├── .README.md.swp ├── .gitignore ├── .svnignore ├── Allocator └── Allocator.tla ├── AtomicBakery ├── AtomicBakery.tla └── AtomicBakeryWithoutSMT.tla ├── Bakery └── Bakery.tla ├── BubbleSort └── BubbleSort.tla ├── ByzantinePaxos ├── BPConProof.pdf ├── BPConProof.tla ├── Consensus.pdf ├── Consensus.tla ├── Consensus.tlaps │ └── Consensus.thy ├── PConProof.pdf ├── PConProof.tla ├── VoteProof.pdf ├── VoteProof.tla └── VoteProof.tlaps │ └── VoteProof.thy ├── Cantor ├── Cantor1.tla ├── Cantor10.tla ├── Cantor2.tla ├── Cantor3.tla ├── Cantor4.tla ├── Cantor5.tla ├── Cantor6.tla ├── Cantor7.tla ├── Cantor8.tla └── Cantor9.tla ├── Consensus ├── Consensus.pdf ├── Consensus.tla ├── Consensus.tlaps │ ├── Consensus.thy │ ├── fingerprints │ └── fingerprints.history │ │ ├── 2019-07-16_14_13_35 │ │ ├── Consensus.tla │ │ └── Sets.tla │ │ ├── 2019-07-16_14_19_37 │ │ ├── Consensus.tla │ │ ├── Sets.tla │ │ └── fingerprints │ │ ├── 2019-07-16_14_19_40 │ │ ├── Consensus.tla │ │ ├── Sets.tla │ │ └── fingerprints │ │ ├── 2019-07-16_14_19_50 │ │ ├── Consensus.tla │ │ ├── Sets.tla │ │ └── fingerprints │ │ ├── 2019-07-22_12_04_35 │ │ ├── Consensus.tla │ │ ├── Sets.tla │ │ └── fingerprints │ │ └── 2019-07-22_13_42_54 │ │ ├── Consensus.tla │ │ ├── Sets.tla │ │ └── fingerprints ├── PaxosProof.pdf ├── PaxosProof.tla ├── PaxosProof.tlaps │ ├── PaxosProof.thy │ ├── fingerprints │ └── fingerprints.history │ │ ├── 2019-07-22_16_24_33 │ │ ├── Consensus.tla │ │ ├── PaxosProof.tla │ │ ├── PaxosTuple.tla │ │ ├── Sets.tla │ │ └── Voting.tla │ │ └── 2019-07-22_16_25_15 │ │ ├── Consensus.tla │ │ ├── PaxosProof.tla │ │ ├── PaxosTuple.tla │ │ ├── Sets.tla │ │ ├── Voting.tla │ │ └── fingerprints ├── PaxosTuple.pdf ├── PaxosTuple.tla ├── PaxosTuple.toolbox │ ├── .project │ ├── .settings │ │ └── org.lamport.tla.toolbox.prefs │ ├── Consensus.pdf │ ├── Consensus.tex │ ├── NaturalsInduction.pdf │ ├── NaturalsInduction.tex │ ├── PaxosProof.pdf │ ├── PaxosProof.tex │ ├── PaxosTuple.pdf │ ├── PaxosTuple.tex │ ├── 
Sets.pdf │ ├── Sets.tex │ ├── Voting.pdf │ └── Voting.tex ├── README.md ├── Sets.pdf ├── Sets.tla ├── Sets.tlaps │ ├── Sets.thy │ ├── fingerprints │ └── fingerprints.history │ │ ├── 2019-07-22_09_46_25 │ │ └── Sets.tla │ │ └── 2019-07-22_09_58_31 │ │ ├── Sets.tla │ │ └── fingerprints ├── Voting.pdf ├── Voting.tla └── Voting.tlaps │ ├── Voting.thy │ └── fingerprints ├── Data ├── GraphTheorem.tla ├── SequencesTheorems.tla └── Sets.tla ├── EWD840 └── EWD840.tla ├── Euclid ├── Euclid-Hyperbook │ ├── EuclidEx.pdf │ ├── EuclidEx.tla │ ├── EuclidEx.tlaps │ │ ├── EuclidEx.thy │ │ ├── fingerprints │ │ └── fingerprints.history │ │ │ ├── 2019-07-16_09_36_50 │ │ │ ├── EuclidEx.tla │ │ │ ├── GCD.tla │ │ │ └── fingerprints │ │ │ ├── 2019-07-16_09_37_06 │ │ │ ├── EuclidEx.tla │ │ │ ├── GCD.tla │ │ │ └── fingerprints │ │ │ ├── 2019-07-16_09_39_22 │ │ │ ├── EuclidEx.tla │ │ │ ├── GCD.tla │ │ │ └── fingerprints │ │ │ ├── 2019-07-16_09_39_27 │ │ │ ├── EuclidEx.tla │ │ │ ├── GCD.tla │ │ │ └── fingerprints │ │ │ ├── 2019-07-16_09_41_19 │ │ │ ├── EuclidEx.tla │ │ │ ├── GCD.tla │ │ │ └── fingerprints │ │ │ ├── 2019-07-16_09_42_24 │ │ │ ├── EuclidEx.tla │ │ │ ├── GCD.tla │ │ │ └── fingerprints │ │ │ ├── 2019-07-16_09_45_06 │ │ │ ├── EuclidEx.tla │ │ │ ├── GCD.tla │ │ │ └── fingerprints │ │ │ ├── 2019-07-16_09_45_47 │ │ │ ├── EuclidEx.tla │ │ │ ├── GCD.tla │ │ │ └── fingerprints │ │ │ ├── 2019-07-16_09_47_48 │ │ │ ├── EuclidEx.tla │ │ │ ├── GCD.tla │ │ │ └── fingerprints │ │ │ └── 2019-07-16_09_47_52 │ │ │ ├── EuclidEx.tla │ │ │ ├── GCD.tla │ │ │ └── fingerprints │ ├── EuclidEx.toolbox │ │ ├── .project │ │ ├── .settings │ │ │ └── org.lamport.tla.toolbox.prefs │ │ ├── EuclidEx.aux │ │ ├── EuclidEx.log │ │ ├── EuclidEx.pdf │ │ ├── EuclidEx.tex │ │ ├── EuclidEx.tla.pmap │ │ ├── GCD.aux │ │ ├── GCD.log │ │ ├── GCD.pdf │ │ └── GCD.tex │ ├── GCD.pdf │ ├── GCD.tla │ ├── GCD.tlaps │ │ ├── GCD.thy │ │ ├── fingerprints │ │ └── fingerprints.history │ │ │ ├── 2019-07-16_10_12_19 │ │ │ ├── GCD.tla │ │ 
│ └── fingerprints │ │ │ ├── 2019-07-16_10_12_45 │ │ │ ├── GCD.tla │ │ │ └── fingerprints │ │ │ ├── 2019-07-16_10_13_58 │ │ │ ├── GCD.tla │ │ │ └── fingerprints │ │ │ ├── 2019-07-16_10_15_40 │ │ │ ├── GCD.tla │ │ │ └── fingerprints │ │ │ ├── 2019-07-16_10_15_46 │ │ │ ├── GCD.tla │ │ │ └── fingerprints │ │ │ ├── 2019-07-16_10_20_12 │ │ │ ├── GCD.tla │ │ │ └── fingerprints │ │ │ ├── 2019-07-16_10_20_26 │ │ │ ├── GCD.tla │ │ │ └── fingerprints │ │ │ ├── 2019-07-16_10_21_17 │ │ │ ├── GCD.tla │ │ │ └── fingerprints │ │ │ ├── 2019-07-16_10_21_21 │ │ │ ├── GCD.tla │ │ │ └── fingerprints │ │ │ └── 2019-07-16_10_21_25 │ │ │ ├── GCD.tla │ │ │ └── fingerprints │ └── GCD.toolbox │ │ ├── .project │ │ ├── .settings │ │ └── org.lamport.tla.toolbox.prefs │ │ ├── GCD.aux │ │ ├── GCD.log │ │ ├── GCD.pdf │ │ └── GCD.tex └── Euclid-TLAPS-Example │ ├── Euclid.pdf │ ├── Euclid.tla │ ├── Euclid.tlaps │ ├── Euclid.thy │ ├── fingerprints │ └── fingerprints.history │ │ └── 2019-07-16_10_54_20 │ │ └── Euclid.tla │ └── Euclid.toolbox │ ├── .project │ ├── .settings │ └── org.lamport.tla.toolbox.prefs │ ├── Euclid.pdf │ └── Euclid.tex ├── LICENSE ├── Makefile ├── Paxos ├── Consensus.pdf ├── Consensus.tla ├── Consensus.tlaps │ ├── Consensus.thy │ ├── fingerprints │ └── fingerprints.history │ │ ├── 2019-07-16_11_46_33 │ │ ├── Consensus.tla │ │ └── fingerprints │ │ ├── 2019-07-16_11_47_00 │ │ ├── Consensus.tla │ │ └── fingerprints │ │ ├── 2019-07-16_11_47_27 │ │ ├── Consensus.tla │ │ └── fingerprints │ │ ├── 2019-07-16_11_48_21 │ │ ├── Consensus.tla │ │ └── fingerprints │ │ ├── 2019-07-16_13_46_50 │ │ ├── Consensus.tla │ │ └── fingerprints │ │ ├── 2019-07-16_13_47_27 │ │ ├── Consensus.tla │ │ └── fingerprints │ │ ├── 2019-07-16_13_48_05 │ │ ├── Consensus.tla │ │ └── fingerprints │ │ ├── 2019-07-16_13_48_09 │ │ ├── Consensus.tla │ │ └── fingerprints │ │ ├── 2019-07-16_13_48_13 │ │ ├── Consensus.tla │ │ └── fingerprints │ │ └── 2019-07-16_13_48_16 │ │ ├── Consensus.tla │ │ └── fingerprints ├── 
Consensus.toolbox │ ├── .project │ └── .settings │ │ └── org.lamport.tla.toolbox.prefs ├── Paxos.pdf ├── Paxos.tla ├── Paxos.tlaps │ ├── Paxos.thy │ └── fingerprints ├── Paxos.toolbox │ ├── .project │ ├── .settings │ │ └── org.lamport.tla.toolbox.prefs │ ├── Consensus.pdf │ ├── Consensus.tex │ ├── Paxos.pdf │ ├── Paxos.tex │ ├── PaxosHistVar.pdf │ └── PaxosHistVar.tex ├── PaxosHistVar.pdf ├── PaxosHistVar.tla ├── PaxosHistVar.tlaps │ └── PaxosHistVar.thy └── PaxosHistVar.toolbox │ ├── .project │ ├── .settings │ └── org.lamport.tla.toolbox.prefs │ ├── PaxosHistVar.pdf │ └── PaxosHistVar.tex ├── Peterson └── Peterson.tla ├── README.md ├── Record ├── Record.pdf ├── Record.tla ├── Record.tlaps │ └── Record.thy ├── SimpleVoting.pdf └── SimpleVoting.tla ├── SimpleMutex └── SimpleMutex.tla ├── SumAndMax └── SumAndMax.tla ├── TeachingConcurrency ├── README.md ├── Simple.pdf ├── Simple.tla └── Simple.tlaps │ └── Simple.thy └── Two-Phase ├── Alternate.tla └── TwoPhase.tla /.README.md.swp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/.README.md.swp -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ## Core latex/pdflatex auxiliary files: 2 | *.aux 3 | *.lof 4 | *.log 5 | *.lot 6 | *.fls 7 | *.out 8 | *.toc 9 | *.fmt 10 | *.fot 11 | *.cb 12 | *.cb2 13 | .*.lb 14 | 15 | ## Intermediate documents: 16 | *.dvi 17 | *.xdv 18 | *-converted-to.* 19 | # these rules might exclude image files for figures etc. 
20 | # *.ps 21 | # *.eps 22 | # *.pdf 23 | 24 | ## Generated if empty string is given at "Please type another file name for output:" 25 | .pdf 26 | 27 | ## Bibliography auxiliary files (bibtex/biblatex/biber): 28 | *.bbl 29 | *.bcf 30 | *.blg 31 | *-blx.aux 32 | *-blx.bib 33 | *.run.xml 34 | 35 | ## Build tool auxiliary files: 36 | *.fdb_latexmk 37 | *.synctex 38 | *.synctex(busy) 39 | *.synctex.gz 40 | *.synctex.gz(busy) 41 | *.pdfsync 42 | 43 | ## Auxiliary and intermediate files from other packages: 44 | # algorithms 45 | *.alg 46 | *.loa 47 | 48 | # achemso 49 | acs-*.bib 50 | 51 | # amsthm 52 | *.thm 53 | 54 | # beamer 55 | *.nav 56 | *.pre 57 | *.snm 58 | *.vrb 59 | 60 | # changes 61 | *.soc 62 | 63 | # cprotect 64 | *.cpt 65 | 66 | # elsarticle (documentclass of Elsevier journals) 67 | *.spl 68 | 69 | # endnotes 70 | *.ent 71 | 72 | # fixme 73 | *.lox 74 | 75 | # feynmf/feynmp 76 | *.mf 77 | *.mp 78 | *.t[1-9] 79 | *.t[1-9][0-9] 80 | *.tfm 81 | 82 | #(r)(e)ledmac/(r)(e)ledpar 83 | *.end 84 | *.?end 85 | *.[1-9] 86 | *.[1-9][0-9] 87 | *.[1-9][0-9][0-9] 88 | *.[1-9]R 89 | *.[1-9][0-9]R 90 | *.[1-9][0-9][0-9]R 91 | *.eledsec[1-9] 92 | *.eledsec[1-9]R 93 | *.eledsec[1-9][0-9] 94 | *.eledsec[1-9][0-9]R 95 | *.eledsec[1-9][0-9][0-9] 96 | *.eledsec[1-9][0-9][0-9]R 97 | 98 | # glossaries 99 | *.acn 100 | *.acr 101 | *.glg 102 | *.glo 103 | *.gls 104 | *.glsdefs 105 | 106 | # gnuplottex 107 | *-gnuplottex-* 108 | 109 | # gregoriotex 110 | *.gaux 111 | *.gtex 112 | 113 | # htlatex 114 | *.4ct 115 | *.4tc 116 | *.idv 117 | *.lg 118 | *.trc 119 | *.xref 120 | 121 | # hyperref 122 | *.brf 123 | 124 | # knitr 125 | *-concordance.tex 126 | # TODO Comment the next line if you want to keep your tikz graphics files 127 | *.tikz 128 | *-tikzDictionary 129 | 130 | # listings 131 | *.lol 132 | 133 | # makeidx 134 | *.idx 135 | *.ilg 136 | *.ind 137 | *.ist 138 | 139 | # minitoc 140 | *.maf 141 | *.mlf 142 | *.mlt 143 | *.mtc[0-9]* 144 | *.slf[0-9]* 145 | *.slt[0-9]* 146 | 
*.stc[0-9]* 147 | 148 | # minted 149 | _minted* 150 | *.pyg 151 | 152 | # morewrites 153 | *.mw 154 | 155 | # nomencl 156 | *.nlg 157 | *.nlo 158 | *.nls 159 | 160 | # pax 161 | *.pax 162 | 163 | # pdfpcnotes 164 | *.pdfpc 165 | 166 | # sagetex 167 | *.sagetex.sage 168 | *.sagetex.py 169 | *.sagetex.scmd 170 | 171 | # scrwfile 172 | *.wrt 173 | 174 | # sympy 175 | *.sout 176 | *.sympy 177 | sympy-plots-for-*.tex/ 178 | 179 | # pdfcomment 180 | *.upa 181 | *.upb 182 | 183 | # pythontex 184 | *.pytxcode 185 | pythontex-files-*/ 186 | 187 | # thmtools 188 | *.loe 189 | 190 | # TikZ & PGF 191 | *.dpth 192 | *.md5 193 | *.auxlock 194 | 195 | # todonotes 196 | *.tdo 197 | 198 | # easy-todo 199 | *.lod 200 | 201 | # xmpincl 202 | *.xmpi 203 | 204 | # xindy 205 | *.xdy 206 | 207 | # xypic precompiled matrices 208 | *.xyc 209 | 210 | # endfloat 211 | *.ttt 212 | *.fff 213 | 214 | # Latexian 215 | TSWLatexianTemp* 216 | 217 | ## Editors: 218 | # WinEdt 219 | *.bak 220 | *.sav 221 | 222 | # Texpad 223 | .texpadtmp 224 | 225 | # Kile 226 | *.backup 227 | 228 | # KBibTeX 229 | *~[0-9]* 230 | 231 | # auto folder when using emacs and auctex 232 | ./auto/* 233 | *.el 234 | 235 | # expex forward references with \gathertags 236 | *-tags.tex 237 | 238 | # standalone packages 239 | *.sta 240 | 241 | # generated if using elsarticle.cls 242 | *.spl 243 | 244 | *Snapshot* 245 | *toolbox* 246 | *fingerprints* 247 | 248 | # Swap 249 | [._]*.s[a-v][a-z] 250 | [._]*.sw[a-p] 251 | [._]s[a-rt-v][a-z] 252 | [._]ss[a-gi-z] 253 | [._]sw[a-p] 254 | 255 | # Session 256 | Session.vim 257 | Sessionx.vim 258 | 259 | # Temporary 260 | .netrwhist 261 | *~ 262 | # Auto-generated tag files 263 | tags 264 | # Persistent undo 265 | [._]*.un~ 266 | -------------------------------------------------------------------------------- /.svnignore: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | svn propset -R svn:ignore ' 4 | 5 | *.tlaps 6 | *.toolbox 7 | 8 | ' 
. 9 | -------------------------------------------------------------------------------- /ByzantinePaxos/BPConProof.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/ByzantinePaxos/BPConProof.pdf -------------------------------------------------------------------------------- /ByzantinePaxos/Consensus.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/ByzantinePaxos/Consensus.pdf -------------------------------------------------------------------------------- /ByzantinePaxos/PConProof.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/ByzantinePaxos/PConProof.pdf -------------------------------------------------------------------------------- /ByzantinePaxos/VoteProof.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/ByzantinePaxos/VoteProof.pdf -------------------------------------------------------------------------------- /Cantor/Cantor1.tla: -------------------------------------------------------------------------------- 1 | (* Contributed by Damien Doligez *) 2 | 3 | -------------- MODULE Cantor1 ----------------- 4 | THEOREM cantor == 5 | \A S : 6 | \A f \in [S -> SUBSET S] : 7 | \E A \in SUBSET S : 8 | \A x \in S : 9 | f [x] # A 10 | PROOF 11 | <1>1. TAKE S 12 | <1>2. TAKE f \in [S -> SUBSET S] 13 | <1>3. DEFINE T == { z \in S : z \notin f[z] } 14 | <1>4. WITNESS T \in SUBSET S 15 | <1>5. TAKE x \in S 16 | <1>6. 
QED BY x \in T \/ x \notin T 17 | =============================================== 18 | -------------------------------------------------------------------------------- /Cantor/Cantor10.tla: -------------------------------------------------------------------------------- 1 | ------------------------------ MODULE Cantor10 ------------------------------ 2 | (***************************************************************************) 3 | (* Cantor's theorem: no function from a set to its powerset is surjective. *) 4 | (***************************************************************************) 5 | THEOREM Cantor == 6 | \A S, f : 7 | \E A \in SUBSET S : 8 | \A x \in S : 9 | f [x] # A 10 | <1> SUFFICES 11 | ASSUME NEW S, NEW f 12 | PROVE \E A \in SUBSET S : \A x \in S : f[x] # A 13 | OBVIOUS 14 | <1> WITNESS { z \in S : z \notin f[z] } \in SUBSET S 15 | <1> QED OBVIOUS 16 | 17 | (***************************************************************************) 18 | (* Corollary: no set is universal. *) 19 | (***************************************************************************) 20 | THEOREM NoSetContainsAllValues == 21 | \A S : \E x : x \notin S 22 | <1>. SUFFICES 23 | ASSUME NEW S, 24 | \A x : x \in S 25 | PROVE FALSE 26 | OBVIOUS 27 | <1>. DEFINE f == [x \in S |-> x] 28 | <1>. ASSUME NEW A \in SUBSET S 29 | PROVE \E x \in S : f[x] = A 30 | <2>. WITNESS A \in S 31 | <2>. QED 32 | OBVIOUS 33 | <1>. 
QED 34 | BY Cantor 35 | 36 | 37 | ============================================================================= 38 | \* Modification History 39 | \* Last modified Sun Aug 29 17:27:32 PDT 2010 by lamport 40 | \* Created Sun Aug 29 17:25:20 PDT 2010 by lamport 41 | -------------------------------------------------------------------------------- /Cantor/Cantor2.tla: -------------------------------------------------------------------------------- 1 | (* Contributed by Leslie Lamport *) 2 | 3 | -------------- MODULE Cantor2 ------------------ 4 | THEOREM cantor == 5 | \A S : 6 | \A f \in [S -> SUBSET S] : 7 | \E A \in SUBSET S : 8 | \A x \in S : 9 | f [x] # A 10 | <1>1. SUFFICES 11 | ASSUME NEW S, 12 | NEW f \in [S -> SUBSET S] 13 | PROVE \E A \in SUBSET S : 14 | \A x \in S : f [x] # A 15 | OBVIOUS 16 | <1>2. DEFINE T == {z \in S : z \notin f [z]} 17 | <1>3. SUFFICES ASSUME NEW x \in S 18 | PROVE f[x] # T 19 | <2>1. WITNESS T \in SUBSET S 20 | <2>2. QED OBVIOUS 21 | <1>4. CASE x \in T 22 | <2>1. x \notin f [x] BY <1>4 23 | <2>2. QED BY <2>1 24 | <1>5. CASE x \notin T 25 | <2>1. x \in f [x] BY <1>3, <1>5 26 | <2>2. QED BY <2>1 27 | <1>6. QED 28 | BY <1>4, <1>5 29 | =============================================== 30 | -------------------------------------------------------------------------------- /Cantor/Cantor3.tla: -------------------------------------------------------------------------------- 1 | (* Contributed by Leslie Lamport *) 2 | 3 | -------------- MODULE Cantor3 ------------------ 4 | THEOREM cantor == 5 | \A S : 6 | \A f \in [S -> SUBSET S] : 7 | \E A \in SUBSET S : 8 | \A x \in S : 9 | f [x] # A 10 | <1>1. ASSUME NEW S, 11 | NEW f \in [S -> SUBSET S] 12 | PROVE \E A \in SUBSET S : 13 | \A x \in S : f [x] # A 14 | <2>1. DEFINE T == {z \in S : z \notin f [z]} 15 | <2>2. \A x \in S : f [x] # T 16 | <3>1. ASSUME NEW x \in S 17 | PROVE f[x] # T 18 | <4>1. CASE x \in T 19 | <5>1. x \notin f [x] BY <4>1 20 | <5>2. QED BY <5>1 21 | <4>2. CASE x \notin T 22 | <5>1. 
x \in f [x] BY <4>2 23 | <5>2. QED BY <5>1 24 | <4>3. QED BY <4>1, <4>2 25 | <3>2. QED BY <3>1 26 | <2>3. QED 27 | <3>1. WITNESS T \in SUBSET S 28 | <3>2. QED BY <2>2 29 | <1>2. QED BY <1>1 30 | =============================================== 31 | -------------------------------------------------------------------------------- /Cantor/Cantor4.tla: -------------------------------------------------------------------------------- 1 | (* Contributed by Stephan Merz *) 2 | 3 | -------------- MODULE Cantor4 ------------------ 4 | THEOREM cantor == 5 | \A S : 6 | \A f \in [S -> SUBSET S] : 7 | \E A \in SUBSET S : 8 | \A x \in S : 9 | f [x] # A 10 | <1>. TAKE S 11 | <1>. TAKE f \in [S -> SUBSET S] 12 | <1>. DEFINE T == {z \in S : z \notin f[z]} 13 | <1>1. \A x \in S : f[x] # T 14 | <2>. TAKE x \in S 15 | <2>1. CASE x \in T 16 | <3>1. x \notin f[x] BY <2>1 17 | <3>2. QED BY <3>1 18 | <2>2. CASE x \notin T 19 | <3>1. x \in f[x] BY <2>2 20 | <3>2. QED BY <3>1 21 | <2>3. QED BY <2>1, <2>2 22 | <1>. WITNESS T \in SUBSET S 23 | <1>. QED BY <1>1 24 | =============================================== 25 | -------------------------------------------------------------------------------- /Cantor/Cantor5.tla: -------------------------------------------------------------------------------- 1 | (* Contributed by Damien Doligez *) 2 | 3 | -------------- MODULE Cantor5 ------------------ 4 | THEOREM cantor == 5 | \A S, f : 6 | \E A \in SUBSET S : 7 | \A x \in S : 8 | f [x] # A 9 | <1>1. 
ASSUME NEW S, NEW f 10 | PROVE \E A \in SUBSET S : \A x \in S : f[x] # A 11 | <2> WITNESS { z \in S : z \notin f[z] } \in SUBSET S 12 | <2> QED OBVIOUS 13 | <1> QED BY <1>1 14 | =============================================== 15 | -------------------------------------------------------------------------------- /Cantor/Cantor6.tla: -------------------------------------------------------------------------------- 1 | (* Contributed by Damien Doligez *) 2 | 3 | -------------- MODULE Cantor6 ------------------ 4 | THEOREM cantor == 5 | \A S, f : 6 | \E A \in SUBSET S : 7 | \A x \in S : 8 | f [x] # A 9 | <1> TAKE S 10 | <1> TAKE f 11 | <1> WITNESS { z \in S : z \notin f[z] } \in SUBSET S 12 | <1> QED OBVIOUS 13 | =============================================== 14 | -------------------------------------------------------------------------------- /Cantor/Cantor7.tla: -------------------------------------------------------------------------------- 1 | (* Contributed by Damien Doligez *) 2 | 3 | -------------- MODULE Cantor7 ------------------ 4 | THEOREM cantor == 5 | \A S, f : 6 | \E A \in SUBSET S : 7 | \A x \in S : 8 | f [x] # A 9 | <1> SUFFICES 10 | ASSUME NEW S, NEW f 11 | PROVE \E A \in SUBSET S : \A x \in S : f[x] # A 12 | OBVIOUS 13 | <1> WITNESS { z \in S : z \notin f[z] } \in SUBSET S 14 | <1> QED OBVIOUS 15 | =============================================== 16 | -------------------------------------------------------------------------------- /Cantor/Cantor8.tla: -------------------------------------------------------------------------------- 1 | -------------- MODULE Cantor8 -------------- 2 | 3 | Range (f) == { f[x] : x \in DOMAIN f } 4 | 5 | Surj (f, S) == S \subseteq Range (f) 6 | 7 | THEOREM Cantor == 8 | \A S : ~ \E f \in [S -> SUBSET S] : Surj (f, SUBSET S) 9 | PROOF 10 | <1>1. ASSUME NEW S, 11 | \E f \in [S -> SUBSET S] : Surj (f, SUBSET S) 12 | PROVE FALSE 13 | <2>. PICK f \in [S -> SUBSET S] : Surj (f, SUBSET S) 14 | BY <1>1 15 | <2>2. 
~ Surj (f, SUBSET S) 16 | <3>1. DEFINE D == {x \in S : x \notin f[x]} 17 | <3>2. D \in SUBSET S 18 | OBVIOUS 19 | <3>3. D \notin Range (f) 20 | BY DEF Range 21 | <3>4. QED BY <3>2, <3>3 DEF Surj 22 | <2>3. QED BY <2>2 23 | <1>2. QED BY <1>1 24 | 25 | ==== 26 | -------------------------------------------------------------------------------- /Cantor/Cantor9.tla: -------------------------------------------------------------------------------- 1 | -------------- MODULE Cantor9 -------------- 2 | 3 | Range (f) == { f[x] : x \in DOMAIN f } 4 | 5 | Surj (f, S) == S \subseteq Range (f) 6 | 7 | THEOREM Cantor == 8 | ~ \E f : Surj (f, SUBSET (DOMAIN f)) 9 | <1>1. SUFFICES ASSUME \E f : Surj (f, SUBSET (DOMAIN f)) 10 | PROVE FALSE 11 | OBVIOUS 12 | <1>. PICK f : Surj (f, SUBSET (DOMAIN f)) 13 | BY <1>1!1!1 14 | <1>3. ~ Surj (f, SUBSET (DOMAIN f)) 15 | <2>1. DEFINE D == {x \in DOMAIN f : x \notin f[x]} 16 | <2>2. D \in SUBSET (DOMAIN f) OBVIOUS 17 | <2>3. D \notin Range (f) BY DEF Range 18 | <2>4. QED BY <2>2, <2>3 DEF Surj 19 | <1>4. 
QED BY <1>3 20 | 21 | ==== 22 | -------------------------------------------------------------------------------- /Consensus/Consensus.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Consensus/Consensus.pdf -------------------------------------------------------------------------------- /Consensus/Consensus.tla: -------------------------------------------------------------------------------- 1 | ----------------------------- MODULE Consensus ------------------------------ 2 | EXTENDS Sets, TLAPS 3 | ----------------------------------------------------------------------------- 4 | CONSTANT Value \* the set of values that can be chosen 5 | VARIABLE chosen \* the set of values that have been chosen 6 | ----------------------------------------------------------------------------- 7 | Init == chosen = {} 8 | 9 | Next == 10 | /\ chosen = {} 11 | /\ \E v \in Value : chosen' = {v} 12 | 13 | Spec == Init /\ [][Next]_chosen 14 | ----------------------------------------------------------------------------- 15 | Inv == 16 | /\ chosen \subseteq Value 17 | /\ IsFiniteSet(chosen) 18 | /\ Cardinality(chosen) \leq 1 19 | ----------------------------------------------------------------------------- 20 | THEOREM Invariance == Spec => []Inv 21 | <1>1. Init => Inv 22 | BY CardinalityZero, SMT DEF Init, Inv 23 | <1>2. Inv /\ [Next]_chosen => Inv' 24 | BY CardinalityOne, SMT DEF Next, Inv 25 | <1>3. 
QED 26 | BY <1>1, <1>2, PTL DEF Spec 27 | ============================================================================= -------------------------------------------------------------------------------- /Consensus/Consensus.tlaps/Consensus.thy: -------------------------------------------------------------------------------- 1 | (* automatically generated -- do not edit manually *) 2 | theory Consensus imports Constant Zenon begin 3 | ML_command {* writeln ("*** TLAPS PARSED\n"); *} 4 | consts 5 | "isReal" :: c 6 | "isa_slas_a" :: "[c,c] => c" 7 | "isa_bksl_diva" :: "[c,c] => c" 8 | "isa_perc_a" :: "[c,c] => c" 9 | "isa_peri_peri_a" :: "[c,c] => c" 10 | "isInfinity" :: c 11 | "isa_lbrk_rbrk_a" :: "[c] => c" 12 | "isa_less_more_a" :: "[c] => c" 13 | 14 | end 15 | -------------------------------------------------------------------------------- /Consensus/Consensus.tlaps/fingerprints: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Consensus/Consensus.tlaps/fingerprints -------------------------------------------------------------------------------- /Consensus/Consensus.tlaps/fingerprints.history/2019-07-16_14_13_35/Consensus.tla: -------------------------------------------------------------------------------- 1 | ----------------------------- MODULE Consensus ------------------------------ 2 | EXTENDS Sets, TLAPS 3 | ----------------------------------------------------------------------------- 4 | CONSTANT Value 5 | 6 | VARIABLE chosen 7 | ----------------------------------------------------------------------------- 8 | Init == chosen = {} 9 | Next == 10 | /\ chosen = {} 11 | /\ \E v \in Value : chosen' = {v} 12 | 13 | Spec == Init /\ [][Next]_chosen 14 | ----------------------------------------------------------------------------- 15 | Inv == 16 | /\ chosen \subseteq Value 17 | /\ IsFiniteSet(chosen) 18 | /\ Cardinality(chosen) \leq 1 19 | 
----------------------------------------------------------------------------- 20 | THEOREM Invariance == Spec => []Inv 21 | <1>1 Init => Inv 22 | BY CardinalityZero, SMT DEFS Init, Inv 23 | <1>2. Inv /\ [Next]_chosen => Inv' 24 | BY CardinalityOne, SMT DEFS Next, Inv 25 | <1>3 QED 26 | PROOF BY <1>1,<1>2,PTL DEF Spec 27 | ============================================================================= 28 | -------------------------------------------------------------------------------- /Consensus/Consensus.tlaps/fingerprints.history/2019-07-16_14_19_37/Consensus.tla: -------------------------------------------------------------------------------- 1 | ----------------------------- MODULE Consensus ------------------------------ 2 | EXTENDS Sets, TLAPS 3 | ----------------------------------------------------------------------------- 4 | CONSTANT Value 5 | 6 | VARIABLE chosen 7 | ----------------------------------------------------------------------------- 8 | Init == chosen = {} 9 | Next == 10 | /\ chosen = {} 11 | /\ \E v \in Value : chosen' = {v} 12 | 13 | Spec == Init /\ [][Next]_chosen 14 | ----------------------------------------------------------------------------- 15 | Inv == 16 | /\ chosen \subseteq Value 17 | /\ IsFiniteSet(chosen) 18 | /\ Cardinality(chosen) \leq 1 19 | ----------------------------------------------------------------------------- 20 | THEOREM Invariance == Spec => []Inv 21 | <1>1 Init => Inv 22 | BY CardinalityZero, SMT DEFS Init, Inv 23 | <1>2. 
Inv /\ [Next]_chosen => Inv' 24 | BY CardinalityOne, SMT DEFS Next, Inv 25 | <1>3 QED 26 | PROOF BY <1>1,<1>2,PTL DEF Spec 27 | ============================================================================= 28 | -------------------------------------------------------------------------------- /Consensus/Consensus.tlaps/fingerprints.history/2019-07-16_14_19_37/fingerprints: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Consensus/Consensus.tlaps/fingerprints.history/2019-07-16_14_19_37/fingerprints -------------------------------------------------------------------------------- /Consensus/Consensus.tlaps/fingerprints.history/2019-07-16_14_19_40/Consensus.tla: -------------------------------------------------------------------------------- 1 | ----------------------------- MODULE Consensus ------------------------------ 2 | EXTENDS Sets, TLAPS 3 | ----------------------------------------------------------------------------- 4 | CONSTANT Value 5 | 6 | VARIABLE chosen 7 | ----------------------------------------------------------------------------- 8 | Init == chosen = {} 9 | Next == 10 | /\ chosen = {} 11 | /\ \E v \in Value : chosen' = {v} 12 | 13 | Spec == Init /\ [][Next]_chosen 14 | ----------------------------------------------------------------------------- 15 | Inv == 16 | /\ chosen \subseteq Value 17 | /\ IsFiniteSet(chosen) 18 | /\ Cardinality(chosen) \leq 1 19 | ----------------------------------------------------------------------------- 20 | THEOREM Invariance == Spec => []Inv 21 | <1>1 Init => Inv 22 | BY CardinalityZero, SMT DEFS Init, Inv 23 | <1>2. 
Inv /\ [Next]_chosen => Inv' 24 | BY CardinalityOne, SMT DEFS Next, Inv 25 | <1>3 QED 26 | PROOF BY <1>1,<1>2,PTL DEF Spec 27 | ============================================================================= 28 | -------------------------------------------------------------------------------- /Consensus/Consensus.tlaps/fingerprints.history/2019-07-16_14_19_40/fingerprints: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Consensus/Consensus.tlaps/fingerprints.history/2019-07-16_14_19_40/fingerprints -------------------------------------------------------------------------------- /Consensus/Consensus.tlaps/fingerprints.history/2019-07-16_14_19_50/Consensus.tla: -------------------------------------------------------------------------------- 1 | ----------------------------- MODULE Consensus ------------------------------ 2 | EXTENDS Sets, TLAPS 3 | ----------------------------------------------------------------------------- 4 | CONSTANT Value 5 | 6 | VARIABLE chosen 7 | ----------------------------------------------------------------------------- 8 | Init == chosen = {} 9 | Next == 10 | /\ chosen = {} 11 | /\ \E v \in Value : chosen' = {v} 12 | 13 | Spec == Init /\ [][Next]_chosen 14 | ----------------------------------------------------------------------------- 15 | Inv == 16 | /\ chosen \subseteq Value 17 | /\ IsFiniteSet(chosen) 18 | /\ Cardinality(chosen) \leq 1 19 | ----------------------------------------------------------------------------- 20 | THEOREM Invariance == Spec => []Inv 21 | <1>1 Init => Inv 22 | BY CardinalityZero, SMT DEFS Init, Inv 23 | <1>2. 
Inv /\ [Next]_chosen => Inv' 24 | BY CardinalityOne, SMT DEFS Next, Inv 25 | <1>3 QED 26 | PROOF BY <1>1,<1>2,PTL DEF Spec 27 | ============================================================================= 28 | -------------------------------------------------------------------------------- /Consensus/Consensus.tlaps/fingerprints.history/2019-07-16_14_19_50/fingerprints: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Consensus/Consensus.tlaps/fingerprints.history/2019-07-16_14_19_50/fingerprints -------------------------------------------------------------------------------- /Consensus/Consensus.tlaps/fingerprints.history/2019-07-22_12_04_35/Consensus.tla: -------------------------------------------------------------------------------- 1 | ----------------------------- MODULE Consensus ------------------------------ 2 | EXTENDS Sets, TLAPS 3 | ----------------------------------------------------------------------------- 4 | CONSTANT Value \* the set of values that can be chosen 5 | VARIABLE chosen \* the set of values that have been chosen 6 | ----------------------------------------------------------------------------- 7 | Init == chosen = {} 8 | Next == 9 | /\ chosen = {} 10 | /\ \E v \in Value : chosen' = {v} 11 | 12 | Spec == Init /\ [][Next]_chosen 13 | ----------------------------------------------------------------------------- 14 | Inv == 15 | /\ chosen \subseteq Value 16 | /\ IsFiniteSet(chosen) 17 | /\ Cardinality(chosen) \leq 1 18 | ----------------------------------------------------------------------------- 19 | THEOREM Invariance == Spec => []Inv 20 | <1>1 Init => Inv 21 | BY CardinalityZero, SMT 22 | DEFS Init, Inv 23 | <1>2. 
Inv /\ [Next]_chosen => Inv' 24 | BY CardinalityOne, SMT 25 | DEFS Next, Inv 26 | <1>3 QED 27 | BY <1>1, <1>2, PTL DEF Spec 28 | ============================================================================= -------------------------------------------------------------------------------- /Consensus/Consensus.tlaps/fingerprints.history/2019-07-22_12_04_35/fingerprints: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Consensus/Consensus.tlaps/fingerprints.history/2019-07-22_12_04_35/fingerprints -------------------------------------------------------------------------------- /Consensus/Consensus.tlaps/fingerprints.history/2019-07-22_13_42_54/Consensus.tla: -------------------------------------------------------------------------------- 1 | ----------------------------- MODULE Consensus ------------------------------ 2 | EXTENDS Sets, TLAPS 3 | ----------------------------------------------------------------------------- 4 | CONSTANT Value \* the set of values that can be chosen 5 | VARIABLE chosen \* the set of values that have been chosen 6 | ----------------------------------------------------------------------------- 7 | Init == chosen = {} 8 | Next == 9 | /\ chosen = {} 10 | /\ \E v \in Value : chosen' = {v} 11 | 12 | Spec == Init /\ [][Next]_chosen 13 | ----------------------------------------------------------------------------- 14 | Inv == 15 | /\ chosen \subseteq Value 16 | /\ IsFiniteSet(chosen) 17 | /\ Cardinality(chosen) \leq 1 18 | ----------------------------------------------------------------------------- 19 | THEOREM Invariance == Spec => []Inv 20 | <1>1. Init => Inv 21 | BY CardinalityZero, SMT 22 | DEFS Init, Inv 23 | <1>2. Inv /\ [Next]_chosen => Inv' 24 | BY CardinalityOne, SMT 25 | DEFS Next, Inv 26 | <1>3. 
QED 27 | BY <1>1, <1>2, PTL DEF Spec 28 | ============================================================================= -------------------------------------------------------------------------------- /Consensus/Consensus.tlaps/fingerprints.history/2019-07-22_13_42_54/fingerprints: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Consensus/Consensus.tlaps/fingerprints.history/2019-07-22_13_42_54/fingerprints -------------------------------------------------------------------------------- /Consensus/PaxosProof.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Consensus/PaxosProof.pdf -------------------------------------------------------------------------------- /Consensus/PaxosProof.tlaps/PaxosProof.thy: -------------------------------------------------------------------------------- 1 | (* automatically generated -- do not edit manually *) 2 | theory PaxosProof imports Constant Zenon begin 3 | ML_command {* writeln ("*** TLAPS PARSED\n"); *} 4 | consts 5 | "isReal" :: c 6 | "isa_slas_a" :: "[c,c] => c" 7 | "isa_bksl_diva" :: "[c,c] => c" 8 | "isa_perc_a" :: "[c,c] => c" 9 | "isa_peri_peri_a" :: "[c,c] => c" 10 | "isInfinity" :: c 11 | "isa_lbrk_rbrk_a" :: "[c] => c" 12 | "isa_less_more_a" :: "[c] => c" 13 | 14 | end 15 | -------------------------------------------------------------------------------- /Consensus/PaxosProof.tlaps/fingerprints: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Consensus/PaxosProof.tlaps/fingerprints -------------------------------------------------------------------------------- 
/Consensus/PaxosProof.tlaps/fingerprints.history/2019-07-22_16_24_33/Consensus.tla: -------------------------------------------------------------------------------- 1 | ----------------------------- MODULE Consensus ------------------------------ 2 | EXTENDS Sets, TLAPS 3 | ----------------------------------------------------------------------------- 4 | CONSTANT Value \* the set of values that can be chosen 5 | VARIABLE chosen \* the set of values that have been chosen 6 | ----------------------------------------------------------------------------- 7 | Init == chosen = {} 8 | Next == 9 | /\ chosen = {} 10 | /\ \E v \in Value : chosen' = {v} 11 | 12 | Spec == Init /\ [][Next]_chosen 13 | ----------------------------------------------------------------------------- 14 | Inv == 15 | /\ chosen \subseteq Value 16 | /\ IsFiniteSet(chosen) 17 | /\ Cardinality(chosen) \leq 1 18 | ----------------------------------------------------------------------------- 19 | THEOREM Invariance == Spec => []Inv 20 | <1>1. Init => Inv 21 | BY CardinalityZero, SMT 22 | DEFS Init, Inv 23 | <1>2. Inv /\ [Next]_chosen => Inv' 24 | BY CardinalityOne, SMT 25 | DEFS Next, Inv 26 | <1>3. 
QED 27 | BY <1>1, <1>2, PTL DEF Spec 28 | ============================================================================= -------------------------------------------------------------------------------- /Consensus/PaxosProof.tlaps/fingerprints.history/2019-07-22_16_24_33/PaxosTuple.tla: -------------------------------------------------------------------------------- 1 | -------------------------------- MODULE PaxosTuple -------------------------- 2 | EXTENDS Integers, Sets 3 | ----------------------------------------------------------------------------- 4 | CONSTANT Value, Acceptor, Quorum 5 | 6 | ASSUME QuorumAssumption == /\ \A Q \in Quorum : Q \subseteq Acceptor 7 | /\ \A Q1, Q2 \in Quorum : Q1 \cap Q2 # {} 8 | Ballot == Nat 9 | None == CHOOSE v : v \notin Ballot 10 | ----------------------------------------------------------------------------- 11 | Message == 12 | {"1a"} \X Ballot 13 | \cup {"1b"} \X Acceptor \X Ballot \X (Ballot \cup {-1}) \X (Value \cup {None}) 14 | \cup {"2a"} \X Ballot \X Value 15 | \cup {"2b"} \X Acceptor \X Ballot \X Value 16 | ----------------------------------------------------------------------------- 17 | VARIABLE maxBal, 18 | maxVBal, \* <>: the vote with the largest ballot number cast by a; 19 | maxVal, \* it is <<-1, None>> if a has not cast any vote. 
20 | msgs 21 | 22 | Send(m) == msgs' = msgs \cup {m} 23 | 24 | vars == <> 25 | 26 | TypeOK == /\ maxBal \in [Acceptor -> Ballot \cup {-1}] 27 | /\ maxVBal \in [Acceptor -> Ballot \cup {-1}] 28 | /\ maxVal \in [Acceptor -> Value \cup {None}] 29 | /\ msgs \subseteq Message 30 | ----------------------------------------------------------------------------- 31 | Init == /\ maxBal = [a \in Acceptor |-> -1] 32 | /\ maxVBal = [a \in Acceptor |-> -1] 33 | /\ maxVal = [a \in Acceptor |-> None] 34 | /\ msgs = {} 35 | 36 | Phase1a(b) == /\ Send(<<"1a", b>>) 37 | /\ UNCHANGED <> 38 | 39 | Phase1b(a) == /\ \E m \in msgs : 40 | /\ m[1] = "1a" 41 | /\ m[2] > maxBal[a] 42 | /\ maxBal' = [maxBal EXCEPT ![a] = m[2]] 43 | /\ Send(<<"1b", a, m[2], maxVBal[a], maxVal[a]>>) 44 | /\ UNCHANGED <> 45 | 46 | Phase2a(b, v) == 47 | /\ ~ \E m \in msgs : m[1] = "2a" /\ m[3] = b 48 | /\ \E Q \in Quorum : 49 | LET Q1b == {m \in msgs : /\ m[1] = "1b" 50 | /\ m[2] \in Q 51 | /\ m[3] = b} 52 | Q1bv == {m \in Q1b : m[4] \geq 0} 53 | IN /\ \A a \in Q : \E m \in Q1b : m[2] = a 54 | /\ \/ Q1bv = {} 55 | \/ \E m \in Q1bv : 56 | /\ m[5] = v 57 | /\ \A mm \in Q1bv : m[4] \geq mm[4] 58 | /\ Send(<<"2a", b, v>>) 59 | /\ UNCHANGED <> 60 | 61 | Phase2b(a) == \E m \in msgs : /\ m[1] = "2a" 62 | /\ m[2] \geq maxBal[a] 63 | /\ maxBal' = [maxBal EXCEPT ![a] = m[2]] 64 | /\ maxVBal' = [maxVBal EXCEPT ![a] = m[2]] 65 | /\ maxVal' = [maxVal EXCEPT ![a] = m[3]] 66 | /\ Send(<<"2b", a, m[2], m[3]>>) 67 | ---------------------------------------------------------------------------- 68 | Next == \/ \E b \in Ballot : \/ Phase1a(b) 69 | \/ \E v \in Value : Phase2a(b, v) 70 | \/ \E a \in Acceptor : Phase1b(a) \/ Phase2b(a) 71 | 72 | Spec == Init /\ [][Next]_vars 73 | ---------------------------------------------------------------------------- 74 | votes == [a \in Acceptor |-> 75 | {<> : m \in {mm \in msgs: /\ mm[1] = "2b" 76 | /\ mm[2] = a }}] 77 | V == INSTANCE Voting 78 | 79 | THEOREM Spec => V!Spec 80 | 
============================================================================ -------------------------------------------------------------------------------- /Consensus/PaxosProof.tlaps/fingerprints.history/2019-07-22_16_25_15/Consensus.tla: -------------------------------------------------------------------------------- 1 | ----------------------------- MODULE Consensus ------------------------------ 2 | EXTENDS Sets, TLAPS 3 | ----------------------------------------------------------------------------- 4 | CONSTANT Value \* the set of values that can be chosen 5 | VARIABLE chosen \* the set of values that have been chosen 6 | ----------------------------------------------------------------------------- 7 | Init == chosen = {} 8 | Next == 9 | /\ chosen = {} 10 | /\ \E v \in Value : chosen' = {v} 11 | 12 | Spec == Init /\ [][Next]_chosen 13 | ----------------------------------------------------------------------------- 14 | Inv == 15 | /\ chosen \subseteq Value 16 | /\ IsFiniteSet(chosen) 17 | /\ Cardinality(chosen) \leq 1 18 | ----------------------------------------------------------------------------- 19 | THEOREM Invariance == Spec => []Inv 20 | <1>1. Init => Inv 21 | BY CardinalityZero, SMT 22 | DEFS Init, Inv 23 | <1>2. Inv /\ [Next]_chosen => Inv' 24 | BY CardinalityOne, SMT 25 | DEFS Next, Inv 26 | <1>3. 
QED 27 | BY <1>1, <1>2, PTL DEF Spec 28 | ============================================================================= -------------------------------------------------------------------------------- /Consensus/PaxosProof.tlaps/fingerprints.history/2019-07-22_16_25_15/PaxosTuple.tla: -------------------------------------------------------------------------------- 1 | -------------------------------- MODULE PaxosTuple -------------------------- 2 | EXTENDS Integers, Sets 3 | ----------------------------------------------------------------------------- 4 | CONSTANT Value, Acceptor, Quorum 5 | 6 | ASSUME QuorumAssumption == /\ \A Q \in Quorum : Q \subseteq Acceptor 7 | /\ \A Q1, Q2 \in Quorum : Q1 \cap Q2 # {} 8 | Ballot == Nat 9 | None == CHOOSE v : v \notin Ballot 10 | ----------------------------------------------------------------------------- 11 | Message == 12 | {"1a"} \X Ballot 13 | \cup {"1b"} \X Acceptor \X Ballot \X (Ballot \cup {-1}) \X (Value \cup {None}) 14 | \cup {"2a"} \X Ballot \X Value 15 | \cup {"2b"} \X Acceptor \X Ballot \X Value 16 | ----------------------------------------------------------------------------- 17 | VARIABLE maxBal, 18 | maxVBal, \* <>: the vote with the largest ballot number cast by a; 19 | maxVal, \* it is <<-1, None>> if a has not cast any vote. 
20 | msgs 21 | 22 | Send(m) == msgs' = msgs \cup {m} 23 | 24 | vars == <> 25 | 26 | TypeOK == /\ maxBal \in [Acceptor -> Ballot \cup {-1}] 27 | /\ maxVBal \in [Acceptor -> Ballot \cup {-1}] 28 | /\ maxVal \in [Acceptor -> Value \cup {None}] 29 | /\ msgs \subseteq Message 30 | ----------------------------------------------------------------------------- 31 | Init == /\ maxBal = [a \in Acceptor |-> -1] 32 | /\ maxVBal = [a \in Acceptor |-> -1] 33 | /\ maxVal = [a \in Acceptor |-> None] 34 | /\ msgs = {} 35 | 36 | Phase1a(b) == /\ Send(<<"1a", b>>) 37 | /\ UNCHANGED <> 38 | 39 | Phase1b(a) == /\ \E m \in msgs : 40 | /\ m[1] = "1a" 41 | /\ m[2] > maxBal[a] 42 | /\ maxBal' = [maxBal EXCEPT ![a] = m[2]] 43 | /\ Send(<<"1b", a, m[2], maxVBal[a], maxVal[a]>>) 44 | /\ UNCHANGED <> 45 | 46 | Phase2a(b, v) == 47 | /\ ~ \E m \in msgs : m[1] = "2a" /\ m[3] = b 48 | /\ \E Q \in Quorum : 49 | LET Q1b == {m \in msgs : /\ m[1] = "1b" 50 | /\ m[2] \in Q 51 | /\ m[3] = b} 52 | Q1bv == {m \in Q1b : m[4] \geq 0} 53 | IN /\ \A a \in Q : \E m \in Q1b : m[2] = a 54 | /\ \/ Q1bv = {} 55 | \/ \E m \in Q1bv : 56 | /\ m[5] = v 57 | /\ \A mm \in Q1bv : m[4] \geq mm[4] 58 | /\ Send(<<"2a", b, v>>) 59 | /\ UNCHANGED <> 60 | 61 | Phase2b(a) == \E m \in msgs : /\ m[1] = "2a" 62 | /\ m[2] \geq maxBal[a] 63 | /\ maxBal' = [maxBal EXCEPT ![a] = m[2]] 64 | /\ maxVBal' = [maxVBal EXCEPT ![a] = m[2]] 65 | /\ maxVal' = [maxVal EXCEPT ![a] = m[3]] 66 | /\ Send(<<"2b", a, m[2], m[3]>>) 67 | ---------------------------------------------------------------------------- 68 | Next == \/ \E b \in Ballot : \/ Phase1a(b) 69 | \/ \E v \in Value : Phase2a(b, v) 70 | \/ \E a \in Acceptor : Phase1b(a) \/ Phase2b(a) 71 | 72 | Spec == Init /\ [][Next]_vars 73 | ---------------------------------------------------------------------------- 74 | votes == [a \in Acceptor |-> 75 | {<> : m \in {mm \in msgs: /\ mm[1] = "2b" 76 | /\ mm[2] = a }}] 77 | V == INSTANCE Voting 78 | 79 | THEOREM Spec => V!Spec 80 | 
============================================================================ -------------------------------------------------------------------------------- /Consensus/PaxosProof.tlaps/fingerprints.history/2019-07-22_16_25_15/fingerprints: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Consensus/PaxosProof.tlaps/fingerprints.history/2019-07-22_16_25_15/fingerprints -------------------------------------------------------------------------------- /Consensus/PaxosTuple.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Consensus/PaxosTuple.pdf -------------------------------------------------------------------------------- /Consensus/PaxosTuple.tla: -------------------------------------------------------------------------------- 1 | -------------------------------- MODULE PaxosTuple -------------------------- 2 | EXTENDS Integers, Sets 3 | ----------------------------------------------------------------------------- 4 | CONSTANT Value, Acceptor, Quorum 5 | 6 | ASSUME QuorumAssumption == /\ \A Q \in Quorum : Q \subseteq Acceptor 7 | /\ \A Q1, Q2 \in Quorum : Q1 \cap Q2 # {} 8 | Ballot == Nat 9 | None == CHOOSE v : v \notin Ballot 10 | ----------------------------------------------------------------------------- 11 | Message == 12 | {"1a"} \X Ballot 13 | \cup {"1b"} \X Acceptor \X Ballot \X (Ballot \cup {-1}) \X (Value \cup {None}) 14 | \cup {"2a"} \X Ballot \X Value 15 | \cup {"2b"} \X Acceptor \X Ballot \X Value 16 | ----------------------------------------------------------------------------- 17 | VARIABLE maxBal, 18 | maxVBal, \* <>: the vote with the largest ballot number cast by a; 19 | maxVal, \* it is <<-1, None>> if a has not cast any vote. 
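msgs                \* the set of all messages ever sent; messages are never removed

\* Broadcast m.  The message set only grows, so a message once sent is
\* visible to every acceptor and leader forever.
Send(m) == msgs' = msgs \cup {m}

\* All state variables, used for the stuttering steps of Spec.
vars == <<maxBal, maxVBal, maxVal, msgs>>

\* Type invariant: -1 marks "no ballot seen/voted yet", None marks "no value".
TypeOK == /\ maxBal \in [Acceptor -> Ballot \cup {-1}]
          /\ maxVBal \in [Acceptor -> Ballot \cup {-1}]
          /\ maxVal \in [Acceptor -> Value \cup {None}]
          /\ msgs \subseteq Message
-----------------------------------------------------------------------------
Init == /\ maxBal = [a \in Acceptor |-> -1]
        /\ maxVBal = [a \in Acceptor |-> -1]
        /\ maxVal = [a \in Acceptor |-> None]
        /\ msgs = {}

\* A leader starts ballot b by sending a 1a (prepare) message.
\* Only msgs changes; no acceptor state is touched.
Phase1a(b) == /\ Send(<<"1a", b>>)
              /\ UNCHANGED <<maxBal, maxVBal, maxVal>>

\* Acceptor a answers a 1a message for a ballot above every ballot it has
\* seen: it raises maxBal[a] (a promise not to vote in smaller ballots) and
\* reports its latest vote <<maxVBal[a], maxVal[a]>> in a 1b message laid out
\* as <<"1b", acceptor, ballot, maxVBal, maxVal>>.  Only maxBal and msgs change.
Phase1b(a) == /\ \E m \in msgs :
                  /\ m[1] = "1a"
                  /\ m[2] > maxBal[a]
                  /\ maxBal' = [maxBal EXCEPT ![a] = m[2]]
                  /\ Send(<<"1b", a, m[2], maxVBal[a], maxVal[a]>>)
              /\ UNCHANGED <<maxVBal, maxVal>>

\* A leader proposes value v in ballot b by sending a 2a (accept) message.
\* At most one 2a message may ever exist per ballot: this guard is what makes
\* the value chosen in a ballot unique, so it must compare the ballot field.
\* A 2a message is <<"2a", ballot, value>>, i.e. the ballot is m[2] and the
\* value is m[3]; testing m[3] against a ballot would leave the guard vacuous.
Phase2a(b, v) ==
  /\ ~ \E m \in msgs : m[1] = "2a" /\ m[2] = b
  /\ \E Q \in Quorum :
       \* Q1b: 1b messages for ballot b sent by members of Q.
       \* Q1bv: those among them that report a real vote (maxVBal >= 0).
       LET Q1b == {m \in msgs : /\ m[1] = "1b"
                                /\ m[2] \in Q
                                /\ m[3] = b}
           Q1bv == {m \in Q1b : m[4] \geq 0}
       IN  /\ \A a \in Q : \E m \in Q1b : m[2] = a
           \* v is free if nobody in Q has voted; otherwise v must be the
           \* value of the highest-ballot vote reported by Q.
           /\ \/ Q1bv = {}
              \/ \E m \in Q1bv :
                   /\ m[5] = v
                   /\ \A mm \in Q1bv : m[4] \geq mm[4]
  /\ Send(<<"2a", b, v>>)
  /\ UNCHANGED <<maxBal, maxVBal, maxVal>>

\* Acceptor a votes for the value of a 2a message whose ballot is not below
\* its promise.  Every state variable is assigned, so there is no UNCHANGED.
Phase2b(a) == \E m \in msgs : /\ m[1] = "2a"
                              /\ m[2] \geq maxBal[a]
                              /\ maxBal' = [maxBal EXCEPT ![a] = m[2]]
                              /\ maxVBal' = [maxVBal EXCEPT ![a] = m[2]]
                              /\ maxVal' = [maxVal EXCEPT ![a] = m[3]]
                              /\ Send(<<"2b", a, m[2], m[3]>>)
----------------------------------------------------------------------------
Next == \/ \E b \in Ballot : \/ Phase1a(b)
                             \/ \E v \in Value : Phase2a(b, v)
        \/ \E a \in Acceptor : Phase1b(a) \/ Phase2b(a)

Spec == Init /\ [][Next]_vars
----------------------------------------------------------------------------
\* Refinement mapping into Voting: acceptor a's votes are the <<ballot, value>>
\* pairs of the 2b messages it sent (a 2b message is <<"2b", a, ballot, value>>).
votes == [a \in Acceptor |->
           {<<m[3], m[4]>> : m \in {mm \in msgs : /\ mm[1] = "2b"
                                                  /\ mm[2] = a}}]
V == INSTANCE Voting

\* PaxosTuple implements the abstract Voting specification under the mapping above.
THEOREM Spec => V!Spec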
============================================================================ -------------------------------------------------------------------------------- /Consensus/PaxosTuple.toolbox/.project: -------------------------------------------------------------------------------- 1 | 2 | 3 | PaxosTuple 4 | 5 | 6 | 7 | 8 | 9 | toolbox.builder.TLAParserBuilder 10 | 11 | 12 | 13 | 14 | 15 | toolbox.natures.TLANature 16 | 17 | 18 | 19 | Consensus.tla 20 | 1 21 | /home/hengxin/git-projects/tlaps-examples/Consensus/Consensus.tla 22 | 23 | 24 | NaturalsInduction.tla 25 | 1 26 | /usr/local/lib/tlaps/NaturalsInduction.tla 27 | 28 | 29 | PaxosProof.tla 30 | 1 31 | PARENT-1-PROJECT_LOC/PaxosProof.tla 32 | 33 | 34 | PaxosTuple.tla 35 | 1 36 | PARENT-1-PROJECT_LOC/PaxosTuple.tla 37 | 38 | 39 | Sets.tla 40 | 1 41 | /home/hengxin/git-projects/tlaps-examples/Consensus/Sets.tla 42 | 43 | 44 | TLAPS.tla 45 | 1 46 | /usr/local/lib/tlaps/TLAPS.tla 47 | 48 | 49 | Voting.tla 50 | 1 51 | /home/hengxin/git-projects/tlaps-examples/Consensus/Voting.tla 52 | 53 | 54 | 55 | -------------------------------------------------------------------------------- /Consensus/PaxosTuple.toolbox/.settings/org.lamport.tla.toolbox.prefs: -------------------------------------------------------------------------------- 1 | ProjectRootFile=PARENT-1-PROJECT_LOC/PaxosTuple.tla 2 | eclipse.preferences.version=1 3 | -------------------------------------------------------------------------------- /Consensus/PaxosTuple.toolbox/Consensus.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Consensus/PaxosTuple.toolbox/Consensus.pdf -------------------------------------------------------------------------------- /Consensus/PaxosTuple.toolbox/NaturalsInduction.pdf: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Consensus/PaxosTuple.toolbox/NaturalsInduction.pdf -------------------------------------------------------------------------------- /Consensus/PaxosTuple.toolbox/PaxosProof.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Consensus/PaxosTuple.toolbox/PaxosProof.pdf -------------------------------------------------------------------------------- /Consensus/PaxosTuple.toolbox/PaxosTuple.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Consensus/PaxosTuple.toolbox/PaxosTuple.pdf -------------------------------------------------------------------------------- /Consensus/PaxosTuple.toolbox/Sets.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Consensus/PaxosTuple.toolbox/Sets.pdf -------------------------------------------------------------------------------- /Consensus/PaxosTuple.toolbox/Voting.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Consensus/PaxosTuple.toolbox/Voting.pdf -------------------------------------------------------------------------------- /Consensus/README.md: -------------------------------------------------------------------------------- 1 | # Consensus 2 | 3 | ## [`Consensus.tla`]() 4 | 5 | ## [`Voting.tla`](https://github.com/hengxin/tlaps-examples/blob/master/Consensus/Voting.tla) 6 | `Voting` models the behaviors of Acceptors in Paxos. 
7 | 8 | Each acceptor `a` can either `IncreaseMaxBal(a, b)` or `VoteFor(a, b, v)`. 9 | 10 | In `IncreaseMaxBal(a, b)`, the acceptor `a` makes a promise that it will never accept ballots 11 | numbered less than `b`. 12 | 13 | In `VoteFor(a, b, v)`, the acceptor `a` first checks whether the ballot `<<b, v>>` 14 | is safe to accept (by `ShowsSafeAt(Q, b, v)`) and, if so, accepts it. 15 | 16 | --- 17 | For correctness, it is crucial to show the `VotesSafe` property, 18 | which states that every vote is indeed safe (`SafeAt(b, v)`). 19 | 20 | - `THEOREM ShowsSafety` 21 | 22 | ## [`PaxosTuple.tla`]() 23 | 24 | ## [`PaxosProof.tla`]() 25 | -------------------------------------------------------------------------------- /Consensus/Sets.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Consensus/Sets.pdf -------------------------------------------------------------------------------- /Consensus/Sets.tlaps/Sets.thy: -------------------------------------------------------------------------------- 1 | (* automatically generated -- do not edit manually *) 2 | theory Sets imports Constant Zenon begin 3 | ML_command {* writeln ("*** TLAPS PARSED\n"); *} 4 | consts 5 | "isReal" :: c 6 | "isa_slas_a" :: "[c,c] => c" 7 | "isa_bksl_diva" :: "[c,c] => c" 8 | "isa_perc_a" :: "[c,c] => c" 9 | "isa_peri_peri_a" :: "[c,c] => c" 10 | "isInfinity" :: c 11 | "isa_lbrk_rbrk_a" :: "[c] => c" 12 | "isa_less_more_a" :: "[c] => c" 13 | 14 | end 15 | -------------------------------------------------------------------------------- /Consensus/Sets.tlaps/fingerprints: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Consensus/Sets.tlaps/fingerprints -------------------------------------------------------------------------------- 
/Consensus/Sets.tlaps/fingerprints.history/2019-07-22_09_58_31/fingerprints: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Consensus/Sets.tlaps/fingerprints.history/2019-07-22_09_58_31/fingerprints -------------------------------------------------------------------------------- /Consensus/Voting.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Consensus/Voting.pdf -------------------------------------------------------------------------------- /Consensus/Voting.tlaps/Voting.thy: -------------------------------------------------------------------------------- 1 | (* automatically generated -- do not edit manually *) 2 | theory Voting imports Constant Zenon begin 3 | ML_command {* writeln ("*** TLAPS PARSED\n"); *} 4 | consts 5 | "isReal" :: c 6 | "isa_slas_a" :: "[c,c] => c" 7 | "isa_bksl_diva" :: "[c,c] => c" 8 | "isa_perc_a" :: "[c,c] => c" 9 | "isa_peri_peri_a" :: "[c,c] => c" 10 | "isInfinity" :: c 11 | "isa_lbrk_rbrk_a" :: "[c] => c" 12 | "isa_less_more_a" :: "[c] => c" 13 | 14 | end 15 | -------------------------------------------------------------------------------- /Consensus/Voting.tlaps/fingerprints: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Consensus/Voting.tlaps/fingerprints -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/EuclidEx.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Euclid/Euclid-Hyperbook/EuclidEx.pdf 
-------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/EuclidEx.tla: -------------------------------------------------------------------------------- 1 | ------------------------------ MODULE EuclidEx ------------------------------ 2 | EXTENDS GCD, TLAPS 3 | ----------------------------------------------------------------------------- 4 | CONSTANTS M, N 5 | ASSUME MNPosInt == 6 | /\ M \in Nat \ {0} 7 | /\ N \in Nat \ {0} 8 | (******************************************************************* 9 | --algorithm Euclid { 10 | variables x = M, y = N ; 11 | { while (x # y) { if (x < y) { y := y - x } 12 | else { x := x - y } 13 | }; 14 | } 15 | } 16 | *******************************************************************) 17 | \* BEGIN TRANSLATION 18 | VARIABLES x, y, pc 19 | 20 | vars == << x, y, pc >> 21 | 22 | Init == (* Global variables *) 23 | /\ x = M 24 | /\ y = N 25 | /\ pc = "Lbl_1" 26 | 27 | Lbl_1 == /\ pc = "Lbl_1" 28 | /\ IF x # y 29 | THEN /\ IF x < y 30 | THEN /\ y' = y - x 31 | /\ x' = x 32 | ELSE /\ x' = x - y 33 | /\ y' = y 34 | /\ pc' = "Lbl_1" 35 | ELSE /\ pc' = "Done" 36 | /\ UNCHANGED << x, y >> 37 | 38 | Next == Lbl_1 \* Allow infinite stuttering to prevent deadlock on termination. 39 | \/ (pc = "Done" /\ UNCHANGED vars) 40 | 41 | Spec == Init /\ [][Next]_vars 42 | 43 | Termination == <>(pc = "Done") 44 | 45 | \* END TRANSLATION 46 | ----------------------------------------------------------------------------- 47 | PartialCorrectness == 48 | (pc = "Done") => (x = y) /\ (x = GCD(M, N)) 49 | 50 | TypeOK == 51 | /\ x \in Nat \ {0} 52 | /\ y \in Nat \ {0} 53 | 54 | Inv == 55 | /\ TypeOK 56 | /\ GCD(x, y) = GCD(M, N) 57 | /\ (pc = "Done") => (x = y) 58 | ----------------------------------------------------------------------------- 59 | THEOREM Spec => []PartialCorrectness 60 | <1>1. Init => Inv 61 | BY MNPosInt DEF Init, Inv, TypeOK 62 | <1>2. 
Inv /\ [Next]_vars => Inv' 63 | BY MNPosInt, GCD2, GCD3 DEF Inv, TypeOK, Next, Lbl_1, vars 64 | <1>3. Inv => PartialCorrectness 65 | BY MNPosInt, GCD1 DEF Inv, TypeOK, PartialCorrectness 66 | <1>4. QED 67 | BY <1>1, <1>2, <1>3, PTL DEF Spec 68 | ============================================================================= 69 | \* Modification History 70 | \* Last modified Tue Jul 16 09:46:10 CST 2019 by hengxin 71 | \* Created Mon Jul 15 16:59:12 CST 2019 by hengxin -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/EuclidEx.tlaps/EuclidEx.thy: -------------------------------------------------------------------------------- 1 | (* automatically generated -- do not edit manually *) 2 | theory EuclidEx imports Constant Zenon begin 3 | ML_command {* writeln ("*** TLAPS PARSED\n"); *} 4 | consts 5 | "isReal" :: c 6 | "isa_slas_a" :: "[c,c] => c" 7 | "isa_bksl_diva" :: "[c,c] => c" 8 | "isa_perc_a" :: "[c,c] => c" 9 | "isa_peri_peri_a" :: "[c,c] => c" 10 | "isInfinity" :: c 11 | "isa_lbrk_rbrk_a" :: "[c] => c" 12 | "isa_less_more_a" :: "[c] => c" 13 | 14 | end 15 | -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/EuclidEx.tlaps/fingerprints: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Euclid/Euclid-Hyperbook/EuclidEx.tlaps/fingerprints -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/EuclidEx.tlaps/fingerprints.history/2019-07-16_09_36_50/EuclidEx.tla: -------------------------------------------------------------------------------- 1 | ------------------------------ MODULE EuclidEx ------------------------------ 2 | EXTENDS GCD, TLAPS 3 | ----------------------------------------------------------------------------- 4 | CONSTANTS M, N 5 | ASSUME MNPosInt == 6 | /\ M \in 
Nat \ {0} 7 | /\ N \in Nat \ {0} 8 | (******************************************************************* 9 | --algorithm Euclid { 10 | variables x = M, y = N ; 11 | { while (x # y) { if (x < y) { y := y - x } 12 | else { x := x - y } 13 | }; 14 | } 15 | } 16 | *******************************************************************) 17 | \* BEGIN TRANSLATION 18 | VARIABLES x, y, pc 19 | 20 | vars == << x, y, pc >> 21 | 22 | Init == (* Global variables *) 23 | /\ x = M 24 | /\ y = N 25 | /\ pc = "Lbl_1" 26 | 27 | Lbl_1 == /\ pc = "Lbl_1" 28 | /\ IF x # y 29 | THEN /\ IF x < y 30 | THEN /\ y' = y - x 31 | /\ x' = x 32 | ELSE /\ x' = x - y 33 | /\ y' = y 34 | /\ pc' = "Lbl_1" 35 | ELSE /\ pc' = "Done" 36 | /\ UNCHANGED << x, y >> 37 | 38 | Next == Lbl_1 \* Allow infinite stuttering to prevent deadlock on termination. 39 | \/ (pc = "Done" /\ UNCHANGED vars) 40 | 41 | Spec == Init /\ [][Next]_vars 42 | 43 | Termination == <>(pc = "Done") 44 | 45 | \* END TRANSLATION 46 | ----------------------------------------------------------------------------- 47 | PartialCorrectness == 48 | (pc = "Done") => (x = y) /\ (x = GCD(M, N)) 49 | 50 | TypeOK == 51 | /\ x \in Nat \ {0} 52 | /\ y \in Nat \ {0} 53 | 54 | Inv == 55 | /\ TypeOK 56 | /\ GCD(x, y) = GCD(M, N) 57 | /\ (pc = "Done") => (x = y) 58 | ----------------------------------------------------------------------------- 59 | THEOREM Spec => []PartialCorrectness 60 | <1>1. Init => Inv 61 | BY MNPosInt DEF Init, Inv, TypeOK 62 | <1>2. Inv /\ [Next]_vars => Inv' 63 | <2> SUFFICES ASSUME Inv, 64 | [Next]_vars 65 | PROVE Inv' 66 | OBVIOUS 67 | <2>1. CASE Lbl_1 68 | BY <2>1 DEF Inv, TypeOK 69 | <2>2. CASE pc = "Done" /\ UNCHANGED vars 70 | BY <2>2 DEF Inv, TypeOK 71 | <2>3. CASE UNCHANGED vars 72 | BY <2>3 DEF Inv, TypeOK 73 | <2>4. QED 74 | BY <2>1, <2>2, <2>3 DEF Next 75 | 76 | 77 | <1>3. Inv => PartialCorrectness 78 | <1>4. 
QED 79 | BY <1>1, <1>2, <1>3, PTL DEF Spec 80 | ============================================================================= 81 | \* Modification History 82 | \* Last modified Tue Jul 16 09:36:49 CST 2019 by hengxin 83 | \* Created Mon Jul 15 16:59:12 CST 2019 by hengxin -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/EuclidEx.tlaps/fingerprints.history/2019-07-16_09_36_50/GCD.tla: -------------------------------------------------------------------------------- 1 | --------------------------- MODULE GCD --------------------------- 2 | EXTENDS Integers 3 | ------------------------------------------------------------------ 4 | Divides(p, n) == \E q \in Int : n = p * q 5 | DivisorsOf(n) == {p \in Int : Divides(p, n)} 6 | 7 | SetMax(S) == CHOOSE i \in S : \A j \in S : i >= j 8 | 9 | GCD(m, n) == SetMax(DivisorsOf(m) \cap DivisorsOf(n)) 10 | ----------------------------------------------------------------------------- 11 | THEOREM GCD1 == \A m \in Nat \ {0} : GCD(m, m) = m 12 | <1> SUFFICES ASSUME NEW m \in Nat \ {0} 13 | PROVE GCD(m, m) = m 14 | OBVIOUS 15 | <1>1. Divides(m, m) 16 | BY DEF Divides 17 | <1>2. 
\A i \in Nat : Divides(i, m) => (i <= m) 18 | BY DEF Divides 19 | <1> QED 20 | BY <1>1, <1>2 DEF GCD, SetMax , DivisorsOf , Divides 21 | ----------------------------------------------------------------------------- 22 | THEOREM GCD2 == \A m, n \in Nat \ {0} : GCD(m, n) = GCD(n, m) 23 | BY DEF GCD, SetMax , DivisorsOf , Divides 24 | ----------------------------------------------------------------------------- 25 | THEOREM GCD3 == \A m, n \in Nat \ {0} : (n > m) => (GCD(m, n) = GCD(m, n-m)) 26 | <1> SUFFICES ASSUME NEW m \in Nat \ {0}, NEW n \in Nat \ {0}, 27 | n > m 28 | PROVE GCD(m, n) = GCD(m, n-m) 29 | OBVIOUS 30 | <1> \A i \in Int : Divides(i, m) /\ Divides(i, n) <=> Divides(i, m) /\ Divides(i, n - m) 31 | BY DEF Divides 32 | <1> QED 33 | BY DEF GCD, SetMax , DivisorsOf , Divides 34 | =================================================================== -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/EuclidEx.tlaps/fingerprints.history/2019-07-16_09_36_50/fingerprints: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Euclid/Euclid-Hyperbook/EuclidEx.tlaps/fingerprints.history/2019-07-16_09_36_50/fingerprints -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/EuclidEx.tlaps/fingerprints.history/2019-07-16_09_37_06/EuclidEx.tla: -------------------------------------------------------------------------------- 1 | ------------------------------ MODULE EuclidEx ------------------------------ 2 | EXTENDS GCD, TLAPS 3 | ----------------------------------------------------------------------------- 4 | CONSTANTS M, N 5 | ASSUME MNPosInt == 6 | /\ M \in Nat \ {0} 7 | /\ N \in Nat \ {0} 8 | (******************************************************************* 9 | --algorithm Euclid { 10 | variables x = M, y = N ; 11 | { while (x # y) { 
if (x < y) { y := y - x } 12 | else { x := x - y } 13 | }; 14 | } 15 | } 16 | *******************************************************************) 17 | \* BEGIN TRANSLATION 18 | VARIABLES x, y, pc 19 | 20 | vars == << x, y, pc >> 21 | 22 | Init == (* Global variables *) 23 | /\ x = M 24 | /\ y = N 25 | /\ pc = "Lbl_1" 26 | 27 | Lbl_1 == /\ pc = "Lbl_1" 28 | /\ IF x # y 29 | THEN /\ IF x < y 30 | THEN /\ y' = y - x 31 | /\ x' = x 32 | ELSE /\ x' = x - y 33 | /\ y' = y 34 | /\ pc' = "Lbl_1" 35 | ELSE /\ pc' = "Done" 36 | /\ UNCHANGED << x, y >> 37 | 38 | Next == Lbl_1 \* Allow infinite stuttering to prevent deadlock on termination. 39 | \/ (pc = "Done" /\ UNCHANGED vars) 40 | 41 | Spec == Init /\ [][Next]_vars 42 | 43 | Termination == <>(pc = "Done") 44 | 45 | \* END TRANSLATION 46 | ----------------------------------------------------------------------------- 47 | PartialCorrectness == 48 | (pc = "Done") => (x = y) /\ (x = GCD(M, N)) 49 | 50 | TypeOK == 51 | /\ x \in Nat \ {0} 52 | /\ y \in Nat \ {0} 53 | 54 | Inv == 55 | /\ TypeOK 56 | /\ GCD(x, y) = GCD(M, N) 57 | /\ (pc = "Done") => (x = y) 58 | ----------------------------------------------------------------------------- 59 | THEOREM Spec => []PartialCorrectness 60 | <1>1. Init => Inv 61 | BY MNPosInt DEF Init, Inv, TypeOK 62 | <1>2. Inv /\ [Next]_vars => Inv' 63 | <2> SUFFICES ASSUME Inv, 64 | [Next]_vars 65 | PROVE Inv' 66 | OBVIOUS 67 | <2>1. CASE Lbl_1 68 | BY <2>1 DEF Inv, TypeOK, Lbl_1 69 | <2>2. CASE pc = "Done" /\ UNCHANGED vars 70 | BY <2>2 DEF Inv, TypeOK 71 | <2>3. CASE UNCHANGED vars 72 | BY <2>3 DEF Inv, TypeOK 73 | <2>4. QED 74 | BY <2>1, <2>2, <2>3 DEF Next 75 | 76 | 77 | <1>3. Inv => PartialCorrectness 78 | <1>4. 
QED
  \* PTL (the temporal backend) combines the three step facts into invariance.
  BY <1>1, <1>2, <1>3, PTL DEF Spec
=============================================================================
\* Modification History
\* Last modified Tue Jul 16 09:37:02 CST 2019 by hengxin
\* Created Mon Jul 15 16:59:12 CST 2019 by hengxin
--------------------------------------------------------------------------------
/Euclid/Euclid-Hyperbook/EuclidEx.tlaps/fingerprints.history/2019-07-16_09_37_06/GCD.tla:
--------------------------------------------------------------------------------
--------------------------- MODULE GCD ---------------------------
\* Set-theoretic definition of the greatest common divisor, plus the three
\* lemmas (GCD1..GCD3) that the Euclid proof in EuclidEx relies on.
EXTENDS Integers
------------------------------------------------------------------
\* p divides n when n is an integer multiple of p.  Divides(p, 0) holds for
\* every p (take q = 0), so DivisorsOf(0) is all of Int; this is why the
\* lemmas below exclude 0.
Divides(p, n) == \E q \in Int : n = p * q
DivisorsOf(n) == {p \in Int : Divides(p, n)}

\* Largest element of S via CHOOSE.  If S has no greatest element the value
\* is unspecified (CHOOSE with no witness), not an error.
SetMax(S) == CHOOSE i \in S : \A j \in S : i >= j

\* Divisors range over Int, so negatives are included; SetMax picks the
\* largest, which for positive m, n is the usual positive gcd.
GCD(m, n) == SetMax(DivisorsOf(m) \cap DivisorsOf(n))
-----------------------------------------------------------------------------
\* GCD(m, m) = m: m divides itself (<1>1) and no natural divisor exceeds m (<1>2).
THEOREM GCD1 == \A m \in Nat \ {0} : GCD(m, m) = m
<1> SUFFICES ASSUME NEW m \in Nat \ {0}
             PROVE  GCD(m, m) = m
  OBVIOUS
<1>1. Divides(m, m)
  BY DEF Divides
<1>2.
\A i \in Nat : Divides(i, m) => (i <= m)
  BY DEF Divides
<1> QED
  BY <1>1, <1>2 DEF GCD, SetMax , DivisorsOf , Divides
-----------------------------------------------------------------------------
\* Commutativity of GCD: the two divisor sets are intersected, so swapping
\* m and n does not change the set that SetMax is applied to.
THEOREM GCD2 == \A m, n \in Nat \ {0} : GCD(m, n) = GCD(n, m)
BY DEF GCD, SetMax , DivisorsOf , Divides
-----------------------------------------------------------------------------
\* One Euclid subtraction step: for n > m, n and n-m have exactly the same
\* common divisors with m (the unnamed <1> step below), so the GCD is
\* unchanged.  The hypothesis n > m keeps n-m inside Nat \ {0}.
THEOREM GCD3 == \A m, n \in Nat \ {0} : (n > m) => (GCD(m, n) = GCD(m, n-m))
<1> SUFFICES ASSUME NEW m \in Nat \ {0}, NEW n \in Nat \ {0},
                    n > m
             PROVE  GCD(m, n) = GCD(m, n-m)
  OBVIOUS
\* /\ binds tighter than <=>, so this step reads
\*   (Divides(i,m) /\ Divides(i,n)) <=> (Divides(i,m) /\ Divides(i,n-m)).
<1> \A i \in Int : Divides(i, m) /\ Divides(i, n) <=> Divides(i, m) /\ Divides(i, n - m)
  BY DEF Divides
<1> QED
  BY DEF GCD, SetMax , DivisorsOf , Divides
===================================================================
--------------------------------------------------------------------------------
/Euclid/Euclid-Hyperbook/EuclidEx.tlaps/fingerprints.history/2019-07-16_09_37_06/fingerprints:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Euclid/Euclid-Hyperbook/EuclidEx.tlaps/fingerprints.history/2019-07-16_09_37_06/fingerprints
--------------------------------------------------------------------------------
/Euclid/Euclid-Hyperbook/EuclidEx.tlaps/fingerprints.history/2019-07-16_09_39_22/EuclidEx.tla:
--------------------------------------------------------------------------------
------------------------------ MODULE EuclidEx ------------------------------
\* Euclid's subtraction algorithm written in PlusCal, with a TLAPS proof that
\* on termination x equals GCD(M, N).  Termination itself is defined by the
\* translation below but is not proved in this module.
EXTENDS GCD, TLAPS
-----------------------------------------------------------------------------
CONSTANTS M, N
\* Both inputs are positive naturals: the GCD lemmas in module GCD are only
\* stated on Nat \ {0}, and the TypeOK invariant keeps x and y in that range.
ASSUME MNPosInt ==
    /\ M \in Nat \ {0}
    /\ N \in Nat \ {0}
(*******************************************************************
--algorithm Euclid {
  variables x = M, y = N ;
  { while (x # y) {
if (x < y) { y := y - x }
      else { x := x - y }
    };
  }
}
*******************************************************************)
\* BEGIN TRANSLATION
VARIABLES x, y, pc

vars == << x, y, pc >>

Init == (* Global variables *)
        /\ x = M
        /\ y = N
        /\ pc = "Lbl_1"

Lbl_1 == /\ pc = "Lbl_1"
         /\ IF x # y
               THEN /\ IF x < y
                          THEN /\ y' = y - x
                               /\ x' = x
                          ELSE /\ x' = x - y
                               /\ y' = y
                    /\ pc' = "Lbl_1"
               ELSE /\ pc' = "Done"
                    /\ UNCHANGED << x, y >>

Next == Lbl_1 \* Allow infinite stuttering to prevent deadlock on termination.
           \/ (pc = "Done" /\ UNCHANGED vars)

Spec == Init /\ [][Next]_vars

Termination == <>(pc = "Done")

\* END TRANSLATION
-----------------------------------------------------------------------------
\* Safety property: whenever the loop has exited, x and y agree and hold the
\* GCD of the inputs.  (=> binds weaker than /\, so both conjuncts are under
\* the implication.)
PartialCorrectness ==
  (pc = "Done") => (x = y) /\ (x = GCD(M, N))

\* x and y stay positive: Lbl_1 only ever subtracts the smaller value from
\* the larger one (x < y guards y - x), so neither can reach 0.
TypeOK ==
  /\ x \in Nat \ {0}
  /\ y \in Nat \ {0}

\* Inductive invariant: GCD(x, y) is preserved by every subtraction step, and
\* the loop exits only when x = y.
Inv ==
  /\ TypeOK
  /\ GCD(x, y) = GCD(M, N)
  /\ (pc = "Done") => (x = y)
-----------------------------------------------------------------------------
\* Standard inductive-invariant argument: Init => Inv, Inv is preserved by
\* [Next]_vars, Inv => PartialCorrectness; PTL then lifts this to []PartialCorrectness.
THEOREM Spec => []PartialCorrectness
<1>1. Init => Inv
  BY MNPosInt DEF Init, Inv, TypeOK
<1>2. Inv /\ [Next]_vars => Inv'
  <2> SUFFICES ASSUME Inv,
                      [Next]_vars
               PROVE  Inv'
    OBVIOUS
  \* NOTE(review): this step cites no lemma about GCD; whether expanding Inv,
  \* TypeOK and Lbl_1 alone lets the backends establish the
  \* GCD(x', y') = GCD(M, N) conjunct is not shown here -- TODO confirm.
  <2>1. CASE Lbl_1
    BY <2>1 DEF Inv, TypeOK, Lbl_1
  \* vars is expanded in the stuttering cases so that UNCHANGED vars yields
  \* x' = x, y' = y, pc' = pc to the prover.
  <2>2. CASE pc = "Done" /\ UNCHANGED vars
    BY <2>2 DEF Inv, TypeOK, vars
  <2>3. CASE UNCHANGED vars
    BY <2>3 DEF Inv, TypeOK, vars
  <2>4. QED
    BY <2>1, <2>2, <2>3 DEF Next


\* NOTE(review): no proof is given for this step; TLAPS will report it as
\* unproved (missing), so the QED below rests on an unchecked claim.
<1>3. Inv => PartialCorrectness
<1>4.
QED
  \* PTL (the temporal backend) combines the three step facts into invariance.
  BY <1>1, <1>2, <1>3, PTL DEF Spec
=============================================================================
\* Modification History
\* Last modified Tue Jul 16 09:39:13 CST 2019 by hengxin
\* Created Mon Jul 15 16:59:12 CST 2019 by hengxin
--------------------------------------------------------------------------------
/Euclid/Euclid-Hyperbook/EuclidEx.tlaps/fingerprints.history/2019-07-16_09_39_22/GCD.tla:
--------------------------------------------------------------------------------
--------------------------- MODULE GCD ---------------------------
\* Set-theoretic definition of the greatest common divisor, plus the three
\* lemmas (GCD1..GCD3) that the Euclid proof in EuclidEx relies on.
EXTENDS Integers
------------------------------------------------------------------
\* p divides n when n is an integer multiple of p.  Divides(p, 0) holds for
\* every p (take q = 0), so DivisorsOf(0) is all of Int; this is why the
\* lemmas below exclude 0.
Divides(p, n) == \E q \in Int : n = p * q
DivisorsOf(n) == {p \in Int : Divides(p, n)}

\* Largest element of S via CHOOSE.  If S has no greatest element the value
\* is unspecified (CHOOSE with no witness), not an error.
SetMax(S) == CHOOSE i \in S : \A j \in S : i >= j

\* Divisors range over Int, so negatives are included; SetMax picks the
\* largest, which for positive m, n is the usual positive gcd.
GCD(m, n) == SetMax(DivisorsOf(m) \cap DivisorsOf(n))
-----------------------------------------------------------------------------
\* GCD(m, m) = m: m divides itself (<1>1) and no natural divisor exceeds m (<1>2).
THEOREM GCD1 == \A m \in Nat \ {0} : GCD(m, m) = m
<1> SUFFICES ASSUME NEW m \in Nat \ {0}
             PROVE  GCD(m, m) = m
  OBVIOUS
<1>1. Divides(m, m)
  BY DEF Divides
<1>2.
\A i \in Nat : Divides(i, m) => (i <= m)
  BY DEF Divides
<1> QED
  BY <1>1, <1>2 DEF GCD, SetMax , DivisorsOf , Divides
-----------------------------------------------------------------------------
\* Commutativity of GCD: the two divisor sets are intersected, so swapping
\* m and n does not change the set that SetMax is applied to.
THEOREM GCD2 == \A m, n \in Nat \ {0} : GCD(m, n) = GCD(n, m)
BY DEF GCD, SetMax , DivisorsOf , Divides
-----------------------------------------------------------------------------
\* One Euclid subtraction step: for n > m, n and n-m have exactly the same
\* common divisors with m (the unnamed <1> step below), so the GCD is
\* unchanged.  The hypothesis n > m keeps n-m inside Nat \ {0}.
THEOREM GCD3 == \A m, n \in Nat \ {0} : (n > m) => (GCD(m, n) = GCD(m, n-m))
<1> SUFFICES ASSUME NEW m \in Nat \ {0}, NEW n \in Nat \ {0},
                    n > m
             PROVE  GCD(m, n) = GCD(m, n-m)
  OBVIOUS
\* /\ binds tighter than <=>, so this step reads
\*   (Divides(i,m) /\ Divides(i,n)) <=> (Divides(i,m) /\ Divides(i,n-m)).
<1> \A i \in Int : Divides(i, m) /\ Divides(i, n) <=> Divides(i, m) /\ Divides(i, n - m)
  BY DEF Divides
<1> QED
  BY DEF GCD, SetMax , DivisorsOf , Divides
===================================================================
--------------------------------------------------------------------------------
/Euclid/Euclid-Hyperbook/EuclidEx.tlaps/fingerprints.history/2019-07-16_09_39_22/fingerprints:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Euclid/Euclid-Hyperbook/EuclidEx.tlaps/fingerprints.history/2019-07-16_09_39_22/fingerprints
--------------------------------------------------------------------------------
/Euclid/Euclid-Hyperbook/EuclidEx.tlaps/fingerprints.history/2019-07-16_09_39_27/EuclidEx.tla:
--------------------------------------------------------------------------------
------------------------------ MODULE EuclidEx ------------------------------
\* Euclid's subtraction algorithm written in PlusCal, with a TLAPS proof that
\* on termination x equals GCD(M, N).  Termination itself is defined by the
\* translation below but is not proved in this module.
EXTENDS GCD, TLAPS
-----------------------------------------------------------------------------
CONSTANTS M, N
\* Both inputs are positive naturals: the GCD lemmas in module GCD are only
\* stated on Nat \ {0}, and the TypeOK invariant keeps x and y in that range.
ASSUME MNPosInt ==
    /\ M \in Nat \ {0}
    /\ N \in Nat \ {0}
(*******************************************************************
--algorithm Euclid {
  variables x = M, y = N ;
  { while (x # y) {
if (x < y) { y := y - x }
      else { x := x - y }
    };
  }
}
*******************************************************************)
\* BEGIN TRANSLATION
VARIABLES x, y, pc

vars == << x, y, pc >>

Init == (* Global variables *)
        /\ x = M
        /\ y = N
        /\ pc = "Lbl_1"

Lbl_1 == /\ pc = "Lbl_1"
         /\ IF x # y
               THEN /\ IF x < y
                          THEN /\ y' = y - x
                               /\ x' = x
                          ELSE /\ x' = x - y
                               /\ y' = y
                    /\ pc' = "Lbl_1"
               ELSE /\ pc' = "Done"
                    /\ UNCHANGED << x, y >>

Next == Lbl_1 \* Allow infinite stuttering to prevent deadlock on termination.
           \/ (pc = "Done" /\ UNCHANGED vars)

Spec == Init /\ [][Next]_vars

Termination == <>(pc = "Done")

\* END TRANSLATION
-----------------------------------------------------------------------------
\* Safety property: whenever the loop has exited, x and y agree and hold the
\* GCD of the inputs.  (=> binds weaker than /\, so both conjuncts are under
\* the implication.)
PartialCorrectness ==
  (pc = "Done") => (x = y) /\ (x = GCD(M, N))

\* x and y stay positive: Lbl_1 only ever subtracts the smaller value from
\* the larger one (x < y guards y - x), so neither can reach 0.
TypeOK ==
  /\ x \in Nat \ {0}
  /\ y \in Nat \ {0}

\* Inductive invariant: GCD(x, y) is preserved by every subtraction step, and
\* the loop exits only when x = y.
Inv ==
  /\ TypeOK
  /\ GCD(x, y) = GCD(M, N)
  /\ (pc = "Done") => (x = y)
-----------------------------------------------------------------------------
\* Standard inductive-invariant argument: Init => Inv, Inv is preserved by
\* [Next]_vars, Inv => PartialCorrectness; PTL then lifts this to []PartialCorrectness.
THEOREM Spec => []PartialCorrectness
<1>1. Init => Inv
  BY MNPosInt DEF Init, Inv, TypeOK
<1>2. Inv /\ [Next]_vars => Inv'
  <2> SUFFICES ASSUME Inv,
                      [Next]_vars
               PROVE  Inv'
    OBVIOUS
  \* NOTE(review): this step cites no lemma about GCD; whether expanding Inv,
  \* TypeOK and Lbl_1 alone lets the backends establish the
  \* GCD(x', y') = GCD(M, N) conjunct is not shown here -- TODO confirm.
  <2>1. CASE Lbl_1
    BY <2>1 DEF Inv, TypeOK, Lbl_1
  \* vars is expanded in the stuttering cases so that UNCHANGED vars yields
  \* x' = x, y' = y, pc' = pc to the prover.
  <2>2. CASE pc = "Done" /\ UNCHANGED vars
    BY <2>2 DEF Inv, TypeOK, vars
  <2>3. CASE UNCHANGED vars
    BY <2>3 DEF Inv, TypeOK, vars
  <2>4. QED
    BY <2>1, <2>2, <2>3 DEF Next


\* NOTE(review): no proof is given for this step; TLAPS will report it as
\* unproved (missing), so the QED below rests on an unchecked claim.
<1>3. Inv => PartialCorrectness
<1>4.
QED
  \* PTL (the temporal backend) combines the three step facts into invariance.
  BY <1>1, <1>2, <1>3, PTL DEF Spec
=============================================================================
\* Modification History
\* Last modified Tue Jul 16 09:39:13 CST 2019 by hengxin
\* Created Mon Jul 15 16:59:12 CST 2019 by hengxin
--------------------------------------------------------------------------------
/Euclid/Euclid-Hyperbook/EuclidEx.tlaps/fingerprints.history/2019-07-16_09_39_27/GCD.tla:
--------------------------------------------------------------------------------
--------------------------- MODULE GCD ---------------------------
\* Set-theoretic definition of the greatest common divisor, plus the three
\* lemmas (GCD1..GCD3) that the Euclid proof in EuclidEx relies on.
EXTENDS Integers
------------------------------------------------------------------
\* p divides n when n is an integer multiple of p.  Divides(p, 0) holds for
\* every p (take q = 0), so DivisorsOf(0) is all of Int; this is why the
\* lemmas below exclude 0.
Divides(p, n) == \E q \in Int : n = p * q
DivisorsOf(n) == {p \in Int : Divides(p, n)}

\* Largest element of S via CHOOSE.  If S has no greatest element the value
\* is unspecified (CHOOSE with no witness), not an error.
SetMax(S) == CHOOSE i \in S : \A j \in S : i >= j

\* Divisors range over Int, so negatives are included; SetMax picks the
\* largest, which for positive m, n is the usual positive gcd.
GCD(m, n) == SetMax(DivisorsOf(m) \cap DivisorsOf(n))
-----------------------------------------------------------------------------
\* GCD(m, m) = m: m divides itself (<1>1) and no natural divisor exceeds m (<1>2).
THEOREM GCD1 == \A m \in Nat \ {0} : GCD(m, m) = m
<1> SUFFICES ASSUME NEW m \in Nat \ {0}
             PROVE  GCD(m, m) = m
  OBVIOUS
<1>1. Divides(m, m)
  BY DEF Divides
<1>2.
\A i \in Nat : Divides(i, m) => (i <= m)
  BY DEF Divides
<1> QED
  BY <1>1, <1>2 DEF GCD, SetMax , DivisorsOf , Divides
-----------------------------------------------------------------------------
\* Commutativity of GCD: the two divisor sets are intersected, so swapping
\* m and n does not change the set that SetMax is applied to.
THEOREM GCD2 == \A m, n \in Nat \ {0} : GCD(m, n) = GCD(n, m)
BY DEF GCD, SetMax , DivisorsOf , Divides
-----------------------------------------------------------------------------
\* One Euclid subtraction step: for n > m, n and n-m have exactly the same
\* common divisors with m (the unnamed <1> step below), so the GCD is
\* unchanged.  The hypothesis n > m keeps n-m inside Nat \ {0}.
THEOREM GCD3 == \A m, n \in Nat \ {0} : (n > m) => (GCD(m, n) = GCD(m, n-m))
<1> SUFFICES ASSUME NEW m \in Nat \ {0}, NEW n \in Nat \ {0},
                    n > m
             PROVE  GCD(m, n) = GCD(m, n-m)
  OBVIOUS
\* /\ binds tighter than <=>, so this step reads
\*   (Divides(i,m) /\ Divides(i,n)) <=> (Divides(i,m) /\ Divides(i,n-m)).
<1> \A i \in Int : Divides(i, m) /\ Divides(i, n) <=> Divides(i, m) /\ Divides(i, n - m)
  BY DEF Divides
<1> QED
  BY DEF GCD, SetMax , DivisorsOf , Divides
===================================================================
--------------------------------------------------------------------------------
/Euclid/Euclid-Hyperbook/EuclidEx.tlaps/fingerprints.history/2019-07-16_09_39_27/fingerprints:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Euclid/Euclid-Hyperbook/EuclidEx.tlaps/fingerprints.history/2019-07-16_09_39_27/fingerprints
--------------------------------------------------------------------------------
/Euclid/Euclid-Hyperbook/EuclidEx.tlaps/fingerprints.history/2019-07-16_09_41_19/EuclidEx.tla:
--------------------------------------------------------------------------------
------------------------------ MODULE EuclidEx ------------------------------
\* Euclid's subtraction algorithm written in PlusCal, with a TLAPS proof that
\* on termination x equals GCD(M, N).  Termination itself is defined by the
\* translation below but is not proved in this module.
EXTENDS GCD, TLAPS
-----------------------------------------------------------------------------
CONSTANTS M, N
\* Both inputs are positive naturals: the GCD lemmas in module GCD are only
\* stated on Nat \ {0}, and the TypeOK invariant keeps x and y in that range.
ASSUME MNPosInt ==
    /\ M \in Nat \ {0}
    /\ N \in Nat \ {0}
(*******************************************************************
--algorithm Euclid {
  variables x = M, y = N ;
  { while (x # y) {
if (x < y) { y := y - x }
      else { x := x - y }
    };
  }
}
*******************************************************************)
\* BEGIN TRANSLATION
VARIABLES x, y, pc

vars == << x, y, pc >>

Init == (* Global variables *)
        /\ x = M
        /\ y = N
        /\ pc = "Lbl_1"

Lbl_1 == /\ pc = "Lbl_1"
         /\ IF x # y
               THEN /\ IF x < y
                          THEN /\ y' = y - x
                               /\ x' = x
                          ELSE /\ x' = x - y
                               /\ y' = y
                    /\ pc' = "Lbl_1"
               ELSE /\ pc' = "Done"
                    /\ UNCHANGED << x, y >>

Next == Lbl_1 \* Allow infinite stuttering to prevent deadlock on termination.
           \/ (pc = "Done" /\ UNCHANGED vars)

Spec == Init /\ [][Next]_vars

Termination == <>(pc = "Done")

\* END TRANSLATION
-----------------------------------------------------------------------------
\* Safety property: whenever the loop has exited, x and y agree and hold the
\* GCD of the inputs.  (=> binds weaker than /\, so both conjuncts are under
\* the implication.)
PartialCorrectness ==
  (pc = "Done") => (x = y) /\ (x = GCD(M, N))

\* x and y stay positive: Lbl_1 only ever subtracts the smaller value from
\* the larger one (x < y guards y - x), so neither can reach 0.
TypeOK ==
  /\ x \in Nat \ {0}
  /\ y \in Nat \ {0}

\* Inductive invariant: GCD(x, y) is preserved by every subtraction step, and
\* the loop exits only when x = y.
Inv ==
  /\ TypeOK
  /\ GCD(x, y) = GCD(M, N)
  /\ (pc = "Done") => (x = y)
-----------------------------------------------------------------------------
\* Standard inductive-invariant argument: Init => Inv, Inv is preserved by
\* [Next]_vars, Inv => PartialCorrectness; PTL then lifts this to []PartialCorrectness.
THEOREM Spec => []PartialCorrectness
<1>1. Init => Inv
  BY MNPosInt DEF Init, Inv, TypeOK
<1>2. Inv /\ [Next]_vars => Inv'
  <2> SUFFICES ASSUME Inv,
                      [Next]_vars
               PROVE  Inv'
    OBVIOUS
  \* NOTE(review): MNPosInt is cited, but still no lemma about GCD; whether
  \* the definitions alone let the backends establish the
  \* GCD(x', y') = GCD(M, N) conjunct is not shown here -- TODO confirm.
  <2>1. CASE Lbl_1
    BY <2>1, MNPosInt DEF Inv, TypeOK, Lbl_1
  \* vars is expanded in the stuttering cases so that UNCHANGED vars yields
  \* x' = x, y' = y, pc' = pc to the prover.
  <2>2. CASE pc = "Done" /\ UNCHANGED vars
    BY <2>2 DEF Inv, TypeOK, vars
  <2>3. CASE UNCHANGED vars
    BY <2>3 DEF Inv, TypeOK, vars
  <2>4. QED
    BY <2>1, <2>2, <2>3 DEF Next


\* NOTE(review): no proof is given for this step; TLAPS will report it as
\* unproved (missing), so the QED below rests on an unchecked claim.
<1>3. Inv => PartialCorrectness
<1>4.
QED
  \* PTL (the temporal backend) combines the three step facts into invariance.
  BY <1>1, <1>2, <1>3, PTL DEF Spec
=============================================================================
\* Modification History
\* Last modified Tue Jul 16 09:41:16 CST 2019 by hengxin
\* Created Mon Jul 15 16:59:12 CST 2019 by hengxin
--------------------------------------------------------------------------------
/Euclid/Euclid-Hyperbook/EuclidEx.tlaps/fingerprints.history/2019-07-16_09_41_19/GCD.tla:
--------------------------------------------------------------------------------
--------------------------- MODULE GCD ---------------------------
\* Set-theoretic definition of the greatest common divisor, plus the three
\* lemmas (GCD1..GCD3) that the Euclid proof in EuclidEx relies on.
EXTENDS Integers
------------------------------------------------------------------
\* p divides n when n is an integer multiple of p.  Divides(p, 0) holds for
\* every p (take q = 0), so DivisorsOf(0) is all of Int; this is why the
\* lemmas below exclude 0.
Divides(p, n) == \E q \in Int : n = p * q
DivisorsOf(n) == {p \in Int : Divides(p, n)}

\* Largest element of S via CHOOSE.  If S has no greatest element the value
\* is unspecified (CHOOSE with no witness), not an error.
SetMax(S) == CHOOSE i \in S : \A j \in S : i >= j

\* Divisors range over Int, so negatives are included; SetMax picks the
\* largest, which for positive m, n is the usual positive gcd.
GCD(m, n) == SetMax(DivisorsOf(m) \cap DivisorsOf(n))
-----------------------------------------------------------------------------
\* GCD(m, m) = m: m divides itself (<1>1) and no natural divisor exceeds m (<1>2).
THEOREM GCD1 == \A m \in Nat \ {0} : GCD(m, m) = m
<1> SUFFICES ASSUME NEW m \in Nat \ {0}
             PROVE  GCD(m, m) = m
  OBVIOUS
<1>1. Divides(m, m)
  BY DEF Divides
<1>2.
\A i \in Nat : Divides(i, m) => (i <= m)
  BY DEF Divides
<1> QED
  BY <1>1, <1>2 DEF GCD, SetMax , DivisorsOf , Divides
-----------------------------------------------------------------------------
\* Commutativity of GCD: the two divisor sets are intersected, so swapping
\* m and n does not change the set that SetMax is applied to.
THEOREM GCD2 == \A m, n \in Nat \ {0} : GCD(m, n) = GCD(n, m)
BY DEF GCD, SetMax , DivisorsOf , Divides
-----------------------------------------------------------------------------
\* One Euclid subtraction step: for n > m, n and n-m have exactly the same
\* common divisors with m (the unnamed <1> step below), so the GCD is
\* unchanged.  The hypothesis n > m keeps n-m inside Nat \ {0}.
THEOREM GCD3 == \A m, n \in Nat \ {0} : (n > m) => (GCD(m, n) = GCD(m, n-m))
<1> SUFFICES ASSUME NEW m \in Nat \ {0}, NEW n \in Nat \ {0},
                    n > m
             PROVE  GCD(m, n) = GCD(m, n-m)
  OBVIOUS
\* /\ binds tighter than <=>, so this step reads
\*   (Divides(i,m) /\ Divides(i,n)) <=> (Divides(i,m) /\ Divides(i,n-m)).
<1> \A i \in Int : Divides(i, m) /\ Divides(i, n) <=> Divides(i, m) /\ Divides(i, n - m)
  BY DEF Divides
<1> QED
  BY DEF GCD, SetMax , DivisorsOf , Divides
===================================================================
--------------------------------------------------------------------------------
/Euclid/Euclid-Hyperbook/EuclidEx.tlaps/fingerprints.history/2019-07-16_09_41_19/fingerprints:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Euclid/Euclid-Hyperbook/EuclidEx.tlaps/fingerprints.history/2019-07-16_09_41_19/fingerprints
--------------------------------------------------------------------------------
/Euclid/Euclid-Hyperbook/EuclidEx.tlaps/fingerprints.history/2019-07-16_09_42_24/EuclidEx.tla:
--------------------------------------------------------------------------------
------------------------------ MODULE EuclidEx ------------------------------
\* Euclid's subtraction algorithm written in PlusCal, with a TLAPS proof that
\* on termination x equals GCD(M, N).  Termination itself is defined by the
\* translation below but is not proved in this module.
EXTENDS GCD, TLAPS
-----------------------------------------------------------------------------
CONSTANTS M, N
\* Both inputs are positive naturals: the GCD lemmas in module GCD are only
\* stated on Nat \ {0}, and the TypeOK invariant keeps x and y in that range.
ASSUME MNPosInt ==
    /\ M \in Nat \ {0}
    /\ N \in Nat \ {0}
(*******************************************************************
--algorithm Euclid {
  variables x = M, y = N ;
  { while (x # y) {
if (x < y) { y := y - x }
      else { x := x - y }
    };
  }
}
*******************************************************************)
\* BEGIN TRANSLATION
VARIABLES x, y, pc

vars == << x, y, pc >>

Init == (* Global variables *)
        /\ x = M
        /\ y = N
        /\ pc = "Lbl_1"

Lbl_1 == /\ pc = "Lbl_1"
         /\ IF x # y
               THEN /\ IF x < y
                          THEN /\ y' = y - x
                               /\ x' = x
                          ELSE /\ x' = x - y
                               /\ y' = y
                    /\ pc' = "Lbl_1"
               ELSE /\ pc' = "Done"
                    /\ UNCHANGED << x, y >>

Next == Lbl_1 \* Allow infinite stuttering to prevent deadlock on termination.
           \/ (pc = "Done" /\ UNCHANGED vars)

Spec == Init /\ [][Next]_vars

Termination == <>(pc = "Done")

\* END TRANSLATION
-----------------------------------------------------------------------------
\* Safety property: whenever the loop has exited, x and y agree and hold the
\* GCD of the inputs.  (=> binds weaker than /\, so both conjuncts are under
\* the implication.)
PartialCorrectness ==
  (pc = "Done") => (x = y) /\ (x = GCD(M, N))

\* x and y stay positive: Lbl_1 only ever subtracts the smaller value from
\* the larger one (x < y guards y - x), so neither can reach 0.
TypeOK ==
  /\ x \in Nat \ {0}
  /\ y \in Nat \ {0}

\* Inductive invariant: GCD(x, y) is preserved by every subtraction step, and
\* the loop exits only when x = y.
Inv ==
  /\ TypeOK
  /\ GCD(x, y) = GCD(M, N)
  /\ (pc = "Done") => (x = y)
-----------------------------------------------------------------------------
\* Standard inductive-invariant argument: Init => Inv, Inv is preserved by
\* [Next]_vars, Inv => PartialCorrectness; PTL then lifts this to []PartialCorrectness.
THEOREM Spec => []PartialCorrectness
<1>1. Init => Inv
  BY MNPosInt DEF Init, Inv, TypeOK
<1>2. Inv /\ [Next]_vars => Inv'
  <2> SUFFICES ASSUME Inv,
                      [Next]_vars
               PROVE  Inv'
    OBVIOUS
  \* NOTE(review): the CHOOSE-based GCD definitions are unfolded into this
  \* obligation instead of citing the GCD2/GCD3 lemmas, so the backends see the
  \* raw SetMax / divisor-set structure -- TODO confirm TLAPS discharges it.
  <2>1. CASE Lbl_1
    BY <2>1, MNPosInt DEF Inv, TypeOK, Lbl_1, GCD, SetMax, DivisorsOf, Divides
  \* vars is expanded in the stuttering cases so that UNCHANGED vars yields
  \* x' = x, y' = y, pc' = pc to the prover.
  <2>2. CASE pc = "Done" /\ UNCHANGED vars
    BY <2>2 DEF Inv, TypeOK, vars
  <2>3. CASE UNCHANGED vars
    BY <2>3 DEF Inv, TypeOK, vars
  <2>4. QED
    BY <2>1, <2>2, <2>3 DEF Next


\* NOTE(review): no proof is given for this step; TLAPS will report it as
\* unproved (missing), so the QED below rests on an unchecked claim.
<1>3. Inv => PartialCorrectness
<1>4.
QED
  \* PTL (the temporal backend) combines the three step facts into invariance.
  BY <1>1, <1>2, <1>3, PTL DEF Spec
=============================================================================
\* Modification History
\* Last modified Tue Jul 16 09:42:20 CST 2019 by hengxin
\* Created Mon Jul 15 16:59:12 CST 2019 by hengxin
--------------------------------------------------------------------------------
/Euclid/Euclid-Hyperbook/EuclidEx.tlaps/fingerprints.history/2019-07-16_09_42_24/GCD.tla:
--------------------------------------------------------------------------------
--------------------------- MODULE GCD ---------------------------
\* Set-theoretic definition of the greatest common divisor, plus the three
\* lemmas (GCD1..GCD3) that the Euclid proof in EuclidEx relies on.
EXTENDS Integers
------------------------------------------------------------------
\* p divides n when n is an integer multiple of p.  Divides(p, 0) holds for
\* every p (take q = 0), so DivisorsOf(0) is all of Int; this is why the
\* lemmas below exclude 0.
Divides(p, n) == \E q \in Int : n = p * q
DivisorsOf(n) == {p \in Int : Divides(p, n)}

\* Largest element of S via CHOOSE.  If S has no greatest element the value
\* is unspecified (CHOOSE with no witness), not an error.
SetMax(S) == CHOOSE i \in S : \A j \in S : i >= j

\* Divisors range over Int, so negatives are included; SetMax picks the
\* largest, which for positive m, n is the usual positive gcd.
GCD(m, n) == SetMax(DivisorsOf(m) \cap DivisorsOf(n))
-----------------------------------------------------------------------------
\* GCD(m, m) = m: m divides itself (<1>1) and no natural divisor exceeds m (<1>2).
THEOREM GCD1 == \A m \in Nat \ {0} : GCD(m, m) = m
<1> SUFFICES ASSUME NEW m \in Nat \ {0}
             PROVE  GCD(m, m) = m
  OBVIOUS
<1>1. Divides(m, m)
  BY DEF Divides
<1>2.
\A i \in Nat : Divides(i, m) => (i <= m)
  BY DEF Divides
<1> QED
  BY <1>1, <1>2 DEF GCD, SetMax , DivisorsOf , Divides
-----------------------------------------------------------------------------
\* Commutativity of GCD: the two divisor sets are intersected, so swapping
\* m and n does not change the set that SetMax is applied to.
THEOREM GCD2 == \A m, n \in Nat \ {0} : GCD(m, n) = GCD(n, m)
BY DEF GCD, SetMax , DivisorsOf , Divides
-----------------------------------------------------------------------------
\* One Euclid subtraction step: for n > m, n and n-m have exactly the same
\* common divisors with m (the unnamed <1> step below), so the GCD is
\* unchanged.  The hypothesis n > m keeps n-m inside Nat \ {0}.
THEOREM GCD3 == \A m, n \in Nat \ {0} : (n > m) => (GCD(m, n) = GCD(m, n-m))
<1> SUFFICES ASSUME NEW m \in Nat \ {0}, NEW n \in Nat \ {0},
                    n > m
             PROVE  GCD(m, n) = GCD(m, n-m)
  OBVIOUS
\* /\ binds tighter than <=>, so this step reads
\*   (Divides(i,m) /\ Divides(i,n)) <=> (Divides(i,m) /\ Divides(i,n-m)).
<1> \A i \in Int : Divides(i, m) /\ Divides(i, n) <=> Divides(i, m) /\ Divides(i, n - m)
  BY DEF Divides
<1> QED
  BY DEF GCD, SetMax , DivisorsOf , Divides
===================================================================
--------------------------------------------------------------------------------
/Euclid/Euclid-Hyperbook/EuclidEx.tlaps/fingerprints.history/2019-07-16_09_42_24/fingerprints:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Euclid/Euclid-Hyperbook/EuclidEx.tlaps/fingerprints.history/2019-07-16_09_42_24/fingerprints
--------------------------------------------------------------------------------
/Euclid/Euclid-Hyperbook/EuclidEx.tlaps/fingerprints.history/2019-07-16_09_45_06/EuclidEx.tla:
--------------------------------------------------------------------------------
------------------------------ MODULE EuclidEx ------------------------------
\* Euclid's subtraction algorithm written in PlusCal, with a TLAPS proof that
\* on termination x equals GCD(M, N).  Termination itself is defined by the
\* translation below but is not proved in this module.
EXTENDS GCD, TLAPS
-----------------------------------------------------------------------------
CONSTANTS M, N
\* Both inputs are positive naturals: the GCD lemmas in module GCD are only
\* stated on Nat \ {0}, and the TypeOK invariant keeps x and y in that range.
ASSUME MNPosInt ==
    /\ M \in Nat \ {0}
    /\ N \in Nat \ {0}
(*******************************************************************
--algorithm Euclid {
  variables x = M, y = N ;
  { while (x # y) {
if (x < y) { y := y - x }
      else { x := x - y }
    };
  }
}
*******************************************************************)
\* BEGIN TRANSLATION
VARIABLES x, y, pc

vars == << x, y, pc >>

Init == (* Global variables *)
        /\ x = M
        /\ y = N
        /\ pc = "Lbl_1"

Lbl_1 == /\ pc = "Lbl_1"
         /\ IF x # y
               THEN /\ IF x < y
                          THEN /\ y' = y - x
                               /\ x' = x
                          ELSE /\ x' = x - y
                               /\ y' = y
                    /\ pc' = "Lbl_1"
               ELSE /\ pc' = "Done"
                    /\ UNCHANGED << x, y >>

Next == Lbl_1 \* Allow infinite stuttering to prevent deadlock on termination.
           \/ (pc = "Done" /\ UNCHANGED vars)

Spec == Init /\ [][Next]_vars

Termination == <>(pc = "Done")

\* END TRANSLATION
-----------------------------------------------------------------------------
\* Safety property: whenever the loop has exited, x and y agree and hold the
\* GCD of the inputs.  (=> binds weaker than /\, so both conjuncts are under
\* the implication.)
PartialCorrectness ==
  (pc = "Done") => (x = y) /\ (x = GCD(M, N))

\* x and y stay positive: Lbl_1 only ever subtracts the smaller value from
\* the larger one (x < y guards y - x), so neither can reach 0.
TypeOK ==
  /\ x \in Nat \ {0}
  /\ y \in Nat \ {0}

\* Inductive invariant: GCD(x, y) is preserved by every subtraction step, and
\* the loop exits only when x = y.
Inv ==
  /\ TypeOK
  /\ GCD(x, y) = GCD(M, N)
  /\ (pc = "Done") => (x = y)
-----------------------------------------------------------------------------
\* Standard inductive-invariant argument: Init => Inv, Inv is preserved by
\* [Next]_vars, Inv => PartialCorrectness; PTL then lifts this to []PartialCorrectness.
THEOREM Spec => []PartialCorrectness
<1>1. Init => Inv
  BY MNPosInt DEF Init, Inv, TypeOK
\* Inductive step in one shot.  The GCD(x', y') = GCD(M, N) conjunct is
\* intended to come from the lemmas: x < y gives GCD(x, y-x) = GCD(x, y) by
\* GCD3; x > y swaps with GCD2 and applies GCD3 to the other argument.
\* MNPosInt and TypeOK supply the Nat \ {0} hypotheses those lemmas need.
<1>2. Inv /\ [Next]_vars => Inv'
  BY MNPosInt, GCD2, GCD3 DEF Inv, TypeOK, Next, Lbl_1, vars
\* NOTE(review): no proof is given for this step; TLAPS will report it as
\* unproved (missing), so the QED below rests on an unchecked claim.
<1>3. Inv => PartialCorrectness
<1>4.
QED
  \* PTL (the temporal backend) combines the three step facts into invariance.
  BY <1>1, <1>2, <1>3, PTL DEF Spec
=============================================================================
\* Modification History
\* Last modified Tue Jul 16 09:45:01 CST 2019 by hengxin
\* Created Mon Jul 15 16:59:12 CST 2019 by hengxin
--------------------------------------------------------------------------------
/Euclid/Euclid-Hyperbook/EuclidEx.tlaps/fingerprints.history/2019-07-16_09_45_06/GCD.tla:
--------------------------------------------------------------------------------
--------------------------- MODULE GCD ---------------------------
\* Set-theoretic definition of the greatest common divisor, plus the three
\* lemmas (GCD1..GCD3) that the Euclid proof in EuclidEx relies on.
EXTENDS Integers
------------------------------------------------------------------
\* p divides n when n is an integer multiple of p.  Divides(p, 0) holds for
\* every p (take q = 0), so DivisorsOf(0) is all of Int; this is why the
\* lemmas below exclude 0.
Divides(p, n) == \E q \in Int : n = p * q
DivisorsOf(n) == {p \in Int : Divides(p, n)}

\* Largest element of S via CHOOSE.  If S has no greatest element the value
\* is unspecified (CHOOSE with no witness), not an error.
SetMax(S) == CHOOSE i \in S : \A j \in S : i >= j

\* Divisors range over Int, so negatives are included; SetMax picks the
\* largest, which for positive m, n is the usual positive gcd.
GCD(m, n) == SetMax(DivisorsOf(m) \cap DivisorsOf(n))
-----------------------------------------------------------------------------
\* GCD(m, m) = m: m divides itself (<1>1) and no natural divisor exceeds m (<1>2).
THEOREM GCD1 == \A m \in Nat \ {0} : GCD(m, m) = m
<1> SUFFICES ASSUME NEW m \in Nat \ {0}
             PROVE  GCD(m, m) = m
  OBVIOUS
<1>1. Divides(m, m)
  BY DEF Divides
<1>2.
\A i \in Nat : Divides(i, m) => (i <= m)
  BY DEF Divides
<1> QED
  BY <1>1, <1>2 DEF GCD, SetMax , DivisorsOf , Divides
-----------------------------------------------------------------------------
\* Commutativity of GCD: the two divisor sets are intersected, so swapping
\* m and n does not change the set that SetMax is applied to.
THEOREM GCD2 == \A m, n \in Nat \ {0} : GCD(m, n) = GCD(n, m)
BY DEF GCD, SetMax , DivisorsOf , Divides
-----------------------------------------------------------------------------
\* One Euclid subtraction step: for n > m, n and n-m have exactly the same
\* common divisors with m (the unnamed <1> step below), so the GCD is
\* unchanged.  The hypothesis n > m keeps n-m inside Nat \ {0}.
THEOREM GCD3 == \A m, n \in Nat \ {0} : (n > m) => (GCD(m, n) = GCD(m, n-m))
<1> SUFFICES ASSUME NEW m \in Nat \ {0}, NEW n \in Nat \ {0},
                    n > m
             PROVE  GCD(m, n) = GCD(m, n-m)
  OBVIOUS
\* /\ binds tighter than <=>, so this step reads
\*   (Divides(i,m) /\ Divides(i,n)) <=> (Divides(i,m) /\ Divides(i,n-m)).
<1> \A i \in Int : Divides(i, m) /\ Divides(i, n) <=> Divides(i, m) /\ Divides(i, n - m)
  BY DEF Divides
<1> QED
  BY DEF GCD, SetMax , DivisorsOf , Divides
===================================================================
--------------------------------------------------------------------------------
/Euclid/Euclid-Hyperbook/EuclidEx.tlaps/fingerprints.history/2019-07-16_09_45_06/fingerprints:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Euclid/Euclid-Hyperbook/EuclidEx.tlaps/fingerprints.history/2019-07-16_09_45_06/fingerprints
--------------------------------------------------------------------------------
/Euclid/Euclid-Hyperbook/EuclidEx.tlaps/fingerprints.history/2019-07-16_09_45_47/EuclidEx.tla:
--------------------------------------------------------------------------------
------------------------------ MODULE EuclidEx ------------------------------
\* Euclid's subtraction algorithm written in PlusCal, with a TLAPS proof that
\* on termination x equals GCD(M, N).  Termination itself is defined by the
\* translation below but is not proved in this module.
EXTENDS GCD, TLAPS
-----------------------------------------------------------------------------
CONSTANTS M, N
\* Both inputs are positive naturals: the GCD lemmas in module GCD are only
\* stated on Nat \ {0}, and the TypeOK invariant keeps x and y in that range.
ASSUME MNPosInt ==
    /\ M \in Nat \ {0}
    /\ N \in Nat \ {0}
(*******************************************************************
--algorithm Euclid {
  variables x = M, y = N ;
  { while (x # y) {
if (x < y) { y := y - x }
      else { x := x - y }
    };
  }
}
*******************************************************************)
\* BEGIN TRANSLATION
VARIABLES x, y, pc

vars == << x, y, pc >>

Init == (* Global variables *)
        /\ x = M
        /\ y = N
        /\ pc = "Lbl_1"

Lbl_1 == /\ pc = "Lbl_1"
         /\ IF x # y
               THEN /\ IF x < y
                          THEN /\ y' = y - x
                               /\ x' = x
                          ELSE /\ x' = x - y
                               /\ y' = y
                    /\ pc' = "Lbl_1"
               ELSE /\ pc' = "Done"
                    /\ UNCHANGED << x, y >>

Next == Lbl_1 \* Allow infinite stuttering to prevent deadlock on termination.
           \/ (pc = "Done" /\ UNCHANGED vars)

Spec == Init /\ [][Next]_vars

Termination == <>(pc = "Done")

\* END TRANSLATION
-----------------------------------------------------------------------------
\* Safety property: whenever the loop has exited, x and y agree and hold the
\* GCD of the inputs.  (=> binds weaker than /\, so both conjuncts are under
\* the implication.)
PartialCorrectness ==
  (pc = "Done") => (x = y) /\ (x = GCD(M, N))

\* x and y stay positive: Lbl_1 only ever subtracts the smaller value from
\* the larger one (x < y guards y - x), so neither can reach 0.
TypeOK ==
  /\ x \in Nat \ {0}
  /\ y \in Nat \ {0}

\* Inductive invariant: GCD(x, y) is preserved by every subtraction step, and
\* the loop exits only when x = y.
Inv ==
  /\ TypeOK
  /\ GCD(x, y) = GCD(M, N)
  /\ (pc = "Done") => (x = y)
-----------------------------------------------------------------------------
\* Standard inductive-invariant argument: Init => Inv, Inv is preserved by
\* [Next]_vars, Inv => PartialCorrectness; PTL then lifts this to []PartialCorrectness.
THEOREM Spec => []PartialCorrectness
<1>1. Init => Inv
  BY MNPosInt DEF Init, Inv, TypeOK
\* Inductive step in one shot.  The GCD(x', y') = GCD(M, N) conjunct is
\* intended to come from the lemmas: x < y gives GCD(x, y-x) = GCD(x, y) by
\* GCD3; x > y swaps with GCD2 and applies GCD3 to the other argument.
\* MNPosInt and TypeOK supply the Nat \ {0} hypotheses those lemmas need.
<1>2. Inv /\ [Next]_vars => Inv'
  BY MNPosInt, GCD2, GCD3 DEF Inv, TypeOK, Next, Lbl_1, vars
\* NOTE(review): GCD1 needs x \in Nat \ {0}; that fact is the TypeOK conjunct
\* of Inv, but TypeOK is not expanded here (and MNPosInt is not cited), so
\* the hypothesis GCD1 requires is not visible to the backend -- TODO confirm.
<1>3. Inv => PartialCorrectness
  BY GCD1 DEF Inv, PartialCorrectness
<1>4.
QED
  \* PTL (the temporal backend) combines the three step facts into invariance.
  BY <1>1, <1>2, <1>3, PTL DEF Spec
=============================================================================
\* Modification History
\* Last modified Tue Jul 16 09:45:42 CST 2019 by hengxin
\* Created Mon Jul 15 16:59:12 CST 2019 by hengxin
--------------------------------------------------------------------------------
/Euclid/Euclid-Hyperbook/EuclidEx.tlaps/fingerprints.history/2019-07-16_09_45_47/GCD.tla:
--------------------------------------------------------------------------------
--------------------------- MODULE GCD ---------------------------
\* Set-theoretic definition of the greatest common divisor, plus the three
\* lemmas (GCD1..GCD3) that the Euclid proof in EuclidEx relies on.
EXTENDS Integers
------------------------------------------------------------------
\* p divides n when n is an integer multiple of p.  Divides(p, 0) holds for
\* every p (take q = 0), so DivisorsOf(0) is all of Int; this is why the
\* lemmas below exclude 0.
Divides(p, n) == \E q \in Int : n = p * q
DivisorsOf(n) == {p \in Int : Divides(p, n)}

\* Largest element of S via CHOOSE.  If S has no greatest element the value
\* is unspecified (CHOOSE with no witness), not an error.
SetMax(S) == CHOOSE i \in S : \A j \in S : i >= j

\* Divisors range over Int, so negatives are included; SetMax picks the
\* largest, which for positive m, n is the usual positive gcd.
GCD(m, n) == SetMax(DivisorsOf(m) \cap DivisorsOf(n))
-----------------------------------------------------------------------------
\* GCD(m, m) = m: m divides itself (<1>1) and no natural divisor exceeds m (<1>2).
THEOREM GCD1 == \A m \in Nat \ {0} : GCD(m, m) = m
<1> SUFFICES ASSUME NEW m \in Nat \ {0}
             PROVE  GCD(m, m) = m
  OBVIOUS
<1>1. Divides(m, m)
  BY DEF Divides
<1>2.
\A i \in Nat : Divides(i, m) => (i <= m)
  BY DEF Divides
<1> QED
  BY <1>1, <1>2 DEF GCD, SetMax , DivisorsOf , Divides
-----------------------------------------------------------------------------
\* Commutativity of GCD: the two divisor sets are intersected, so swapping
\* m and n does not change the set that SetMax is applied to.
THEOREM GCD2 == \A m, n \in Nat \ {0} : GCD(m, n) = GCD(n, m)
BY DEF GCD, SetMax , DivisorsOf , Divides
-----------------------------------------------------------------------------
\* One Euclid subtraction step: for n > m, n and n-m have exactly the same
\* common divisors with m (the unnamed <1> step below), so the GCD is
\* unchanged.  The hypothesis n > m keeps n-m inside Nat \ {0}.
THEOREM GCD3 == \A m, n \in Nat \ {0} : (n > m) => (GCD(m, n) = GCD(m, n-m))
<1> SUFFICES ASSUME NEW m \in Nat \ {0}, NEW n \in Nat \ {0},
                    n > m
             PROVE  GCD(m, n) = GCD(m, n-m)
  OBVIOUS
\* /\ binds tighter than <=>, so this step reads
\*   (Divides(i,m) /\ Divides(i,n)) <=> (Divides(i,m) /\ Divides(i,n-m)).
<1> \A i \in Int : Divides(i, m) /\ Divides(i, n) <=> Divides(i, m) /\ Divides(i, n - m)
  BY DEF Divides
<1> QED
  BY DEF GCD, SetMax , DivisorsOf , Divides
===================================================================
--------------------------------------------------------------------------------
/Euclid/Euclid-Hyperbook/EuclidEx.tlaps/fingerprints.history/2019-07-16_09_45_47/fingerprints:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Euclid/Euclid-Hyperbook/EuclidEx.tlaps/fingerprints.history/2019-07-16_09_45_47/fingerprints
--------------------------------------------------------------------------------
/Euclid/Euclid-Hyperbook/EuclidEx.tlaps/fingerprints.history/2019-07-16_09_47_48/EuclidEx.tla:
--------------------------------------------------------------------------------
------------------------------ MODULE EuclidEx ------------------------------
\* Euclid's subtraction algorithm written in PlusCal, with a TLAPS proof that
\* on termination x equals GCD(M, N).  Termination itself is defined by the
\* translation below but is not proved in this module.
EXTENDS GCD, TLAPS
-----------------------------------------------------------------------------
CONSTANTS M, N
\* Both inputs are positive naturals: the GCD lemmas in module GCD are only
\* stated on Nat \ {0}, and the TypeOK invariant keeps x and y in that range.
ASSUME MNPosInt ==
    /\ M \in Nat \ {0}
    /\ N \in Nat \ {0}
(*******************************************************************
--algorithm Euclid {
  variables x = M, y = N ;
  { while (x # y) {
if (x < y) { y := y - x } 12 | else { x := x - y } 13 | }; 14 | } 15 | } 16 | *******************************************************************) 17 | \* BEGIN TRANSLATION 18 | VARIABLES x, y, pc 19 | 20 | vars == << x, y, pc >> 21 | 22 | Init == (* Global variables *) 23 | /\ x = M 24 | /\ y = N 25 | /\ pc = "Lbl_1" 26 | 27 | Lbl_1 == /\ pc = "Lbl_1" 28 | /\ IF x # y 29 | THEN /\ IF x < y 30 | THEN /\ y' = y - x 31 | /\ x' = x 32 | ELSE /\ x' = x - y 33 | /\ y' = y 34 | /\ pc' = "Lbl_1" 35 | ELSE /\ pc' = "Done" 36 | /\ UNCHANGED << x, y >> 37 | 38 | Next == Lbl_1 \* Allow infinite stuttering to prevent deadlock on termination. 39 | \/ (pc = "Done" /\ UNCHANGED vars) 40 | 41 | Spec == Init /\ [][Next]_vars 42 | 43 | Termination == <>(pc = "Done") 44 | 45 | \* END TRANSLATION 46 | ----------------------------------------------------------------------------- 47 | PartialCorrectness == 48 | (pc = "Done") => (x = y) /\ (x = GCD(M, N)) 49 | 50 | TypeOK == 51 | /\ x \in Nat \ {0} 52 | /\ y \in Nat \ {0} 53 | 54 | Inv == 55 | /\ TypeOK 56 | /\ GCD(x, y) = GCD(M, N) 57 | /\ (pc = "Done") => (x = y) 58 | ----------------------------------------------------------------------------- 59 | THEOREM Spec => []PartialCorrectness 60 | <1>1. Init => Inv 61 | BY MNPosInt DEF Init, Inv, TypeOK 62 | <1>2. Inv /\ [Next]_vars => Inv' 63 | BY MNPosInt, GCD2, GCD3 DEF Inv, TypeOK, Next, Lbl_1, vars 64 | <1>3. Inv => PartialCorrectness 65 | BY MNPosInt, GCD1 DEF Inv, TypeOK, PartialCorrectness 66 | <1>4. 
QED 67 | BY <1>1, <1>2, <1>3, PTL DEF Spec 68 | ============================================================================= 69 | \* Modification History 70 | \* Last modified Tue Jul 16 09:46:10 CST 2019 by hengxin 71 | \* Created Mon Jul 15 16:59:12 CST 2019 by hengxin -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/EuclidEx.tlaps/fingerprints.history/2019-07-16_09_47_48/GCD.tla: -------------------------------------------------------------------------------- 1 | --------------------------- MODULE GCD --------------------------- 2 | EXTENDS Integers 3 | ------------------------------------------------------------------ 4 | Divides(p, n) == \E q \in Int : n = p * q 5 | DivisorsOf(n) == {p \in Int : Divides(p, n)} 6 | 7 | SetMax(S) == CHOOSE i \in S : \A j \in S : i >= j 8 | 9 | GCD(m, n) == SetMax(DivisorsOf(m) \cap DivisorsOf(n)) 10 | ----------------------------------------------------------------------------- 11 | THEOREM GCD1 == \A m \in Nat \ {0} : GCD(m, m) = m 12 | <1> SUFFICES ASSUME NEW m \in Nat \ {0} 13 | PROVE GCD(m, m) = m 14 | OBVIOUS 15 | <1>1. Divides(m, m) 16 | BY DEF Divides 17 | <1>2. 
\A i \in Nat : Divides(i, m) => (i <= m) 18 | BY DEF Divides 19 | <1> QED 20 | BY <1>1, <1>2 DEF GCD, SetMax , DivisorsOf , Divides 21 | ----------------------------------------------------------------------------- 22 | THEOREM GCD2 == \A m, n \in Nat \ {0} : GCD(m, n) = GCD(n, m) 23 | BY DEF GCD, SetMax , DivisorsOf , Divides 24 | ----------------------------------------------------------------------------- 25 | THEOREM GCD3 == \A m, n \in Nat \ {0} : (n > m) => (GCD(m, n) = GCD(m, n-m)) 26 | <1> SUFFICES ASSUME NEW m \in Nat \ {0}, NEW n \in Nat \ {0}, 27 | n > m 28 | PROVE GCD(m, n) = GCD(m, n-m) 29 | OBVIOUS 30 | <1> \A i \in Int : Divides(i, m) /\ Divides(i, n) <=> Divides(i, m) /\ Divides(i, n - m) 31 | BY DEF Divides 32 | <1> QED 33 | BY DEF GCD, SetMax , DivisorsOf , Divides 34 | =================================================================== -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/EuclidEx.tlaps/fingerprints.history/2019-07-16_09_47_48/fingerprints: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Euclid/Euclid-Hyperbook/EuclidEx.tlaps/fingerprints.history/2019-07-16_09_47_48/fingerprints -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/EuclidEx.tlaps/fingerprints.history/2019-07-16_09_47_52/EuclidEx.tla: -------------------------------------------------------------------------------- 1 | ------------------------------ MODULE EuclidEx ------------------------------ 2 | EXTENDS GCD, TLAPS 3 | ----------------------------------------------------------------------------- 4 | CONSTANTS M, N 5 | ASSUME MNPosInt == 6 | /\ M \in Nat \ {0} 7 | /\ N \in Nat \ {0} 8 | (******************************************************************* 9 | --algorithm Euclid { 10 | variables x = M, y = N ; 11 | { while (x # y) { 
if (x < y) { y := y - x } 12 | else { x := x - y } 13 | }; 14 | } 15 | } 16 | *******************************************************************) 17 | \* BEGIN TRANSLATION 18 | VARIABLES x, y, pc 19 | 20 | vars == << x, y, pc >> 21 | 22 | Init == (* Global variables *) 23 | /\ x = M 24 | /\ y = N 25 | /\ pc = "Lbl_1" 26 | 27 | Lbl_1 == /\ pc = "Lbl_1" 28 | /\ IF x # y 29 | THEN /\ IF x < y 30 | THEN /\ y' = y - x 31 | /\ x' = x 32 | ELSE /\ x' = x - y 33 | /\ y' = y 34 | /\ pc' = "Lbl_1" 35 | ELSE /\ pc' = "Done" 36 | /\ UNCHANGED << x, y >> 37 | 38 | Next == Lbl_1 \* Allow infinite stuttering to prevent deadlock on termination. 39 | \/ (pc = "Done" /\ UNCHANGED vars) 40 | 41 | Spec == Init /\ [][Next]_vars 42 | 43 | Termination == <>(pc = "Done") 44 | 45 | \* END TRANSLATION 46 | ----------------------------------------------------------------------------- 47 | PartialCorrectness == 48 | (pc = "Done") => (x = y) /\ (x = GCD(M, N)) 49 | 50 | TypeOK == 51 | /\ x \in Nat \ {0} 52 | /\ y \in Nat \ {0} 53 | 54 | Inv == 55 | /\ TypeOK 56 | /\ GCD(x, y) = GCD(M, N) 57 | /\ (pc = "Done") => (x = y) 58 | ----------------------------------------------------------------------------- 59 | THEOREM Spec => []PartialCorrectness 60 | <1>1. Init => Inv 61 | BY MNPosInt DEF Init, Inv, TypeOK 62 | <1>2. Inv /\ [Next]_vars => Inv' 63 | BY MNPosInt, GCD2, GCD3 DEF Inv, TypeOK, Next, Lbl_1, vars 64 | <1>3. Inv => PartialCorrectness 65 | BY MNPosInt, GCD1 DEF Inv, TypeOK, PartialCorrectness 66 | <1>4. 
QED 67 | BY <1>1, <1>2, <1>3, PTL DEF Spec 68 | ============================================================================= 69 | \* Modification History 70 | \* Last modified Tue Jul 16 09:46:10 CST 2019 by hengxin 71 | \* Created Mon Jul 15 16:59:12 CST 2019 by hengxin -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/EuclidEx.tlaps/fingerprints.history/2019-07-16_09_47_52/GCD.tla: -------------------------------------------------------------------------------- 1 | --------------------------- MODULE GCD --------------------------- 2 | EXTENDS Integers 3 | ------------------------------------------------------------------ 4 | Divides(p, n) == \E q \in Int : n = p * q 5 | DivisorsOf(n) == {p \in Int : Divides(p, n)} 6 | 7 | SetMax(S) == CHOOSE i \in S : \A j \in S : i >= j 8 | 9 | GCD(m, n) == SetMax(DivisorsOf(m) \cap DivisorsOf(n)) 10 | ----------------------------------------------------------------------------- 11 | THEOREM GCD1 == \A m \in Nat \ {0} : GCD(m, m) = m 12 | <1> SUFFICES ASSUME NEW m \in Nat \ {0} 13 | PROVE GCD(m, m) = m 14 | OBVIOUS 15 | <1>1. Divides(m, m) 16 | BY DEF Divides 17 | <1>2. 
\A i \in Nat : Divides(i, m) => (i <= m) 18 | BY DEF Divides 19 | <1> QED 20 | BY <1>1, <1>2 DEF GCD, SetMax , DivisorsOf , Divides 21 | ----------------------------------------------------------------------------- 22 | THEOREM GCD2 == \A m, n \in Nat \ {0} : GCD(m, n) = GCD(n, m) 23 | BY DEF GCD, SetMax , DivisorsOf , Divides 24 | ----------------------------------------------------------------------------- 25 | THEOREM GCD3 == \A m, n \in Nat \ {0} : (n > m) => (GCD(m, n) = GCD(m, n-m)) 26 | <1> SUFFICES ASSUME NEW m \in Nat \ {0}, NEW n \in Nat \ {0}, 27 | n > m 28 | PROVE GCD(m, n) = GCD(m, n-m) 29 | OBVIOUS 30 | <1> \A i \in Int : Divides(i, m) /\ Divides(i, n) <=> Divides(i, m) /\ Divides(i, n - m) 31 | BY DEF Divides 32 | <1> QED 33 | BY DEF GCD, SetMax , DivisorsOf , Divides 34 | =================================================================== -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/EuclidEx.tlaps/fingerprints.history/2019-07-16_09_47_52/fingerprints: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Euclid/Euclid-Hyperbook/EuclidEx.tlaps/fingerprints.history/2019-07-16_09_47_52/fingerprints -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/EuclidEx.toolbox/.project: -------------------------------------------------------------------------------- 1 | 2 | 3 | EuclidEx 4 | 5 | 6 | 7 | 8 | 9 | toolbox.builder.TLAParserBuilder 10 | 11 | 12 | 13 | 14 | 15 | toolbox.natures.TLANature 16 | 17 | 18 | 19 | EuclidEx.tla 20 | 1 21 | PARENT-1-PROJECT_LOC/EuclidEx.tla 22 | 23 | 24 | FiniteSets.tla 25 | 1 26 | /usr/local/lib/tlaps/FiniteSets.tla 27 | 28 | 29 | GCD.tla 30 | 1 31 | /home/hengxin/git-projects/tlaps-examples/Euclid/Euclid-Hyperbook/GCD.tla 32 | 33 | 34 | NaturalsInduction.tla 35 | 1 36 | 
/usr/local/lib/tlaps/NaturalsInduction.tla 37 | 38 | 39 | TLAPS.tla 40 | 1 41 | /usr/local/lib/tlaps/TLAPS.tla 42 | 43 | 44 | 45 | -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/EuclidEx.toolbox/.settings/org.lamport.tla.toolbox.prefs: -------------------------------------------------------------------------------- 1 | ProjectRootFile=PARENT-1-PROJECT_LOC/EuclidEx.tla 2 | eclipse.preferences.version=1 3 | -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/EuclidEx.toolbox/EuclidEx.aux: -------------------------------------------------------------------------------- 1 | \relax 2 | -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/EuclidEx.toolbox/EuclidEx.log: -------------------------------------------------------------------------------- 1 | This is pdfTeX, Version 3.14159265-2.6-1.40.20 (TeX Live 2019/Debian) (preloaded format=pdflatex 2019.4.13) 16 JUL 2019 09:46 2 | entering extended mode 3 | restricted \write18 enabled. 4 | %&-line parsing enabled. 
5 | **EuclidEx.tex 6 | (./EuclidEx.tex 7 | LaTeX2e <2018-12-01> 8 | 9 | (/usr/share/texlive/texmf-dist/tex/latex/base/article.cls 10 | Document Class: article 2018/09/03 v1.4i Standard LaTeX document class 11 | (/usr/share/texlive/texmf-dist/tex/latex/base/size10.clo 12 | File: size10.clo 2018/09/03 v1.4i Standard LaTeX file (size option) 13 | ) 14 | \c@part=\count80 15 | \c@section=\count81 16 | \c@subsection=\count82 17 | \c@subsubsection=\count83 18 | \c@paragraph=\count84 19 | \c@subparagraph=\count85 20 | \c@figure=\count86 21 | \c@table=\count87 22 | \abovecaptionskip=\skip41 23 | \belowcaptionskip=\skip42 24 | \bibindent=\dimen102 25 | ) (/usr/share/texlive/texmf-dist/tex/latex/graphics/color.sty 26 | Package: color 2016/07/10 v1.1e Standard LaTeX Color (DPC) 27 | (/usr/share/texlive/texmf-dist/tex/latex/graphics-cfg/color.cfg 28 | File: color.cfg 2016/01/02 v1.6 sample color configuration 29 | ) 30 | Package color Info: Driver file: pdftex.def on input line 147. 31 | (/usr/share/texlive/texmf-dist/tex/latex/graphics-def/pdftex.def 32 | File: pdftex.def 2018/01/08 v1.0l Graphics/color driver for pdftex 33 | )) (/usr/share/texlive/texmf-dist/tex/latex/base/latexsym.sty 34 | Package: latexsym 1998/08/17 v2.2e Standard LaTeX package (lasy symbols) 35 | \symlasy=\mathgroup4 36 | LaTeX Font Info: Overwriting symbol font `lasy' in version `bold' 37 | (Font) U/lasy/m/n --> U/lasy/b/n on input line 52. 
38 | ) (/usr/share/texlive/texmf-dist/tex/latex/base/ifthen.sty 39 | Package: ifthen 2014/09/29 v1.1c Standard LaTeX ifthen package (DPC) 40 | ) 41 | \symlength=\skip43 42 | \equalswidth=\skip44 43 | \charwidth=\skip45 44 | \boxrulewd=\skip46 45 | \boxlineht=\skip47 46 | \boxruleht=\skip48 47 | \boxruledp=\skip49 48 | \pcalvspace=\skip50 49 | \lcomindent=\skip51 50 | \@xlen=\skip52 51 | \templena=\skip53 52 | \templenb=\skip54 53 | \tempboxa=\box27 54 | \vshadelen=\skip55 55 | \boxwidth=\skip56 56 | \multicommentdepth=\skip57 57 | \c@pardepth=\count88 58 | \tempsbox=\box28 59 | \@cparht=\skip58 60 | \@cpardp=\skip59 61 | \xmcomlen=\skip60 62 | \spacewidth=\skip61 63 | \alignboxwidth=\skip62 64 | \alignwidth=\skip63 65 | \alignbox=\box29 66 | \symtlaitalics=\mathgroup5 67 | \c@tlx@ctr=\count89 68 | (/usr/share/texlive/texmf-dist/tex/latex/tools/verbatim.sty 69 | Package: verbatim 2014/10/28 v1.5q LaTeX2e package for verbatim enhancements 70 | \every@verbatim=\toks14 71 | \verbatim@line=\toks15 72 | \verbatim@in@stream=\read1 73 | ) (./EuclidEx.aux) 74 | \openout1 = `EuclidEx.aux'. 75 | 76 | LaTeX Font Info: Checking defaults for OML/cmm/m/it on input line 939. 77 | LaTeX Font Info: ... okay on input line 939. 78 | LaTeX Font Info: Checking defaults for T1/cmr/m/n on input line 939. 79 | LaTeX Font Info: ... okay on input line 939. 80 | LaTeX Font Info: Checking defaults for OT1/cmr/m/n on input line 939. 81 | LaTeX Font Info: ... okay on input line 939. 82 | LaTeX Font Info: Checking defaults for OMS/cmsy/m/n on input line 939. 83 | LaTeX Font Info: ... okay on input line 939. 84 | LaTeX Font Info: Checking defaults for OMX/cmex/m/n on input line 939. 85 | LaTeX Font Info: ... okay on input line 939. 86 | LaTeX Font Info: Checking defaults for U/cmr/m/n on input line 939. 87 | LaTeX Font Info: ... okay on input line 939. 88 | (/usr/share/texlive/texmf-dist/tex/context/base/mkii/supp-pdf.mkii 89 | [Loading MPS to PDF converter (version 2006.09.02).] 
90 | \scratchcounter=\count90 91 | \scratchdimen=\dimen103 92 | \scratchbox=\box30 93 | \nofMPsegments=\count91 94 | \nofMParguments=\count92 95 | \everyMPshowfont=\toks16 96 | \MPscratchCnt=\count93 97 | \MPscratchDim=\dimen104 98 | \MPnumerator=\count94 99 | \makeMPintoPDFobject=\count95 100 | \everyMPtoPDFconversion=\toks17 101 | ) 102 | LaTeX Font Info: External font `cmex10' loaded for size 103 | (Font) <7> on input line 942. 104 | LaTeX Font Info: External font `cmex10' loaded for size 105 | (Font) <5> on input line 942. 106 | LaTeX Font Info: Try loading font information for U+lasy on input line 942. 107 | (/usr/share/texlive/texmf-dist/tex/latex/base/ulasy.fd 108 | File: ulasy.fd 1998/08/17 v2.2e LaTeX symbol font definitions 109 | ) 110 | LaTeX Font Info: Try loading font information for OMS+cmr on input line 962. 111 | 112 | (/usr/share/texlive/texmf-dist/tex/latex/base/omscmr.fd 113 | File: omscmr.fd 2014/09/29 v2.5h Standard LaTeX font definitions 114 | ) 115 | LaTeX Font Info: Font shape `OMS/cmr/bx/n' in size <10> not available 116 | (Font) Font shape `OMS/cmsy/b/n' tried instead on input line 962. 117 | [1 118 | 119 | {/var/lib/texmf/fonts/map/pdftex/updmap/pdftex.map}] 120 | LaTeX Font Info: External font `cmex10' loaded for size 121 | (Font) <8> on input line 1086. 122 | LaTeX Font Info: External font `cmex10' loaded for size 123 | (Font) <6> on input line 1086. 124 | [2] (./EuclidEx.aux) ) 125 | Here is how much of TeX's memory you used: 126 | 1084 strings out of 492614 127 | 12845 string characters out of 6131384 128 | 86164 words of memory out of 5000000 129 | 5032 multiletter control sequences out of 15000+600000 130 | 9373 words of font info for 36 fonts, out of 8000000 for 9000 131 | 1141 hyphenation exceptions out of 8191 132 | 24i,10n,25p,222b,322s stack positions out of 5000i,500n,10000p,200000b,80000s 133 | 137 | 149 | Output written on EuclidEx.pdf (2 pages, 157832 bytes). 150 | PDF statistics: 151 | 75 PDF objects out of 1000 (max. 
8388607) 152 | 54 compressed objects within 1 object stream 153 | 0 named destinations out of 1000 (max. 500000) 154 | 1 words of extra memory for PDF output out of 10000 (max. 10000000) 155 | 156 | -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/EuclidEx.toolbox/EuclidEx.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Euclid/Euclid-Hyperbook/EuclidEx.toolbox/EuclidEx.pdf -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/EuclidEx.toolbox/EuclidEx.tla.pmap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Euclid/Euclid-Hyperbook/EuclidEx.toolbox/EuclidEx.tla.pmap -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/EuclidEx.toolbox/GCD.aux: -------------------------------------------------------------------------------- 1 | \relax 2 | -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/EuclidEx.toolbox/GCD.log: -------------------------------------------------------------------------------- 1 | This is pdfTeX, Version 3.14159265-2.6-1.40.20 (TeX Live 2019/Debian) (preloaded format=pdflatex 2019.4.13) 16 JUL 2019 10:21 2 | entering extended mode 3 | restricted \write18 enabled. 4 | %&-line parsing enabled. 
5 | **GCD.tex 6 | (./GCD.tex 7 | LaTeX2e <2018-12-01> 8 | 9 | (/usr/share/texlive/texmf-dist/tex/latex/base/article.cls 10 | Document Class: article 2018/09/03 v1.4i Standard LaTeX document class 11 | (/usr/share/texlive/texmf-dist/tex/latex/base/size10.clo 12 | File: size10.clo 2018/09/03 v1.4i Standard LaTeX file (size option) 13 | ) 14 | \c@part=\count80 15 | \c@section=\count81 16 | \c@subsection=\count82 17 | \c@subsubsection=\count83 18 | \c@paragraph=\count84 19 | \c@subparagraph=\count85 20 | \c@figure=\count86 21 | \c@table=\count87 22 | \abovecaptionskip=\skip41 23 | \belowcaptionskip=\skip42 24 | \bibindent=\dimen102 25 | ) (/usr/share/texlive/texmf-dist/tex/latex/graphics/color.sty 26 | Package: color 2016/07/10 v1.1e Standard LaTeX Color (DPC) 27 | (/usr/share/texlive/texmf-dist/tex/latex/graphics-cfg/color.cfg 28 | File: color.cfg 2016/01/02 v1.6 sample color configuration 29 | ) 30 | Package color Info: Driver file: pdftex.def on input line 147. 31 | (/usr/share/texlive/texmf-dist/tex/latex/graphics-def/pdftex.def 32 | File: pdftex.def 2018/01/08 v1.0l Graphics/color driver for pdftex 33 | )) (/usr/share/texlive/texmf-dist/tex/latex/base/latexsym.sty 34 | Package: latexsym 1998/08/17 v2.2e Standard LaTeX package (lasy symbols) 35 | \symlasy=\mathgroup4 36 | LaTeX Font Info: Overwriting symbol font `lasy' in version `bold' 37 | (Font) U/lasy/m/n --> U/lasy/b/n on input line 52. 
38 | ) (/usr/share/texlive/texmf-dist/tex/latex/base/ifthen.sty 39 | Package: ifthen 2014/09/29 v1.1c Standard LaTeX ifthen package (DPC) 40 | ) 41 | \symlength=\skip43 42 | \equalswidth=\skip44 43 | \charwidth=\skip45 44 | \boxrulewd=\skip46 45 | \boxlineht=\skip47 46 | \boxruleht=\skip48 47 | \boxruledp=\skip49 48 | \pcalvspace=\skip50 49 | \lcomindent=\skip51 50 | \@xlen=\skip52 51 | \templena=\skip53 52 | \templenb=\skip54 53 | \tempboxa=\box27 54 | \vshadelen=\skip55 55 | \boxwidth=\skip56 56 | \multicommentdepth=\skip57 57 | \c@pardepth=\count88 58 | \tempsbox=\box28 59 | \@cparht=\skip58 60 | \@cpardp=\skip59 61 | \xmcomlen=\skip60 62 | \spacewidth=\skip61 63 | \alignboxwidth=\skip62 64 | \alignwidth=\skip63 65 | \alignbox=\box29 66 | \symtlaitalics=\mathgroup5 67 | \c@tlx@ctr=\count89 68 | (/usr/share/texlive/texmf-dist/tex/latex/tools/verbatim.sty 69 | Package: verbatim 2014/10/28 v1.5q LaTeX2e package for verbatim enhancements 70 | \every@verbatim=\toks14 71 | \verbatim@line=\toks15 72 | \verbatim@in@stream=\read1 73 | ) (./GCD.aux) 74 | \openout1 = `GCD.aux'. 75 | 76 | LaTeX Font Info: Checking defaults for OML/cmm/m/it on input line 939. 77 | LaTeX Font Info: ... okay on input line 939. 78 | LaTeX Font Info: Checking defaults for T1/cmr/m/n on input line 939. 79 | LaTeX Font Info: ... okay on input line 939. 80 | LaTeX Font Info: Checking defaults for OT1/cmr/m/n on input line 939. 81 | LaTeX Font Info: ... okay on input line 939. 82 | LaTeX Font Info: Checking defaults for OMS/cmsy/m/n on input line 939. 83 | LaTeX Font Info: ... okay on input line 939. 84 | LaTeX Font Info: Checking defaults for OMX/cmex/m/n on input line 939. 85 | LaTeX Font Info: ... okay on input line 939. 86 | LaTeX Font Info: Checking defaults for U/cmr/m/n on input line 939. 87 | LaTeX Font Info: ... okay on input line 939. 88 | (/usr/share/texlive/texmf-dist/tex/context/base/mkii/supp-pdf.mkii 89 | [Loading MPS to PDF converter (version 2006.09.02).] 
90 | \scratchcounter=\count90 91 | \scratchdimen=\dimen103 92 | \scratchbox=\box30 93 | \nofMPsegments=\count91 94 | \nofMParguments=\count92 95 | \everyMPshowfont=\toks16 96 | \MPscratchCnt=\count93 97 | \MPscratchDim=\dimen104 98 | \MPnumerator=\count94 99 | \makeMPintoPDFobject=\count95 100 | \everyMPtoPDFconversion=\toks17 101 | ) 102 | LaTeX Font Info: External font `cmex10' loaded for size 103 | (Font) <7> on input line 942. 104 | LaTeX Font Info: External font `cmex10' loaded for size 105 | (Font) <5> on input line 942. 106 | LaTeX Font Info: Try loading font information for U+lasy on input line 942. 107 | (/usr/share/texlive/texmf-dist/tex/latex/base/ulasy.fd 108 | File: ulasy.fd 1998/08/17 v2.2e LaTeX symbol font definitions 109 | ) [1 110 | 111 | {/var/lib/texmf/fonts/map/pdftex/updmap/pdftex.map}] (./GCD.aux) ) 112 | Here is how much of TeX's memory you used: 113 | 1039 strings out of 492614 114 | 12217 string characters out of 6131384 115 | 82164 words of memory out of 5000000 116 | 5002 multiletter control sequences out of 15000+600000 117 | 5769 words of font info for 23 fonts, out of 8000000 for 9000 118 | 1141 hyphenation exceptions out of 8191 119 | 23i,10n,20p,217b,113s stack positions out of 5000i,500n,10000p,200000b,80000s 120 | 128 | Output written on GCD.pdf (1 page, 71078 bytes). 129 | PDF statistics: 130 | 36 PDF objects out of 1000 (max. 8388607) 131 | 25 compressed objects within 1 object stream 132 | 0 named destinations out of 1000 (max. 500000) 133 | 1 words of extra memory for PDF output out of 10000 (max. 
10000000) 134 | 135 | -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/EuclidEx.toolbox/GCD.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Euclid/Euclid-Hyperbook/EuclidEx.toolbox/GCD.pdf -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/GCD.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Euclid/Euclid-Hyperbook/GCD.pdf -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/GCD.tla: -------------------------------------------------------------------------------- 1 | --------------------------- MODULE GCD --------------------------- 2 | EXTENDS Integers 3 | ------------------------------------------------------------------ 4 | Divides(p, n) == \E q \in Int : n = p * q 5 | DivisorsOf(n) == {p \in Int : Divides(p, n)} 6 | 7 | SetMax(S) == CHOOSE i \in S : \A j \in S : i >= j 8 | 9 | GCD(m, n) == SetMax(DivisorsOf(m) \cap DivisorsOf(n)) 10 | ----------------------------------------------------------------------------- 11 | THEOREM GCD1 == \A m \in Nat \ {0} : GCD(m, m) = m 12 | <1> SUFFICES ASSUME NEW m \in Nat \ {0} 13 | PROVE GCD(m, m) = m 14 | OBVIOUS 15 | <1>1. Divides(m, m) 16 | BY DEF Divides 17 | <1>2. \A i \in Nat : Divides(i, m) => (i <= m) 18 | BY DEF Divides 19 | <1>3. 
QED 20 | BY <1>1, <1>2 DEF GCD, SetMax, DivisorsOf 21 | ------------------------------------------------------------------ 22 | THEOREM GCD2 == \A m, n \in Nat \ {0} : GCD(m, n) = GCD(n, m) 23 | BY DEF GCD 24 | ------------------------------------------------------------------ 25 | THEOREM GCD3 == \A m, n \in Nat \ {0} : 26 | (n > m) => (GCD(m, n) = GCD(m, n-m)) 27 | <1> SUFFICES ASSUME NEW m \in Nat \ {0}, NEW n \in Nat \ {0}, 28 | n > m 29 | PROVE GCD(m, n) = GCD(m, n-m) 30 | OBVIOUS 31 | <1> \A i \in Int : 32 | Divides(i, m) /\ Divides(i, n) <=> Divides(i, m) /\ Divides(i, n - m) 33 | BY DEF Divides 34 | <1> QED 35 | BY DEF GCD, SetMax, DivisorsOf 36 | =================================================================== -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/GCD.tlaps/GCD.thy: -------------------------------------------------------------------------------- 1 | (* automatically generated -- do not edit manually *) 2 | theory GCD imports Constant Zenon begin 3 | ML_command {* writeln ("*** TLAPS PARSED\n"); *} 4 | consts 5 | "isReal" :: c 6 | "isa_slas_a" :: "[c,c] => c" 7 | "isa_bksl_diva" :: "[c,c] => c" 8 | "isa_perc_a" :: "[c,c] => c" 9 | "isa_peri_peri_a" :: "[c,c] => c" 10 | "isInfinity" :: c 11 | "isa_lbrk_rbrk_a" :: "[c] => c" 12 | "isa_less_more_a" :: "[c] => c" 13 | 14 | end 15 | -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/GCD.tlaps/fingerprints: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Euclid/Euclid-Hyperbook/GCD.tlaps/fingerprints -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/GCD.tlaps/fingerprints.history/2019-07-16_10_12_19/GCD.tla: -------------------------------------------------------------------------------- 1 | 
--------------------------- MODULE GCD --------------------------- 2 | EXTENDS Integers 3 | ------------------------------------------------------------------ 4 | Divides(p, n) == \E q \in Int : n = p * q 5 | DivisorsOf(n) == {p \in Int : Divides(p, n)} 6 | 7 | SetMax(S) == CHOOSE i \in S : \A j \in S : i >= j 8 | 9 | GCD(m, n) == SetMax(DivisorsOf(m) \cap DivisorsOf(n)) 10 | ----------------------------------------------------------------------------- 11 | THEOREM GCD1 == \A m \in Nat \ {0} : GCD(m, m) = m 12 | <1> SUFFICES ASSUME NEW m \in Nat \ {0} 13 | PROVE GCD(m, m) = m 14 | OBVIOUS 15 | <1>1. Divides(m, m) 16 | <1>2. \A i \in Nat : Divides(i, m) => (i <= m) 17 | <1>3. QED 18 | BY <1>1, <1>2 DEF GCD, SetMax 19 | 20 | 21 | THEOREM GCD2 == \A m, n \in Nat \ {0} : GCD(m, n) = GCD(n, m) 22 | BY DEF GCD 23 | 24 | THEOREM GCD3 == \A m, n \in Nat \ {0} : (n > m) => (GCD(m, n) = GCD(m, n-m)) 25 | BY DEF GCD, SetMax, DivisorsOf, Divides 26 | ----------------------------------------------------------------------------- 27 | (* 28 | THEOREM GCD1 == \A m \in Nat \ {0} : GCD(m, m) = m 29 | <1> SUFFICES ASSUME NEW m \in Nat \ {0} 30 | PROVE GCD(m, m) = m 31 | OBVIOUS 32 | <1>1. Divides(m, m) 33 | BY DEF Divides 34 | <1>2. 
\A i \in Nat : Divides(i, m) => (i <= m) 35 | BY DEF Divides 36 | <1> QED 37 | BY <1>1, <1>2 DEF GCD, SetMax , DivisorsOf , Divides 38 | ----------------------------------------------------------------------------- 39 | THEOREM GCD2 == \A m, n \in Nat \ {0} : GCD(m, n) = GCD(n, m) 40 | BY DEF GCD, SetMax , DivisorsOf , Divides 41 | ----------------------------------------------------------------------------- 42 | THEOREM GCD3 == \A m, n \in Nat \ {0} : (n > m) => (GCD(m, n) = GCD(m, n-m)) 43 | <1> SUFFICES ASSUME NEW m \in Nat \ {0}, NEW n \in Nat \ {0}, 44 | n > m 45 | PROVE GCD(m, n) = GCD(m, n-m) 46 | OBVIOUS 47 | <1> \A i \in Int : Divides(i, m) /\ Divides(i, n) <=> Divides(i, m) /\ Divides(i, n - m) 48 | BY DEF Divides 49 | <1> QED 50 | BY DEF GCD, SetMax , DivisorsOf , Divides 51 | *) 52 | =================================================================== -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/GCD.tlaps/fingerprints.history/2019-07-16_10_12_19/fingerprints: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Euclid/Euclid-Hyperbook/GCD.tlaps/fingerprints.history/2019-07-16_10_12_19/fingerprints -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/GCD.tlaps/fingerprints.history/2019-07-16_10_12_45/GCD.tla: -------------------------------------------------------------------------------- 1 | --------------------------- MODULE GCD --------------------------- 2 | EXTENDS Integers 3 | ------------------------------------------------------------------ 4 | Divides(p, n) == \E q \in Int : n = p * q 5 | DivisorsOf(n) == {p \in Int : Divides(p, n)} 6 | 7 | SetMax(S) == CHOOSE i \in S : \A j \in S : i >= j 8 | 9 | GCD(m, n) == SetMax(DivisorsOf(m) \cap DivisorsOf(n)) 10 | 
----------------------------------------------------------------------------- 11 | THEOREM GCD1 == \A m \in Nat \ {0} : GCD(m, m) = m 12 | <1> SUFFICES ASSUME NEW m \in Nat \ {0} 13 | PROVE GCD(m, m) = m 14 | OBVIOUS 15 | <1>1. Divides(m, m) 16 | <1>2. \A i \in Nat : Divides(i, m) => (i <= m) 17 | <1>3. QED 18 | BY <1>1, <1>2 DEF GCD, SetMax, DivisorsOf 19 | 20 | 21 | THEOREM GCD2 == \A m, n \in Nat \ {0} : GCD(m, n) = GCD(n, m) 22 | BY DEF GCD 23 | 24 | THEOREM GCD3 == \A m, n \in Nat \ {0} : (n > m) => (GCD(m, n) = GCD(m, n-m)) 25 | BY DEF GCD, SetMax, DivisorsOf, Divides 26 | ----------------------------------------------------------------------------- 27 | (* 28 | THEOREM GCD1 == \A m \in Nat \ {0} : GCD(m, m) = m 29 | <1> SUFFICES ASSUME NEW m \in Nat \ {0} 30 | PROVE GCD(m, m) = m 31 | OBVIOUS 32 | <1>1. Divides(m, m) 33 | BY DEF Divides 34 | <1>2. \A i \in Nat : Divides(i, m) => (i <= m) 35 | BY DEF Divides 36 | <1> QED 37 | BY <1>1, <1>2 DEF GCD, SetMax , DivisorsOf , Divides 38 | ----------------------------------------------------------------------------- 39 | THEOREM GCD2 == \A m, n \in Nat \ {0} : GCD(m, n) = GCD(n, m) 40 | BY DEF GCD, SetMax , DivisorsOf , Divides 41 | ----------------------------------------------------------------------------- 42 | THEOREM GCD3 == \A m, n \in Nat \ {0} : (n > m) => (GCD(m, n) = GCD(m, n-m)) 43 | <1> SUFFICES ASSUME NEW m \in Nat \ {0}, NEW n \in Nat \ {0}, 44 | n > m 45 | PROVE GCD(m, n) = GCD(m, n-m) 46 | OBVIOUS 47 | <1> \A i \in Int : Divides(i, m) /\ Divides(i, n) <=> Divides(i, m) /\ Divides(i, n - m) 48 | BY DEF Divides 49 | <1> QED 50 | BY DEF GCD, SetMax , DivisorsOf , Divides 51 | *) 52 | =================================================================== -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/GCD.tlaps/fingerprints.history/2019-07-16_10_12_45/fingerprints: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Euclid/Euclid-Hyperbook/GCD.tlaps/fingerprints.history/2019-07-16_10_12_45/fingerprints -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/GCD.tlaps/fingerprints.history/2019-07-16_10_13_58/GCD.tla: -------------------------------------------------------------------------------- 1 | --------------------------- MODULE GCD --------------------------- 2 | EXTENDS Integers 3 | ------------------------------------------------------------------ 4 | Divides(p, n) == \E q \in Int : n = p * q 5 | DivisorsOf(n) == {p \in Int : Divides(p, n)} 6 | 7 | SetMax(S) == CHOOSE i \in S : \A j \in S : i >= j 8 | 9 | GCD(m, n) == SetMax(DivisorsOf(m) \cap DivisorsOf(n)) 10 | ----------------------------------------------------------------------------- 11 | THEOREM GCD1 == \A m \in Nat \ {0} : GCD(m, m) = m 12 | <1> SUFFICES ASSUME NEW m \in Nat \ {0} 13 | PROVE GCD(m, m) = m 14 | OBVIOUS 15 | <1>1. Divides(m, m) 16 | BY DEF Divides 17 | <1>2. \A i \in Nat : Divides(i, m) => (i <= m) 18 | BY DEF Divides 19 | <1>3. QED 20 | BY <1>1, <1>2 DEF GCD, SetMax, DivisorsOf 21 | 22 | 23 | THEOREM GCD2 == \A m, n \in Nat \ {0} : GCD(m, n) = GCD(n, m) 24 | BY DEF GCD 25 | 26 | THEOREM GCD3 == \A m, n \in Nat \ {0} : (n > m) => (GCD(m, n) = GCD(m, n-m)) 27 | BY DEF GCD, SetMax, DivisorsOf, Divides 28 | ----------------------------------------------------------------------------- 29 | (* 30 | THEOREM GCD1 == \A m \in Nat \ {0} : GCD(m, m) = m 31 | <1> SUFFICES ASSUME NEW m \in Nat \ {0} 32 | PROVE GCD(m, m) = m 33 | OBVIOUS 34 | <1>1. Divides(m, m) 35 | BY DEF Divides 36 | <1>2. 
\A i \in Nat : Divides(i, m) => (i <= m) 37 | BY DEF Divides 38 | <1> QED 39 | BY <1>1, <1>2 DEF GCD, SetMax , DivisorsOf , Divides 40 | ----------------------------------------------------------------------------- 41 | THEOREM GCD2 == \A m, n \in Nat \ {0} : GCD(m, n) = GCD(n, m) 42 | BY DEF GCD, SetMax , DivisorsOf , Divides 43 | ----------------------------------------------------------------------------- 44 | THEOREM GCD3 == \A m, n \in Nat \ {0} : (n > m) => (GCD(m, n) = GCD(m, n-m)) 45 | <1> SUFFICES ASSUME NEW m \in Nat \ {0}, NEW n \in Nat \ {0}, 46 | n > m 47 | PROVE GCD(m, n) = GCD(m, n-m) 48 | OBVIOUS 49 | <1> \A i \in Int : Divides(i, m) /\ Divides(i, n) <=> Divides(i, m) /\ Divides(i, n - m) 50 | BY DEF Divides 51 | <1> QED 52 | BY DEF GCD, SetMax , DivisorsOf , Divides 53 | *) 54 | =================================================================== -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/GCD.tlaps/fingerprints.history/2019-07-16_10_13_58/fingerprints: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Euclid/Euclid-Hyperbook/GCD.tlaps/fingerprints.history/2019-07-16_10_13_58/fingerprints -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/GCD.tlaps/fingerprints.history/2019-07-16_10_15_40/GCD.tla: -------------------------------------------------------------------------------- 1 | --------------------------- MODULE GCD --------------------------- 2 | EXTENDS Integers 3 | ------------------------------------------------------------------ 4 | Divides(p, n) == \E q \in Int : n = p * q 5 | DivisorsOf(n) == {p \in Int : Divides(p, n)} 6 | 7 | SetMax(S) == CHOOSE i \in S : \A j \in S : i >= j 8 | 9 | GCD(m, n) == SetMax(DivisorsOf(m) \cap DivisorsOf(n)) 10 | 
----------------------------------------------------------------------------- 11 | THEOREM GCD1 == \A m \in Nat \ {0} : GCD(m, m) = m 12 | <1> SUFFICES ASSUME NEW m \in Nat \ {0} 13 | PROVE GCD(m, m) = m 14 | OBVIOUS 15 | <1>1. Divides(m, m) 16 | BY DEF Divides 17 | <1>2. \A i \in Nat : Divides(i, m) => (i <= m) 18 | BY DEF Divides 19 | <1>3. QED 20 | BY <1>1, <1>2 DEF GCD, SetMax, DivisorsOf 21 | 22 | 23 | THEOREM GCD2 == \A m, n \in Nat \ {0} : GCD(m, n) = GCD(n, m) 24 | BY DEF GCD 25 | 26 | THEOREM GCD3 == \A m, n \in Nat \ {0} : (n > m) => (GCD(m, n) = GCD(m, n-m)) 27 | <1> SUFFICES ASSUME NEW m \in Nat \ {0}, NEW n \in Nat \ {0}, 28 | n > m 29 | PROVE GCD(m, n) = GCD(m, n-m) 30 | OBVIOUS 31 | <1> QED 32 | BY DEF GCD, SetMax, DivisorsOf, Divides 33 | 34 | ----------------------------------------------------------------------------- 35 | (* 36 | THEOREM GCD3 == \A m, n \in Nat \ {0} : (n > m) => (GCD(m, n) = GCD(m, n-m)) 37 | <1> SUFFICES ASSUME NEW m \in Nat \ {0}, NEW n \in Nat \ {0}, 38 | n > m 39 | PROVE GCD(m, n) = GCD(m, n-m) 40 | OBVIOUS 41 | <1> \A i \in Int : Divides(i, m) /\ Divides(i, n) <=> Divides(i, m) /\ Divides(i, n - m) 42 | BY DEF Divides 43 | <1> QED 44 | BY DEF GCD, SetMax , DivisorsOf , Divides 45 | *) 46 | =================================================================== -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/GCD.tlaps/fingerprints.history/2019-07-16_10_15_40/fingerprints: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Euclid/Euclid-Hyperbook/GCD.tlaps/fingerprints.history/2019-07-16_10_15_40/fingerprints -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/GCD.tlaps/fingerprints.history/2019-07-16_10_15_46/GCD.tla: 
-------------------------------------------------------------------------------- 1 | --------------------------- MODULE GCD --------------------------- 2 | EXTENDS Integers 3 | ------------------------------------------------------------------ 4 | Divides(p, n) == \E q \in Int : n = p * q 5 | DivisorsOf(n) == {p \in Int : Divides(p, n)} 6 | 7 | SetMax(S) == CHOOSE i \in S : \A j \in S : i >= j 8 | 9 | GCD(m, n) == SetMax(DivisorsOf(m) \cap DivisorsOf(n)) 10 | ----------------------------------------------------------------------------- 11 | THEOREM GCD1 == \A m \in Nat \ {0} : GCD(m, m) = m 12 | <1> SUFFICES ASSUME NEW m \in Nat \ {0} 13 | PROVE GCD(m, m) = m 14 | OBVIOUS 15 | <1>1. Divides(m, m) 16 | BY DEF Divides 17 | <1>2. \A i \in Nat : Divides(i, m) => (i <= m) 18 | BY DEF Divides 19 | <1>3. QED 20 | BY <1>1, <1>2 DEF GCD, SetMax, DivisorsOf 21 | 22 | 23 | THEOREM GCD2 == \A m, n \in Nat \ {0} : GCD(m, n) = GCD(n, m) 24 | BY DEF GCD 25 | 26 | THEOREM GCD3 == \A m, n \in Nat \ {0} : (n > m) => (GCD(m, n) = GCD(m, n-m)) 27 | <1> SUFFICES ASSUME NEW m \in Nat \ {0}, NEW n \in Nat \ {0}, 28 | n > m 29 | PROVE GCD(m, n) = GCD(m, n-m) 30 | OBVIOUS 31 | <1> QED 32 | BY DEF GCD, SetMax, DivisorsOf, Divides 33 | 34 | ----------------------------------------------------------------------------- 35 | (* 36 | THEOREM GCD3 == \A m, n \in Nat \ {0} : (n > m) => (GCD(m, n) = GCD(m, n-m)) 37 | <1> SUFFICES ASSUME NEW m \in Nat \ {0}, NEW n \in Nat \ {0}, 38 | n > m 39 | PROVE GCD(m, n) = GCD(m, n-m) 40 | OBVIOUS 41 | <1> \A i \in Int : Divides(i, m) /\ Divides(i, n) <=> Divides(i, m) /\ Divides(i, n - m) 42 | BY DEF Divides 43 | <1> QED 44 | BY DEF GCD, SetMax , DivisorsOf , Divides 45 | *) 46 | =================================================================== -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/GCD.tlaps/fingerprints.history/2019-07-16_10_15_46/fingerprints: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Euclid/Euclid-Hyperbook/GCD.tlaps/fingerprints.history/2019-07-16_10_15_46/fingerprints -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/GCD.tlaps/fingerprints.history/2019-07-16_10_20_12/GCD.tla: -------------------------------------------------------------------------------- 1 | --------------------------- MODULE GCD --------------------------- 2 | EXTENDS Integers 3 | ------------------------------------------------------------------ 4 | Divides(p, n) == \E q \in Int : n = p * q 5 | DivisorsOf(n) == {p \in Int : Divides(p, n)} 6 | 7 | SetMax(S) == CHOOSE i \in S : \A j \in S : i >= j 8 | 9 | GCD(m, n) == SetMax(DivisorsOf(m) \cap DivisorsOf(n)) 10 | ----------------------------------------------------------------------------- 11 | THEOREM GCD1 == \A m \in Nat \ {0} : GCD(m, m) = m 12 | <1> SUFFICES ASSUME NEW m \in Nat \ {0} 13 | PROVE GCD(m, m) = m 14 | OBVIOUS 15 | <1>1. Divides(m, m) 16 | BY DEF Divides 17 | <1>2. \A i \in Nat : Divides(i, m) => (i <= m) 18 | BY DEF Divides 19 | <1>3. 
QED 20 | BY <1>1, <1>2 DEF GCD, SetMax, DivisorsOf 21 | 22 | 23 | THEOREM GCD2 == \A m, n \in Nat \ {0} : GCD(m, n) = GCD(n, m) 24 | BY DEF GCD 25 | 26 | THEOREM GCD3 == \A m, n \in Nat \ {0} : 27 | (n > m) => (GCD(m, n) = GCD(m, n-m)) 28 | <1> SUFFICES ASSUME NEW m \in Nat \ {0}, NEW n \in Nat \ {0}, 29 | n > m 30 | PROVE GCD(m, n) = GCD(m, n-m) 31 | OBVIOUS 32 | <1> \A i \in Int : 33 | Divides(i, m) /\ Divides(i, n) <=> Divides(i, m) /\ Divides(i, n - m) 34 | <1> QED 35 | BY DEF GCD, SetMax, DivisorsOf, Divides 36 | 37 | ----------------------------------------------------------------------------- 38 | (* 39 | THEOREM GCD3 == \A m, n \in Nat \ {0} : (n > m) => (GCD(m, n) = GCD(m, n-m)) 40 | <1> SUFFICES ASSUME NEW m \in Nat \ {0}, NEW n \in Nat \ {0}, 41 | n > m 42 | PROVE GCD(m, n) = GCD(m, n-m) 43 | OBVIOUS 44 | <1> \A i \in Int : Divides(i, m) /\ Divides(i, n) <=> Divides(i, m) /\ Divides(i, n - m) 45 | BY DEF Divides 46 | <1> QED 47 | BY DEF GCD, SetMax , DivisorsOf , Divides 48 | *) 49 | =================================================================== -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/GCD.tlaps/fingerprints.history/2019-07-16_10_20_12/fingerprints: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Euclid/Euclid-Hyperbook/GCD.tlaps/fingerprints.history/2019-07-16_10_20_12/fingerprints -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/GCD.tlaps/fingerprints.history/2019-07-16_10_20_26/GCD.tla: -------------------------------------------------------------------------------- 1 | --------------------------- MODULE GCD --------------------------- 2 | EXTENDS Integers 3 | ------------------------------------------------------------------ 4 | Divides(p, n) == \E q \in Int : n = p * q 5 | DivisorsOf(n) == {p \in 
Int : Divides(p, n)} 6 | 7 | SetMax(S) == CHOOSE i \in S : \A j \in S : i >= j 8 | 9 | GCD(m, n) == SetMax(DivisorsOf(m) \cap DivisorsOf(n)) 10 | ----------------------------------------------------------------------------- 11 | THEOREM GCD1 == \A m \in Nat \ {0} : GCD(m, m) = m 12 | <1> SUFFICES ASSUME NEW m \in Nat \ {0} 13 | PROVE GCD(m, m) = m 14 | OBVIOUS 15 | <1>1. Divides(m, m) 16 | BY DEF Divides 17 | <1>2. \A i \in Nat : Divides(i, m) => (i <= m) 18 | BY DEF Divides 19 | <1>3. QED 20 | BY <1>1, <1>2 DEF GCD, SetMax, DivisorsOf 21 | 22 | 23 | THEOREM GCD2 == \A m, n \in Nat \ {0} : GCD(m, n) = GCD(n, m) 24 | BY DEF GCD 25 | 26 | THEOREM GCD3 == \A m, n \in Nat \ {0} : 27 | (n > m) => (GCD(m, n) = GCD(m, n-m)) 28 | <1> SUFFICES ASSUME NEW m \in Nat \ {0}, NEW n \in Nat \ {0}, 29 | n > m 30 | PROVE GCD(m, n) = GCD(m, n-m) 31 | OBVIOUS 32 | <1> \A i \in Int : 33 | Divides(i, m) /\ Divides(i, n) <=> Divides(i, m) /\ Divides(i, n - m) 34 | <1> QED 35 | BY DEF GCD, SetMax, DivisorsOf 36 | ----------------------------------------------------------------------------- 37 | (* 38 | THEOREM GCD3 == \A m, n \in Nat \ {0} : (n > m) => (GCD(m, n) = GCD(m, n-m)) 39 | <1> SUFFICES ASSUME NEW m \in Nat \ {0}, NEW n \in Nat \ {0}, 40 | n > m 41 | PROVE GCD(m, n) = GCD(m, n-m) 42 | OBVIOUS 43 | <1> \A i \in Int : Divides(i, m) /\ Divides(i, n) <=> Divides(i, m) /\ Divides(i, n - m) 44 | BY DEF Divides 45 | <1> QED 46 | BY DEF GCD, SetMax , DivisorsOf , Divides 47 | *) 48 | =================================================================== -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/GCD.tlaps/fingerprints.history/2019-07-16_10_20_26/fingerprints: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Euclid/Euclid-Hyperbook/GCD.tlaps/fingerprints.history/2019-07-16_10_20_26/fingerprints 
-------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/GCD.tlaps/fingerprints.history/2019-07-16_10_21_17/GCD.tla: -------------------------------------------------------------------------------- 1 | --------------------------- MODULE GCD --------------------------- 2 | EXTENDS Integers 3 | ------------------------------------------------------------------ 4 | Divides(p, n) == \E q \in Int : n = p * q 5 | DivisorsOf(n) == {p \in Int : Divides(p, n)} 6 | 7 | SetMax(S) == CHOOSE i \in S : \A j \in S : i >= j 8 | 9 | GCD(m, n) == SetMax(DivisorsOf(m) \cap DivisorsOf(n)) 10 | ----------------------------------------------------------------------------- 11 | THEOREM GCD1 == \A m \in Nat \ {0} : GCD(m, m) = m 12 | <1> SUFFICES ASSUME NEW m \in Nat \ {0} 13 | PROVE GCD(m, m) = m 14 | OBVIOUS 15 | <1>1. Divides(m, m) 16 | BY DEF Divides 17 | <1>2. \A i \in Nat : Divides(i, m) => (i <= m) 18 | BY DEF Divides 19 | <1>3. QED 20 | BY <1>1, <1>2 DEF GCD, SetMax, DivisorsOf 21 | 22 | 23 | THEOREM GCD2 == \A m, n \in Nat \ {0} : GCD(m, n) = GCD(n, m) 24 | BY DEF GCD 25 | 26 | THEOREM GCD3 == \A m, n \in Nat \ {0} : 27 | (n > m) => (GCD(m, n) = GCD(m, n-m)) 28 | <1> SUFFICES ASSUME NEW m \in Nat \ {0}, NEW n \in Nat \ {0}, 29 | n > m 30 | PROVE GCD(m, n) = GCD(m, n-m) 31 | OBVIOUS 32 | <1> \A i \in Int : 33 | Divides(i, m) /\ Divides(i, n) <=> Divides(i, m) /\ Divides(i, n - m) 34 | BY DEF Divides 35 | <1> QED 36 | BY DEF GCD, SetMax, DivisorsOf 37 | ----------------------------------------------------------------------------- 38 | (* 39 | THEOREM GCD3 == \A m, n \in Nat \ {0} : (n > m) => (GCD(m, n) = GCD(m, n-m)) 40 | <1> SUFFICES ASSUME NEW m \in Nat \ {0}, NEW n \in Nat \ {0}, 41 | n > m 42 | PROVE GCD(m, n) = GCD(m, n-m) 43 | OBVIOUS 44 | <1> \A i \in Int : Divides(i, m) /\ Divides(i, n) <=> Divides(i, m) /\ Divides(i, n - m) 45 | BY DEF Divides 46 | <1> QED 47 | BY DEF GCD, SetMax , DivisorsOf , Divides 48 | *) 49 | 
=================================================================== -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/GCD.tlaps/fingerprints.history/2019-07-16_10_21_17/fingerprints: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Euclid/Euclid-Hyperbook/GCD.tlaps/fingerprints.history/2019-07-16_10_21_17/fingerprints -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/GCD.tlaps/fingerprints.history/2019-07-16_10_21_21/GCD.tla: -------------------------------------------------------------------------------- 1 | --------------------------- MODULE GCD --------------------------- 2 | EXTENDS Integers 3 | ------------------------------------------------------------------ 4 | Divides(p, n) == \E q \in Int : n = p * q 5 | DivisorsOf(n) == {p \in Int : Divides(p, n)} 6 | 7 | SetMax(S) == CHOOSE i \in S : \A j \in S : i >= j 8 | 9 | GCD(m, n) == SetMax(DivisorsOf(m) \cap DivisorsOf(n)) 10 | ----------------------------------------------------------------------------- 11 | THEOREM GCD1 == \A m \in Nat \ {0} : GCD(m, m) = m 12 | <1> SUFFICES ASSUME NEW m \in Nat \ {0} 13 | PROVE GCD(m, m) = m 14 | OBVIOUS 15 | <1>1. Divides(m, m) 16 | BY DEF Divides 17 | <1>2. \A i \in Nat : Divides(i, m) => (i <= m) 18 | BY DEF Divides 19 | <1>3. 
QED 20 | BY <1>1, <1>2 DEF GCD, SetMax, DivisorsOf 21 | 22 | 23 | THEOREM GCD2 == \A m, n \in Nat \ {0} : GCD(m, n) = GCD(n, m) 24 | BY DEF GCD 25 | 26 | THEOREM GCD3 == \A m, n \in Nat \ {0} : 27 | (n > m) => (GCD(m, n) = GCD(m, n-m)) 28 | <1> SUFFICES ASSUME NEW m \in Nat \ {0}, NEW n \in Nat \ {0}, 29 | n > m 30 | PROVE GCD(m, n) = GCD(m, n-m) 31 | OBVIOUS 32 | <1> \A i \in Int : 33 | Divides(i, m) /\ Divides(i, n) <=> Divides(i, m) /\ Divides(i, n - m) 34 | BY DEF Divides 35 | <1> QED 36 | BY DEF GCD, SetMax, DivisorsOf 37 | ----------------------------------------------------------------------------- 38 | (* 39 | THEOREM GCD3 == \A m, n \in Nat \ {0} : (n > m) => (GCD(m, n) = GCD(m, n-m)) 40 | <1> SUFFICES ASSUME NEW m \in Nat \ {0}, NEW n \in Nat \ {0}, 41 | n > m 42 | PROVE GCD(m, n) = GCD(m, n-m) 43 | OBVIOUS 44 | <1> \A i \in Int : Divides(i, m) /\ Divides(i, n) <=> Divides(i, m) /\ Divides(i, n - m) 45 | BY DEF Divides 46 | <1> QED 47 | BY DEF GCD, SetMax , DivisorsOf , Divides 48 | *) 49 | =================================================================== -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/GCD.tlaps/fingerprints.history/2019-07-16_10_21_21/fingerprints: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Euclid/Euclid-Hyperbook/GCD.tlaps/fingerprints.history/2019-07-16_10_21_21/fingerprints -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/GCD.tlaps/fingerprints.history/2019-07-16_10_21_25/GCD.tla: -------------------------------------------------------------------------------- 1 | --------------------------- MODULE GCD --------------------------- 2 | EXTENDS Integers 3 | ------------------------------------------------------------------ 4 | Divides(p, n) == \E q \in Int : n = p * q 5 | DivisorsOf(n) == 
{p \in Int : Divides(p, n)} 6 | 7 | SetMax(S) == CHOOSE i \in S : \A j \in S : i >= j 8 | 9 | GCD(m, n) == SetMax(DivisorsOf(m) \cap DivisorsOf(n)) 10 | ----------------------------------------------------------------------------- 11 | THEOREM GCD1 == \A m \in Nat \ {0} : GCD(m, m) = m 12 | <1> SUFFICES ASSUME NEW m \in Nat \ {0} 13 | PROVE GCD(m, m) = m 14 | OBVIOUS 15 | <1>1. Divides(m, m) 16 | BY DEF Divides 17 | <1>2. \A i \in Nat : Divides(i, m) => (i <= m) 18 | BY DEF Divides 19 | <1>3. QED 20 | BY <1>1, <1>2 DEF GCD, SetMax, DivisorsOf 21 | 22 | 23 | THEOREM GCD2 == \A m, n \in Nat \ {0} : GCD(m, n) = GCD(n, m) 24 | BY DEF GCD 25 | 26 | THEOREM GCD3 == \A m, n \in Nat \ {0} : 27 | (n > m) => (GCD(m, n) = GCD(m, n-m)) 28 | <1> SUFFICES ASSUME NEW m \in Nat \ {0}, NEW n \in Nat \ {0}, 29 | n > m 30 | PROVE GCD(m, n) = GCD(m, n-m) 31 | OBVIOUS 32 | <1> \A i \in Int : 33 | Divides(i, m) /\ Divides(i, n) <=> Divides(i, m) /\ Divides(i, n - m) 34 | BY DEF Divides 35 | <1> QED 36 | BY DEF GCD, SetMax, DivisorsOf 37 | ----------------------------------------------------------------------------- 38 | (* 39 | THEOREM GCD3 == \A m, n \in Nat \ {0} : (n > m) => (GCD(m, n) = GCD(m, n-m)) 40 | <1> SUFFICES ASSUME NEW m \in Nat \ {0}, NEW n \in Nat \ {0}, 41 | n > m 42 | PROVE GCD(m, n) = GCD(m, n-m) 43 | OBVIOUS 44 | <1> \A i \in Int : Divides(i, m) /\ Divides(i, n) <=> Divides(i, m) /\ Divides(i, n - m) 45 | BY DEF Divides 46 | <1> QED 47 | BY DEF GCD, SetMax , DivisorsOf , Divides 48 | *) 49 | =================================================================== -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/GCD.tlaps/fingerprints.history/2019-07-16_10_21_25/fingerprints: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Euclid/Euclid-Hyperbook/GCD.tlaps/fingerprints.history/2019-07-16_10_21_25/fingerprints -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/GCD.toolbox/.project: -------------------------------------------------------------------------------- 1 | 2 | 3 | GCD 4 | 5 | 6 | 7 | 8 | 9 | toolbox.builder.TLAParserBuilder 10 | 11 | 12 | 13 | 14 | 15 | toolbox.natures.TLANature 16 | 17 | 18 | 19 | FiniteSets.tla 20 | 1 21 | /usr/local/lib/tlaps/FiniteSets.tla 22 | 23 | 24 | GCD.tla 25 | 1 26 | PARENT-1-PROJECT_LOC/GCD.tla 27 | 28 | 29 | NaturalsInduction.tla 30 | 1 31 | /usr/local/lib/tlaps/NaturalsInduction.tla 32 | 33 | 34 | TLAPS.tla 35 | 1 36 | /usr/local/lib/tlaps/TLAPS.tla 37 | 38 | 39 | 40 | -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/GCD.toolbox/.settings/org.lamport.tla.toolbox.prefs: -------------------------------------------------------------------------------- 1 | ProjectRootFile=PARENT-1-PROJECT_LOC/GCD.tla 2 | eclipse.preferences.version=1 3 | -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/GCD.toolbox/GCD.aux: -------------------------------------------------------------------------------- 1 | \relax 2 | -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/GCD.toolbox/GCD.log: -------------------------------------------------------------------------------- 1 | This is pdfTeX, Version 3.14159265-2.6-1.40.20 (TeX Live 2019/Debian) (preloaded format=pdflatex 2019.4.13) 15 JUL 2019 16:50 2 | entering extended mode 3 | restricted \write18 enabled. 4 | %&-line parsing enabled. 
5 | **GCD.tex 6 | (./GCD.tex 7 | LaTeX2e <2018-12-01> 8 | 9 | (/usr/share/texlive/texmf-dist/tex/latex/base/article.cls 10 | Document Class: article 2018/09/03 v1.4i Standard LaTeX document class 11 | (/usr/share/texlive/texmf-dist/tex/latex/base/size10.clo 12 | File: size10.clo 2018/09/03 v1.4i Standard LaTeX file (size option) 13 | ) 14 | \c@part=\count80 15 | \c@section=\count81 16 | \c@subsection=\count82 17 | \c@subsubsection=\count83 18 | \c@paragraph=\count84 19 | \c@subparagraph=\count85 20 | \c@figure=\count86 21 | \c@table=\count87 22 | \abovecaptionskip=\skip41 23 | \belowcaptionskip=\skip42 24 | \bibindent=\dimen102 25 | ) (/usr/share/texlive/texmf-dist/tex/latex/graphics/color.sty 26 | Package: color 2016/07/10 v1.1e Standard LaTeX Color (DPC) 27 | (/usr/share/texlive/texmf-dist/tex/latex/graphics-cfg/color.cfg 28 | File: color.cfg 2016/01/02 v1.6 sample color configuration 29 | ) 30 | Package color Info: Driver file: pdftex.def on input line 147. 31 | (/usr/share/texlive/texmf-dist/tex/latex/graphics-def/pdftex.def 32 | File: pdftex.def 2018/01/08 v1.0l Graphics/color driver for pdftex 33 | )) (/usr/share/texlive/texmf-dist/tex/latex/base/latexsym.sty 34 | Package: latexsym 1998/08/17 v2.2e Standard LaTeX package (lasy symbols) 35 | \symlasy=\mathgroup4 36 | LaTeX Font Info: Overwriting symbol font `lasy' in version `bold' 37 | (Font) U/lasy/m/n --> U/lasy/b/n on input line 52. 
38 | ) (/usr/share/texlive/texmf-dist/tex/latex/base/ifthen.sty 39 | Package: ifthen 2014/09/29 v1.1c Standard LaTeX ifthen package (DPC) 40 | ) 41 | \symlength=\skip43 42 | \equalswidth=\skip44 43 | \charwidth=\skip45 44 | \boxrulewd=\skip46 45 | \boxlineht=\skip47 46 | \boxruleht=\skip48 47 | \boxruledp=\skip49 48 | \pcalvspace=\skip50 49 | \lcomindent=\skip51 50 | \@xlen=\skip52 51 | \templena=\skip53 52 | \templenb=\skip54 53 | \tempboxa=\box27 54 | \vshadelen=\skip55 55 | \boxwidth=\skip56 56 | \multicommentdepth=\skip57 57 | \c@pardepth=\count88 58 | \tempsbox=\box28 59 | \@cparht=\skip58 60 | \@cpardp=\skip59 61 | \xmcomlen=\skip60 62 | \spacewidth=\skip61 63 | \alignboxwidth=\skip62 64 | \alignwidth=\skip63 65 | \alignbox=\box29 66 | \symtlaitalics=\mathgroup5 67 | \c@tlx@ctr=\count89 68 | (/usr/share/texlive/texmf-dist/tex/latex/tools/verbatim.sty 69 | Package: verbatim 2014/10/28 v1.5q LaTeX2e package for verbatim enhancements 70 | \every@verbatim=\toks14 71 | \verbatim@line=\toks15 72 | \verbatim@in@stream=\read1 73 | ) (./GCD.aux) 74 | \openout1 = `GCD.aux'. 75 | 76 | LaTeX Font Info: Checking defaults for OML/cmm/m/it on input line 939. 77 | LaTeX Font Info: ... okay on input line 939. 78 | LaTeX Font Info: Checking defaults for T1/cmr/m/n on input line 939. 79 | LaTeX Font Info: ... okay on input line 939. 80 | LaTeX Font Info: Checking defaults for OT1/cmr/m/n on input line 939. 81 | LaTeX Font Info: ... okay on input line 939. 82 | LaTeX Font Info: Checking defaults for OMS/cmsy/m/n on input line 939. 83 | LaTeX Font Info: ... okay on input line 939. 84 | LaTeX Font Info: Checking defaults for OMX/cmex/m/n on input line 939. 85 | LaTeX Font Info: ... okay on input line 939. 86 | LaTeX Font Info: Checking defaults for U/cmr/m/n on input line 939. 87 | LaTeX Font Info: ... okay on input line 939. 88 | (/usr/share/texlive/texmf-dist/tex/context/base/mkii/supp-pdf.mkii 89 | [Loading MPS to PDF converter (version 2006.09.02).] 
90 | \scratchcounter=\count90 91 | \scratchdimen=\dimen103 92 | \scratchbox=\box30 93 | \nofMPsegments=\count91 94 | \nofMParguments=\count92 95 | \everyMPshowfont=\toks16 96 | \MPscratchCnt=\count93 97 | \MPscratchDim=\dimen104 98 | \MPnumerator=\count94 99 | \makeMPintoPDFobject=\count95 100 | \everyMPtoPDFconversion=\toks17 101 | ) 102 | LaTeX Font Info: External font `cmex10' loaded for size 103 | (Font) <7> on input line 942. 104 | LaTeX Font Info: External font `cmex10' loaded for size 105 | (Font) <5> on input line 942. 106 | LaTeX Font Info: Try loading font information for U+lasy on input line 942. 107 | (/usr/share/texlive/texmf-dist/tex/latex/base/ulasy.fd 108 | File: ulasy.fd 1998/08/17 v2.2e LaTeX symbol font definitions 109 | ) 110 | Overfull \hbox (24.06306pt too wide) in paragraph at lines 965--966 111 | [][] 112 | [] 113 | 114 | [1 115 | 116 | {/var/lib/texmf/fonts/map/pdftex/updmap/pdftex.map}] (./GCD.aux) ) 117 | Here is how much of TeX's memory you used: 118 | 1039 strings out of 492614 119 | 12217 string characters out of 6131384 120 | 77164 words of memory out of 5000000 121 | 5002 multiletter control sequences out of 15000+600000 122 | 5769 words of font info for 23 fonts, out of 8000000 for 9000 123 | 1141 hyphenation exceptions out of 8191 124 | 23i,10n,20p,217b,113s stack positions out of 5000i,500n,10000p,200000b,80000s 125 | 133 | Output written on GCD.pdf (1 page, 68933 bytes). 134 | PDF statistics: 135 | 36 PDF objects out of 1000 (max. 8388607) 136 | 25 compressed objects within 1 object stream 137 | 0 named destinations out of 1000 (max. 500000) 138 | 1 words of extra memory for PDF output out of 10000 (max. 
10000000) 139 | 140 | -------------------------------------------------------------------------------- /Euclid/Euclid-Hyperbook/GCD.toolbox/GCD.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Euclid/Euclid-Hyperbook/GCD.toolbox/GCD.pdf -------------------------------------------------------------------------------- /Euclid/Euclid-TLAPS-Example/Euclid.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Euclid/Euclid-TLAPS-Example/Euclid.pdf -------------------------------------------------------------------------------- /Euclid/Euclid-TLAPS-Example/Euclid.tla: -------------------------------------------------------------------------------- 1 | -------------------- MODULE Euclid -------------------- 2 | EXTENDS Integers, TLAPS 3 | ------------------------------------------------------- 4 | p | q == \E d \in 1..q : q = p * d 5 | Divisors(q) == {d \in 1..q : d | q} 6 | Maximum(S) == CHOOSE x \in S : \A y \in S : x \geq y 7 | GCD(p,q) == Maximum(Divisors(p) \cap Divisors(q)) 8 | Number == Nat \ {0} 9 | ------------------------------------------------------- 10 | CONSTANTS M, N 11 | VARIABLES x, y 12 | 13 | ASSUME NumberAssumption == M \in Number /\ N \in Number 14 | ------------------------------------------------------- 15 | Init == (x = M) /\ (y = N) 16 | 17 | Next == \/ /\ x < y 18 | /\ y' = y - x 19 | /\ x' = x 20 | \/ /\ y < x 21 | /\ x' = x-y 22 | /\ y' = y 23 | 24 | Spec == Init /\ [][Next]_<> 25 | ------------------------------------------------------- 26 | ResultCorrect == (x = y) => x = GCD(M, N) 27 | 28 | InductiveInvariant == 29 | /\ x \in Number 30 | /\ y \in Number 31 | /\ GCD(x, y) = GCD(M, N) 32 | ------------------------------------------------------- 33 | USE DEF Number 34 | 35 | THEOREM 
InitProperty == Init => InductiveInvariant 36 | BY NumberAssumption DEF Init, InductiveInvariant 37 | ------------------------------------------------------- 38 | AXIOM GCDProperty1 == \A p \in Number : GCD(p, p) = p 39 | AXIOM GCDProperty2 == \A p, q \in Number : GCD(p, q) = GCD(q, p) 40 | AXIOM GCDProperty3 == \A p, q \in Number : (p < q) => GCD(p, q) = GCD(p, q-p) 41 | ------------------------------------------------------- 42 | THEOREM NextProperty == InductiveInvariant /\ Next => InductiveInvariant' 43 | <1> SUFFICES ASSUME InductiveInvariant, Next 44 | PROVE InductiveInvariant' 45 | OBVIOUS 46 | <1> USE DEF InductiveInvariant, Next 47 | <1>1. (x < y) \/ (y < x) 48 | OBVIOUS 49 | <1>a. CASE x < y 50 | <2>1. (y - x \in Number) /\ ~(y < x) 51 | BY <1>a, SMT DEF Number 52 | <2>2. QED 53 | BY <1>a, <2>1, GCDProperty3 54 | <1>b. CASE y < x 55 | <2>1. (x - y \in Number) /\ ~(x < y) 56 | BY <1>b, SMT DEF Number 57 | <2>2. GCD(y', x') = GCD(y, x) 58 | BY <1>b, <2>1, GCDProperty3 59 | <2>4. 
QED 60 | BY <1>b, <2>1, <2>2, GCDProperty2 61 | <1> QED 62 | BY <1>1, <1>a, <1>b 63 | ------------------------------------------------------- 64 | THEOREM Correctness == Spec => []ResultCorrect 65 | <1>1 InductiveInvariant /\ UNCHANGED <> => InductiveInvariant' 66 | BY DEF InductiveInvariant 67 | <1>2 Spec => []InductiveInvariant 68 | BY PTL, InitProperty, NextProperty, <1>1 DEF Spec 69 | <1>3 InductiveInvariant => ResultCorrect 70 | BY GCDProperty1 DEF InductiveInvariant, ResultCorrect 71 | <1> QED 72 | BY PTL, <1>2, <1>3 73 | ======================================================= -------------------------------------------------------------------------------- /Euclid/Euclid-TLAPS-Example/Euclid.tlaps/Euclid.thy: -------------------------------------------------------------------------------- 1 | (* automatically generated -- do not edit manually *) 2 | theory Euclid imports Constant Zenon begin 3 | ML_command {* writeln ("*** TLAPS PARSED\n"); *} 4 | consts 5 | "isReal" :: c 6 | "isa_slas_a" :: "[c,c] => c" 7 | "isa_bksl_diva" :: "[c,c] => c" 8 | "isa_perc_a" :: "[c,c] => c" 9 | "isa_peri_peri_a" :: "[c,c] => c" 10 | "isInfinity" :: c 11 | "isa_lbrk_rbrk_a" :: "[c] => c" 12 | "isa_less_more_a" :: "[c] => c" 13 | 14 | end 15 | -------------------------------------------------------------------------------- /Euclid/Euclid-TLAPS-Example/Euclid.tlaps/fingerprints: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Euclid/Euclid-TLAPS-Example/Euclid.tlaps/fingerprints -------------------------------------------------------------------------------- /Euclid/Euclid-TLAPS-Example/Euclid.tlaps/fingerprints.history/2019-07-16_10_54_20/Euclid.tla: -------------------------------------------------------------------------------- 1 | -------------------- MODULE Euclid -------------------- 2 | EXTENDS Integers, TLAPS 3 | 
------------------------------------------------------- 4 | p | q == \E d \in 1..q : q = p * d 5 | Divisors(q) == {d \in 1..q : d | q} 6 | Maximum(S) == CHOOSE x \in S : \A y \in S : x \geq y 7 | GCD(p,q) == Maximum(Divisors(p) \cap Divisors(q)) 8 | Number == Nat \ {0} 9 | ------------------------------------------------------- 10 | CONSTANTS M, N 11 | VARIABLES x, y 12 | 13 | ASSUME NumberAssumption == M \in Number /\ N \in Number 14 | ------------------------------------------------------- 15 | Init == (x = M) /\ (y = N) 16 | 17 | Next == \/ /\ x < y 18 | /\ y' = y - x 19 | /\ x' = x 20 | \/ /\ y < x 21 | /\ x' = x-y 22 | /\ y' = y 23 | 24 | Spec == Init /\ [][Next]_<> 25 | ------------------------------------------------------- 26 | ResultCorrect == (x = y) => x = GCD(M, N) 27 | 28 | InductiveInvariant == 29 | /\ x \in Number 30 | /\ y \in Number 31 | /\ GCD(x, y) = GCD(M, N) 32 | ------------------------------------------------------- 33 | USE DEF Number 34 | 35 | THEOREM InitProperty == Init => InductiveInvariant 36 | BY NumberAssumption DEF Init, InductiveInvariant 37 | ------------------------------------------------------- 38 | AXIOM GCDProperty1 == \A p \in Number : GCD(p, p) = p 39 | AXIOM GCDProperty2 == \A p, q \in Number : GCD(p, q) = GCD(q, p) 40 | AXIOM GCDProperty3 == \A p, q \in Number : (p < q) => GCD(p, q) = GCD(p, q-p) 41 | ------------------------------------------------------- 42 | THEOREM NextProperty == InductiveInvariant /\ Next => InductiveInvariant' 43 | <1> SUFFICES ASSUME InductiveInvariant, Next 44 | PROVE InductiveInvariant' 45 | OBVIOUS 46 | <1> USE DEF InductiveInvariant, Next 47 | <1>1. (x < y) \/ (y < x) 48 | OBVIOUS 49 | <1>a. CASE x < y 50 | <2>1. (y - x \in Number) /\ ~(y < x) 51 | BY <1>a, SMT DEF Number 52 | <2>2. QED 53 | BY <1>a, <2>1, GCDProperty3 54 | <1>b. CASE y < x 55 | <2>1. (x - y \in Number) /\ ~(x < y) 56 | BY <1>b, SMT DEF Number 57 | <2>2. GCD(y', x') = GCD(y, x) 58 | BY <1>b, <2>1, GCDProperty3 59 | <2>4. 
QED 60 | BY <1>b, <2>1, <2>2, GCDProperty2 61 | <1> QED 62 | BY <1>1, <1>a, <1>b 63 | ------------------------------------------------------- 64 | THEOREM Correctness == Spec => []ResultCorrect 65 | <1>1 InductiveInvariant /\ UNCHANGED <> => InductiveInvariant' 66 | BY DEF InductiveInvariant 67 | <1>2 Spec => []InductiveInvariant 68 | BY PTL, InitProperty, NextProperty, <1>1 DEF Spec 69 | <1>3 InductiveInvariant => ResultCorrect 70 | BY GCDProperty1 DEF InductiveInvariant, ResultCorrect 71 | <1> QED 72 | BY PTL, <1>2, <1>3 73 | ======================================================= -------------------------------------------------------------------------------- /Euclid/Euclid-TLAPS-Example/Euclid.toolbox/.project: -------------------------------------------------------------------------------- 1 | 2 | 3 | Euclid 4 | 5 | 6 | 7 | 8 | 9 | toolbox.builder.TLAParserBuilder 10 | 11 | 12 | 13 | 14 | 15 | toolbox.natures.TLANature 16 | 17 | 18 | 19 | Euclid.tla 20 | 1 21 | PARENT-1-PROJECT_LOC/Euclid.tla 22 | 23 | 24 | TLAPS.tla 25 | 1 26 | /usr/local/lib/tlaps/TLAPS.tla 27 | 28 | 29 | 30 | -------------------------------------------------------------------------------- /Euclid/Euclid-TLAPS-Example/Euclid.toolbox/.settings/org.lamport.tla.toolbox.prefs: -------------------------------------------------------------------------------- 1 | ProjectRootFile=PARENT-1-PROJECT_LOC/Euclid.tla 2 | eclipse.preferences.version=1 3 | -------------------------------------------------------------------------------- /Euclid/Euclid-TLAPS-Example/Euclid.toolbox/Euclid.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Euclid/Euclid-TLAPS-Example/Euclid.toolbox/Euclid.pdf -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 
3 | Copyright (c) 2019 hengxin(Hengfeng Wei) 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | 2 | 3 | default: 4 | : This makefile only supports 'make clean'. 5 | 6 | clean: 7 | find . 
-name '*.tlaps' -o -name '*.toolbox' | xargs rm -rf 8 | -------------------------------------------------------------------------------- /Paxos/Consensus.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Paxos/Consensus.pdf -------------------------------------------------------------------------------- /Paxos/Consensus.tla: -------------------------------------------------------------------------------- 1 | ----------------------------- MODULE Consensus ----------------------------- 2 | (***************************************************************************) 3 | (* This is a trivial specification of consensus. It asserts that the *) 4 | (* variable `chosen', which represents the set of values that someone *) 5 | (* might think has been chosen is initially empty and can be changed only *) 6 | (* by adding a single element to it. *) 7 | (***************************************************************************) 8 | EXTENDS Naturals, FiniteSets, TLAPS 9 | ----------------------------------------------------------------------------- 10 | CONSTANTS Values \* the set of all values that can be chosen 11 | 12 | VARIABLES chosen \* the set of all values that have been chosen 13 | 14 | TypeOK == 15 | /\ chosen \subseteq Values 16 | /\ IsFiniteSet(chosen) 17 | ----------------------------------------------------------------------------- 18 | Init == chosen = {} 19 | 20 | Next == /\ chosen = {} 21 | /\ \E v \in Values : chosen' = {v} 22 | 23 | Spec == Init /\ [][Next]_chosen 24 | ----------------------------------------------------------------------------- 25 | Inv == Cardinality(chosen) <= 1 26 | \* /\ TypeOK 27 | \* /\ Cardinality(chosen) <= 1 28 | 29 | THEOREM Spec => []Inv 30 | <1>1. 
Init => Inv 31 | BY DEF Init, Inv 32 | (* 33 | <2> SUFFICES ASSUME Init 34 | PROVE Inv 35 | OBVIOUS 36 | <2> QED 37 | BY DEF Init, Inv 38 | *) 39 | 40 | <1>2. Inv /\ [Next]_chosen => Inv' 41 | <2> SUFFICES ASSUME Inv, 42 | [Next]_chosen 43 | PROVE Inv' 44 | OBVIOUS 45 | <2>1. CASE Next 46 | BY <2>1 DEF Inv, Next 47 | <2>2. CASE UNCHANGED chosen 48 | BY <2>2 DEF Inv, Next 49 | <2>3. QED 50 | BY <2>1, <2>2 51 | 52 | <1>3. QED 53 | BY <1>1, <1>2, PTL DEF Spec 54 | ============================================================================= 55 | \* Modification History 56 | \* Last modified Tue Jul 16 13:47:23 CST 2019 by hengxin 57 | \* Last modified Tue Jul 16 11:26:27 CST 2019 by hengxin 58 | \* Last modified Wed Nov 21 11:35:33 PST 2012 by lamport 59 | \* Created Mon Nov 19 15:19:09 PST 2012 by lamport 60 | -------------------------------------------------------------------------------- /Paxos/Consensus.tlaps/Consensus.thy: -------------------------------------------------------------------------------- 1 | (* automatically generated -- do not edit manually *) 2 | theory Consensus imports Constant Zenon begin 3 | ML_command {* writeln ("*** TLAPS PARSED\n"); *} 4 | consts 5 | "isReal" :: c 6 | "isa_slas_a" :: "[c,c] => c" 7 | "isa_bksl_diva" :: "[c,c] => c" 8 | "isa_perc_a" :: "[c,c] => c" 9 | "isa_peri_peri_a" :: "[c,c] => c" 10 | "isInfinity" :: c 11 | "isa_lbrk_rbrk_a" :: "[c] => c" 12 | "isa_less_more_a" :: "[c] => c" 13 | 14 | end 15 | -------------------------------------------------------------------------------- /Paxos/Consensus.tlaps/fingerprints: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Paxos/Consensus.tlaps/fingerprints -------------------------------------------------------------------------------- /Paxos/Consensus.tlaps/fingerprints.history/2019-07-16_11_46_33/Consensus.tla: 
-------------------------------------------------------------------------------- 1 | ----------------------------- MODULE Consensus ----------------------------- 2 | (***************************************************************************) 3 | (* This is a trivial specification of consensus. It asserts that the *) 4 | (* variable `chosen', which represents the set of values that someone *) 5 | (* might think has been chosen is initially empty and can be changed only *) 6 | (* by adding a single element to it. *) 7 | (***************************************************************************) 8 | EXTENDS Naturals, FiniteSets, TLAPS 9 | ----------------------------------------------------------------------------- 10 | CONSTANTS Values \* the set of all values that can be chosen 11 | 12 | VARIABLES chosen \* the set of all values that have been chosen 13 | 14 | TypeOK == 15 | /\ chosen \subseteq Values 16 | /\ IsFiniteSet(chosen) 17 | ----------------------------------------------------------------------------- 18 | Init == chosen = {} 19 | 20 | Next == /\ chosen = {} 21 | /\ \E v \in Values : chosen' = {v} 22 | 23 | Spec == Init /\ [][Next]_chosen 24 | ----------------------------------------------------------------------------- 25 | Inv == Cardinality(chosen) <= 1 26 | \* /\ TypeOK 27 | \* /\ Cardinality(chosen) <= 1 28 | 29 | THEOREM Spec => []Inv 30 | <1>1. Init => Inv 31 | BY DEF Init, Inv 32 | (* 33 | <2> SUFFICES ASSUME Init 34 | PROVE Inv 35 | OBVIOUS 36 | <2> QED 37 | BY DEF Init, Inv 38 | *) 39 | 40 | <1>2. Inv /\ [Next]_chosen => Inv' 41 | <1>3. 
QED 42 | BY <1>1, <1>2, PTL DEF Spec 43 | ============================================================================= 44 | \* Modification History 45 | \* Last modified Tue Jul 16 11:46:28 CST 2019 by hengxin 46 | \* Last modified Tue Jul 16 11:26:27 CST 2019 by hengxin 47 | \* Last modified Wed Nov 21 11:35:33 PST 2012 by lamport 48 | \* Created Mon Nov 19 15:19:09 PST 2012 by lamport 49 | -------------------------------------------------------------------------------- /Paxos/Consensus.tlaps/fingerprints.history/2019-07-16_11_46_33/fingerprints: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Paxos/Consensus.tlaps/fingerprints.history/2019-07-16_11_46_33/fingerprints -------------------------------------------------------------------------------- /Paxos/Consensus.tlaps/fingerprints.history/2019-07-16_11_47_00/Consensus.tla: -------------------------------------------------------------------------------- 1 | ----------------------------- MODULE Consensus ----------------------------- 2 | (***************************************************************************) 3 | (* This is a trivial specification of consensus. It asserts that the *) 4 | (* variable `chosen', which represents the set of values that someone *) 5 | (* might think has been chosen is initially empty and can be changed only *) 6 | (* by adding a single element to it. 
*) 7 | (***************************************************************************) 8 | EXTENDS Naturals, FiniteSets, TLAPS 9 | ----------------------------------------------------------------------------- 10 | CONSTANTS Values \* the set of all values that can be chosen 11 | 12 | VARIABLES chosen \* the set of all values that have been chosen 13 | 14 | TypeOK == 15 | /\ chosen \subseteq Values 16 | /\ IsFiniteSet(chosen) 17 | ----------------------------------------------------------------------------- 18 | Init == chosen = {} 19 | 20 | Next == /\ chosen = {} 21 | /\ \E v \in Values : chosen' = {v} 22 | 23 | Spec == Init /\ [][Next]_chosen 24 | ----------------------------------------------------------------------------- 25 | Inv == Cardinality(chosen) <= 1 26 | \* /\ TypeOK 27 | \* /\ Cardinality(chosen) <= 1 28 | 29 | THEOREM Spec => []Inv 30 | <1>1. Init => Inv 31 | BY Z3 DEF Init, Inv 32 | (* 33 | <2> SUFFICES ASSUME Init 34 | PROVE Inv 35 | OBVIOUS 36 | <2> QED 37 | BY DEF Init, Inv 38 | *) 39 | 40 | <1>2. Inv /\ [Next]_chosen => Inv' 41 | <1>3. 
QED 42 | BY <1>1, <1>2, PTL DEF Spec 43 | ============================================================================= 44 | \* Modification History 45 | \* Last modified Tue Jul 16 11:46:55 CST 2019 by hengxin 46 | \* Last modified Tue Jul 16 11:26:27 CST 2019 by hengxin 47 | \* Last modified Wed Nov 21 11:35:33 PST 2012 by lamport 48 | \* Created Mon Nov 19 15:19:09 PST 2012 by lamport 49 | -------------------------------------------------------------------------------- /Paxos/Consensus.tlaps/fingerprints.history/2019-07-16_11_47_00/fingerprints: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Paxos/Consensus.tlaps/fingerprints.history/2019-07-16_11_47_00/fingerprints -------------------------------------------------------------------------------- /Paxos/Consensus.tlaps/fingerprints.history/2019-07-16_11_47_27/Consensus.tla: -------------------------------------------------------------------------------- 1 | ----------------------------- MODULE Consensus ----------------------------- 2 | (***************************************************************************) 3 | (* This is a trivial specification of consensus. It asserts that the *) 4 | (* variable `chosen', which represents the set of values that someone *) 5 | (* might think has been chosen is initially empty and can be changed only *) 6 | (* by adding a single element to it. 
*) 7 | (***************************************************************************) 8 | EXTENDS Naturals, FiniteSets, TLAPS 9 | ----------------------------------------------------------------------------- 10 | CONSTANTS Values \* the set of all values that can be chosen 11 | 12 | VARIABLES chosen \* the set of all values that have been chosen 13 | 14 | TypeOK == 15 | /\ chosen \subseteq Values 16 | /\ IsFiniteSet(chosen) 17 | ----------------------------------------------------------------------------- 18 | Init == chosen = {} 19 | 20 | Next == /\ chosen = {} 21 | /\ \E v \in Values : chosen' = {v} 22 | 23 | Spec == Init /\ [][Next]_chosen 24 | ----------------------------------------------------------------------------- 25 | Inv == Cardinality(chosen) <= 1 26 | \* /\ TypeOK 27 | \* /\ Cardinality(chosen) <= 1 28 | 29 | THEOREM Spec => []Inv 30 | <1>1. Init => Inv 31 | BY DEF Init, Inv, Cardinality 32 | (* 33 | <2> SUFFICES ASSUME Init 34 | PROVE Inv 35 | OBVIOUS 36 | <2> QED 37 | BY DEF Init, Inv 38 | *) 39 | 40 | <1>2. Inv /\ [Next]_chosen => Inv' 41 | <1>3. 
QED 42 | BY <1>1, <1>2, PTL DEF Spec 43 | ============================================================================= 44 | \* Modification History 45 | \* Last modified Tue Jul 16 11:47:22 CST 2019 by hengxin 46 | \* Last modified Tue Jul 16 11:26:27 CST 2019 by hengxin 47 | \* Last modified Wed Nov 21 11:35:33 PST 2012 by lamport 48 | \* Created Mon Nov 19 15:19:09 PST 2012 by lamport 49 | -------------------------------------------------------------------------------- /Paxos/Consensus.tlaps/fingerprints.history/2019-07-16_11_47_27/fingerprints: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Paxos/Consensus.tlaps/fingerprints.history/2019-07-16_11_47_27/fingerprints -------------------------------------------------------------------------------- /Paxos/Consensus.tlaps/fingerprints.history/2019-07-16_11_48_21/Consensus.tla: -------------------------------------------------------------------------------- 1 | ----------------------------- MODULE Consensus ----------------------------- 2 | (***************************************************************************) 3 | (* This is a trivial specification of consensus. It asserts that the *) 4 | (* variable `chosen', which represents the set of values that someone *) 5 | (* might think has been chosen is initially empty and can be changed only *) 6 | (* by adding a single element to it. 
*) 7 | (***************************************************************************) 8 | EXTENDS Naturals, FiniteSets, TLAPS 9 | ----------------------------------------------------------------------------- 10 | CONSTANTS Values \* the set of all values that can be chosen 11 | 12 | VARIABLES chosen \* the set of all values that have been chosen 13 | 14 | TypeOK == 15 | /\ chosen \subseteq Values 16 | /\ IsFiniteSet(chosen) 17 | ----------------------------------------------------------------------------- 18 | Init == chosen = {} 19 | 20 | Next == /\ chosen = {} 21 | /\ \E v \in Values : chosen' = {v} 22 | 23 | Spec == Init /\ [][Next]_chosen 24 | ----------------------------------------------------------------------------- 25 | Inv == Cardinality(chosen) <= 1 26 | \* /\ TypeOK 27 | \* /\ Cardinality(chosen) <= 1 28 | 29 | THEOREM Spec => []Inv 30 | <1>1. Init => Inv 31 | BY DEF Init, Inv 32 | (* 33 | <2> SUFFICES ASSUME Init 34 | PROVE Inv 35 | OBVIOUS 36 | <2> QED 37 | BY DEF Init, Inv 38 | *) 39 | 40 | <1>2. Inv /\ [Next]_chosen => Inv' 41 | <1>3. 
QED 42 | BY <1>1, <1>2, PTL DEF Spec 43 | ============================================================================= 44 | \* Modification History 45 | \* Last modified Tue Jul 16 11:48:17 CST 2019 by hengxin 46 | \* Last modified Tue Jul 16 11:26:27 CST 2019 by hengxin 47 | \* Last modified Wed Nov 21 11:35:33 PST 2012 by lamport 48 | \* Created Mon Nov 19 15:19:09 PST 2012 by lamport 49 | -------------------------------------------------------------------------------- /Paxos/Consensus.tlaps/fingerprints.history/2019-07-16_11_48_21/fingerprints: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Paxos/Consensus.tlaps/fingerprints.history/2019-07-16_11_48_21/fingerprints -------------------------------------------------------------------------------- /Paxos/Consensus.tlaps/fingerprints.history/2019-07-16_13_46_50/Consensus.tla: -------------------------------------------------------------------------------- 1 | ----------------------------- MODULE Consensus ----------------------------- 2 | (***************************************************************************) 3 | (* This is a trivial specification of consensus. It asserts that the *) 4 | (* variable `chosen', which represents the set of values that someone *) 5 | (* might think has been chosen is initially empty and can be changed only *) 6 | (* by adding a single element to it. 
*) 7 | (***************************************************************************) 8 | EXTENDS Naturals, FiniteSets, TLAPS 9 | ----------------------------------------------------------------------------- 10 | CONSTANTS Values \* the set of all values that can be chosen 11 | 12 | VARIABLES chosen \* the set of all values that have been chosen 13 | 14 | TypeOK == 15 | /\ chosen \subseteq Values 16 | /\ IsFiniteSet(chosen) 17 | ----------------------------------------------------------------------------- 18 | Init == chosen = {} 19 | 20 | Next == /\ chosen = {} 21 | /\ \E v \in Values : chosen' = {v} 22 | 23 | Spec == Init /\ [][Next]_chosen 24 | ----------------------------------------------------------------------------- 25 | Inv == Cardinality(chosen) <= 1 26 | \* /\ TypeOK 27 | \* /\ Cardinality(chosen) <= 1 28 | 29 | THEOREM Spec => []Inv 30 | <1>1. Init => Inv 31 | BY DEF Init, Inv 32 | (* 33 | <2> SUFFICES ASSUME Init 34 | PROVE Inv 35 | OBVIOUS 36 | <2> QED 37 | BY DEF Init, Inv 38 | *) 39 | 40 | <1>2. Inv /\ [Next]_chosen => Inv' 41 | BY DEF Inv, Next 42 | <1>3. 
QED 43 | BY <1>1, <1>2, PTL DEF Spec 44 | ============================================================================= 45 | \* Modification History 46 | \* Last modified Tue Jul 16 13:46:45 CST 2019 by hengxin 47 | \* Last modified Tue Jul 16 11:26:27 CST 2019 by hengxin 48 | \* Last modified Wed Nov 21 11:35:33 PST 2012 by lamport 49 | \* Created Mon Nov 19 15:19:09 PST 2012 by lamport 50 | -------------------------------------------------------------------------------- /Paxos/Consensus.tlaps/fingerprints.history/2019-07-16_13_46_50/fingerprints: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Paxos/Consensus.tlaps/fingerprints.history/2019-07-16_13_46_50/fingerprints -------------------------------------------------------------------------------- /Paxos/Consensus.tlaps/fingerprints.history/2019-07-16_13_47_27/Consensus.tla: -------------------------------------------------------------------------------- 1 | ----------------------------- MODULE Consensus ----------------------------- 2 | (***************************************************************************) 3 | (* This is a trivial specification of consensus. It asserts that the *) 4 | (* variable `chosen', which represents the set of values that someone *) 5 | (* might think has been chosen is initially empty and can be changed only *) 6 | (* by adding a single element to it. 
*) 7 | (***************************************************************************) 8 | EXTENDS Naturals, FiniteSets, TLAPS 9 | ----------------------------------------------------------------------------- 10 | CONSTANTS Values \* the set of all values that can be chosen 11 | 12 | VARIABLES chosen \* the set of all values that have been chosen 13 | 14 | TypeOK == 15 | /\ chosen \subseteq Values 16 | /\ IsFiniteSet(chosen) 17 | ----------------------------------------------------------------------------- 18 | Init == chosen = {} 19 | 20 | Next == /\ chosen = {} 21 | /\ \E v \in Values : chosen' = {v} 22 | 23 | Spec == Init /\ [][Next]_chosen 24 | ----------------------------------------------------------------------------- 25 | Inv == Cardinality(chosen) <= 1 26 | \* /\ TypeOK 27 | \* /\ Cardinality(chosen) <= 1 28 | 29 | THEOREM Spec => []Inv 30 | <1>1. Init => Inv 31 | BY DEF Init, Inv 32 | (* 33 | <2> SUFFICES ASSUME Init 34 | PROVE Inv 35 | OBVIOUS 36 | <2> QED 37 | BY DEF Init, Inv 38 | *) 39 | 40 | <1>2. Inv /\ [Next]_chosen => Inv' 41 | <2> SUFFICES ASSUME Inv, 42 | [Next]_chosen 43 | PROVE Inv' 44 | OBVIOUS 45 | <2>1. CASE Next 46 | BY <2>1 DEF Inv, Next 47 | <2>2. CASE UNCHANGED chosen 48 | BY <2>2 DEF Inv, Next 49 | <2>3. QED 50 | BY <2>1, <2>2 51 | 52 | <1>3. 
QED 53 | BY <1>1, <1>2, PTL DEF Spec 54 | ============================================================================= 55 | \* Modification History 56 | \* Last modified Tue Jul 16 13:47:23 CST 2019 by hengxin 57 | \* Last modified Tue Jul 16 11:26:27 CST 2019 by hengxin 58 | \* Last modified Wed Nov 21 11:35:33 PST 2012 by lamport 59 | \* Created Mon Nov 19 15:19:09 PST 2012 by lamport 60 | -------------------------------------------------------------------------------- /Paxos/Consensus.tlaps/fingerprints.history/2019-07-16_13_47_27/fingerprints: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Paxos/Consensus.tlaps/fingerprints.history/2019-07-16_13_47_27/fingerprints -------------------------------------------------------------------------------- /Paxos/Consensus.tlaps/fingerprints.history/2019-07-16_13_48_05/Consensus.tla: -------------------------------------------------------------------------------- 1 | ----------------------------- MODULE Consensus ----------------------------- 2 | (***************************************************************************) 3 | (* This is a trivial specification of consensus. It asserts that the *) 4 | (* variable `chosen', which represents the set of values that someone *) 5 | (* might think has been chosen is initially empty and can be changed only *) 6 | (* by adding a single element to it. 
*) 7 | (***************************************************************************) 8 | EXTENDS Naturals, FiniteSets, TLAPS 9 | ----------------------------------------------------------------------------- 10 | CONSTANTS Values \* the set of all values that can be chosen 11 | 12 | VARIABLES chosen \* the set of all values that have been chosen 13 | 14 | TypeOK == 15 | /\ chosen \subseteq Values 16 | /\ IsFiniteSet(chosen) 17 | ----------------------------------------------------------------------------- 18 | Init == chosen = {} 19 | 20 | Next == /\ chosen = {} 21 | /\ \E v \in Values : chosen' = {v} 22 | 23 | Spec == Init /\ [][Next]_chosen 24 | ----------------------------------------------------------------------------- 25 | Inv == Cardinality(chosen) <= 1 26 | \* /\ TypeOK 27 | \* /\ Cardinality(chosen) <= 1 28 | 29 | THEOREM Spec => []Inv 30 | <1>1. Init => Inv 31 | BY DEF Init, Inv 32 | (* 33 | <2> SUFFICES ASSUME Init 34 | PROVE Inv 35 | OBVIOUS 36 | <2> QED 37 | BY DEF Init, Inv 38 | *) 39 | 40 | <1>2. Inv /\ [Next]_chosen => Inv' 41 | <2> SUFFICES ASSUME Inv, 42 | [Next]_chosen 43 | PROVE Inv' 44 | OBVIOUS 45 | <2>1. CASE Next 46 | BY <2>1 DEF Inv, Next 47 | <2>2. CASE UNCHANGED chosen 48 | BY <2>2 DEF Inv, Next 49 | <2>3. QED 50 | BY <2>1, <2>2 51 | 52 | <1>3. 
QED 53 | BY <1>1, <1>2, PTL DEF Spec 54 | ============================================================================= 55 | \* Modification History 56 | \* Last modified Tue Jul 16 13:47:23 CST 2019 by hengxin 57 | \* Last modified Tue Jul 16 11:26:27 CST 2019 by hengxin 58 | \* Last modified Wed Nov 21 11:35:33 PST 2012 by lamport 59 | \* Created Mon Nov 19 15:19:09 PST 2012 by lamport 60 | -------------------------------------------------------------------------------- /Paxos/Consensus.tlaps/fingerprints.history/2019-07-16_13_48_05/fingerprints: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Paxos/Consensus.tlaps/fingerprints.history/2019-07-16_13_48_05/fingerprints -------------------------------------------------------------------------------- /Paxos/Consensus.tlaps/fingerprints.history/2019-07-16_13_48_09/Consensus.tla: -------------------------------------------------------------------------------- 1 | ----------------------------- MODULE Consensus ----------------------------- 2 | (***************************************************************************) 3 | (* This is a trivial specification of consensus. It asserts that the *) 4 | (* variable `chosen', which represents the set of values that someone *) 5 | (* might think has been chosen is initially empty and can be changed only *) 6 | (* by adding a single element to it. 
*) 7 | (***************************************************************************) 8 | EXTENDS Naturals, FiniteSets, TLAPS 9 | ----------------------------------------------------------------------------- 10 | CONSTANTS Values \* the set of all values that can be chosen 11 | 12 | VARIABLES chosen \* the set of all values that have been chosen 13 | 14 | TypeOK == 15 | /\ chosen \subseteq Values 16 | /\ IsFiniteSet(chosen) 17 | ----------------------------------------------------------------------------- 18 | Init == chosen = {} 19 | 20 | Next == /\ chosen = {} 21 | /\ \E v \in Values : chosen' = {v} 22 | 23 | Spec == Init /\ [][Next]_chosen 24 | ----------------------------------------------------------------------------- 25 | Inv == Cardinality(chosen) <= 1 26 | \* /\ TypeOK 27 | \* /\ Cardinality(chosen) <= 1 28 | 29 | THEOREM Spec => []Inv 30 | <1>1. Init => Inv 31 | BY DEF Init, Inv 32 | (* 33 | <2> SUFFICES ASSUME Init 34 | PROVE Inv 35 | OBVIOUS 36 | <2> QED 37 | BY DEF Init, Inv 38 | *) 39 | 40 | <1>2. Inv /\ [Next]_chosen => Inv' 41 | <2> SUFFICES ASSUME Inv, 42 | [Next]_chosen 43 | PROVE Inv' 44 | OBVIOUS 45 | <2>1. CASE Next 46 | BY <2>1 DEF Inv, Next 47 | <2>2. CASE UNCHANGED chosen 48 | BY <2>2 DEF Inv, Next 49 | <2>3. QED 50 | BY <2>1, <2>2 51 | 52 | <1>3. 
QED 53 | BY <1>1, <1>2, PTL DEF Spec 54 | ============================================================================= 55 | \* Modification History 56 | \* Last modified Tue Jul 16 13:47:23 CST 2019 by hengxin 57 | \* Last modified Tue Jul 16 11:26:27 CST 2019 by hengxin 58 | \* Last modified Wed Nov 21 11:35:33 PST 2012 by lamport 59 | \* Created Mon Nov 19 15:19:09 PST 2012 by lamport 60 | -------------------------------------------------------------------------------- /Paxos/Consensus.tlaps/fingerprints.history/2019-07-16_13_48_09/fingerprints: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Paxos/Consensus.tlaps/fingerprints.history/2019-07-16_13_48_09/fingerprints -------------------------------------------------------------------------------- /Paxos/Consensus.tlaps/fingerprints.history/2019-07-16_13_48_13/Consensus.tla: -------------------------------------------------------------------------------- 1 | ----------------------------- MODULE Consensus ----------------------------- 2 | (***************************************************************************) 3 | (* This is a trivial specification of consensus. It asserts that the *) 4 | (* variable `chosen', which represents the set of values that someone *) 5 | (* might think has been chosen is initially empty and can be changed only *) 6 | (* by adding a single element to it. 
*) 7 | (***************************************************************************) 8 | EXTENDS Naturals, FiniteSets, TLAPS 9 | ----------------------------------------------------------------------------- 10 | CONSTANTS Values \* the set of all values that can be chosen 11 | 12 | VARIABLES chosen \* the set of all values that have been chosen 13 | 14 | TypeOK == 15 | /\ chosen \subseteq Values 16 | /\ IsFiniteSet(chosen) 17 | ----------------------------------------------------------------------------- 18 | Init == chosen = {} 19 | 20 | Next == /\ chosen = {} 21 | /\ \E v \in Values : chosen' = {v} 22 | 23 | Spec == Init /\ [][Next]_chosen 24 | ----------------------------------------------------------------------------- 25 | Inv == Cardinality(chosen) <= 1 26 | \* /\ TypeOK 27 | \* /\ Cardinality(chosen) <= 1 28 | 29 | THEOREM Spec => []Inv 30 | <1>1. Init => Inv 31 | BY DEF Init, Inv 32 | (* 33 | <2> SUFFICES ASSUME Init 34 | PROVE Inv 35 | OBVIOUS 36 | <2> QED 37 | BY DEF Init, Inv 38 | *) 39 | 40 | <1>2. Inv /\ [Next]_chosen => Inv' 41 | <2> SUFFICES ASSUME Inv, 42 | [Next]_chosen 43 | PROVE Inv' 44 | OBVIOUS 45 | <2>1. CASE Next 46 | BY <2>1 DEF Inv, Next 47 | <2>2. CASE UNCHANGED chosen 48 | BY <2>2 DEF Inv, Next 49 | <2>3. QED 50 | BY <2>1, <2>2 51 | 52 | <1>3. 
QED 53 | BY <1>1, <1>2, PTL DEF Spec 54 | ============================================================================= 55 | \* Modification History 56 | \* Last modified Tue Jul 16 13:47:23 CST 2019 by hengxin 57 | \* Last modified Tue Jul 16 11:26:27 CST 2019 by hengxin 58 | \* Last modified Wed Nov 21 11:35:33 PST 2012 by lamport 59 | \* Created Mon Nov 19 15:19:09 PST 2012 by lamport 60 | -------------------------------------------------------------------------------- /Paxos/Consensus.tlaps/fingerprints.history/2019-07-16_13_48_13/fingerprints: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Paxos/Consensus.tlaps/fingerprints.history/2019-07-16_13_48_13/fingerprints -------------------------------------------------------------------------------- /Paxos/Consensus.tlaps/fingerprints.history/2019-07-16_13_48_16/Consensus.tla: -------------------------------------------------------------------------------- 1 | ----------------------------- MODULE Consensus ----------------------------- 2 | (***************************************************************************) 3 | (* This is a trivial specification of consensus. It asserts that the *) 4 | (* variable `chosen', which represents the set of values that someone *) 5 | (* might think has been chosen is initially empty and can be changed only *) 6 | (* by adding a single element to it. 
*) 7 | (***************************************************************************) 8 | EXTENDS Naturals, FiniteSets, TLAPS 9 | ----------------------------------------------------------------------------- 10 | CONSTANTS Values \* the set of all values that can be chosen 11 | 12 | VARIABLES chosen \* the set of all values that have been chosen 13 | 14 | TypeOK == 15 | /\ chosen \subseteq Values 16 | /\ IsFiniteSet(chosen) 17 | ----------------------------------------------------------------------------- 18 | Init == chosen = {} 19 | 20 | Next == /\ chosen = {} 21 | /\ \E v \in Values : chosen' = {v} 22 | 23 | Spec == Init /\ [][Next]_chosen 24 | ----------------------------------------------------------------------------- 25 | Inv == Cardinality(chosen) <= 1 26 | \* /\ TypeOK 27 | \* /\ Cardinality(chosen) <= 1 28 | 29 | THEOREM Spec => []Inv 30 | <1>1. Init => Inv 31 | BY DEF Init, Inv 32 | (* 33 | <2> SUFFICES ASSUME Init 34 | PROVE Inv 35 | OBVIOUS 36 | <2> QED 37 | BY DEF Init, Inv 38 | *) 39 | 40 | <1>2. Inv /\ [Next]_chosen => Inv' 41 | <2> SUFFICES ASSUME Inv, 42 | [Next]_chosen 43 | PROVE Inv' 44 | OBVIOUS 45 | <2>1. CASE Next 46 | BY <2>1 DEF Inv, Next 47 | <2>2. CASE UNCHANGED chosen 48 | BY <2>2 DEF Inv, Next 49 | <2>3. QED 50 | BY <2>1, <2>2 51 | 52 | <1>3. 
QED 53 | BY <1>1, <1>2, PTL DEF Spec 54 | ============================================================================= 55 | \* Modification History 56 | \* Last modified Tue Jul 16 13:47:23 CST 2019 by hengxin 57 | \* Last modified Tue Jul 16 11:26:27 CST 2019 by hengxin 58 | \* Last modified Wed Nov 21 11:35:33 PST 2012 by lamport 59 | \* Created Mon Nov 19 15:19:09 PST 2012 by lamport 60 | -------------------------------------------------------------------------------- /Paxos/Consensus.tlaps/fingerprints.history/2019-07-16_13_48_16/fingerprints: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Paxos/Consensus.tlaps/fingerprints.history/2019-07-16_13_48_16/fingerprints -------------------------------------------------------------------------------- /Paxos/Consensus.toolbox/.project: -------------------------------------------------------------------------------- 1 | 2 | 3 | Consensus 4 | 5 | 6 | 7 | 8 | 9 | toolbox.builder.TLAParserBuilder 10 | 11 | 12 | 13 | 14 | 15 | toolbox.natures.TLANature 16 | 17 | 18 | 19 | Consensus.tla 20 | 1 21 | PARENT-1-PROJECT_LOC/Consensus.tla 22 | 23 | 24 | 25 | -------------------------------------------------------------------------------- /Paxos/Consensus.toolbox/.settings/org.lamport.tla.toolbox.prefs: -------------------------------------------------------------------------------- 1 | ProjectRootFile=PARENT-1-PROJECT_LOC/Consensus.tla 2 | eclipse.preferences.version=1 3 | -------------------------------------------------------------------------------- /Paxos/Paxos.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Paxos/Paxos.pdf -------------------------------------------------------------------------------- /Paxos/Paxos.tlaps/Paxos.thy: 
-------------------------------------------------------------------------------- 1 | (* automatically generated -- do not edit manually *) 2 | theory Paxos imports Constant Zenon begin 3 | ML_command {* writeln ("*** TLAPS PARSED\n"); *} 4 | consts 5 | "isReal" :: c 6 | "isa_slas_a" :: "[c,c] => c" 7 | "isa_bksl_diva" :: "[c,c] => c" 8 | "isa_perc_a" :: "[c,c] => c" 9 | "isa_peri_peri_a" :: "[c,c] => c" 10 | "isInfinity" :: c 11 | "isa_lbrk_rbrk_a" :: "[c] => c" 12 | "isa_less_more_a" :: "[c] => c" 13 | 14 | end 15 | -------------------------------------------------------------------------------- /Paxos/Paxos.tlaps/fingerprints: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Paxos/Paxos.tlaps/fingerprints -------------------------------------------------------------------------------- /Paxos/Paxos.toolbox/.project: -------------------------------------------------------------------------------- 1 | 2 | 3 | Paxos 4 | 5 | 6 | 7 | 8 | 9 | toolbox.builder.TLAParserBuilder 10 | 11 | 12 | 13 | 14 | 15 | toolbox.natures.TLANature 16 | 17 | 18 | 19 | Consensus.tla 20 | 1 21 | PARENT-1-PROJECT_LOC/Consensus.tla 22 | 23 | 24 | FiniteSets.tla 25 | 1 26 | /usr/local/lib/tlaps/FiniteSets.tla 27 | 28 | 29 | NaturalsInduction.tla 30 | 1 31 | /usr/local/lib/tlaps/NaturalsInduction.tla 32 | 33 | 34 | Paxos.tla 35 | 1 36 | PARENT-1-PROJECT_LOC/Paxos.tla 37 | 38 | 39 | PaxosHistVar.tla 40 | 1 41 | PARENT-1-PROJECT_LOC/PaxosHistVar.tla 42 | 43 | 44 | TLAPS.tla 45 | 1 46 | /usr/local/lib/tlaps/TLAPS.tla 47 | 48 | 49 | 50 | -------------------------------------------------------------------------------- /Paxos/Paxos.toolbox/.settings/org.lamport.tla.toolbox.prefs: -------------------------------------------------------------------------------- 1 | ProjectRootFile=PARENT-1-PROJECT_LOC/Paxos.tla 2 | eclipse.preferences.version=1 3 | 
-------------------------------------------------------------------------------- /Paxos/Paxos.toolbox/Consensus.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Paxos/Paxos.toolbox/Consensus.pdf -------------------------------------------------------------------------------- /Paxos/Paxos.toolbox/Paxos.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Paxos/Paxos.toolbox/Paxos.pdf -------------------------------------------------------------------------------- /Paxos/Paxos.toolbox/PaxosHistVar.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Paxos/Paxos.toolbox/PaxosHistVar.pdf -------------------------------------------------------------------------------- /Paxos/PaxosHistVar.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Paxos/PaxosHistVar.pdf -------------------------------------------------------------------------------- /Paxos/PaxosHistVar.toolbox/.project: -------------------------------------------------------------------------------- 1 | 2 | 3 | PaxosHistVar 4 | 5 | 6 | 7 | 8 | 9 | toolbox.builder.TLAParserBuilder 10 | 11 | 12 | 13 | 14 | 15 | toolbox.natures.TLANature 16 | 17 | 18 | 19 | NaturalsInduction.tla 20 | 1 21 | /usr/local/lib/tlaps/NaturalsInduction.tla 22 | 23 | 24 | PaxosHistVar.tla 25 | 1 26 | PARENT-1-PROJECT_LOC/PaxosHistVar.tla 27 | 28 | 29 | TLAPS.tla 30 | 1 31 | /usr/local/lib/tlaps/TLAPS.tla 32 | 33 | 34 | 35 | -------------------------------------------------------------------------------- 
/Paxos/PaxosHistVar.toolbox/.settings/org.lamport.tla.toolbox.prefs: -------------------------------------------------------------------------------- 1 | ProjectRootFile=PARENT-1-PROJECT_LOC/PaxosHistVar.tla 2 | eclipse.preferences.version=1 3 | -------------------------------------------------------------------------------- /Paxos/PaxosHistVar.toolbox/PaxosHistVar.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Paxos/PaxosHistVar.toolbox/PaxosHistVar.pdf -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # tlaps-examples 2 | 3 | > Examples for TLA+ Proof System 4 | 5 | Adapted from the examples accompanying [the tlaps tool](https://tla.msr-inria.inria.fr/tlaps/content/Download/Binaries/Linux.html). 6 | 7 | - [Euclid](https://github.com/hengxin/tlaps-examples/tree/master/Euclid) 8 | - [Euclid-Hyperbook](https://github.com/hengxin/tlaps-examples/tree/master/Euclid/Euclid-Hyperbook) 9 | - Proofs about Euclid's Algorithm. 10 | - Ref: Chapter 11 "Correctness of Euclid's Algorithm" of Hyperbook 11 | - [Euclid-TLAPS-Example](https://github.com/hengxin/tlaps-examples/tree/master/Euclid/Euclid-TLAPS-Example) 12 | - Proofs about Euclid's Algorithm. 
13 | - From tlaps/examples 14 | 15 | 16 | ***TODO:*** re-organized 17 | 18 | Allocator.tla: 19 | allocator managing a set of resources 20 | 21 | Bakery.tla 22 | AtomicBakery.tla 23 | AtomicBakeryWithoutSMT.tla 24 | different versions of Lamport's bakery algorithm, 25 | Bakery.tla being the most faithful representation 26 | with non-atomic operations on shared registers 27 | 28 | BubbleSort.tla 29 | the classic BubbleSort algorithm as a PlusCal 30 | algorithm, and its correctness proof 31 | 32 | Euclid.tla 33 | proofs about Euclid's algorithm for computing the 34 | GCD of two positive integers, cf. the TLAPS tutorial 35 | 36 | Peterson.tla: 37 | Peterson's algorithm for mutual exclusion 38 | between two processes using shared memory 39 | 40 | SimpleMutex.tla: 41 | the essence of many mutual exclusion protocols 42 | 43 | SumAndMax.tla: 44 | a simple challenge problem from VSTTE 2010 45 | 46 | ------------------------------------------------------------ 47 | Sub-directories: 48 | 49 | paxos/Paxos.tla 50 | TLA+ specification of the Paxos consensus algorithm 51 | and a proof of its correctness (safety) 52 | 53 | two-phase/*.tla 54 | two-phase handshake 55 | 56 | cantor/Cantor*.tla 57 | several proofs of Cantor's theorem using TLA+'s 58 | hierarchical proof language 59 | 60 | consensus/PaxosProof.tla 61 | high level specification of Consensus with two 62 | refinements implementing an abstract Paxos algorithm 63 | (incomplete and largely superseded by paxos/) 64 | 65 | data/*.tla 66 | various theorems on sets, sequences and graphs (incomplete) 67 | -------------------------------------------------------------------------------- /Record/Record.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Record/Record.pdf -------------------------------------------------------------------------------- /Record/Record.tla: 
-------------------------------------------------------------------------------- 1 | ------------------------------- MODULE Record ------------------------------- 2 | (* 3 | It is necessary to use type invariant when reasoning about EXCEPT expressions. 4 | See step <3>2 in the proof of Spec => SV!Spec. 5 | 6 | See https://groups.google.com/d/msg/tlaplus/rmmH9vFwH_0/rY18YWMGDQAJ. 7 | *) 8 | EXTENDS Naturals, TLAPS 9 | --------------------------------------------------------------------------- 10 | CONSTANTS Participant \* the set of participants 11 | 12 | VARIABLES state \* state[p][q]: the state of q \in Participant from the view of p \in Participant 13 | 14 | State == [maxBal: Nat, maxVBal: Nat] 15 | 16 | TypeOK == state \in [Participant -> [Participant -> State]] 17 | --------------------------------------------------------------------------- 18 | InitState == [maxBal |-> 0, maxVBal |-> 0] 19 | 20 | Init == state = [p \in Participant |-> [q \in Participant |-> InitState]] 21 | 22 | Prepare(p, b) == 23 | /\ state[p][p].maxBal < b 24 | /\ state' = [state EXCEPT ![p][p].maxBal = b] 25 | --------------------------------------------------------------------------- 26 | Next == \E p \in Participant, b \in Nat : Prepare(p, b) 27 | 28 | Spec == Init /\ [][Next]_state 29 | --------------------------------------------------------------------------- 30 | (* 31 | Record refines SimpleVoting 32 | *) 33 | maxBal == [p \in Participant |-> state[p][p].maxBal] 34 | 35 | SV == INSTANCE SimpleVoting 36 | 37 | THEOREM Invariant == Spec => []TypeOK 38 | OMITTED (* NOTE(review): this proof is OMITTED, yet step <1>3 of the refinement theorem below cites Invariant, so Spec => SV!Spec is established only relative to an unchecked type invariant. Discharge it (the usual Init => TypeOK and TypeOK /\ [Next]_state => TypeOK' steps) before treating the refinement as proved. *) 39 | 40 | THEOREM Spec => SV!Spec 41 | <1>1. Init => SV!Init 42 | BY DEF Init, SV!Init, maxBal, InitState 43 | <1>2. TypeOK /\ [Next]_state => [SV!Next]_maxBal 44 | <2>1. UNCHANGED state => UNCHANGED maxBal 45 | BY DEF maxBal 46 | <2>2. TypeOK /\ Next => SV!Next 47 | <3> SUFFICES ASSUME NEW p \in Participant, NEW b \in Nat, 48 | TypeOK, 49 | Prepare(p, b) 50 | PROVE SV!IncreaseMaxBal(p, b) 51 | BY DEF Next, SV!Next 52 | <3>1. 
maxBal[p] < b 53 | BY DEF Prepare, maxBal 54 | <3>2. maxBal' = [maxBal EXCEPT ![p] = b] 55 | BY DEF Prepare, maxBal, TypeOK, State 56 | <3>3. QED 57 | BY <3>1, <3>2 DEF SV!IncreaseMaxBal 58 | <2>3. QED 59 | BY <2>1, <2>2 60 | <1>3. QED 61 | BY <1>1, <1>2, Invariant, PTL DEF SV!Spec, Spec 62 | ============================================================================= 63 | \* Modification History 64 | \* Last modified Tue Aug 20 10:52:14 CST 2019 by hengxin 65 | \* Created Thu Aug 15 10:52:49 CST 2019 by hengxin -------------------------------------------------------------------------------- /Record/Record.tlaps/Record.thy: -------------------------------------------------------------------------------- 1 | (* automatically generated -- do not edit manually *) 2 | theory Record imports Constant Zenon begin 3 | ML_command {* writeln ("*** TLAPS PARSED\n"); *} 4 | consts 5 | "isReal" :: c 6 | "isa_slas_a" :: "[c,c] => c" 7 | "isa_bksl_diva" :: "[c,c] => c" 8 | "isa_perc_a" :: "[c,c] => c" 9 | "isa_peri_peri_a" :: "[c,c] => c" 10 | "isInfinity" :: c 11 | "isa_lbrk_rbrk_a" :: "[c] => c" 12 | "isa_less_more_a" :: "[c] => c" 13 | 14 | end 15 | -------------------------------------------------------------------------------- /Record/SimpleVoting.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/Record/SimpleVoting.pdf -------------------------------------------------------------------------------- /Record/SimpleVoting.tla: -------------------------------------------------------------------------------- 1 | ---------------------------- MODULE SimpleVoting ---------------------------- 2 | EXTENDS Naturals 3 | ----------------------------------------------------------------------------- 4 | CONSTANT Participant 5 | 6 | VARIABLE maxBal 7 | 8 | TypeOK == maxBal \in [Participant -> Nat] 9 | 
----------------------------------------------------------------------------- 10 | Init == maxBal = [p \in Participant |-> 0] 11 | 12 | IncreaseMaxBal(p, b) == 13 | /\ maxBal[p] < b 14 | /\ maxBal' = [maxBal EXCEPT ![p] = b] 15 | ----------------------------------------------------------------------------- 16 | Next == \E p \in Participant, b \in Nat : IncreaseMaxBal(p, b) 17 | 18 | Spec == Init /\ [][Next]_maxBal 19 | ============================================================================= 20 | \* Modification History 21 | \* Last modified Thu Aug 15 12:07:49 CST 2019 by hengxin 22 | \* Created Thu Aug 15 11:12:58 CST 2019 by hengxin -------------------------------------------------------------------------------- /SimpleMutex/SimpleMutex.tla: -------------------------------------------------------------------------------- 1 | ----------------------------- MODULE SimpleMutex ----------------------------- 2 | EXTENDS Integers, TLAPS 3 | 4 | (*********** 5 | 6 | (***************************************************************************) 7 | (* The following algorithm is an important mutual exclusion protocol. *) 8 | (* This protocol is at the heart of many mutual exclusion algorithms. It *) 9 | (* is a two-process protocol that guarantees that both processes cannot *) 10 | (* execute statement cs. (However, they can both deadlock.) 
*) 11 | (***************************************************************************) 12 | --algorithm Mutex { 13 | variable trying = [i \in {0,1} |-> FALSE] 14 | 15 | process (p \in {0,1}) { 16 | a: trying[self] := TRUE ; 17 | b: await ~trying[1 - self]; 18 | cs: skip \* the critical section 19 | } 20 | } 21 | 22 | ***********) 23 | 24 | \* BEGIN TRANSLATION 25 | VARIABLES trying, pc 26 | 27 | vars == << trying, pc >> 28 | 29 | ProcSet == ({0,1}) 30 | 31 | Init == (* Global variables *) 32 | /\ trying = [i \in {0,1} |-> FALSE] 33 | /\ pc = [self \in ProcSet |-> CASE self \in {0,1} -> "a"] 34 | 35 | a(self) == /\ pc[self] = "a" 36 | /\ trying' = [trying EXCEPT ![self] = TRUE] 37 | /\ pc' = [pc EXCEPT ![self] = "b"] 38 | 39 | b(self) == /\ pc[self] = "b" 40 | /\ ~trying[1 - self] 41 | /\ pc' = [pc EXCEPT ![self] = "cs"] 42 | /\ UNCHANGED trying 43 | 44 | cs(self) == /\ pc[self] = "cs" 45 | /\ TRUE 46 | /\ pc' = [pc EXCEPT ![self] = "Done"] 47 | /\ UNCHANGED trying 48 | 49 | p(self) == a(self) \/ b(self) \/ cs(self) 50 | 51 | Next == (\E self \in {0,1}: p(self)) 52 | \/ (* Disjunct to prevent deadlock on termination *) 53 | ((\A self \in ProcSet: pc[self] = "Done") /\ UNCHANGED vars) 54 | 55 | Spec == Init /\ [][Next]_vars 56 | 57 | Termination == <>(\A self \in ProcSet: pc[self] = "Done") 58 | 59 | \* END TRANSLATION 60 | 61 | TypeOK == 62 | /\ trying \in [{0,1} -> BOOLEAN] 63 | /\ pc \in [{0,1} -> {"a", "b", "cs", "Done"}] 64 | 65 | Inv == \A i \in {0,1} : 66 | /\ pc[i] \in {"b", "cs"} => trying[i] 67 | /\ pc[i] = "cs" => pc[1-i] # "cs" 68 | 69 | 70 | IndInvSpec == (TypeOK /\ Inv) /\ [][Next]_vars 71 | (************************************************************************) 72 | (* TypeOK /\ Inv is an inductive invariant Spec iff it is an invariant *) 73 | (* of IndInvSpec. TLC can be used to check what we are about to prove. 
*) 74 | (************************************************************************) 75 | 76 | 77 | (***************************************************************************) 78 | (* The following theorem asserts that TypeOK /\ Inv is true in the initial *) 79 | (* state. *) 80 | (***************************************************************************) 81 | THEOREM Initialization == Init => TypeOK /\ Inv 82 | BY DEF Init, TypeOK, Inv, ProcSet 83 | 84 | MutualExclusion == ~(pc[0] = "cs" /\ pc[1] = "cs") 85 | 86 | (***************************************************************************) 87 | (* The following theorem asserts that our invariant implies mutual *) 88 | (* exclusion. *) 89 | (***************************************************************************) 90 | THEOREM Mutex == Inv => MutualExclusion 91 | BY DEF Inv, MutualExclusion 92 | 93 | (***************************************************************************) 94 | (* The following theorem asserts that if a step (a pair of states) *) 95 | (* satisfies the formula Next, and TypeOK /\ Inv is true in the first *) 96 | (* state, then TypeOK /\ Inv is true in the second state. *) 97 | (* *) 98 | (* This proof was written before the implementation of TLAPS's SMT backend *) 99 | (* prover. For the much simpler proof using that backend, see below. *) 100 | (***************************************************************************) 101 | THEOREM Invariance == TypeOK /\ Inv /\ Next => TypeOK' /\ Inv' 102 | <1>1. CASE UNCHANGED vars 103 | BY <1>1 DEF TypeOK, Inv, Next, ProcSet, p, vars 104 | <1>2. ASSUME TypeOK, Inv, 105 | NEW i \in {0,1}, 106 | a(i) \/ b(i) \/ cs(i) 107 | PROVE TypeOK' 108 | BY <1>2, IsaM("auto") DEF TypeOK, Inv, a, b, cs 109 | <1>3. ASSUME TypeOK, TypeOK', Inv, 110 | NEW i \in {0,1}, 111 | a(i) \/ b(i) \/ cs(i), 112 | NEW j \in {0,1}, 113 | Inv!(i) /\ Inv!(j) 114 | PROVE Inv!(j)' 115 | <2>1. 
/\ 1-i \in {0, 1} 116 | /\ 1-j \in {0, 1} 117 | /\ i # j => /\ 1-i = j 118 | /\ 1-j = i 119 | BY IsaM("auto") 120 | <2>2. USE DEF TypeOK, Inv 121 | <2>3. CASE a(i) 122 | BY <2>1, <1>3, <2>3 DEF a 123 | <2>4. CASE b(i) 124 | <3>1. CASE i = j 125 | BY <2>1, <1>3, <2>4, <3>1 DEF b 126 | <3>2. CASE i # j 127 | BY <2>1, <1>3, <2>4, <3>2 DEF b 128 | <3>3. QED 129 | BY <3>1, <3>2 130 | <2>5. CASE cs(i) 131 | BY <2>1, <2>5, <1>3 DEF cs 132 | <2>6. QED 133 | BY <2>3, <2>4, <2>5, <1>3 134 | <1>4. QED 135 | BY <1>1, <1>2, <1>3 DEF Next, p, ProcSet, Inv 136 | 137 | (****************************************************************************) 138 | (* The same theorem proved with the help of the SMT backend. *) 139 | (****************************************************************************) 140 | THEOREM 141 | ASSUME TypeOK, Inv, Next 142 | PROVE TypeOK' /\ Inv' 143 | BY SMT DEF TypeOK, Inv, Next, ProcSet, p, vars, a, b, cs 144 | ---------------------------------------------------------------------- 145 | (***************************************************************************) 146 | (* The following is a trivial consequence of the Invariance theorem, the *) 147 | (* definition of [Next]_vars, and the fact that UNCHANGED vars implies *) 148 | (* that none of the declared variables changes. *) 149 | (***************************************************************************) 150 | THEOREM TLAInvariance == TypeOK /\ Inv /\ [Next]_vars => TypeOK' /\ Inv' 151 | BY Invariance DEF TypeOK, Inv, Next, ProcSet, p, vars 152 | 153 | (***************************************************************************) 154 | (* The following theorem asserts that the mutual exclusion property is *) 155 | (* always verified by the system. 
*) 156 | (***************************************************************************) 157 | THEOREM Safety == Spec => []MutualExclusion 158 | BY Initialization, TLAInvariance, Mutex, PTL DEF Spec 159 | 160 | ============================================================================= 161 | -------------------------------------------------------------------------------- /SumAndMax/SumAndMax.tla: -------------------------------------------------------------------------------- 1 | ----------------------------- MODULE SumAndMax ----------------------------- 2 | EXTENDS Integers, TLAPS 3 | 4 | (***************************************************************************) 5 | (* This is the PlusCal/TLAPS solution to the first problem in the VSTTE *) 6 | (* 2010 Competition. See: *) 7 | (* *) 8 | (* http://www.macs.hw.ac.uk/vstte10/Competition.html *) 9 | (* http://www.macs.hw.ac.uk/vstte10/Competition_files/Competition.pdf *) 10 | (* *) 11 | (* Three of us (Damien Doligez, Stephan Merz, and Leslie Lamport) spent *) 12 | (* about an hour producing the solution--not counting the time spent *) 13 | (* fixing problems with TLAPS that we found. (We were testing a newly *) 14 | (* released SMT backend.) Afterwards, a slight simplification of the proof *) 15 | (* was made. 
*) 16 | (* *) 17 | (* Here is the pseudocode of the algorithm: *) 18 | (* *) 19 | (* int sum, max = 0; *) 20 | (* int i; *) 21 | (* for (i=0; i Nat] 37 | 38 | (*************************************************************************** 39 | --fair algorithm SumAndMax { 40 | variables sum = 0, max = 0, i = 0; { 41 | while (i < N) { 42 | if (max < a[i]){max := a[i]} ; 43 | sum := sum + a[i]; 44 | i := i+1; 45 | } 46 | } 47 | } 48 | ***************************************************************************) 49 | \* BEGIN TRANSLATION 50 | VARIABLES sum, max, i, pc 51 | 52 | vars == << sum, max, i, pc >> 53 | 54 | Init == (* Global variables *) 55 | /\ sum = 0 56 | /\ max = 0 57 | /\ i = 0 58 | /\ pc = "Lbl_1" 59 | 60 | Lbl_1 == /\ pc = "Lbl_1" 61 | /\ IF i < N 62 | THEN /\ IF max < a[i] 63 | THEN /\ max' = a[i] 64 | ELSE /\ TRUE 65 | /\ max' = max 66 | /\ sum' = sum + a[i] 67 | /\ i' = i+1 68 | /\ pc' = "Lbl_1" 69 | ELSE /\ pc' = "Done" 70 | /\ UNCHANGED << sum, max, i >> 71 | 72 | Next == Lbl_1 73 | \/ (* Disjunct to prevent deadlock on termination *) 74 | (pc = "Done" /\ UNCHANGED vars) 75 | 76 | Spec == /\ Init /\ [][Next]_vars 77 | /\ WF_vars(Next) 78 | 79 | Termination == <>(pc = "Done") 80 | 81 | \* END TRANSLATION 82 | 83 | Correctness == pc = "Done" => sum =< N*max 84 | 85 | TypeOK == /\ sum \in Nat 86 | /\ max \in Nat 87 | /\ i \in 0..N 88 | /\ pc \in {"Lbl_1", "Done"} 89 | Inv == /\ TypeOK 90 | /\ sum =< i * max 91 | /\ (pc = "Done") => (i = N) 92 | 93 | THEOREM Spec => []Correctness 94 | <1>1. Init => Inv 95 | BY NType, SMT DEF Init, Inv, TypeOK 96 | <1>2. Inv => Correctness 97 | BY NType DEF Correctness, Inv, TypeOK 98 | <1>3. Inv /\ [Next]_vars => Inv' 99 | <2> SUFFICES ASSUME Inv, Lbl_1 100 | PROVE Inv' 101 | BY DEF vars, Inv, TypeOK, Next 102 | <2>1. CASE i = N 103 | BY <2>1, NType, aType, SMT DEF Inv, TypeOK, Lbl_1 104 | <2>2. 
CASE i < N 105 | <3> i' * max' >= i * max + max' 106 | BY NType, aType, <2>2, SMT DEF Inv, TypeOK, Lbl_1 107 | <3> QED 108 | BY <2>2, NType, aType, SMT DEF Inv, TypeOK, Lbl_1 109 | <2> QED 110 | BY <2>1, <2>2, NType, SMT DEF Inv, TypeOK 111 | <1>4. QED 112 | BY <1>1, <1>2, <1>3, PTL DEF Spec 113 | 114 | 115 | ============================================================================= 116 | \* Modification History 117 | \* Last modified Wed Mar 12 16:00:40 CET 2014 by doligez 118 | \* Last modified Wed Nov 21 20:10:44 GMT-03:00 2012 by merz 119 | \* Last modified Wed Nov 21 20:01:30 GMT-03:00 2012 by merz 120 | \* Last modified Thu Oct 06 06:34:01 PDT 2011 by lamport 121 | \* Created Mon Oct 03 03:11:15 PDT 2011 by lamport 122 | 123 | Writing algorithm and model checking: 15 min 124 | Writing proof, before stopping to check for tlapm bug: 24 min 125 | Writing proof: 12 min. 126 | Writing proof: 12 min. 127 | -------------------------------------------------------------------------------- /TeachingConcurrency/README.md: -------------------------------------------------------------------------------- 1 | # TeachingConcurrency 2 | 3 | See [the paper: Teaching Concurrency](https://www.microsoft.com/en-us/research/uploads/prod/2016/12/Teaching-Concurrency.pdf) for the problem. 4 | 5 | See [What is the inductive invariant of the simple concurrent program?](https://stackoverflow.com/a/46108331/1833118) for the TLA+ specification and TLAPS proof. 6 | 7 | ## TODO 8 | - [x] Learn the spec and proof. 
9 | -------------------------------------------------------------------------------- /TeachingConcurrency/Simple.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hengxin/tlaps-examples/daf7c662fa1dcd7686d9b5c8dadcde6b55990f95/TeachingConcurrency/Simple.pdf -------------------------------------------------------------------------------- /TeachingConcurrency/Simple.tla: -------------------------------------------------------------------------------- 1 | ------------------------------- MODULE Simple ------------------------------- 2 | (* 3 | See the paper "Teaching Concurrency" by Leslie Lamport for the problem 4 | (https://www.microsoft.com/en-us/research/uploads/prod/2016/12/Teaching-Concurrency.pdf). 5 | 6 | See also the StackOverflow post "What is the inductive invariant of the simple concurrent program?" 7 | (https://stackoverflow.com/q/24989756/1833118). 8 | 9 | See the answer (https://stackoverflow.com/a/46108331/1833118) to the post above 10 | for the TLA+ specification and TLAPS proof. 11 | *) 12 | EXTENDS Integers, TLAPS 13 | ------------------------------------------------------------------------------ 14 | CONSTANTS N \* the number of processes 15 | ------------------------------------------------------------------------------ 16 | (* 17 | --algorithm Simple 18 | 19 | variables 20 | x = [i \in 0 .. N-1 |-> 0]; 21 | y = [i \in 0 .. N-1 |-> 0]; 22 | 23 | process Proc \in 0 .. N-1 24 | begin 25 | s1: x[self] := 1; 26 | s2: y[self] := x[(self - 1) % N] 27 | end process 28 | 29 | end algorithm 30 | *) 31 | ------------------------------------------------------------------------------ 32 | \* BEGIN TRANSLATION 33 | VARIABLES x, y, pc 34 | 35 | vars == << x, y, pc >> 36 | 37 | ProcSet == (0 .. N-1) 38 | 39 | Init == (* Global variables *) 40 | /\ x = [i \in 0 .. N-1 |-> 0] 41 | /\ y = [i \in 0 .. 
N-1 |-> 0] 42 | /\ pc = [self \in ProcSet |-> "s1"] 43 | 44 | s1(self) == /\ pc[self] = "s1" 45 | /\ x' = [x EXCEPT ![self] = 1] 46 | /\ pc' = [pc EXCEPT ![self] = "s2"] 47 | /\ y' = y 48 | 49 | s2(self) == /\ pc[self] = "s2" 50 | /\ y' = [y EXCEPT ![self] = x[(self - 1) % N]] 51 | /\ pc' = [pc EXCEPT ![self] = "Done"] 52 | /\ x' = x 53 | 54 | Proc(self) == s1(self) \/ s2(self) 55 | 56 | (* Allow infinite stuttering to prevent deadlock on termination. *) 57 | Terminating == /\ \A self \in ProcSet: pc[self] = "Done" 58 | /\ UNCHANGED vars 59 | 60 | Next == (\E self \in 0 .. N-1: Proc(self)) 61 | \/ Terminating 62 | 63 | Spec == Init /\ [][Next]_vars 64 | 65 | Termination == <>(\A self \in ProcSet: pc[self] = "Done") 66 | 67 | \* END TRANSLATION 68 | ------------------------------------------------------------------------------ 69 | AtLeastOneYWhenDone == (\A i \in 0 .. N-1 : pc[i] = "Done") => \E i \in 0 .. N-1 : y[i] = 1 70 | 71 | TypeOK == 72 | /\ x \in [0 .. N-1 -> {0, 1}] 73 | /\ y \in [0 .. N-1 -> {0, 1}] 74 | /\ pc \in [ProcSet -> {"s1", "s2", "Done"}] 75 | 76 | Inv == 77 | /\ TypeOK 78 | /\ \A i \in 0 .. N-1 : (pc[i] \in {"s2", "Done"} => x[i] = 1) 79 | /\ AtLeastOneYWhenDone 80 | ------------------------------------------------------------------------------ 81 | ASSUME NIsInNat == N \in Nat \ {0} 82 | 83 | \* TLAPS doesn't know this property of modulus operator 84 | AXIOM ModInRange == \A i \in 0 .. N-1: (i-1) % N \in 0 .. N-1 (* NOTE(review): an AXIOM is accepted by TLAPS without proof, so the main theorem below (step <4>2 cites ModInRange) is sound only if this statement actually holds for every N satisfying NIsInNat. Prefer stating it as a LEMMA and attempting a backend proof, so the module's trust base is not widened silently. *) 85 | 86 | THEOREM Spec => []AtLeastOneYWhenDone 87 | <1> USE DEF ProcSet, Inv 88 | <1>1. Init => Inv 89 | BY NIsInNat DEF Init, Inv, TypeOK, AtLeastOneYWhenDone 90 | <1>2. Inv /\ [Next]_vars => Inv' 91 | <2> SUFFICES ASSUME Inv, [Next]_vars 92 | PROVE Inv' 93 | OBVIOUS 94 | <2>1. CASE Next 95 | <3>1. CASE \E self \in 0..N-1: Proc(self) 96 | <4> SUFFICES ASSUME NEW self \in 0..N-1, Proc(self) 97 | PROVE Inv' 98 | BY <3>1 99 | <4>1. CASE s1(self) 100 | BY <4>1, NIsInNat DEF s1, TypeOK, AtLeastOneYWhenDone 101 | <4>2. 
CASE s2(self) 102 | BY <4>2, NIsInNat, ModInRange DEF s2, TypeOK, AtLeastOneYWhenDone 103 | <4>3. QED 104 | BY <3>1, <4>1, <4>2 DEF Proc 105 | <3>2. CASE (\A self \in ProcSet: pc[self] = "Done") /\ UNCHANGED vars 106 | BY <3>2 DEF TypeOK, vars, AtLeastOneYWhenDone 107 | <3>3. QED 108 | BY <2>1, <3>1, <3>2 DEF Next, Terminating 109 | <2>2. CASE UNCHANGED vars 110 | BY <2>2 DEF TypeOK, vars, AtLeastOneYWhenDone 111 | <2>3. QED 112 | BY <2>1, <2>2 113 | <1>3. Inv => AtLeastOneYWhenDone 114 | OBVIOUS 115 | <1>4. QED 116 | BY <1>1, <1>2, <1>3, PTL DEF Spec 117 | ============================================================================= 118 | \* Modification History 119 | \* Last modified Wed Aug 07 17:32:20 CST 2019 by hengxin 120 | \* Created Fri Aug 02 13:28:48 CST 2019 by hengxin -------------------------------------------------------------------------------- /TeachingConcurrency/Simple.tlaps/Simple.thy: -------------------------------------------------------------------------------- 1 | (* automatically generated -- do not edit manually *) 2 | theory Simple imports Constant Zenon begin 3 | ML_command {* writeln ("*** TLAPS PARSED\n"); *} 4 | consts 5 | "isReal" :: c 6 | "isa_slas_a" :: "[c,c] => c" 7 | "isa_bksl_diva" :: "[c,c] => c" 8 | "isa_perc_a" :: "[c,c] => c" 9 | "isa_peri_peri_a" :: "[c,c] => c" 10 | "isInfinity" :: c 11 | "isa_lbrk_rbrk_a" :: "[c] => c" 12 | "isa_less_more_a" :: "[c] => c" 13 | 14 | end 15 | -------------------------------------------------------------------------------- /Two-Phase/Alternate.tla: -------------------------------------------------------------------------------- 1 | ------------------------------ MODULE Alternate ----------------------------- 2 | (***************************************************************************) 3 | (* This specifies a system that alternately performs two actions, which *) 4 | (* for now I will call A_0 and A_1. 
It uses a variable v whose value *) 5 | (* alternates between 0 and 1, performing an A_0 action when v changes *) 6 | (* from 0 to 1, and an A_1 action when v changes from 1 to 0. *) 7 | (* *) 8 | (* We let the variable x represent the part of the state that is *) 9 | (* changed by the A_0 and A_1 actions. We introduce two constant *) 10 | (* operators XInit and XAct, where XInit(x) is assumed to assert that x *) 11 | (* has a correct initial value, and XAct(i, xInit, xNext) is assumed to *) 12 | (* assert that changing the value of x from xInit to xNext represents an *) 13 | (* A_i action, for i=0, 1. *) 14 | (***************************************************************************) 15 | EXTENDS Naturals 16 | VARIABLE v, x 17 | CONSTANT XInit(_), XAct(_, _, _) 18 | 19 | Init == v = 0 /\ XInit(x) 20 | Next == v' = (v + 1) % 2 /\ XAct(v, x, x') 21 | 22 | Spec == Init /\ [][Next]_<> 23 | 24 | (***************************************************************************) 25 | (* A philosophically correct spec would actually be *) 26 | (* *) 27 | (* \EE v : Spec *) 28 | (* *) 29 | (* which is the specification Spec with v hidden. However, engineers are *) 30 | (* interested in what works, not what is philosophically correct, so we *) 31 | (* don't worry about this. *) 32 | (***************************************************************************) 33 | ============================================================================ 34 | \* Generated at Sat Oct 31 02:58:46 PDT 2009 35 | --------------------------------------------------------------------------------