Let’s say you want to specify Timer in TLA+ which counts
down 5 minutes of time.
---------------------------------MODULE TIMER --------------------------------------
EXTENDS Naturals
VARIABLE minutes
CHECK == minutes \in (0..5)
INIT == minutes = 5
NEXT == IF minutes > 0
THEN minutes' = minutes - 1
ELSE minutes' = minutes
SPEC == INIT /\ [][NEXT]_<<minutes>>
====================================================================================Code listed above shows TLA+ specification for the same,
assuming you want minutes to decrease by 1 in single step
until it reaches 0. Ideally you want SPEC to
be INIT /\ []NEXT representing system behavior as shown in
figure.
But alas TLA+ doesn’t allow it. It requires you to
account for stuttering steps which forces you to change
SPEC to
INIT /\ [][NEXT]_<<minutes>>. Some of system
behavior satisfying SPEC is shown below.
Next you want to check temporal formula (property) that
eventually minutes will be 0 always. You add
PROP == <>[](minutes = 0) (<>[]
means eventually always) to module and proceed to model
check. TLA+ model checker points out that temporal formula
is not satisfiable and gives counterexample system behavior - which
stutters infinitely after counting down to 1.
We will look into how to avoid this but for now let’s explore why
stuttering steps are enforced in TLA+.
TLA+ makes it easy to specify systems hierarchically.
Suppose we have hierarchy of specifications S1, S2, … , Sn of a system
where S1 is high
level specification and Sn is low level
specification. To connect between them we need to verify that Sn is correct
implementation (low level details) of high level specification S1. This is done by
showing that S2 is
refinement of S1,
S3 is refinement of
S2 so on.
Let’s look at concept of refinement through an example. Suppose you implemented Timer counting seconds.
-------------------------------- MODULE TIMER2 -------------------------------------
EXTENDS Naturals
VARIABLE minutes, seconds
CHECK == /\ /\ seconds \in (0..59)
/\ minutes \in (0..5)
/\ minutes = 0 => seconds = 0
INIT == minutes = 5 /\ seconds = 0
DECRMINUTES ==
/\ seconds = 59
/\ minutes' = minutes - 1
/\ seconds' = 0
INCRSECONDS ==
/\ minutes > 0
/\ seconds < 59
/\ seconds' = seconds + 1
/\ minutes' = minutes
NEXT == \/ DECRMINUTES
\/ INCRSECONDS
\/ /\ minutes = 0
/\ minutes' = minutes
/\ seconds' = seconds
SPEC == INIT /\ [][NEXT]_<<minutes, seconds>>
====================================================================================To verify that TIMER2 is refinement of
TIMER we add following definition in TIMER2
module and model check that SPECIFICAION SPEC implies
PROPERTY RSPEC.
RTIMER == INSTANCE TIMER
RSPEC == RTIMER!SPECTLA+ model checker validates refinement as success. Part
of why refinement worked out without any ceremony is TLA+
insisted about stuttering steps in high level specification. Through
refinement we want to show that for every system behavior of
TIMER2 there is corresponding system behavior of
TIMER which can be shown by converting
INCRSECONDS to stuttering steps of high level specification
and hiding state of seconds (see illustrations).
We say that system behaves not as specified by
INIT /\ [][NEXT]_<<minutes>> but with a
modification - there can be finite but arbitrary large number of
stuttering steps. WF_minutes(NEXT) is one of ways of
enforcing this - It is always case that if NEXT is enabled
(system can take NEXT step) forever then NEXT
must eventually happen.
We change system specification to
SPEC == INIT /\ [][NEXT]_<<minutes>> /\ WF_minutes(NEXT)
and model check PROP again. This time it succeeds.