github.com/ari-anchor/sei-tendermint@v0.0.0-20230519144642-dc826b7b56bb/spec/consensus/proposer-based-timestamp/tla/Apalache.tla

github.com/ari-anchor/sei-tendermint@v0.0.0-20230519144642-dc826b7b56bb/spec/consensus/proposer-based-timestamp/tla/Apalache.tla (about)

     1  --------------------------- MODULE Apalache -----------------------------------
     2  (*
     3   * This is a standard module for use with the Apalache model checker.
     4   * The meaning of the operators is explained in the comments.
     5   * Many of the operators serve as additional annotations of their arguments.
     6   * As we like to preserve compatibility with TLC and TLAPS, we define the
     7   * operator bodies by erasure. The actual interpretation of the operators is
     8   * encoded inside Apalache. For the moment, these operators are mirrored in
     9   * the class at.forsyte.apalache.tla.lir.oper.ApalacheOper.
    10   *                                                                          
    11   * Igor Konnov, Jure Kukovec, Informal Systems 2020-2021                    
    12   *)
    13  
    14  (**
    15   * An assignment of an expression e to a state variable x. Typically, one
    16   * uses the non-primed version of x in the initializing predicate Init and
    17   * the primed version of x (that is, x') in the transition predicate Next.
    18   * Although TLA+ does not have a concept of a variable assignment, we find
    19   * this concept extremely useful for symbolic model checking. In pure TLA+,
    20   * one would simply write x = e, or x \in {e}.
    21   *
    22   * Apalache automatically converts some expressions of the form
    23   * x = e or x \in {e} into assignments. However, if you like to annotate
    24   * assignments by hand, you can use this operator.
    25   *
    26   * For a further discussion on that matter, see:
    27   * https://github.com/informalsystems/apalache/blob/ik/idiomatic-tla/docs/idiomatic/assignments.md
    28   *)
    29  x := e == x = e
    30  
    31  (**
    32   * A generator of a data structure. Given a positive integer `bound`, and
    33   * assuming that the type of the operator application is known, we
    34   * recursively generate a TLA+ data structure as a tree, whose width is
    35   * bound by the number `bound`.
    36   *
    37   * The body of this operator is redefined by Apalache.
    38   *)
    39  Gen(size) == {}
    40  
    41  (**
    42   * Convert a set of pairs S to a function F. Note that if S contains at least
    43   * two pairs <<x, y>> and <<u, v>> such that x = u and y /= v,
    44   * then F is not uniquely defined. We use CHOOSE to resolve this ambiguity.
    45   * Apalache implements a more efficient encoding of this operator
    46   * than the default one.
    47   *
    48   * @type: Set(<<a, b>>) => (a -> b);
    49   *)
    50  SetAsFun(S) ==
    51      LET Dom == { x: <<x, y>> \in S }
    52          Rng == { y: <<x, y>> \in S }
    53      IN
    54      [ x \in Dom |-> CHOOSE y \in Rng: <<x, y>> \in S ]
    55  
    56  (**
    57   * As TLA+ is untyped, one can use function- and sequence-specific operators
    58   * interchangeably. However, to maintain correctness w.r.t. our type-system,
    59   * an explicit cast is needed when using functions as sequences.
    60   *)
    61  LOCAL INSTANCE Sequences
    62  FunAsSeq(fn, maxSeqLen) == SubSeq(fn, 1, maxSeqLen)
    63  
    64  (**
    65   * Annotating an expression \E x \in S: P as Skolemizable. That is, it can
    66   * be replaced with an expression c \in S /\ P(c) for a fresh constant c.
    67   * Not every exisential can be replaced with a constant, this should be done
    68   * with care. Apalache detects Skolemizable expressions by static analysis.
    69   *)
    70  Skolem(e) == e
    71  
    72  (**
    73   * A hint to the model checker to expand a set S, instead of dealing
    74   * with it symbolically. Apalache finds out which sets have to be expanded
    75   * by static analysis.
    76   *)
    77  Expand(S) == S
    78  
    79  (**
    80   * A hint to the model checker to replace its argument Cardinality(S) >= k
    81   * with a series of existential quantifiers for a constant k.
    82   * Similar to Skolem, this has to be done carefully. Apalache automatically
    83   * places this hint by static analysis.
    84   *)
    85  ConstCardinality(cardExpr) == cardExpr
    86  
    87  (**
    88   * The folding operator, used to implement computation over a set.
    89   * Apalache implements a more efficient encoding than the one below.
    90   * (from the community modules).
    91   *)
    92  RECURSIVE FoldSet(_,_,_)
    93  FoldSet( Op(_,_), v, S ) == IF S = {}
    94                              THEN v
    95                              ELSE LET w == CHOOSE x \in S: TRUE
    96                                    IN LET T == S \ {w}
    97                                        IN FoldSet( Op, Op(v,w), T )
    98  
    99  (**
   100   * The folding operator, used to implement computation over a sequence.
   101   * Apalache implements a more efficient encoding than the one below.
   102   * (from the community modules).
   103   *)
   104  RECURSIVE FoldSeq(_,_,_)
   105  FoldSeq( Op(_,_), v, seq ) == IF seq = <<>>
   106                                THEN v
   107                                ELSE FoldSeq( Op, Op(v,Head(seq)), Tail(seq) )
   108  
   109  ===============================================================================