DieHardest: compare jug configurations via parallel and interleaved self-composition#199
DieHardest: compare jug configurations via parallel and interleaved self-composition#199
Conversation
lemmy
force-pushed
the
mku-DieHardest
branch
from
1fedc7f to
4af357d
Compare
lemmy
force-pushed
the
mku-DieHardest
branch
2 times, most recently
from
d872bd6 to
f9d4e0c
Compare
lemmy
changed the title
lemmy
force-pushed
the
mku-DieHardest
branch
from
f9d4e0c to
05ea707
Compare
lemmy
force-pushed
the
mku-DieHardest
branch
from
05ea707 to
1c146d0
Compare
|
@hwayne Could you please review this example? It references your “Hypermodeling Hyperproperties” article. |
| (* *) | ||
| (* Both paths are individually shortest. However, TLCSet and TLCGet *) | ||
| (* are TLC-specific operators outside the logic of TLA+, making this *) | ||
| (* approach incompatible with other TLA+ tools (e.g. Apalache). *) |
There was a problem hiding this comment.
Also, unless things changed recently, TLC global registers are local to each worker
There was a problem hiding this comment.
Indeed, this would also only work with a single worker.
|
These solutions depend on two assumptions: that the states are searched with BFS, and that the BFS is strict. The first is violated with the
It's pretty rare, but I've seen it happen! A robust and universal TLA+ spec would probably have to store the diehard traces as data values and implement Dijkstra's algorithm to find the shortest path, with the property that |
Strict BFS has in fact been an implicit assumption in the current formulation. This directly contradicts the spec's own statement: "This approach stays entirely within the logic of TLA+ and is compatible with all TLA+ tools." Given that contradiction, what do you think about removing that statement and instead making the assumption explicit, for example: ASSUME TLCGet("config").mode = "bfs" /\ TLCGet("config").worker = 1In my view, the example would still offer an interesting and valuable perspective on self-composition, even with this assumption made explicit. |
lemmy
force-pushed
the
mku-DieHardest
branch
2 times, most recently
from
ec376c8 to
64aa8a8
Compare
I think this make sense, but then section 3's main downside (only TLC) then applies to all of the specs. |
Add DieHardest.tla, which composes two instances of DieHarder to
check a 2-hyperproperty as an ordinary invariant: given two jug
configurations that can each solve the Die Hard problem, which one
reaches the Goal in fewer steps? The invariant NotSolved holds as
long as both configurations have not yet reached the Goal; a
counterexample is a behavior in which both solve the problem,
revealing which configuration is faster.
The module also defines HasSolution, a GCD-based predicate (via
Bézout's identity) used in ASSUME to reject unsolvable
configurations before model checking begins.
Four composition approaches are contrasted in clearly labeled
sections that progressively motivate interleaved composition:
1. Parallel — shows that BFS finds the shortest path for the slower
configuration but not the faster one.
2. Parallel + per-behavior freeze — shows that freezing after
reaching the Goal does not help.
3. Parallel + g BFS-level freeze — correct, but relies on
TLC-specific operators outsi the logic of TLA+.
4. Interleaved — the clean solution: each instanceteps
independently, so BFS minimizes both step counts.
Annotated counterexample traces in Sections 1 and 3 illustrate the
difference concretely.
MCDieHardest instantiates the spec with Goal = 4, comparing a 2-jug
<<5, 3>> setup against a 3-jug <<5, 3, 3>> setup — the duplicate jug
reduces the shortest solution from 6 to steps.
Co-authored-by: Dmitry Kulagin <craft095@users.noreply.github.com>
Signed-off-by: Markus Alexander Kuppe <github.com@lemmster.de>
Remove redundant TLC ASSUME BFS and Workers = 1
Signed-off-by: Markus Alexander Kuppe <github.com@lemmster.de>
lemmy
force-pushed
the
mku-DieHardest
branch
2 times, most recently
from
b6be971 to
a0875fc
Compare
Add APADieHardest.tla, an Apalache-compatible configuration that checks DieHardest's interleaved composition (Section 4) with --cinit for constant initialization and [s \in S |-> ...] in place of :> and @@. Note the Apalache incompatibility of NextParallelGlobalFreeze in DieHardest.tla (TLCGet takes both Str and Int arguments). Signed-off-by: Markus Alexander Kuppe <github.com@lemmster.de>
|
Added an Apalache module that, although slightly slower, produces the same counterexample for That said, it is worth noting that TLA itself does not guarantee that a shortest counterexample will be found. Identifying shortest counterexamples is an implementation detail of particular verification tools, such as TLC and Apalache, rather than a property of the TLA language. |
|
@ahelwer This PR enhances the GitHub automation to support overriding the |
|
Nice! An alternative way to do it which is less directly bound to TLC would be to have an optional boolean parameter to the model in the manifest.json that is called something like |
Add DieHardest.tla, which composes two instances of DieHarder to compare which configuration has the shorter path to the Goal (state).
Four composition approaches are contrasted in clearly labeled sections that progressively motivate interleaved composition: