network Vision Vision Aims Activities

Asia Pacific Adaptation Network (APAN)- A k A key regional Initiative i l I iti ti Puja Sawhney Coordinator, APAN , Institute for Global Environmental Strategies Thimpu, Bhutan p 16 th November, 2011 Outline Outline Background of the

441 views • 9 slides
When (Low ) Pow er Really Matters When (Low ) Pow er Really Matters When (Low ) Pow er Really

When (Low ) Pow er Really Matters When (Low ) Pow er Really Matters When (Low ) Pow er Really

When (Low ) Pow er Really Matters When (Low ) Pow er Really Matters When (Low ) Pow er Really Matters When (Low ) Pow er Really Matters Yogesh K. Ramadass, AnanthaGroup Microsystems Technology Laboratory Outline Outline Outline Outline

507 views • 36 slides
Presentation Outline Worksheet You can use part or all of this outline to help you. This is YOUR

Presentation Outline Worksheet You can use part or all of this outline to help you. This is YOUR

Presentation Outline Worksheet You can use part or all of this outline to help you. This is YOUR personal presentation so you can create it however you want. These are just suggestions to help you get started. The purpose is to educate your

618 views • 3 slides
Outline 2 Outline 2 ZSim core simulation techniques Outline 2 ZSim core simulation

Outline 2 Outline 2 ZSim core simulation techniques Outline 2 ZSim core simulation

ZSim Tutorial MICRO 2015 S TATS AND C ONFIGURATION Core Models Po-An Tsai Outline 2 Outline 2 ZSim core simulation techniques Outline 2 ZSim core simulation techniques ZSim core structure I1D I1I Simple IPC 1 core

1.96k views • 120 slides
Outline Outline Motivation Motivation 1 1. Email Speech Acts 2. Modeling textual intention

Outline Outline Motivation Motivation 1 1. Email Speech Acts 2. Modeling textual intention

Modeling Intention in Email : Speech Acts, Information Leaks and User Ranking Methods p g Vitor R. Carvalho Carnegie Mellon University William Cohen Ramnath a at Tom Tom Jon Jon Balasubramanyan Mitchell Elsas Outline Outline

1.09k views • 65 slides
Session Outline Course themes imperative problem solving (think: outline form) C

Session Outline Course themes imperative problem solving (think: outline form) C

Session Outline Course themes imperative problem solving (think: outline form) C programming (close to the machine) storage and processing of data Linux operating system control of robots Demo Course Web site

780 views • 9 slides
Outline : Outline : Our method to perform periodicity search Candidates of the next Geminga The

Outline : Outline : Our method to perform periodicity search Candidates of the next Geminga The

Periodicity Sear Periodicity Search of ch of the the Geming Geminga-lik -like Pulsar e Pulsars Lupin Chun-Che Lin () Institute of Astronomy, National Central University, Taiwan Outline : Outline : Our method to perform periodicity

654 views • 19 slides
Outline for St Outline for St Outline for

Outline for St Outline for St Outline for

Outline for St Outline for St Outline for St Outline for St Francis Participation Francis Participation Francis Participation Francis Participation St Francis Overview Current Work on

120 views • 10 slides
RDF Beyond RDF Beyond Outline Outline RDFa RDFa Microformat Schema.org S h RDFa

RDF Beyond RDF Beyond Outline Outline RDFa RDFa Microformat Schema.org S h RDFa

RDF Beyond RDF Beyond Outline Outline RDFa RDFa Microformat Schema.org S h RDFa RDFa RDFa RDFa RDFa: A collection of attributes and processing p g rules for extending XHTML to support RDF. HTML contains structured data,

768 views • 37 slides
Appendix J: Capstone Presentation Outline Revised Spring 2016 CAPSTONE PRESENTATION OUTLINE This

Appendix J: Capstone Presentation Outline Revised Spring 2016 CAPSTONE PRESENTATION OUTLINE This

Appendix J: Capstone Presentation Outline Revised Spring 2016 CAPSTONE PRESENTATION OUTLINE This is a suggested outline only. Students should work closely with their Faculty Advisors to adapt this format the presentation to the needs of the

418 views • 4 slides
1 Course Outline Course Outline Course Outline Course Outline 3D Graphics Pipeline 3D

1 Course Outline Course Outline Course Outline Course Outline 3D Graphics Pipeline 3D

Goals Goals Foundations of Computer Graphics Foundations of Computer Graphics Systems: Write complex 3D graphics programs (Spring 2010) (Spring 2010) (real-time in OpenGL, offline raytracer, animation) CS 184, Lecture 1: Overview and

176 views • 5 slides
Outline Outline 1. About Cambodia 1. About Cambodia 2. Overview of disaster Hazards &

Outline Outline 1. About Cambodia 1. About Cambodia 2. Overview of disaster Hazards &

Sophak PHOEUN, National DRR Forum Coordinat or & Executive Assistant to Vice President of NCDM , National Committee for Disaster Management. Outline Outline 1. About Cambodia 1. About Cambodia 2. Overview of disaster Hazards &

346 views • 15 slides
SMT Solvers Theory & Practice Leonardo de Moura leonardo@microsoft.com Microsoft Research

SMT Solvers Theory & Practice Leonardo de Moura leonardo@microsoft.com Microsoft Research

SMT Solvers Theory & Practice Leonardo de Moura leonardo@microsoft.com Microsoft Research FMCAD 2006 p.1/75 Credits Slides inspired by previous presentations by: Clark Barrett, Harald Ruess, Natarajan Shankar, Cesare Tinelli, Ashish

1.18k views • 113 slides
The Approach of a Private Equity in an M &A Transaction Andrea Foti 11 November, 2019 M y

The Approach of a Private Equity in an M &A Transaction Andrea Foti 11 November, 2019 M y

The Approach of a Private Equity in an M &A Transaction Andrea Foti 11 November, 2019 M y background Investment Banking Advisory | Milan 2017 Investment Banking Advisory | Milan 2013 S trictly private & confidential 2004 Investment

372 views • 25 slides
Consonant Patterns in Angait e Paige Erin Wheeler Department of Linguistics The University of

Consonant Patterns in Angait e Paige Erin Wheeler Department of Linguistics The University of

Consonant Patterns in Angait e Paige Erin Wheeler Department of Linguistics The University of Texas at Austin Slides available at: http://bit.ly/wheeler-slides 15 February 2020 Paige Erin Wheeler TLS 2020 Austin, TX 15 February 2020 1 / 20

363 views • 20 slides
To the Typology of Writing Systems Fedorova Liudmila lfvoux@yandex.ru Institute of Linguistics,

To the Typology of Writing Systems Fedorova Liudmila lfvoux@yandex.ru Institute of Linguistics,

To the Typology of Writing Systems Fedorova Liudmila lfvoux@yandex.ru Institute of Linguistics, Russian State University for the Humanities, Moscow G21C2020 Grapholinguistics in the 21st century From graphemes to knowledge The problem

392 views • 26 slides
CVS Tutorial An Introduction to Using C VS Versions System Concurrent * history: when? why? *

CVS Tutorial An Introduction to Using C VS Versions System Concurrent * history: when? why? *

CVS Tutorial An Introduction to Using C VS Versions System Concurrent * history: when? why? * collaboration * examine old revisions * bugfix releases Steve Robbins p. 1/19 CVS Tutorial checkout Repository commit Workspace p.

472 views • 19 slides
Introduction to CVS and NACHOS CSE 120 UCSD 17 January 2007 CSE 120 (UCSD) Introduction to CVS

Introduction to CVS and NACHOS CSE 120 UCSD 17 January 2007 CSE 120 (UCSD) Introduction to CVS

Introduction to CVS and NACHOS CSE 120 UCSD 17 January 2007 CSE 120 (UCSD) Introduction to CVS and NACHOS 17 January 2007 1 / 10 CVS Basics CVS = Concurrent Versions System Designed to: Keep a history of changes made to your

650 views • 17 slides
The CVS Health/ NMF Pharm.D. Scholarship 2019 Application Live Q&A Tuesday, September 17,

The CVS Health/ NMF Pharm.D. Scholarship 2019 Application Live Q&A Tuesday, September 17,

The CVS Health/ NMF Pharm.D. Scholarship 2019 Application Live Q&A Tuesday, September 17, 2019 Hosted by Colleen McLellan (cmclellan@nmfonline.org) About the Scholarship Established in order to support African American students who are

352 views • 11 slides
r t s rs tr

r t s rs tr

r str r tt rs s r st r r rr t t rs

515 views • 35 slides

More recommend