TLA+ Toolbox error when running a model: overridden value Nat

Time: 2017-10-15 22:24:19

Tags: configuration-files model-checking tla+ tlc

For a few days I have been hitting the following error in the TLA+ Toolbox in various situations:

"Attempted to compute the number of elements in the overridden value Nat.".

Below is the simplest module I have come up with that reproduces the problem. I have seen some mentions of overridden values, but I cannot see what I am doing in the spec that causes this.

Has anyone seen this error, or can anyone explain what I am missing?

-------------------------------- MODULE foo --------------------------------
EXTENDS Naturals

VARIABLE Procs

Init == Procs = 1..5
Next == /\ Procs' = 1..5

Entries == [ i \in Procs |-> [ j \in {} |-> 0] ]
TypeOK == Entries \in [ Procs -> [ (SUBSET Nat) -> Nat ] ]

=============================================================================

With TypeOK set as an invariant, I get the full error

Attempted to compute the number of elements in the overridden value Nat.
While working on the initial state:
Procs = 1..5

1 answer:

Answer 0 (score: 3)

TLC cannot evaluate the set Nat because it is infinite (see also the overridden module Naturals.tla). Replacing Nat with a finite set via the configuration file is one possible workaround.

After doing so, the result is that TypeOK is FALSE, because DOMAIN Entries = Procs and Procs # SUBSET Nat. In other words, the set [ (SUBSET Nat) -> Nat ] contains functions each of whose domain equals SUBSET Nat. The intention was probably instead the set of functions whose domain equals some subset of Nat. This is done with TypeOKChanged below.

-------------------------------- MODULE foo --------------------------------
EXTENDS Naturals

VARIABLE Procs

Init == Procs = 1..5
Next == Procs' = 1..5

Entries == [ i \in Procs |-> [ j \in {} |-> 0] ]
TypeOK == Entries \in [ Procs -> [ (SUBSET Nat) -> Nat ] ]

TypeOKChanged == Entries \in [ Procs -> UNION {[Dom -> Nat]:  Dom \in SUBSET Nat} ]

NatMock == 0..6
=============================================================================

and the configuration file foo.cfg

INIT Init
NEXT Next

CONSTANTS Nat <- NatMock
INVARIANT TypeOKChanged

Output

$ tlc2 foo.tla
TLC2 Version 2.09 of 10 March 2017
Running in Model-Checking mode with 1 worker.
Parsing file foo.tla
Parsing file ~/tlatools/tla/tla2sany/StandardModules/Naturals.tla
Semantic processing of module Naturals
Semantic processing of module foo
Starting... (2017-10-15 16:00:06)
Computing initial states...
Finished computing initial states: 1 distinct state generated.
Model checking completed. No error has been found.
  Estimates of the probability that TLC did not check all reachable states
  because two distinct states had the same fingerprint:
  calculated (optimistic):  val = 5.4E-20
  based on the actual fingerprints:  val = 1.1E-19
2 states generated, 1 distinct states found, 0 states left on queue.
The depth of the complete state graph search is 1.
Finished in 03s at (2017-10-15 16:00:09)

Proofs involving the infinite set Nat can be carried out with the theorem prover TLAPS. See also Sec. 14.2.3, "Don't Reinvent Mathematics", on pp. 234--235 of the TLA+ book.
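As an added illustration (not part of the question or the answer above), the following Python models both type-check sets over a small constructed stand-in for Nat and evaluates the membership of Entries in each, which shows why TypeOK is FALSE while TypeOKChanged is TRUE once Nat is overridden by a finite set. The names subset, in_func_set, type_ok and type_ok_changed are this example's own.

```python
from itertools import combinations

# Constructed finite stand-in for Nat, playing the role of `Nat <- NatMock`
# (kept smaller than 0..6 so that SUBSET Nat stays tiny: 8 subsets here).
NAT = frozenset(range(3))
# Procs = 1..5 as in the Init predicate of the module above.
PROCS = frozenset(range(1, 6))


def subset(s):
    # SUBSET s: the power set of s, each subset as a frozenset.
    items = sorted(s)
    return frozenset(frozenset(c) for r in range(len(items) + 1)
                     for c in combinations(items, r))


# A TLA+ function is modelled as a dict; DOMAIN f is its key set.
def entries():
    # Entries == [ i \in Procs |-> [ j \in {} |-> 0 ] ]: every process maps
    # to the empty function (the one whose domain is {}).
    return {i: {} for i in PROCS}


def in_func_set(f, dom, in_codomain):
    # f \in [dom -> S] holds iff DOMAIN f = dom and every f[x] is in S.
    return frozenset(f.keys()) == dom and all(in_codomain(v) for v in f.values())


def in_nat(v):
    return v in NAT


def type_ok(e):
    # TypeOK: e \in [ Procs -> [ (SUBSET Nat) -> Nat ] ].  The inner
    # functions must have domain *equal to* SUBSET Nat, i.e. be indexed by
    # every subset of Nat at once.
    return in_func_set(e, PROCS,
                       lambda g: in_func_set(g, subset(NAT), in_nat))


def type_ok_changed(e):
    # TypeOKChanged: e \in [ Procs -> UNION {[Dom -> Nat] : Dom \in SUBSET Nat} ].
    # The inner functions may have *some* subset of Nat as domain, {} included.
    return in_func_set(e, PROCS,
                       lambda g: any(in_func_set(g, dom, in_nat)
                                     for dom in subset(NAT)))


if __name__ == "__main__":
    e = entries()
    print("TypeOK        :", type_ok(e))          # False
    print("TypeOKChanged :", type_ok_changed(e))  # True
```

The last assertion-style case worth trying by hand is an inner function keyed by every subset of NAT: only such a function satisfies type_ok, which is exactly what the original TypeOK demands of each Entries[i].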