Outline TLAPS Basics 1 2 Tips and Best Practices for Using TLAPS 3 - - PowerPoint PPT Presentation

A Tutorial Introduction to TLAPS

Jael Kriener 1 Tom Rodeheffer 2 Tomer Libal 1

1 2

TLA+ Community Event, ABZ 2014 Toulouse, June 3, 2014

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 1 / 52

Outline

1 TLAPS Basics 2

Tips and Best Practices for Using TLAPS

3

Temporal Reasoning in TLAPS

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 2 / 52

TLAPS in Context

TLA: specification language proof language hierarchical structuring + tactics

TLAPS: proof manager

compiles proofs into obligations SMT solvers (Z3, CVC) 1st-order solvers (Zenon) Isabelle Modal solvers (LS4) ...? TLAPS: proof system TLC: model checker PLUSCAL: pseudo code

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 3 / 52

TLAPS in Context

TLA: specification language proof language hierarchical structuring + tactics

TLAPS: proof manager

compiles proofs into obligations SMT solvers (Z3, CVC) 1st-order solvers (Zenon) Isabelle Modal solvers (LS4) ...?

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 4 / 52

TLAPS in Context

TLAPS essentially does two things:

translate between TLA and the languages that the backend provers understand; help the user break up a theorem P into obligations O1 . . . On, while maintaining the fact that O1 ∧ . . . ∧ On ⇒ P .

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 5 / 52

Talking to ATPs about TLA Specs

Z3, CVC Zenon Isabelle LS4 S M T L I B 2 certificates “abcd” “efgh” “ijkl” “mnop” “ p r s t ” “uvxy”

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 6 / 52

Talking to ATPs about TLA Specs

TLAPS

Z3, CVC Zenon Isabelle LS4

OBVIOUS BY .. DEF .. ASSUME ... PROVE ... CASE PICK WITNESS SUFFICES USE HIDE QED

Proof Language C

• l
• u

r s S M T L I B 2 certificates “abcd” “efgh” “ i j k l ” “mnop” “prst” “uvxy”

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 7 / 52

Hence the way the interface looks:

conversation snipplets of conversations user ⇐ ⇒ TLAPS

TLAPS ⇐

⇒ backend provers

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 8 / 52

TLAPS Proofs

There are two kinds of TLAPS proofs:

• ne-liners

OBVIOUS BY . . . [DEF . . .]

Each one-line proof generates

• ne obligation.

(Or there abouts... )

hierarchical

11 X 21 Y

OBVIOUS . . .

2q QED

BY . . . DEF . . . . . .

1q QED

BY . . . DEF . . .

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 9 / 52

Obligations

An obligation is a claim of the form Γ ⊢ P, which is translated and handed on to the backend provers.

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 10 / 52

Obligations

An obligation is a claim of the form ASSUME Γ

PROVE P,

which is translated and handed on to the backend provers. To prove an obligation, by default, TLAPS will ask:

1

CVC

2

Zenon

3

Isabelle But one can change that...

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 11 / 52

Obligations: Controlling Γ

An obligation is a claim of the form ASSUME Γ

PROVE P,

which is translated and handed on to the backend provers. The TLAPS game is mainly to construct obligations so that:

1

they are true, i.e.:

1

Γ contains all relevant facts), and

2

all relevant definitions are unfolded;

2

they are not too big for the backend provers to handle.

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 12 / 52

Obligations: Controlling Γ

Once one has one’s logic right, the game is to control Γ. By default: all constant-/variable-declarations, with domain-assumptions, are in Γ; no definitions are unfolded.

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 13 / 52

Obligations: Controlling Γ

Once one has one’s logic right, the game is to control Γ.

named & un-named steps

11 X . . . 1 Y . . . 13 Z

(* here Y is in Γ, but X is not *) BY 11 (* here Y and X are in Γ *)

USE & HIDE

The keywords USE resp. HIDE include in resp. remove from Γ steps, theorems or assumptions;

USE [DEF] resp. HIDE [DEF] fold

• resp. unfold definitions in Γ.

Whether a USE- and HIDE-step is named

• r un-named does not matter.

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 14 / 52

Writing a simple Hierarchical Proof

quick recap: EWD 840

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 15 / 52

Writing a simple Hierarchical Proof

The safety-proof has the following structure:

LEMMA Spec ⇒ TerminationDetection (* Dijkstra’s invariant implies correctness *)

11 Inv ⇒ TerminationDetection

(* Dijkstra’s invariant is (trivially) established by the initial condition *)

12 Init ⇒ Inv

(* Dijkstra’s invariant is inductive relative to the type invariant *)

13 TypeOK ∧ Inv ∧ [Next]vars ⇒ Inv′

1q QED

BY 11, 12, 13, TypeOKinv, PTL DEF Spec

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 16 / 52

Writing a simple Hierarchical Proof

writing a simple hierarchical proof

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 17 / 52

Some more Proof Constructs:

WITNESS

When proving a goal of the form:

∃x ∈ S : P(x)

To prove it we can write:

16 WITNESS a ∈ S

for some a already in Γ. The effect is:

1

step 16 needs a proof that a ∈ S;

2

the goal from now on is P(a).

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 18 / 52

Some more Proof Constructs:

PICK

When Γ contains a statement of the form:

∃x ∈ S : P(x)

To use it we can write:

16 PICK a ∈ S : P(a)

for some fresh a. The effect is:

1

we have a new a ∈ S in Γ;

2

using 16 will put P(a) into Γ.

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 19 / 52

Some more Proof Constructs:

SUFFICES

SUFFICES is useful to avoid deeply nested hierarchical proofs:

64 X 7 proof Π 6q QED

BY 64, proof Σ

64 SUFFICES X

proof Σ

65 proof Π 6q QED

BY 64, 65

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 20 / 52

Outline

1 TLAPS Basics 2

Tips and Best Practices for Using TLAPS

3

Temporal Reasoning in TLAPS

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 21 / 52

A simple theorem about sequences

Concat left cancellation: Given three sequences A, B, C where C ◦ A = C ◦ B, it follows that A = B.

◮ Simple, but not trivial. Multiplication, for example, does not have

left cancellation, because you can multiply by zero.

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 22 / 52

A simple theorem about sequences

Concat left cancellation: Given three sequences A, B, C where C ◦ A = C ◦ B, it follows that A = B.

◮ Simple, but not trivial. Multiplication, for example, does not have

left cancellation, because you can multiply by zero.

Write the theorem in TLA

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 22 / 52

A simple theorem about sequences

Concat left cancellation: Given three sequences A, B, C where C ◦ A = C ◦ B, it follows that A = B.

◮ Simple, but not trivial. Multiplication, for example, does not have

left cancellation, because you can multiply by zero.

Write the theorem in TLA As a quantified formula: ∀ S : ∀ A, B, C ∈ Seq(S) : C ◦ A = C ◦ B ⇒ A = B

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 22 / 52

A simple theorem about sequences

Concat left cancellation: Given three sequences A, B, C where C ◦ A = C ◦ B, it follows that A = B.

◮ Simple, but not trivial. Multiplication, for example, does not have

left cancellation, because you can multiply by zero.

Write the theorem in TLA As a quantified formula: ∀ S : ∀ A, B, C ∈ Seq(S) : C ◦ A = C ◦ B ⇒ A = B As an ASSUME-PROVE:

ASSUME NEW S, NEW A ∈ Seq(S), NEW B ∈ Seq(S), NEW C ∈ Seq(S),

C ◦ A = C ◦ B

PROVE A = B

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 22 / 52

Proof attempt 1 - is it obvious - fail

THEOREM ConcatLeftCancel

∆

=

ASSUME NEW S, NEW A ∈ Seq(S), NEW B ∈ Seq(S), NEW C ∈ Seq(S),

C ◦ A = C ◦ B

PROVE

A = B

PROOF

1 QED OBVIOUS

unable to prove it

Figure 1: First proof attempt (unsuccessful).

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 23 / 52

Proof attempt 2 - add some facts - still fail

THEOREM ConcatLeftCancel

∆

=

ASSUME NEW S, NEW A ∈ Seq(S), NEW B ∈ Seq(S), NEW C ∈ Seq(S),

C ◦ A = C ◦ B

PROVE

A = B

PROOF

• 11. Len(A) = Len(B) OBVIOUS

C ◦ A = C ◦ B

• 12. A ∈ [1 . . Len(A) → S] OBVIOUS

A ∈ Seq(S)

• 13. B ∈ [1 . . Len(A) → S] BY 11
• 14. ∀ i ∈ 1 . . Len(A) : A[i] = (C ◦ A)[i + Len(C)] OBVIOUS
• 15. ∀ i ∈ 1 . . Len(A) : B[i] = (C ◦ B)[i + Len(C)] BY 11

1 QED BY 12, 13, 14, 15

unable to prove it

Figure 2: Second proof attempt (also unsuccessful).

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 24 / 52

Proof attempt 3 - another fact - success

THEOREM ConcatLeftCancel

∆

=

ASSUME NEW S, NEW A ∈ Seq(S), NEW B ∈ Seq(S), NEW C ∈ Seq(S),

C ◦ A = C ◦ B

PROVE

A = B

PROOF

• 11. Len(A) = Len(B) OBVIOUS

C ◦ A = C ◦ B

• 12. A ∈ [1 . . Len(A) → S] OBVIOUS

A ∈ Seq(S)

• 13. B ∈ [1 . . Len(A) → S] BY 11
• 14. ∀ i ∈ 1 . . Len(A) : A[i] = (C ◦ A)[i + Len(C)] OBVIOUS
• 15. ∀ i ∈ 1 . . Len(A) : B[i] = (C ◦ B)[i + Len(C)] BY 11
• 16. ∀ i ∈ 1 . . Len(A) : A[i] = B[i] BY 14, 15

1 QED BY 12, 13, 16

Figure 3: Third proof attempt (successful).

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 25 / 52

Proof with better structure

THEOREM ConcatLeftCancel

∆

=

ASSUME NEW S, NEW A ∈ Seq(S), NEW B ∈ Seq(S), NEW C ∈ Seq(S),

C ◦ A = C ◦ B

PROVE

A = B

PROOF

• 11. Len(A) = Len(B) OBVIOUS

C ◦ A = C ◦ B

• 12. A ∈ [1 . . Len(A) → S] OBVIOUS

A ∈ Seq(S)

• 13. B ∈ [1 . . Len(A) → S] BY 11
• 14. ASSUME NEW i ∈ 1 . . Len(A) PROVE A[i] = B[i]
• 21. A[i] = (C ◦ A)[i + Len(C)] OBVIOUS

defn of C ◦ A

• 22. B[i] = (C ◦ B)[i + Len(C)] BY 11

defn of C ◦ B

2 QED BY 21, 22 1 QED BY 12, 13, 14

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 26 / 52

Lessons from proving ConcatLeftCancel

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 27 / 52

Lessons from proving ConcatLeftCancel

The proof centers on showing A = B where A, B are functions

◮ For two functions to be equal, you must show ⋆ they have the same domain ⋆ they have the same value at each point in the domain ◮ It seems this is relatively difficult for TLAPS to conclude Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 27 / 52

Lessons from proving ConcatLeftCancel

The proof centers on showing A = B where A, B are functions

◮ For two functions to be equal, you must show ⋆ they have the same domain ⋆ they have the same value at each point in the domain ◮ It seems this is relatively difficult for TLAPS to conclude

Before writing a subproof, check if TLAPS thinks a fact is obvious

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 27 / 52

Lessons from proving ConcatLeftCancel

The proof centers on showing A = B where A, B are functions

◮ For two functions to be equal, you must show ⋆ they have the same domain ⋆ they have the same value at each point in the domain ◮ It seems this is relatively difficult for TLAPS to conclude

Before writing a subproof, check if TLAPS thinks a fact is obvious When TLAPS fails, try to figure out what specific fact you could provide that it is failing to consider

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 27 / 52

Lessons from proving ConcatLeftCancel

The proof centers on showing A = B where A, B are functions

◮ For two functions to be equal, you must show ⋆ they have the same domain ⋆ they have the same value at each point in the domain ◮ It seems this is relatively difficult for TLAPS to conclude

Before writing a subproof, check if TLAPS thinks a fact is obvious When TLAPS fails, try to figure out what specific fact you could provide that it is failing to consider When introducing a new symbol x, generally it is a good idea to use a domain formula x ∈ S

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 27 / 52

Using the theorem ConcatLeftCancel

Often, what a theorem considers as constant parameters are messy formulas at the point where we wish to apply the theorem. In this example, we conjure up formulas that happen to be sequences, and ask TLAPS to apply ConcatLeftCancel.

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 28 / 52

Use attempt 1 - is it obvious - fail

THEOREM UseConcatLeftCancel

∆

=

ASSUME NEW S, NEW u ∈ Seq(S), NEW v ∈ Seq(S), NEW w ∈ Seq(S), NEW x ∈ Seq(S), NEW m ∈ S, NEW n ∈ S,

u ◦ m, n ◦ v ◦ x = u ◦ m, n ◦ w ◦ x

PROVE

v ◦ x = w ◦ x

PROOF

1 QED BY ConcatLeftCancel

unable to prove it

Figure 5: First use attempt (unsuccessful).

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 29 / 52

Use attempt 2 - add a closure fact - still fail

THEOREM UseConcatLeftCancel

∆

=

ASSUME NEW S, NEW u ∈ Seq(S), NEW v ∈ Seq(S), NEW w ∈ Seq(S), NEW x ∈ Seq(S), NEW m ∈ S, NEW n ∈ S,

u ◦ m, n ◦ v ◦ x = u ◦ m, n ◦ w ◦ x

PROVE

v ◦ x = w ◦ x

PROOF

• 11. u ◦ m, n ∈ Seq(S) OBVIOUS
• closed

1 QED BY 11, ConcatLeftCancel

unable to prove it

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 30 / 52

Use attempt 3 - add more closure facts - still fail

THEOREM UseConcatLeftCancel

∆

=

ASSUME NEW S, NEW u ∈ Seq(S), NEW v ∈ Seq(S), NEW w ∈ Seq(S), NEW x ∈ Seq(S), NEW m ∈ S, NEW n ∈ S,

u ◦ m, n ◦ v ◦ x = u ◦ m, n ◦ w ◦ x

PROVE

v ◦ x = w ◦ x

PROOF

• 11. u ◦ m, n ∈ Seq(S) OBVIOUS
• closed
• 12. v ◦ x ∈ Seq(S) OBVIOUS
• closed
• 13. w ◦ x ∈ Seq(S) OBVIOUS
• closed

1 QED BY 11, 12, 13, ConcatLeftCancel

unable to prove it

Figure 7: Third use attempt (still unsuccessful).

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 31 / 52

Use attempt 4 - add an associativity fact - success

THEOREM UseConcatLeftCancel

∆

=

ASSUME NEW S, NEW u ∈ Seq(S), NEW v ∈ Seq(S), NEW w ∈ Seq(S), NEW x ∈ Seq(S), NEW m ∈ S, NEW n ∈ S,

u ◦ m, n ◦ v ◦ x = u ◦ m, n ◦ w ◦ x

PROVE

v ◦ x = w ◦ x

PROOF

• 11. u ◦ m, n ∈ Seq(S) OBVIOUS
• closed
• 12. v ◦ x ∈ Seq(S) OBVIOUS
• closed
• 13. w ◦ x ∈ Seq(S) OBVIOUS
• closed
• 14. u ◦ m, n ◦ (v ◦ x) = u ◦ m, n ◦ (w ◦ x) OBVIOUS

1 QED BY 11, 12, 13, 14, ConcatLeftCancel

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 32 / 52

Lessons from applying ConcatLeftCancel

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 33 / 52

Lessons from applying ConcatLeftCancel

Common mathematical properties of closure and associativity can be important

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 33 / 52

Lessons from applying ConcatLeftCancel

Common mathematical properties of closure and associativity can be important

◮ Humans are really good at utilizing these properties Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 33 / 52

Lessons from applying ConcatLeftCancel

Common mathematical properties of closure and associativity can be important

◮ Humans are really good at utilizing these properties ◮ Even though TLAPS considered the properties obvious, it was

unable to supply them automatically when trying to prove a deduction that required them

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 33 / 52

Lessons from applying ConcatLeftCancel

Common mathematical properties of closure and associativity can be important

◮ Humans are really good at utilizing these properties ◮ Even though TLAPS considered the properties obvious, it was

unable to supply them automatically when trying to prove a deduction that required them

◮ In my experience, TLAPS has a really difficult time applying

associativity

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 33 / 52

Lessons from applying ConcatLeftCancel

Common mathematical properties of closure and associativity can be important

◮ Humans are really good at utilizing these properties ◮ Even though TLAPS considered the properties obvious, it was

unable to supply them automatically when trying to prove a deduction that required them

◮ In my experience, TLAPS has a really difficult time applying

associativity

When TLAPS fails, try to figure out what specific fact you could provide that it is failing to consider

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 33 / 52

Finite induction over naturals

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 34 / 52

Finite induction over naturals

The ordinary form of induction is simple induction over the naturals, in which a predicate P(i) is proved to hold for all i ∈ Nat.

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 34 / 52

Finite induction over naturals

The ordinary form of induction is simple induction over the naturals, in which a predicate P(i) is proved to hold for all i ∈ Nat.

TLAPS has a libary theorem NatInduction, in the library module

NaturalsInduction, that encapsulates the simple inductive

• argument. For any P( ), given the base case

P(0) and the inductive step ∀ i ∈ Nat : P(i) ⇒ P(i + 1) NatInduction concludes ∀ i ∈ Nat : P(i)

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 34 / 52

Finite induction over naturals - 2

Sometimes we do not want or need to prove that P(i) holds for all i ∈ Nat, but rather only for a finite range i ∈ m..n. This often

• ccurs when proving things about sequences.

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 35 / 52

Finite induction over naturals - 2

Sometimes we do not want or need to prove that P(i) holds for all i ∈ Nat, but rather only for a finite range i ∈ m..n. This often

• ccurs when proving things about sequences.

In such cases, we could, of course, define a more general predicate Q(i)

∆

= i ∈ m..n ⇒ P(i) use NatInduction to prove that Q(i) holds for all i ∈ Nat and then deduce what we want about P( ). But the proof would be cluttered with the transitions of i into and out of m..n.

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 35 / 52

Finite induction over naturals - 2

Sometimes we do not want or need to prove that P(i) holds for all i ∈ Nat, but rather only for a finite range i ∈ m..n. This often

• ccurs when proving things about sequences.

In such cases, we could, of course, define a more general predicate Q(i)

∆

= i ∈ m..n ⇒ P(i) use NatInduction to prove that Q(i) holds for all i ∈ Nat and then deduce what we want about P( ). But the proof would be cluttered with the transitions of i into and out of m..n. A better approach is to define a prove and prove a theorem FiniteNatInduction that explicitly deals with finite induction over the naturals.

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 35 / 52

Setting up the inductive argument

THEOREM FiniteNatInduction

∆

=

ASSUME NEW P( ), predicate NEW m ∈ Nat, start NEW n ∈ Nat, limit

P(m),

base case

∀ i ∈ m . . (n − 1) : P(i) ⇒ P(i + 1)

finite ind hyp PROVE ∀ i ∈ m . . n : P(i) PROOF

1 DEFINE Q(i)

∆

= i ∈ m . . n ⇒ P(i) 1 SUFFICES ∀ i ∈ Nat : Q(i) OBVIOUS

base case

• 11. Q(0) OBVIOUS

inductive step

• 12. ∀ i ∈ Nat : Q(i) ⇒ Q(i + 1)

1 HIDE DEF Q

hide defn of induction predicate

1 QED BY 11, 12, NatInduction

Define the more general predicate Q( ) Use a SUFFICES to change the goal to ∀ i ∈ Nat : Q(i) State the base case and inductive step as facts Hide the definition of the inductive predicate Q( ) Appeal to NatInduction

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 36 / 52

Completing the subproof of the inductive step

THEOREM FiniteNatInduction

∆

=

ASSUME NEW P( ), predicate NEW m ∈ Nat, start NEW n ∈ Nat, limit

P(m),

base case

∀ i ∈ m . . (n − 1) : P(i) ⇒ P(i + 1)

finite ind hyp PROVE ∀ i ∈ m . . n : P(i) PROOF

1 DEFINE Q(i)

∆

= i ∈ m . . n ⇒ P(i) 1 SUFFICES ∀ i ∈ Nat : Q(i) OBVIOUS

base case

• 11. Q(0) OBVIOUS

inductive step

• 12. ∀ i ∈ Nat : Q(i) ⇒ Q(i + 1)
• 21. SUFFICES ASSUME NEW i ∈ Nat, Q(i)

PROVE Q(i + 1) OBVIOUS

22.CASE i + 1 ∈ (m + 1) . . n BY 21, 22 23.CASE i + 1 = m BY 23 24.CASE i + 1 m . . n BY 24 2 QED BY 22, 23, 24 1 HIDE DEF Q

hide defn of induction predicate

1 QED BY 11, 12, NatInduction

Figure 11: Complete proof of FiniteNatInduction. Use SUFFICES ASSUME PROVE to disassemble the universal quantifier and the implication Use CASE to perform a case analysis The cases must cover all possibilities

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 37 / 52

Simplified proof of FiniteNatInduction

THEOREM FiniteNatInduction

∆

=

ASSUME NEW P( ), predicate NEW m ∈ Nat, start NEW n ∈ Nat, limit

P(m),

base case

∀ i ∈ m . . (n − 1) : P(i) ⇒ P(i + 1)

finite ind hyp PROVE ∀ i ∈ m . . n : P(i) PROOF

1 DEFINE Q(i)

∆

= i ∈ m . . n ⇒ P(i) 1 SUFFICES ∀ i ∈ Nat : Q(i) OBVIOUS

base case

• 11. Q(0) OBVIOUS

inductive step

• 12. ∀ i ∈ Nat : Q(i) ⇒ Q(i + 1) OBVIOUS

1 HIDE DEF Q

hide defn of induction predicate

1 QED BY 11, 12, NatInduction

Figure 12: Simplified proof of . It turns out that TLAPS thinks that the inductive step is

• bvious. We neglected to

check this before plunging into the case analysis. Hence the proof can be simplified considerably.

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 38 / 52

Lessons from proving FiniteNatInduction

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 39 / 52

Lessons from proving FiniteNatInduction

Hide the definition of the induction predicate before appealing to the induction theorem

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 39 / 52

Lessons from proving FiniteNatInduction

Hide the definition of the induction predicate before appealing to the induction theorem

◮ More generally, when applying a proof rule containing a NEW Q( )

that must be instantiated with some operator Op, you should hide the definition of Op

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 39 / 52

Lessons from proving FiniteNatInduction

Hide the definition of the induction predicate before appealing to the induction theorem

◮ More generally, when applying a proof rule containing a NEW Q( )

that must be instantiated with some operator Op, you should hide the definition of Op

Use SUFFICES to change the goal

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 39 / 52

Lessons from proving FiniteNatInduction

Hide the definition of the induction predicate before appealing to the induction theorem

◮ More generally, when applying a proof rule containing a NEW Q( )

that must be instantiated with some operator Op, you should hide the definition of Op

Use SUFFICES to change the goal Use SUFFICES ASSUME PROVE to disassemble universal quantifiers and implications

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 39 / 52

Lessons from proving FiniteNatInduction

Hide the definition of the induction predicate before appealing to the induction theorem

◮ More generally, when applying a proof rule containing a NEW Q( )

that must be instantiated with some operator Op, you should hide the definition of Op

Use SUFFICES to change the goal Use SUFFICES ASSUME PROVE to disassemble universal quantifiers and implications Use CASE statements to disassemble the current goal into cases

◮ TLAPS will have to be convinced that all cases are covered ◮ Often it can figure this out on its own, but sometimes you need to

present the fact explicitly

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 39 / 52

Lessons from proving FiniteNatInduction

Hide the definition of the induction predicate before appealing to the induction theorem

◮ More generally, when applying a proof rule containing a NEW Q( )

that must be instantiated with some operator Op, you should hide the definition of Op

Use SUFFICES to change the goal Use SUFFICES ASSUME PROVE to disassemble universal quantifiers and implications Use CASE statements to disassemble the current goal into cases

◮ TLAPS will have to be convinced that all cases are covered ◮ Often it can figure this out on its own, but sometimes you need to

present the fact explicitly

Always check to see if TLAPS can prove a fact (given the necessary predicate facts) before plunging into a subproof

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 39 / 52

Outline

1 TLAPS Basics 2

Tips and Best Practices for Using TLAPS

3

Temporal Reasoning in TLAPS

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 40 / 52

Temporal proofs in TLAPS

A standard safety proof

◮ validation of a temporal formula ◮ mostly action reasoning ◮ temporal reasoning for validating

QED step

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 41 / 52

Temporal proofs in TLAPS

A standard safety proof

◮ validation of a temporal formula ◮ mostly action reasoning ◮ temporal reasoning for validating

QED step

In this talk:

◮ Why quantified temporal formulas can be proved using first-order and propositional temporal backends Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 41 / 52

Temporal proofs in TLAPS

A standard safety proof

◮ validation of a temporal formula ◮ mostly action reasoning ◮ temporal reasoning for validating

QED step

In this talk:

◮ Why quantified temporal formulas can be proved using first-order and propositional temporal backends ◮ How to write the proofs correctly Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 41 / 52

Temporal proofs in TLAPS

A standard safety proof

◮ validation of a temporal formula ◮ mostly action reasoning ◮ temporal reasoning for validating

QED step

In this talk:

◮ Why quantified temporal formulas can be proved using first-order and propositional temporal backends ◮ How to write the proofs correctly ◮ Which formulas can be proved using that ⋆ Note: TLA+ is not complete for

quantified temporal logic.

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 41 / 52

Temporal concepts in TLA+

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 42 / 52

Temporal concepts in TLA+

Semantics

◮ Program Executions Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 42 / 52

Temporal concepts in TLA+

Semantics

◮ Program Executions ◮ States Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 42 / 52

Temporal concepts in TLA+

Semantics

◮ Program Executions ◮ States ◮ Behaviors and suffixes Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 42 / 52

Temporal concepts in TLA+

Semantics

◮ Program Executions ◮ States ◮ Behaviors and suffixes

Syntax

◮ Constant expressions Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 42 / 52

Temporal concepts in TLA+

Semantics

◮ Program Executions ◮ States ◮ Behaviors and suffixes

Syntax

◮ Constant expressions ◮ State expressions Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 42 / 52

Temporal concepts in TLA+

Semantics

◮ Program Executions ◮ States ◮ Behaviors and suffixes

Syntax

◮ Constant expressions ◮ State expressions ◮ Action expressions Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 42 / 52

Temporal concepts in TLA+

Semantics

◮ Program Executions ◮ States ◮ Behaviors and suffixes

Syntax

◮ Constant expressions ◮ State expressions ◮ Action expressions ◮ Temporal expressions Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 42 / 52

Temporal concepts in TLA+

Semantics

◮ Program Executions ◮ States ◮ Behaviors and suffixes

Syntax

◮ Constant expressions ◮ State expressions ◮ Action expressions ◮ Temporal expressions

Logic

◮ First-order [1] [1] Coalescing: Syntactic Abstraction for Reasoning in First-Order Modal Logics Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 42 / 52

Temporal concepts in TLA+

Semantics

◮ Program Executions ◮ States ◮ Behaviors and suffixes

Syntax

◮ Constant expressions ◮ State expressions ◮ Action expressions ◮ Temporal expressions

Logic

◮ First-order [1] ◮ Temporal [1] Coalescing: Syntactic Abstraction for Reasoning in First-Order Modal Logics Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 42 / 52

Temporal concepts in TLA+

Semantics

◮ Program Executions ◮ States ◮ Behaviors and suffixes

Syntax

◮ Constant expressions ◮ State expressions ◮ Action expressions ◮ Temporal expressions

Logic

◮ First-order [1] ◮ Temporal ⋆ PTL [1] Coalescing: Syntactic Abstraction for Reasoning in First-Order Modal Logics Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 42 / 52

Breaking temporal formulas into action formulas

Proving quantified temporal formulas from action formulas and propositional temporal rules.

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 43 / 52

Breaking temporal formulas into action formulas

Proving quantified temporal formulas from action formulas and propositional temporal rules.

◮ find a temporal rule Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 43 / 52

Breaking temporal formulas into action formulas

Proving quantified temporal formulas from action formulas and propositional temporal rules.

◮ find a temporal rule ◮ verify the rule Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 43 / 52

Breaking temporal formulas into action formulas

Proving quantified temporal formulas from action formulas and propositional temporal rules.

◮ find a temporal rule ◮ verify the rule ◮ understand failures Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 43 / 52

How to find the rules

Safety properties - based on variations of the inductive invariant rule:

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 44 / 52

How to find the rules

Safety properties - based on variations of the inductive invariant rule:

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 44 / 52

How to find the rules

Safety properties - based on variations of the inductive invariant rule:

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 44 / 52

How to find the rules

Safety properties - based on variations of the inductive invariant rule:

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 44 / 52

How to find the rules

Safety properties - based on variations of the inductive invariant rule: Other properties - other rules

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 44 / 52

Are the rules sound?

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 45 / 52

Are the rules sound?

Rule is an instance of the PTL rule:

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 45 / 52

Are the rules sound?

Rule is an instance of the PTL rule: Success of PTL backend verifies this

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 45 / 52

Understanding failures

Consider this valid lemma

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 46 / 52

Understanding failures

Consider this valid lemma which seems to be an instance of the PTL rule:

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 46 / 52

Understanding failures

Consider this valid lemma which seems to be an instance of the PTL rule: But it is not, why?

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 46 / 52

Necessitation

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 47 / 52

Necessitation

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 47 / 52

Necessitation

Since 12 holds in all behaviours, it can be boxed This is called necessitation

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 47 / 52

Necessitation

Since 12 holds in all behaviours, it can be boxed This is called necessitation The PTL rules normally requires the application

• f necessitation on the

action steps

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 47 / 52

Necessitation

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 48 / 52

Necessitation

Spec Spec is assumed when proving the proof steps

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 48 / 52

Necessitation

Spec Spec is assumed when proving the proof steps 12 doesn’t hold in all behaviours

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 48 / 52

Necessitation

Spec Spec is assumed when proving the proof steps 12 doesn’t hold in all behaviours Necessitation is not applied

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 48 / 52

Necessitation

Spec Spec is assumed when proving the proof steps 12 doesn’t hold in all behaviours Necessitation is not applied Note: There is a workaround

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 48 / 52

Necessitation and assumptions

Consider the following clearly invalid claim

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 49 / 52

Necessitation and assumptions

Consider the following clearly invalid claim The rule is again an instance

• f the previous PTL rule

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 49 / 52

Necessitation and assumptions

Consider the following clearly invalid claim The rule is again an instance

• f the previous PTL rule

The two hypothesis are valid but the rule is not sound Why? Necessitation fails for 12

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 49 / 52

Necessitation and assumptions

Consider the following clearly invalid claim The rule is again an instance

• f the previous PTL rule

The two hypothesis are valid but the rule is not sound Why? Necessitation fails for 12 Confusing? Necessitation failures are reported in the

• bligation window

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 49 / 52

Necessitation and assumptions II

Now, the claim is valid, even if in a trivial way

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 50 / 52

Necessitation and assumptions II

Now, the claim is valid, even if in a trivial way The proof is idential to the previous one

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 50 / 52

Necessitation and assumptions II

Now, the claim is valid, even if in a trivial way The proof is idential to the previous one This time, necessitation is applied

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 50 / 52

Necessitation and assumptions II

Now, the claim is valid, even if in a trivial way The proof is idential to the previous one This time, necessitation is applied What is the difference?

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 50 / 52

Boxable assumptions

Assumptions P, such that P ⇔ P, allow for necessitation.

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 51 / 52

Boxable assumptions

Assumptions P, such that P ⇔ P, allow for necessitation. We determine this using the following is box algorithm:

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 51 / 52

Boxable assumptions

Assumptions P, such that P ⇔ P, allow for necessitation. We determine this using the following is box algorithm: An assumption proved in the scope of a non-boxed assumption is considered as non-boxed as well

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 51 / 52

Conclusion

TLA+ proofs for quantified temporal formulas - Why and How

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 52 / 52

Conclusion

TLA+ proofs for quantified temporal formulas - Why and How Which:

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 52 / 52

Conclusion

TLA+ proofs for quantified temporal formulas - Why and How Which:

◮ for all safety properties Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 52 / 52

Conclusion

TLA+ proofs for quantified temporal formulas - Why and How Which:

◮ for all safety properties ◮ for liveness properties - still require: Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 52 / 52

Conclusion

TLA+ proofs for quantified temporal formulas - Why and How Which:

◮ for all safety properties ◮ for liveness properties - still require: ⋆ reasoning about ENABLED Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 52 / 52

Conclusion

TLA+ proofs for quantified temporal formulas - Why and How Which:

◮ for all safety properties ◮ for liveness properties - still require: ⋆ reasoning about ENABLED ⋆ some proofs require full quantified temporal reasoning - Ex:

∀x.P(x) ⇔ ∀x.P(x)

Jael K., Tom R. and Tomer L.

TLAPS Tutorial

Toulouse, June 2014 52 / 52