forked from tlaplus-workshops/ewd998
-
Notifications
You must be signed in to change notification settings - Fork 0
/
IncDec.tla
63 lines (49 loc) · 1.11 KB
/
IncDec.tla
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
Apalache is the new kid on the block. Where TLC
implements finite-state model-checking, Apalache
implements bounded model-checking. Apalache
underpins a powerful SMT solver that can answer
queries such as \E n \in 1..Nat : n \in Nat
without enumerating the values of n (TLC won't
even try to enumerate Nat).
Let's see the different powers of Apalache and
TLC...
### Run tools
$ apalache-mc check --inv=Inv --length=10 \
IncDec.tla
$ tlc -config IncDec.tla IncDec.tla
### Quick demo
1) Check spec as is
2) Increment --length to 11
3) Increment Inv and --length to 1000
4) Change Init to v \in Nat
4a) Go Apalache!
(But no longer useful counter-examples
when checking inductive invariants)
4b) TLC gives up
(Workaround: Randomization.tla with
RandomSubset(42,0..10000000))
---- MODULE IncDec ----
EXTENDS Integers, Randomization
VARIABLE
\* @type: Int;
v
Init ==
/\ v = 0
Inc ==
/\ v >= 0
/\ v' = v + 1
Dec ==
/\ v <= 0
/\ v' = v - 1
Next ==
\/ Inc
\/ Dec
Inv ==
/\ v < 10
/\ v > -10
====
---- CONFIG IncDec ----
INIT Init
NEXT Next
INVARIANT Inv
====