Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Bogus violation when checking liveness property [](FALSE ~> P)

See original GitHub issue

Originally report in http://discuss.tlapl.us/msg04237.html

------ MODULE Github604 ------
EXTENDS Naturals

VARIABLE x

Next == x' \in 0..3

Spec ==  x = 0 /\ [][Next]_x /\ WF_x(Next) \* F
====

For some fairness property F, and constant-level liveness properties with a state predicate P (P does not hold):

Property Rewritten To Violation? Bogus? Comment
<>TRUE F /\ ~<>TRUE y y proved by TLAPS
<>x \in Nat F /\ ~<>(x \in Nat) n n state-level
<>[]TRUE F /\ ~<>[]TRUE n n
<>FALSE F /\ ~<>FALSE y n
<>[]FALSE F /\ ~<>[]FALSE y n
[](TRUE=><>P) F /\ ~[](~TRUE \/ <>P) n n
TRUE~>P F /\ ~[](~TRUE \/ <>P) n n
[](FALSE=><>P) F /\ ~[](~FALSE \/ <>P) y y
FALSE~>P F /\ ~[](~FALSE \/ <>P) y y
FALSE~>FALSE F /\ ~[](~FALSE \/ <>FALSE) y y
FALSE~>TRUE F /\ ~[](~FALSE \/ <>TRUE) y y
TRUE~>FALSE F /\ ~[](~TRUE \/ <>FALSE) y n
TRUE~>TRUE F /\ ~[](~TRUE \/ <>TRUE) n n

“Rewritten To” in tlc2.tool.liveness.Liveness.processLiveness(ITool) applying https://en.wikipedia.org/wiki/Material_implication_(rule_of_inference) in case of leads-to.

Note: A constant-level invariant such as TRUE, TLC happily checks the specification without raising a warning. An invariant []TRUE is level-checked as temporal formula and, thus, reject by TLC with Error: The invariant Inv is not a state predicate (one with no primes or temporal operators)..

Related: https://github.com/tlaplus/tlaplus/issues/302

Issue Analytics

  • State:closed
  • Created 2 years ago
  • Comments:8 (4 by maintainers)

github_iconTop GitHub Comments

1reaction
lemmycommented, Apr 19, 2021
1reaction
Calvin-Lcommented, Apr 19, 2021

I spent an hour looking into this. I have a hypothesis about the cause, although my understanding of TLC’s liveness-checking code is very sketchy.

The problem goes away if you change this line in TBGraphNode’s constructor. Replace:

if (ln instanceof LNState) {

with

if (ln instanceof LNState || ln instanceof LNBool) {

I’ll try to explain why I think that line might be significant. Here’s the spec I’m using:

---- MODULE LeadsTo ----

EXTENDS Naturals

VARIABLE x

Init == x = 0

Inc ==
    /\ x < 5
    /\ x' = x + 1

Reset ==
    /\ x' = 0

Next ==
    \/ Inc
    \/ Reset

Property ==
   [](TRUE \/ <>(x=3)) \* <---- the property to check, equivalent to (FALSE ~> (x=3))

====

TLC proves the property by trying to satisfy the property’s negation. So, it starts from

~[](TRUE \/ <>(x=3))

Simplification converts this to:

<>FALSE

The TBGraphNode constructor ignores the FALSE constant, since it is only looking for state expressions. Somehow this causes the tableau-based prover to give erroneous results. Including FALSE in the set of notable state expressions fixes the problem.

An alternative fix might be to improve the simplifier to convert <>FALSE to FALSE… Although, my intuition says that the liveness checking code should work even if fed boolean constants, and the simplification is just an optimization. Or, put another way: the simplifier’s contract is that it produces logically-equivalent expressions. The liveness checker’s contract is that it produces correct output on any input it accepts. (Although, I’m prepared to accept that TLC’s design philosophy could be different from my intuition.)

Read more comments on GitHub >

github_iconTop Results From Across the Web

Finding Liveness Bugs in Systems Code - USENIX
Modern software model checkers find safety violations: breaches where the system enters some bad state. However, we argue that checking liveness properties ......
Read more >
Liveness Property - an overview | ScienceDirect Topics
In symbolic model checking, we verify that the safety property is held in general but if a violation is found, we cannot always...
Read more >
Symbolic Liveness Analysis of Real-World Software
We present an algorithm to detect violations of this liveness property based on a straightforward idea: Execute the program and check after ...
Read more >
Ben-Or: Checking liveness properties #395 - GitHub
I am trying to implement Ben-Or's algorithm and test it for safety and liveness. I'm using the UnReliableBroadCast, FailureInjector and ...
Read more >
Assurance of Distributed Algorithms and Systems - NSF PAR
In practice, they are checked against finite executions by imposing a bound on when the property should hold, and reporting a violation if...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

"In evaluation, the identifier v is either undefined or not an operator" when temporal properties involve operators with Java module overrides

Next page

Parse Error: Encountered "<EOF>" at line 0, column 0 and token - Regression in InJarFilenameToStream