Why is TLC reporting errors on valid states?
I have the following specification for a queue:
------------------------------- MODULE queue -------------------------------
EXTENDS Naturals
CONSTANT L (* The fixed max length of the queue *)
VARIABLE q (* Represents the queue as the number of items in it *)
----------------------------------------------------------------------------
TypeInvariant == q >= 0 /\ q <= L
----------------------------------------------------------------------------
Init == q = 0
NoOp == q' = q (* Queue unchanged *)
Enqueue == q' = q + 1 (* Element added *)
Dequeue == q' = IF q = 0 THEN q ELSE q - 1 (* Element removed *)
Next == NoOp \/ Enqueue \/ Dequeue
----------------------------------------------------------------------------
Spec == Init /\ [][Next]_q
----------------------------------------------------------------------------
THEOREM Spec => TypeInvariant
============================================================================
When I run TLC with the following values for constants:
L <- 3
And these contraints:
INVARIANT
TypeInvariant
It reports these errors:
But the specification allows values in (0 .. L), so why is TLC reporting q=1, q=2, q=3, q=4 as invalid states?
The error trace output is the following:
<<
[
_TEAction |-> [
position |-> 1,
name |-> "Initial predicate",
location |-> "Unknown location"
],
q |-> 0
],
[
_TEAction |-> [
position |-> 2,
name |-> "Enqueue",
location |-> "line 18, col 12 to line 18, col 21 of module queue"
],
q |-> 1
],
[
_TEAction |-> [
position |-> 3,
name |-> "Enqueue",
location |-> "line 18, col 12 to line 18, col 21 of module queue"
],
q |-> 2
],
[
_TEAction |-> [
position |-> 4,
name |-> "Enqueue",
location |-> "line 18, col 12 to line 18, col 21 of module queue"
],
q |-> 3
],
[
_TEAction |-> [
position |-> 5,
name |-> "Enqueue",
location |-> "line 18, col 12 to line 18, col 21 of module queue"
],
q |-> 4
]
>>
How is one supposed to recognize those that are considered errors and those which are not from this trace? The interface shows no red light on q=0.
Solution
- A red cell indicates that the value of the variable changed in this state compared to its previous value (see https://tla.msr-inria.inria.fr/tlatoolbox/doc/model/executing-tlc.html). Red does not indicate that states are not valid!
- The prefix of an (infinite) behavior -reported by the trace explorer as an error trace- does not satisfy the (safety) property
TypeInvariantbecauseTypeInvariantdoes not allowq=4.
By the way, the TLA+ group is a much better place to ask questions.
- Programmatically skip a test in RSpec
- What, exactly, is the total number of characters in C's "basic execution character set"?
- Good tools for writing rest api technical especification
- Intershop Enfinity Suite 6 API specs / docs / info
- What does it means by "the following additional names" in the ECMA-262 specification?
- What is the value of the css 'ex' unit?
- How does HTML parser interact with Speculative parser
- Concatenating values of Json only when inputted via Jolt
- JOLT SPEC: Shift into existing array
- How to revers a seq relation in Alloy
- Specifications other than OpenAPI Specification to document a restful API
- Specification/Predicate to Search Nested Objects
- Spring boot SUM(column) with specification
- JOLT SPEC for Filtering on two Conditions
- Spring Data JPA. How to get only a list of IDs from findAll() method
- Gif File Specification - Comment property of frames
- Where can I find SQL language specification
- Error in Bluetooth specification? Heading field of Location and Speed
- onEdit() dependent on more than 1 variable
- What characters are allowed in an HTML attribute name?
- Joining multiple tables in Criteria ruins the expected output
- How do bluetooth speakers / headsets / devices exchange battery level information? (especially with an Android device)
- Is it valid to write '<' and '>' in HTML5 with spaces surrounding them or must they always be written as HTML entities?
- Any reason to write the "private" keyword in C#?
- Does anyone know details about PERM-AR-DO?
- What does "c14n" mean?
- Dialyzer: Unknown Type re:mp()
- Where is the official specification for XPath syntax?
- Tools for describing JSON schemas
- date command is giving erroneous output while using inside rpm spec file