Introduce runs

[konnov]

Closes #344. This PR introduces the concept of a run, which is not explicitly present in TLA+. I kind of skipped the discussions and ADR phase here and went straight to extending the manual and implementing the new operators in the simulator. By doing so, I have iterated several times on the syntax. After all, we have:

• a new definition qualifier called run, not supported by the effects checker yet.
• a new mode called Run, similar to the modes Action and Temporal.
• Three Run operators:
  • A.then(B) is sequential composition of A and then B.
  • i.times(A) A.repeated(i) is sequential composition of A exactly i times.
  • assert(P) tests P and produces a runtime error, if P evaluates to false.

[Kukovec]

I kind of skipped the discussions and ADR phase here and went straight to extending the manual and implementing the new operators in the simulator

Rules for thee, but not for me?

[Kukovec]

Also, the diff is 2.5 kLOC, can you please make a note as to which files are autogen/trivially changed so I can ignore them?

[konnov]

Also, the diff is 2.5 kLOC, can you please make a note as to which files are autogen/trivially changed so I can ignore them?

Feel free to ignore everything in generated but Tnt.g4, which is the grammar.

[bugarela]

Is there a scenario where someone wants to stutter over variables that are different from the set of variables being updated by the action A? I can't event understand what that would mean.

If x is always the set of variables being updated by A, WDYT about getting rid of the argument? Then we can call the operators something like optionally(A).

[konnov]

That's a good point. TLA+ has variables in [A]_vars, since there are no explicit assignments there. Factored it out in a separate issue, since the stuttering operators were already in the manual before: #354

[bugarela]

This looks like an expectation (like in a testing framework). WDYT of A.changing(x)?

[konnov]

If we remove variables in the stuttering operator, we should also remove them in this one, as this one is the negation of stuttering.

[bugarela]

It is not exactly a negation. [A]_x is defined as A \/ x' = x and <A>_x is defined as A /\ x' # x. This second one I can see being used with a set of vars different then the set of vars being defined by A, as it can constrain A even further.

[konnov]

Correct. I am just saying that <A>_x was introduced as a dual of [A]_x. You are probably right that it does not make a lot of sense in the presence of effects and the requirement that all variables should be touched.

[shonfeder]

sutter/nostutter have the benefit of being clearly dual. OrKeep and MustChange have no such obvious relation in their names, IMO.

I don't know what motivates the change in names here, but I think we should at least keep the names related. So maybe something like

• noChanges/changes
• orKeep / noKeep (I don't like these)

?

[konnov]

Let's postpone this for #354

These operators are not used in specs yet, so there is no rush to pick a perfect name in this PR.

[bugarela]

Can you explain the motivation for adding assert? It seems like a way of reporting counterexamples, but I don't think this should be done at the language level.

[konnov]

Yeah, it looks like the only convenient way of specifying a failing test as a run. The expectation is basically that the run should go through, unless the assertion fails somewhere. I don't like asserts in TLC. We probably can live with asserts in the runs. But it would be great to have something better than asserts.

[bugarela]

I'll have to update those to produce a Run effect, right? So we can't use those in other types of definitions that are not runs.

[konnov]

Yes, exactly. I did not know how to do that :)

[thpani]

In the end, we will have a model-checker written in TNT 😂

I've only read the language docs, I like the approach! Haven't reviewed the code.

[thpani]

Would it make sense to promote this to a closure operator?

[konnov]

I was also thinking about doing that, but then what would be the difference between closure and always on finite prefixes?

[thpani]

Good point :)

[Kukovec]

Could this lead to confusion with the set product operator? Maybe repeat is a better name.

[konnov]

good point. I copied this name from ruby, which reads very nice, e.g., five times A.

[konnov]

I will rename it to A.repeated(n).

[shonfeder]

Are you still planning to make this change? I agree that times could be confusing.

[konnov]

Yes, it is called repeated now

[Kukovec]

Also, like Thomas, I've just read the language part.

[konnov]

@shonfeder, for some reason I am getting this error on MacOS (zsh):

npm run integration
...
TAP version 13
0..0
not ok 0 'exit': unknown command type
  ---
  location: |
    line 26
  supported commands:
    - program
    - in
    - out
    - err
    - check
  ---

# FAILED TO PARSE TESTS

[shonfeder]

@konnov is your worktree clean? The mac tests are passing in CI.

[konnov]

@konnov is your worktree clean? The mac tests are passing in CI.

Actually, npm install -g txm helped! I had an older version.

[konnov]

I think I have addressed the issues, except for stuttering, which is factored out into another issue. Anybody wants to review?

[shonfeder]

Maybe these are more helpful debugging ideas:

• Is the failure happening when running txm cli-tests.md or txm io-cli-tests.md or both?
• What is the content of the failing file?

Given the error message, I'm wondering if you'll find something like

<!-- !test type ... -->
    ....

[konnov]

Maybe these are more helpful debugging ideas:

• Is the failure happening when running txm cli-tests.md or txm io-cli-tests.md or both?
• What is the content of the failing file?

Given the error message, I'm wondering if you'll find something like

<!-- !test type ... -->
    ....

It's all good. The older version of txm did not support test exit, which was introduced in io-cli-tests.md.

[shonfeder]

I see! Hopefully there is a way we can pin the version of our dev deps so we can automate away these kinds of issues in the future.

[bugarela]

Weird, I could swear that I had done this before (pinning the version in package.lock so we don't require a global installation). I was actually questioning why it wasn't working, but it seems like my change never made it through main or was reverted somehow.

Thanks for fixing this, @shonfeder!

[konnov]

Does anybody have cycles to get this merged? :)

[shonfeder]

Does anybody have cycles to get this merged? :)

I'm reviewing now. Sorry for the delay.

[shonfeder]

Looks like at least one left-over change you meant to make in response to previous reviews? I also have a few questions and suggestions.

[shonfeder]

Are you still planning to make this change? I agree that times could be confusing.

[shonfeder]

Why is this being renamed? Seems likely to introduce more confusion imo. "Stutter" already has a lot of docs around it in TLA+, and is specific and unusual enough no one is likely to confuse its meaning for something they already know.

But OrKeep could evoke other associations (related to disjunction, maybe intuitions about processing collections etc.) and users will lose the benefit of finding docs on TLA suttering when they search for it.

[shonfeder]

sutter/nostutter have the benefit of being clearly dual. OrKeep and MustChange have no such obvious relation in their names, IMO.

I don't know what motivates the change in names here, but I think we should at least keep the names related. So maybe something like

• noChanges/changes
• orKeep / noKeep (I don't like these)

?

[shonfeder]

Quite cool.

How soon before users will want to be able to do:

run run1 = {
  n <- 1;
  n <- 2;
  n <- 6;
  n <- 3;
}

:D

[konnov]

Yes, that's why we have then :)

[konnov]

I think I have implemented all the required changes and introduced a follow-up issue on stuttering operators.

[shonfeder]

Awesome! I can’t wait to play with this feature :)