How to translate formula into TLA+ code - tla+

I've written a TLA+ spec of the Towers of Hanoi problem:
TEX
ASCII
------------------------------- MODULE Hanoi -------------------------------
EXTENDS Sequences, Integers
VARIABLE A, B, C
CanMove(x,y) == /\ Len(x) > 0
/\ IF Len(y) > 0 THEN Head(y) > Head(x) ELSE TRUE
Move(x,y,z) == /\ CanMove(x,y)
/\ x' = Tail(x)
/\ y' = <<Head(x)>> \o y
/\ z' = z
Invariant == C /= <<1,2,3>> \* When we win!
Init == /\ A = <<1,2,3>>
/\ B = <<>>
/\ C = <<>>
Next == \/ Move(A,B,C) \* Move A to B
\/ Move(A,C,B) \* Move A to C
\/ Move(B,A,C) \* Move B to A
\/ Move(B,C,A) \* Move B to C
\/ Move(C,A,B) \* Move C to A
\/ Move(C,B,A) \* Move C to B
=============================================================================
The TLA Model checker will solve the puzzle for me when I specify the Invariant formula as an Invariant.
I want to make it a bit less verbose though, ideally I don't want to pass in the unchanged variable to Move(), but I can't figure out how. What I want to do is to write
Move(x,y) == /\ CanMove(x,y)
/\ x' = Tail(x)
/\ y' = <<Head(x)>> \o y
/\ UNCHANGED (Difference of and {A,B,C} and {y,x})
How can I express that in the TLA language?

Instead of variables A, B, C, you should have a single sequence, towers, where the towers are indexes. This would also have the advantage of being generic in the number of towers. Your Next formula would be shorter, too:
CanMove(i,j) == /\ Len(towers[i]) > 0
/\ Len(towers[j]) = 0 \/ Head(towers[j]) > Head(towers[i])
Move(i, j) == /\ CanMove(i, j)
/\ towers' = [towers EXCEPT ![i] = Tail(#),
![j] = <<Head(towers[i])>> \o #]
Init == towers = << <<1,2,3>>, <<>>, <<>> >> \* Or something more generic
Next == \E i, j \in DOMAIN towers: i /= j /\ Move(i, j)
Alternatively, if you want to continue using letters, you can use a record instead of a sequence for towers, and all you need to change in my suggested spec is:
Init == towers = [a |-> <<1, 2, 3>>, b |-> <<>>, c |-> <<>>]

Related

Few questions encountered when trying to implementing a state machine in TLA+

I'm trying to implement a state machine in TLA+, and I encountered a few questions when checking it with TLC.
I think there might be some problems in my spec,and you might not understand what I'm implementing in spec.So I want to explain what I'm doing first.
First,it will read two inputs.In_sentence_seq stand for future command sequence,changing the state of the state machine.In_layer_name stand for input data,and will be used in some specfic states later.And they will turn into variable in_seq and layer_set,maybe after some processes though.
Then,the state machine starts with Init,and then change its state(cur_state) by state_changer when in_seq not empty, or by state_stabler when in_seq empty.After that, do something(meaning only one in actions derived_def_global,rule_head,derived_def_rule,check_statement) depend on cur_state or do nothing if cur_state equals 0.After that,change state by state_changer or state_stabler again.And the state machine will repeat the change state->do something or nothing process again and again.
My spec is written in this way:
----------------------------- MODULE Parser -----------------------------
EXTENDS Integers,Naturals,Reals,Sequences
CONSTANTS in_sentence_seq,in_layer_names
ASSUME /\ in_sentence_seq \in Seq(1..5)
/\ in_layer_names \subseteq 0..10
VARIABLES in_seq,layer_set,cur_state,cur_scope,rule_nums,layer_connection_set
vars == << in_seq,layer_set,cur_state,cur_scope,rule_nums,layer_connection_set >>
layer_range == {{x,y}:x \in 0..10,y \in -1..10}
layer_connection_range == {<<x,y,z>>: x \in layer_range , y \in layer_range , z \in layer_range}
TypeOK == /\ in_seq \in Seq(1..5)
/\ layer_set \subseteq layer_range
/\ cur_state \in 0..5
/\ cur_scope \in -1..10
/\ rule_nums \in 0..10
/\ layer_connection_set \subseteq layer_connection_range
Init == /\ in_seq = in_sentence_seq
/\ layer_set = {{x,y}:x \in in_layer_names,y \in {-1}}
/\ cur_state = 0
/\ cur_scope = -1
/\ rule_nums = 0
/\ layer_connection_set = {}
state_changer == /\ Len(in_seq) >= 1
/\ cur_state' = Head(in_seq)
/\ in_seq' = Tail(in_seq)
/\ UNCHANGED << layer_set,cur_scope,rule_nums,layer_connection_set >>
state_stabler == /\ Len(in_seq) = 0
/\ cur_state'= 0
/\ UNCHANGED << in_seq,layer_set,cur_scope,rule_nums,layer_connection_set >>
scope_changer == /\ cur_state = 5
/\ cur_scope' = -1
/\ UNCHANGED << in_seq,layer_set,cur_state,rule_nums,layer_connection_set >>
derived_def_global ==
LET
temp_num == CHOOSE x \in 0..10: {x,-1} \notin layer_set
temp == {temp_num,-1}
temp_one_num == CHOOSE x \in 0..10: {x,-1} \in layer_set
temp_two_num == CHOOSE x \in 0..10: {x,-1} \in (layer_set\{temp})
temp_one == {temp_one_num,-1}
temp_two == {temp_two_num,-1}
IN
/\ cur_state = 1
/\ cur_scope = -1
/\ layer_set' = layer_set \union temp
/\ layer_connection_set' = layer_connection_set \union {<<temp_one,temp_two,temp>>}
/\ UNCHANGED << in_seq,cur_state,cur_scope,rule_nums >>
rule_head == /\ cur_state = 2
/\ cur_scope' = drc_rule_nums
/\ rule_nums' = rule_nums + 1
/\ UNCHANGED << in_seq,layer_set,cur_state,layer_connection_set >>
derived_def_rule ==
LET
temp_num == CHOOSE x \in 0..10: {x,rule_nums} \notin layer_set
temp_one == CHOOSE z \in {{x,y}: x \in 0..10, y \in {-1,rule_nums}}: z \in layer_set
temp_two == CHOOSE z \in {{x,y}: x \in 0..10, y \in {-1,rule_nums}}: z \in (layer_set\{temp_one})
temp == {temp_num,rule_nums}
IN
/\ cur_state = 3
/\ layer_set' = layer_set \union temp
/\ layer_connection_set' = layer_connection_set \union {<<temp_one,temp_two,temp>>}
/\ UNCHANGED << in_seq,cur_state,cur_scope,rule_nums >>
check_statement ==
LET
temp_num == CHOOSE x \in 0..10: {x,rule_nums} \notin layer_set
temp_one == CHOOSE z \in {{x,y}: x \in 0..10, y \in {-1,rule_nums}}: z \in layer_set
temp_two == CHOOSE z \in {{x,y}: x \in 0..10, y \in {-1,rule_nums}}: z \in (layer_set\{temp_one})
temp == {temp_num,rule_nums}
IN
/\ cur_state = 4
/\ layer_set' = layer_set \union temp
/\ layer_connection_set' = layer_connection_set \union {<<temp_one,temp_two,temp>>}
/\ UNCHANGED << in_seq,cur_state,cur_scope,rule_nums >>
Next == state_changer \/ state_stabler \/ scope_changer \/ derived_def_global \/ rule_head \/ derived_def_rule \/ check_statement
Spec == Init /\ [][Next]_vars
=============================================================================
I check my spec using in_layer_names <- {1,2,3,4} and in_sentence_seq <- <<1,2,3,4,5>>.Both in ordinary assignments.
And my problems are as follows:
1.TLC reports actions derived_def_global,derived_def_rule,check_statement are never enabled.
2.TLC reports error no.1 that my spec is attempting to compare integer 0 with non-integer:
{-1, 3}.
3.TLC reports error no.2 occurred when TLC was evaluating the nested
expressions in line 75 and 76.
I wonder how to rewrite my spec to make it run as what I think and solve these problems.And I hope my silly descriptions and problems won't bother you and make you angry.(
Thank you.
As per my comment, you may solve some of your problems (and get closer to the system you are trying to model) by replacing CHOOSE with \E. For example, you could rewrite check_statement this way:
check_statement ==
\E temp_num \in 0..10:
/\ {temp_num,rule_nums} \notin layer_set
/\ \E temp_one \in {{x,y}: x \in 0..10, y \in {-1,rule_nums}}:
/\ temp_one \in layer_set
/\ \E temp_two \in ...:
/\ ...
This is a good idea because in TLA+ CHOOSE performs an arbitrary but deterministic choice, and I suspect you actually want to explore every possible choice.

How to check if a decision tree satisfies an invariant?

I know the decision tree and what the invariant is (if that's the right term). All the other definitions used (UsingTor, UsingProxy, etc. can be anything). How can I use TLA+ to check if every leaf of the decision tree satisfies the invariant?
I would know how to do this if the decision tree was a sequence of states: I'd check if it always ends up in a state satisfying this invariant. Not sure how to do this though.
Invariant ==
/\ UsingTor => UsingProxy
/\ UsingProxy => UsingTor
/\ UsingProxy => UsingBlockingClient
/\ UsingBlockingClient => UsingProxy
/\ ToldToUseLocalBitcoinNode => ~ConfiguredToIgnoreLocalBtc
/\ ConfiguredToIgnoreLocalBtc => ~ToldToUseLocalBitcoinNode
/\ ToldToUseLocalBitcoinNode => ~UsingProxy
/\ ~ToldToUseLocalBitcoinNode => DisableUseOfLocalBtcNode
DecisionTree ==
\/ /\ UsingProxy
/\ \/ /\ ConfiguredToIgnoreLocalBtc
/\ UsingBlockingClient
\/ /\ ~ConfiguredToIgnoreLocalBtc
/\ UsingBlockingClient
/\ UsingProxy
/\ ~ToldToUseLocalBitcoinNode => DisableUseOfLocalBtcNode
\/ /\ ~UsingProxy
/\ ~UsingTor
/\ ~UsingBlockingClient
See this example that shows how to use ASSUME to assert some simple mathematical/constant formulas: https://github.com/tlaplus/Examples/blob/master/specifications/SpecifyingSystems/SimpleMath/SimpleMath.tla

Reproducing deadlock in TLA+

I'm trying to reproduce a deadlock from Herlihy's "The Art of Multiprocessor Programming" in TLA+. In the following code when a thread wants to acquire a lock it marks itself as a victim and proceed only when another thread becomes a victim. There is a deadlock here if another thread never comes.
class LockTwo implements Lock {
private int victim;
public void lock() {
int i = ThreadID.get();
victim = i; // let the other go first
while (victim == i) {} // wait
}
public void unlock() {}
}
The TLA+ spec is as follows:
------------------------------ MODULE LockTwo ------------------------------
CONSTANT Thread
VARIABLE victim, owner, wasVictim
Null == CHOOSE v: v \notin Thread
Init ==
/\ victim = Null
/\ owner = [t \in Thread |-> FALSE]
/\ wasVictim = [t \in Thread |-> FALSE]
TypeOK ==
/\ victim \in Thread \cup {Null}
/\ owner \in [Thread -> BOOLEAN]
/\ wasVictim \in [Thread -> BOOLEAN]
BecomeVictim(t) ==
/\ wasVictim[t] = FALSE
/\ owner[t] = FALSE
/\ victim' = t
/\ wasVictim' = [wasVictim EXCEPT ![t] = TRUE]
/\ UNCHANGED owner
AcquireLock(t) ==
/\ wasVictim[t] = TRUE
/\ victim # t
/\ owner' = [owner EXCEPT ![t] = TRUE]
/\ wasVictim' = [wasVictim EXCEPT ![t] = FALSE]
/\ UNCHANGED victim
ReleaseLock(t) ==
/\ owner[t] = TRUE
/\ owner' = [owner EXCEPT ![t] = FALSE]
/\ UNCHANGED <<victim, wasVictim>>
Next ==
\E t \in Thread: BecomeVictim(t) \/ AcquireLock(t) \/ ReleaseLock(t)
MutualExclusion ==
\A t1, t2 \in Thread: (t1 # t2) => ~ (owner[t1] /\ owner[t2])
EventualSuccess ==
\A t \in Thread: (victim = t) ~> owner[t]
Spec == Init /\ [][Next]_<<victim, owner, wasVictim>> /\ EventualSuccess
=============================================================================
TLA spec runs fine with Thread = {t1, t2} where t1 and t2 are model values.
How to make TLA to report a deadlock?
See answer by Leslie Lamport on the semi-official Google Group: https://groups.google.com/forum/#!topic/tlaplus/rp5cE4IzEnM
(Mirror: http://discuss.tlapl.us/msg03229.html)

Check that system passes all the states

A variable state stands for state of a system, for instance state \in {"ready", "prepare", "do", "cleanup", "done"}. How to express condition that state should eventually pass all the five states (in any order)?
Working example (accepted answer):
EXTENDS Naturals
VARIABLE n
Init == n = 1
Next == IF n < 3 THEN n' = n + 1 ELSE n' = n
Spec == Init /\ [][Next]_<<n>> /\ WF_<<n>>(Next)
Check == \A s \in {1,2,3}: <>(s = n) \* This goes: Model Overview >
\* > "What to check?" > Properties
Given States = {"ready", "prepare", "do", "cleanup", "done"}, you can check that it reaches some given state with
<>(state = "ready")
And you can check that it reaches all states with
\A s \in States: <>(state = s)

Haskell building a 'square' map with '#'s in especific cells and calculate empty cells

I'm doing a game for a class, and in one task I need to do a square (it's the 'map') that all I know is the dimension (size of each side) and then I want to calculate the cells I need to replace with a 'value'.
For example, a square with dimension 9 will look like this:
# # # # # # # # #
# _ _ v v v _ _ #
# _ # V # v # _ #
# v v v v v v v #
# v # v # v # v #
# v v v v v v v #
# _ # v # v # _ #
# _ _ v v v _ _ #
# # # # # # # # #
First and last lines allways full with # (walls)
Second line and penultimate lines: allways begins with # and two empty spaces _.
Third and antepenultimate lines: empty space in 2nd and before the last column, and # at every 2nd column.
Then I have always one line without # in middle, and one with those # in every 2 spaces.
So, I need to build a function that calculate the vs. I have on that map, just receiving the Dimension :: Int (in this case was 9 and the function calcV (example of name to the function) would return 28)..
Below is my code that I tried. The square always has odd dimensions and equal or higher then 5, so I did the 5 case, and then a function that I expected would calculate what I want to all other possible values.
But it gives me:
Exception: stack overflow in ghci
Does anyone know what I did wrong in this code?
calcv :: Int -> Int -> Int -> Int
calcv 5 _ _ = 0
calcv d l c -- the l and c will be given has 1(first line/first column) (d will be the dimension)
| (l==1) = 0 + calcv d (l+1) 1
| (l==(d-1)) || (l==2) && (c==1) || (c==2) || (c==3) || (c==(d-2)) || (c==(d-1)) = 0 + calcv d l (c+1)
| (l==(d-1)) || (l==2) && (c>3) && (c<(d-2)) = if even c then 1 + calcv d l (c+1) else calcv d l (c+1)
| (l==(d-1)) || (l==2) && (c==d) = calcv d (l+1) 1
| (l==3) || (l==(d-2)) && (c==1) || (c==2) || (c==3) || (c==(d-2)) || (c==(d-1)) = calcv d l (c+1)
| (l==3) || (l==(d-2)) && (c>3) && (c<(d-2)) = if even c then 1 + calcv d l (c+1) else calcv d l (c+1)
| (l==3) || (l==(d-2)) && (c==d) = calcv d (l+1) 1
| (l==d) = 0
When faced with a problem like this, try to break it down into smaller pieces, and see how to express it with Haskell’s existing tools (like list comprehensions, map, filter, and foldr) before writing a recursive function.
First, you want to generate a square list of lists of length n, where every cell is some function of the row and column indices:
makeMap :: Int -> [[Char]]
makeMap n
| even n || n < 5
= error "makeMap: invalid size"
| otherwise = [[cellAt row col | col <- [1 .. n]] | row <- [1 .. n]]
You could also define this with type Int -> [Char] if you don’t care about separating the rows, or if you want a single index into the whole map. You can also define it in terms of map rather than list comprehensions. I’ll leave those as exercises.
Now you can define the cell at a particular position by providing an implementation of cellAt:
where
cellAt :: Int -> Int -> Char
I won’t enumerate all the cases, since this is a homework problem, but here are a couple to get you started:
-- Produce a border whenever row=1, col=1, row=n, or col=n.
cellAt 1 _ = '#'
cellAt _ 1 = '#'
cellAt row col
| row == n || col == n
= '#'
-- Handle other cases here.
| ...
Then it looks like you want to count the number of v cells, which you can do by iterating over the map:
countV :: [[Char]] -> Int
countV rows = sum [sum [1 | 'v' <- row] | row <- rows]
calcV :: Int -> Int
calcV n = countV (makeMap n)
If your instructor wants a single function, a good exercise would be to manually inline the definitions of countV and makeMap into calcV. But it’s generally easier to write small, simple functions that you can compose to solve larger problems.

Resources