├── .merlin ├── .ocamlinit ├── .travis.yml ├── LICENSE ├── Makefile ├── README.md ├── _oasis ├── _tags ├── bugreports └── OneBit2Procs.tla ├── configure ├── docs ├── design │ ├── architecture.dot │ ├── architecture.pdf │ ├── doc.tex │ ├── lambda.dot │ └── lambda.pdf ├── faq.txt ├── instantiation │ ├── drafts │ │ ├── inst-draft-2017-02-17.pdf │ │ ├── inst-draft-2017-02-18.pdf │ │ ├── inst-draft-2017-02-23.pdf │ │ ├── inst-draft-2017-03-02.pdf │ │ └── inst-draft-2017-07-13.pdf │ ├── enabled3.tla │ ├── inst.tex │ ├── measure_ce1.dot │ ├── measure_ce1.pdf │ ├── measure_ce2.dot │ ├── measure_ce2.pdf │ ├── orderings.ml │ ├── tlaops.sty │ └── tlaplus.sty ├── map.txt ├── type_inclusion_hierarchy-full.dot ├── type_inclusion_hierarchy.dot └── type_inclusion_hierarchy.png ├── examples ├── .svnignore ├── Allocator.tla ├── AtomicBakery.tla ├── AtomicBakeryWithoutSMT.tla ├── Bakery.tla ├── BubbleSort.tla ├── EWD840.tla ├── Euclid.tla ├── Makefile ├── OneBit2Procs.tla ├── Peterson.tla ├── Prisoner.tla ├── README ├── SimpleMutex.tla ├── SumAndMax.tla ├── cantor │ ├── Cantor1.tla │ ├── Cantor10.tla │ ├── Cantor2.tla │ ├── Cantor3.tla │ ├── Cantor4.tla │ ├── Cantor5.tla │ ├── Cantor6.tla │ ├── Cantor7.tla │ ├── Cantor8.tla │ └── Cantor9.tla ├── consensus │ ├── Consensus.tla │ ├── PaxosProof.tla │ ├── PaxosTuple.tla │ ├── Sets.tla │ └── Voting.tla ├── data │ ├── GraphTheorem.tla │ ├── SequencesTheorems.tla │ └── Sets.tla ├── paxos │ ├── Consensus.tla │ └── Paxos.tla └── two-phase │ ├── Alternate.tla │ └── TwoPhase.tla ├── generate_test_cases.sh ├── jenkins └── test_script.sh ├── lib ├── sany.jar └── sany.xsd ├── library ├── Bags.tla ├── FiniteSetTheorems.tla ├── FiniteSetTheorems_proofs.tla ├── FiniteSets.tla ├── FunctionTheorems.tla ├── FunctionTheorems_proofs.tla ├── Functions.tla ├── JectionThm.tla ├── Jections.tla ├── NaturalsInduction.tla ├── NaturalsInduction_proofs.tla ├── RealTime.tla ├── SequenceTheorems.tla ├── SequenceTheorems_proofs.tla ├── TLAPS.tla ├── WellFoundedInduction.tla └── WellFoundedInduction_proofs.tla ├── nunchaku ├── path.txt ├── prelude.nun └── set-theory.nun ├── opam ├── run-test.sh ├── setup.ml ├── spec ├── PM-Spec.tex └── toolbox-tlapm interface.txt ├── src ├── README.md ├── arg_handler.ml ├── arg_handler.mli ├── backends │ ├── isabelle.ml │ ├── runners.ml │ └── runners.mli ├── config.ml ├── core │ ├── backend_exceptions.ml │ ├── backend_exceptions.mli │ ├── commons.ml │ ├── commons.mli │ ├── expr_ds.ml │ └── obligation.mli ├── expr │ ├── any_expr.ml │ ├── any_expr.mli │ ├── expr.ml │ ├── expr.mli │ ├── expr_builtins.ml │ ├── expr_builtins.mli │ ├── expr_constructors.ml │ ├── expr_constructors.mli │ ├── expr_correct_lambda.ml │ ├── expr_correct_lambda.mli │ ├── expr_dereference.ml │ ├── expr_dereference.mli │ ├── expr_formatter.ml │ ├── expr_formatter.mli │ ├── expr_map.ml │ ├── expr_map.mli │ ├── expr_map2.ml │ ├── expr_map2.mli │ ├── expr_normalize.ml │ ├── expr_parse_theorems.ml │ ├── expr_parse_theorems.mli │ ├── expr_prover_parser.ml │ ├── expr_prover_parser.mli │ ├── expr_substitution.ml │ ├── expr_substitution.mli │ ├── expr_termdb_utils.ml │ ├── expr_termdb_utils.mli │ ├── expr_utils.ml │ ├── expr_utils.mli │ ├── expr_visitor.ml │ ├── expr_visitor.mli │ ├── extract_obligations.ml │ ├── extract_obligations.mli │ ├── obligation_formatter.ml │ └── obligation_formatter.mli ├── ext.ml ├── ext.mli ├── nunchaku │ ├── nun_mod.ml │ ├── nun_mod.mli │ ├── nun_pb.ml │ ├── nun_pb_fmt.ml │ ├── nun_pb_fmt.mli │ ├── nun_pb_statement.ml │ ├── nun_pb_statement.mli │ ├── nun_sexp.ml │ ├── nun_sexp.mli │ ├── nunchaku.ml │ ├── nunchaku.mli │ ├── simple_expr │ │ ├── any_simple_expr.ml │ │ ├── any_simple_expr.mli │ │ ├── simple_builtins.ml │ │ ├── simple_expr.ml │ │ ├── simple_expr_dereference.ml │ │ ├── simple_expr_dereference.mli │ │ ├── simple_expr_ds.mli │ │ ├── simple_expr_formatter.ml │ │ ├── simple_expr_formatter.mli │ │ ├── simple_expr_prover_parser.ml │ │ ├── simple_expr_prover_parser.mli │ │ ├── simple_expr_utils.ml │ │ ├── simple_expr_utils.mli │ │ ├── simple_expr_visitor.ml │ │ └── simple_expr_visitor.mli │ ├── tla_mod.ml │ ├── tla_mod.mli │ ├── tla_pb.ml │ ├── tla_pb.mli │ ├── tla_simple_pb.ml │ └── tla_simple_pb.mli ├── oldpm │ ├── config.mli │ ├── errors.ml │ ├── errors.mli │ ├── expr.ml │ ├── fpfile.ml │ ├── fpfile.mli │ ├── loc.ml │ ├── loc.mli │ ├── method.ml │ ├── method.mli │ ├── obligations.ml │ ├── obligations.mli │ ├── params.ml │ ├── params.mli │ ├── property.ml │ ├── property.mli │ ├── revision.ml │ ├── revision.mli │ ├── sysconf.ml │ ├── sysconf.mli │ ├── timing.ml │ ├── timing.mli │ ├── tlapm_args.ml │ ├── tlapm_args.mli │ ├── toolbox.ml │ ├── toolbox.mli │ ├── toolbox_msg.ml │ ├── toolbox_msg.mli │ ├── types.ml │ ├── types.mli │ └── version.mli ├── process.ml ├── process.mli ├── sany │ ├── sany.ml │ ├── sany.mli │ ├── sany_builtin_extractor.ml │ ├── sany_builtin_extractor.mli │ ├── sany_ds.mli │ ├── sany_expr.ml │ ├── sany_expr.mli │ ├── sany_visitor.ml │ ├── sany_visitor.mli │ ├── xml_utils.ml │ └── xml_utils.mli ├── scheduler.ml ├── scheduler.mli ├── settings.ml ├── settings.mli ├── test │ ├── test_common.ml │ ├── test_common.mli │ ├── test_correct_lambda.ml │ ├── test_extract_obligations.ml │ ├── test_formatter.ml │ ├── test_formatter.mli │ ├── test_issue2.ml │ ├── test_map.ml │ ├── test_map.mli │ ├── test_nunchaku.ml │ ├── test_parse_theorems.ml │ ├── test_parse_theorems.mli │ ├── test_sany.ml │ ├── test_sany.mli │ ├── test_simple_expr.ml │ ├── test_substitution.ml │ ├── test_substitution.mli │ ├── test_util.ml │ └── test_util.mli ├── tests.ml ├── tlapm.ml ├── tlapm.mli ├── tlapm_api.odocl ├── toolbox.ml ├── toolbox.mli ├── util.ml ├── util.mli └── version.ml ├── test ├── resources │ └── xml │ │ ├── functions.xml │ │ └── nunchaku_tests.xml ├── tla │ ├── Choose.tla │ ├── EWD840_.tla │ ├── Euclid.tla │ ├── NTape1.tla │ ├── NTape2.tla │ ├── NTape3.tla │ ├── NameClashes.tla │ ├── New.tla │ ├── OneBit.tla │ ├── PTL_bug.tla │ ├── SetsAndTuples.tla │ ├── SimpleImport1.tla │ ├── SimpleImport1a.tla │ ├── SimpleImport2.tla │ ├── Temporal1.tla │ ├── Testing.tla │ ├── UserDefOp.tla │ ├── _results.txt │ ├── assume_prove.tla │ ├── at.tla │ ├── baseball.tla │ ├── basic_equality.tla │ ├── bugs │ │ ├── TestBug120116.tla │ │ ├── TestBug121005A.tla │ │ ├── TestBug121005B.tla │ │ ├── TestBug130604.tla │ │ ├── TestBug130619.tla │ │ ├── TestBug130813.tla │ │ ├── TestBug131103.tla │ │ ├── TestBug131128.tla │ │ ├── TestBug131129.tla │ │ ├── TestBug140130.tla │ │ ├── TestBug140131A.tla │ │ ├── TestBug140131B.tla │ │ └── TestBug140521.tla │ ├── builtins.tla │ ├── case_take_use_hide.tla │ ├── cyclic.tla │ ├── empty.tla │ ├── enabled.tla │ ├── enabled2.tla │ ├── enabled3.tla │ ├── enabled4.tla │ ├── expr.tla │ ├── extends_use_def.tla │ ├── extends_use_def_inner.tla │ ├── extends_use_def_outer.tla │ ├── false_proves_false.tla │ ├── fuel.tla │ ├── functions.tla │ ├── globaluse.tla │ ├── homepage.tla │ ├── instance.tla │ ├── instanceA.tla │ ├── lambda.tla │ ├── minilambda.tla │ ├── multi_obligations.tla │ ├── nonleibniz.tla │ ├── nunchaku.tla │ ├── nunchaku_tests_negative.tla │ ├── nunchaku_tests_positive.tla │ ├── obligation_bug1.tla │ ├── overbinding.tla │ ├── overbinding2.tla │ ├── pd.tla │ ├── pick.tla │ ├── priming.tla │ ├── priming_stephan.tla │ ├── proofsteps.tla │ ├── qed.tla │ ├── qed2.tla │ ├── recursiveop.tla │ ├── simple_substitution.tla │ ├── smt2test.tla │ ├── smt2test2.tla │ ├── string.tla │ ├── substitution.tla │ ├── tuples.tla │ └── withsubmodule.tla └── xml │ ├── Choose.xml │ ├── EWD840_.xml │ ├── Euclid.xml │ ├── NTape1.xml │ ├── NTape2.xml │ ├── NTape3.xml │ ├── NameClashes.xml │ ├── New.xml │ ├── OneBit.xml │ ├── Quantifiers.xml │ ├── SetsAndTuples.xml │ ├── SimpleImport1.xml │ ├── SimpleImport1a.xml │ ├── SimpleImport2.xml │ ├── Temporal1.xml │ ├── Testing.xml │ ├── UserDefOp.xml │ ├── assume_prove.xml │ ├── at.xml │ ├── basic_equality.xml │ ├── bug02.xml │ ├── case_take_use_hide.xml │ ├── cyclic.xml │ ├── empty.xml │ ├── enabled.xml │ ├── exec.xml │ ├── expr.xml │ ├── extends_use_def.xml │ ├── extends_use_def_inner.xml │ ├── extends_use_def_outer.xml │ ├── false_proves_false.xml │ ├── fuel.xml │ ├── functions.xml │ ├── globaluse.xml │ ├── homepage.xml │ ├── instance.xml │ ├── instanceA.xml │ ├── lambda.xml │ ├── mailinglist1.xml │ ├── minilambda.xml │ ├── multi_obligations.xml │ ├── nonleibniz.xml │ ├── nunchaku.xml │ ├── nunchaku_tests_negative.xml │ ├── nunchaku_tests_positive.xml │ ├── obligation_bug1.xml │ ├── overbinding.xml │ ├── pd.xml │ ├── pharos.xml │ ├── pick.xml │ ├── possible_bug.xml │ ├── priming.xml │ ├── priming_stephan.xml │ ├── proofsteps.xml │ ├── qed.xml │ ├── qed2.xml │ ├── quantifiers.xml │ ├── recursiveop.xml │ ├── simple_substitution.xml │ ├── smt2test.xml │ ├── smt2test2.xml │ ├── string.xml │ ├── substitution.xml │ ├── tuples.xml │ └── withsubmodule.xml ├── tla2xml.sh └── tlapm /.merlin: -------------------------------------------------------------------------------- 1 | S src 2 | S src/core 3 | S src/expr 4 | S src/sany 5 | S src/test 6 | S src/backends 7 | S src/nunchaku 8 | S src/nunchaku/simple_expr 9 | 10 | B _build/src 11 | B _build/src/core 12 | B _build/src/expr 13 | B _build/src/sany 14 | B _build/src/test 15 | B _build/src/backends 16 | B _build/src/nunchaku 17 | B _build/src/nunchaku/simple_expr 18 | 19 | CMT _build/src 20 | CMT _build/src/core 21 | CMT _build/src/expr 22 | CMT _build/src/sany 23 | CMT _build/src/test 24 | CMT _build/src/backends 25 | CMT _build/src/nunchaku 26 | CMT _build/src/nunchaku/simple_expr 27 | 28 | PKG xmlm 29 | PKG kaputt 30 | PKG sexplib 31 | PKG result 32 | PKG containers 33 | -------------------------------------------------------------------------------- /.ocamlinit: -------------------------------------------------------------------------------- 1 | #directory "_build/src/core" ;; 2 | #directory "_build/src/expr" ;; 3 | #directory "_build/src/sany" ;; 4 | #directory "_build/src/expr" ;; 5 | #directory "_build/src/nunchaku" ;; 6 | #directory "_build/src/test" ;; 7 | #directory "_build/src/oldpm" ;; 8 | #directory "_build/src" ;; 9 | 10 | #require "result" ;; 11 | #require "unix" ;; 12 | #require "containers" ;; 13 | #require "xmlm" ;; 14 | 15 | #load "str.cma" ;; 16 | #load "ext.cmo" ;; 17 | #load "any_expr.cmo" ;; 18 | #load "commons.cmo" ;; 19 | #load "util.cmo" ;; 20 | #load "expr_visitor.cmo" ;; 21 | #load "expr_map.cmo" ;; 22 | #load "expr_builtins.cmo" ;; 23 | #load "expr_correct_lambda.cmo" ;; 24 | #load "expr_utils.cmo" ;; 25 | #load "expr_dereference.cmo" ;; 26 | #load "expr_prover_parser.cmo" ;; 27 | #load "expr_formatter.cmo" ;; 28 | #load "expr_termdb_utils.cmo" ;; 29 | #load "expr_constructors.cmo" ;; 30 | #load "expr_parse_theorems.cmo" ;; 31 | #load "extract_obligations.cmo" ;; 32 | #load "obligation_formatter.cmo" ;; 33 | #load "xml_utils.cmo" ;; 34 | #load "sany.cmo" ;; 35 | #load "sany_visitor.cmo" ;; 36 | #load "sany_expr.cmo" ;; 37 | 38 | open Commons 39 | (* 40 | open Expr_ds 41 | open Expr_constructors 42 | open Expr_builtins 43 | *) 44 | open Expr 45 | open Obligation 46 | 47 | let location = toplevel_loation 48 | let term_db = Tdb.empty_term_db |> B.complete_builtins 49 | ;; 50 | -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | language: c 2 | sudo: required 3 | install: wget https://raw.githubusercontent.com/ocaml/ocaml-ci-scripts/master/.travis-opam.sh 4 | script: bash -ex .travis-opam.sh 5 | env: 6 | - OCAML_VERSION=4.03 PACKAGE=tlapm2 DEPOPTS="*" EXTRA_DEPS=kaputt 7 | - OCAML_VERSION=4.04 PACKAGE=tlapm2 DEPOPTS="*" EXTRA_DEPS=kaputt 8 | - OCAML_VERSION=4.05 PACKAGE=tlapm2 DEPOPTS="*" EXTRA_DEPS=kaputt 9 | - OCAML_VERSION=4.07 PACKAGE=tlapm2 DEPOPTS="*" EXTRA_DEPS=kaputt 10 | - OCAML_VERSION=4.08 PACKAGE=tlapm2 DEPOPTS="*" EXTRA_DEPS=kaputt 11 | os: 12 | - linux 13 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | BSD 2-Clause License 2 | 3 | Copyright (c) 2008-2017, Inria and Microsoft Corporation 4 | All rights reserved. 5 | 6 | Redistribution and use in source and binary forms, with or without 7 | modification, are permitted provided that the following conditions are met: 8 | 9 | * Redistributions of source code must retain the above copyright notice, this 10 | list of conditions and the following disclaimer. 11 | 12 | * Redistributions in binary form must reproduce the above copyright notice, 13 | this list of conditions and the following disclaimer in the documentation 14 | and/or other materials provided with the distribution. 15 | 16 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 17 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 19 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 20 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 23 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 24 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 25 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 | 27 | CHOICE OF LAW 28 | 29 | This license is governed by the Laws of France. 30 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | # OASIS_START 2 | # DO NOT EDIT (digest: bc1e05bfc8b39b664f29dae8dbd3ebbb) 3 | 4 | BUILDFLAGS= -cflags \"-w -30\" 5 | SETUP = ocaml setup.ml 6 | 7 | build: setup.data 8 | $(SETUP) -build $(BUILDFLAGS) 9 | 10 | doc: setup.data build 11 | $(SETUP) -doc $(DOCFLAGS) 12 | 13 | test: setup.data build 14 | $(SETUP) -test $(TESTFLAGS) 15 | 16 | all: 17 | $(SETUP) -all $(ALLFLAGS) 18 | 19 | install: setup.data 20 | $(SETUP) -install $(INSTALLFLAGS) 21 | 22 | uninstall: setup.data 23 | $(SETUP) -uninstall $(UNINSTALLFLAGS) 24 | 25 | reinstall: setup.data 26 | $(SETUP) -reinstall $(REINSTALLFLAGS) 27 | 28 | clean: 29 | $(SETUP) -clean $(CLEANFLAGS) 30 | 31 | distclean: 32 | $(SETUP) -distclean $(DISTCLEANFLAGS) 33 | 34 | setup.data: 35 | $(SETUP) -configure $(CONFIGUREFLAGS) 36 | 37 | .PHONY: build doc test all install uninstall reinstall clean distclean configure 38 | 39 | # OASIS_STOP 40 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # TLAPM 2 | 3 | [![Build Status](https://travis-ci.org/tlaplus/v2-tlapm.svg?branch=master)](https://travis-ci.org/tlaplus/v2-tlapm) 4 | 5 | This is the next version of the TLA proof manager, which is part of the 6 | TLA+ Tools [1]. Since is still under development, please also refer to the 7 | current version[2]. 8 | 9 | [1] https://github.com/tlaplus/tlaplus 10 | 11 | [2] https://tlaps.codeplex.com 12 | 13 | 14 | ## Installation 15 | The easiest way to install is via opam: 16 | 17 | opam pin add tlapm2 https://github.com/tlaplus/v2-tlapm.git 18 | 19 | If it is already pinned but not installed a simple 20 | 21 | opam install tlapm2 22 | 23 | will suffice. 24 | 25 | ## Compilation 26 | The compilation requirements are: 27 | 28 | * a recent version of ocaml (at least 4.02) 29 | * xmlm (http://erratique.ch/software/xmlm) 30 | * kaputt (http://kaputt.x9c.fr) 31 | * oasis (http://oasis.forge.ocamlcore.org) 32 | * result (if you are running ocaml < 4.03 ) 33 | * sexplib 34 | 35 | The easiest way to install them is via opam (https://opam.ocaml.org): 36 | 37 | opam install oasis xmlm kaputt result sexplib 38 | 39 | To initialize the configuration, call 40 | 41 | oasis setup ; 42 | ./configure --enable-tests --enable-debug 43 | 44 | in the v2-tlapm base directory. For the actual compilation, the usual 45 | 46 | make 47 | 48 | will compile the project, wheras 49 | 50 | make test 51 | 52 | will run the test suite. 53 | 54 | ## Running 55 | 56 | For execution, a Java Runtime Environment (at least 7) is also necessary. 57 | -------------------------------------------------------------------------------- /_oasis: -------------------------------------------------------------------------------- 1 | OASISFormat: 0.4 2 | Name: TLAPM 3 | Version: 0.1 4 | Synopsis: V2 of tlapm 5 | Authors: Damien Doligez, Tomer Libal, Martin Riener 6 | License: BSD-3-clause 7 | Plugins: META (0.3) 8 | AlphaFeatures: ocamlbuild_more_args 9 | 10 | Executable tlapm2 11 | Path: src 12 | BuildTools: ocamlbuild 13 | # CompiledObject: native 14 | MainIs: tlapm.ml 15 | # XOCamlbuildExtraArgs: "-w +44" 16 | BuildDepends: xmlm, 17 | str, 18 | unix, 19 | sexplib, 20 | containers, 21 | result 22 | 23 | 24 | Document tlapm_api 25 | Type: ocamlbuild (0.4) 26 | BuildTools: ocamldoc, ocamlbuild 27 | Title: TLAPM API 28 | # Format: html 29 | # Index: index.html 30 | XOCamlbuildPath: src 31 | XOCamlbuildExtraArgs: 32 | "-docflags '-colorize-code -short-functors -charset utf-8'" 33 | XOcamlBuildModules: Tlapm, Commons, Expr_ds, Expr_visitor, Expr_map, 34 | Expr_formatter, Expr_utils, Expr_dereference, 35 | Expr_substitution, Expr_termdb_utils, 36 | Sany, Sany_ds, Sany_visitor, Sany_expr, 37 | Any_expr, Util, Test_common, Expr_constructors, 38 | Expr_builtins, Extract_obligations 39 | 40 | Executable test 41 | Install: false 42 | Path: src 43 | MainIs: tests.ml 44 | BuildTools: ocamlbuild 45 | # CompiledObject: native 46 | BuildDepends: xmlm, 47 | str, 48 | unix, 49 | kaputt, 50 | sexplib, 51 | containers, 52 | result 53 | 54 | Test "test-runner" 55 | Type: Custom (0.0.1) 56 | Command: $test 57 | -------------------------------------------------------------------------------- /_tags: -------------------------------------------------------------------------------- 1 | # OASIS_START 2 | # DO NOT EDIT (digest: 3c6633ea784d731587ada5ec0efb0704) 3 | # Ignore VCS directories, you can use the same kind of rule outside 4 | # OASIS_START/STOP if you want to exclude directories that contains 5 | # useless stuff for the build process 6 | true: annot, bin_annot 7 | <**/.svn>: -traverse 8 | <**/.svn>: not_hygienic 9 | ".bzr": -traverse 10 | ".bzr": not_hygienic 11 | ".hg": -traverse 12 | ".hg": not_hygienic 13 | ".git": -traverse 14 | ".git": not_hygienic 15 | "_darcs": -traverse 16 | "_darcs": not_hygienic 17 | # Executable tlapm2 18 | "src/tlapm.byte": pkg_containers 19 | "src/tlapm.byte": pkg_result 20 | "src/tlapm.byte": pkg_sexplib 21 | "src/tlapm.byte": pkg_str 22 | "src/tlapm.byte": pkg_unix 23 | "src/tlapm.byte": pkg_xmlm 24 | # Executable test 25 | "src/tests.byte": pkg_containers 26 | "src/tests.byte": pkg_kaputt 27 | "src/tests.byte": pkg_result 28 | "src/tests.byte": pkg_sexplib 29 | "src/tests.byte": pkg_str 30 | "src/tests.byte": pkg_unix 31 | "src/tests.byte": pkg_xmlm 32 | : pkg_containers 33 | : pkg_kaputt 34 | : pkg_result 35 | : pkg_sexplib 36 | : pkg_str 37 | : pkg_unix 38 | : pkg_xmlm 39 | # OASIS_STOP 40 | # this is manually added to support subdirectories 41 | : include 42 | : include 43 | : include 44 | : include 45 | : include 46 | : include 47 | : include 48 | : include 49 | 50 | : pkg_kaputt, pkg_containers 51 | : pkg_containers 52 | : pkg_sexplib 53 | : pkg_containers 54 | : pkg_xmlm, pkg_containers 55 | : pkg_containers, pkg_result 56 | : pkg_result 57 | 58 | #remove warning 8 from sany_expr 59 | "src/sany/sany_expr.ml": warn(+a-4-6-7-8-9-27-29-32..39-41..42-44-45-48-50) 60 | -------------------------------------------------------------------------------- /configure: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # OASIS_START 4 | # DO NOT EDIT (digest: 425187ed8bfdbdd207fd76392dd243a7) 5 | set -e 6 | 7 | FST=true 8 | for i in "$@"; do 9 | if $FST; then 10 | set -- 11 | FST=false 12 | fi 13 | 14 | case $i in 15 | --*=*) 16 | ARG=${i%%=*} 17 | VAL=${i##*=} 18 | set -- "$@" "$ARG" "$VAL" 19 | ;; 20 | *) 21 | set -- "$@" "$i" 22 | ;; 23 | esac 24 | done 25 | 26 | ocaml setup.ml -configure "$@" 27 | # OASIS_STOP 28 | -------------------------------------------------------------------------------- /docs/design/architecture.dot: -------------------------------------------------------------------------------- 1 | digraph architecture { 2 | //rotate=90 3 | rank = same; 4 | rankdir = LR; 5 | node [shape=box]; 6 | javasany [label="SANY\n(java)"]; 7 | xml [label="SANY\n(xml)"]; 8 | sany [label="SANY\n(ocaml: sany_ds.mli)"]; 9 | expr_ds [label="Internal expression datastructure\n(expr_ds.mli)"]; 10 | obligation [label="Proof obligation (?.mli)"]; 11 | backend [label="Backend\n(veriT, Zenon, Isabelle, LS4)"]; 12 | 13 | javasany -> xml -> sany -> expr_ds -> obligation -> backend; 14 | expr_ds -> expr_ds; 15 | obligation -> obligation; 16 | } -------------------------------------------------------------------------------- /docs/design/architecture.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tlaplus/tlapm_alternative_parser_experiment/8cc7103389d2b386982dd5fc85239f8cc02be9de/docs/design/architecture.pdf -------------------------------------------------------------------------------- /docs/design/lambda.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tlaplus/tlapm_alternative_parser_experiment/8cc7103389d2b386982dd5fc85239f8cc02be9de/docs/design/lambda.pdf -------------------------------------------------------------------------------- /docs/instantiation/drafts/inst-draft-2017-02-17.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tlaplus/tlapm_alternative_parser_experiment/8cc7103389d2b386982dd5fc85239f8cc02be9de/docs/instantiation/drafts/inst-draft-2017-02-17.pdf -------------------------------------------------------------------------------- /docs/instantiation/drafts/inst-draft-2017-02-18.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tlaplus/tlapm_alternative_parser_experiment/8cc7103389d2b386982dd5fc85239f8cc02be9de/docs/instantiation/drafts/inst-draft-2017-02-18.pdf -------------------------------------------------------------------------------- /docs/instantiation/drafts/inst-draft-2017-02-23.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tlaplus/tlapm_alternative_parser_experiment/8cc7103389d2b386982dd5fc85239f8cc02be9de/docs/instantiation/drafts/inst-draft-2017-02-23.pdf -------------------------------------------------------------------------------- /docs/instantiation/drafts/inst-draft-2017-03-02.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tlaplus/tlapm_alternative_parser_experiment/8cc7103389d2b386982dd5fc85239f8cc02be9de/docs/instantiation/drafts/inst-draft-2017-03-02.pdf -------------------------------------------------------------------------------- /docs/instantiation/drafts/inst-draft-2017-07-13.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tlaplus/tlapm_alternative_parser_experiment/8cc7103389d2b386982dd5fc85239f8cc02be9de/docs/instantiation/drafts/inst-draft-2017-07-13.pdf -------------------------------------------------------------------------------- /docs/instantiation/enabled3.tla: -------------------------------------------------------------------------------- 1 | ../../test/tla/enabled3.tla -------------------------------------------------------------------------------- /docs/instantiation/measure_ce1.dot: -------------------------------------------------------------------------------- 1 | digraph counterexample { 2 | 1 -> 2; 3 | 1 -> 3; 4 | 2 -> 5; 5 | 5 -> 6; 6 | 6 -> 7; 7 | 2 -> 8; 8 | 1 [label="app"]; 9 | 2 [label="app"]; 10 | 3 [label="e"]; 11 | 5 [label="λx"]; 12 | 6 [label="λy"]; 13 | 7 [label="s"]; 14 | 8 [label="t"]; 15 | } -------------------------------------------------------------------------------- /docs/instantiation/measure_ce1.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tlaplus/tlapm_alternative_parser_experiment/8cc7103389d2b386982dd5fc85239f8cc02be9de/docs/instantiation/measure_ce1.pdf -------------------------------------------------------------------------------- /docs/instantiation/measure_ce2.dot: -------------------------------------------------------------------------------- 1 | digraph counterexample { 2 | 1 -> 2; 3 | 1 -> 3; 4 | 2 -> 5; 5 | 5 -> 6; 6 | 6 -> 7; 7 | 2 -> 8; 8 | 1 [label="app"]; 9 | 2 [label="λy"]; 10 | 3 [label="e"]; 11 | 5 [label="app"]; 12 | 6 [label="λx"]; 13 | 7 [label="s"]; 14 | 8 [label="t"]; 15 | } -------------------------------------------------------------------------------- /docs/instantiation/measure_ce2.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tlaplus/tlapm_alternative_parser_experiment/8cc7103389d2b386982dd5fc85239f8cc02be9de/docs/instantiation/measure_ce2.pdf -------------------------------------------------------------------------------- /docs/instantiation/tlaops.sty: -------------------------------------------------------------------------------- 1 | \NeedsTeXFormat{LaTeX2e} 2 | \ProvidesPackage{tlaops} 3 | 4 | \newcommand{\leibeq}[0]{\ensuremath{=}} 5 | %\newcommand{\lkproves}[0]{\ensuremath{\vdash}} 6 | \newcommand{\then}[0]{\ensuremath{\Rightarrow}} 7 | 8 | \newcommand{\goesto}{\leftarrow} % substitution arrow 9 | \newcommand{\subst}[1]{\ensuremath{\left[ #1 \right]}} % substitution 10 | 11 | \def\tla@while{-\hspace{-.16em}\triangleright} 12 | \def\tlawhilep{\stackrel 13 | {\mbox{\raisebox{-.3em}[0pt][0pt]{$\scriptscriptstyle+\;\,$}}}{\tla@while}} 14 | 15 | %\newcommand{\set}[1]{\ensuremath{\{ #1 \}}} 16 | \newcommand{\WF}{\textrm{WF}} 17 | \newcommand{\SF}{\textrm{SF}} 18 | \newcommand{\ALWAYS}{\ensuremath{\Box}} 19 | \newcommand{\POSSIBLE}{\ensuremath{\Diamond}} 20 | \newcommand{\ENABLED}{\textsc{enabled }} 21 | \newcommand{\INSTANCE}{\textsc{instance }} 22 | \newcommand{\WITH}{\textsc{with }} 23 | \newcommand{\CHOOSE}{\mbox{\sc choose }} 24 | \newcommand{\CONSTANTS}{\mbox{\sc constants }} 25 | \newcommand{\VARIABLES}{\mbox{\sc variables }} 26 | \newcommand{\SUFFICES}{\mbox{\sc suffices }} 27 | \newcommand{\ASSUME}{\mbox{\sc assume }} 28 | \newcommand{\PROVE}{\mbox{\,\sc prove }} 29 | \newcommand{\NEW}{\mbox{\sc new }} 30 | \newcommand{\E}{\ensuremath{\exists}} 31 | \newcommand{\A}{\ensuremath{\forall}} 32 | \renewcommand{\AA}{\makebox{$\raisebox{.05em}{\makebox[0pt][l]{% 33 | $\forall\hspace{-.517em}\forall\hspace{-.517em}\forall$}}% 34 | \forall\hspace{-.517em}\forall \hspace{-.517em}\forall\,$}} 35 | \newcommand{\EE}{\makebox{$\raisebox{.05em}{\makebox[0pt][l]{% 36 | $\exists\hspace{-.517em}\exists\hspace{-.517em}\exists$}}% 37 | \exists\hspace{-.517em}\exists\hspace{-.517em}\exists\,$}} 38 | \renewcommand{\implies}{\Rightarrow} 39 | \newcommand{\defeq}{\;\mathrel{\smash %% keep this symbol from being too tall 40 | {{\stackrel{\scriptscriptstyle\Delta}{=}}}}\;} 41 | \newcommand{\dif}[0]{\,\#\,} 42 | 43 | \endinput 44 | -------------------------------------------------------------------------------- /docs/instantiation/tlaplus.sty: -------------------------------------------------------------------------------- 1 | \NeedsTeXFormat{LaTeX2e} 2 | \ProvidesPackage{tlaplus} 3 | 4 | \makeatletter 5 | \let\ltxxlabel\ltx@label 6 | \makeatother 7 | 8 | \newcommand{\assignment}[1]{\{#1\}} 9 | \newcommand{\inst}[2]{#1 {\leftarrow} #2} 10 | \newcommand{\einst}[3]{#1 \stackrel{#2}{\Leftarrow} #3} 11 | \newcommand{\tlaplus}[0]{{TLA+}} 12 | \newcommand{\tla}[1]{#1} 13 | 14 | \newcommand{\set}[1]{\{#1\}} 15 | \newcommand{\impl}[0]{\,\rightarrow\,} 16 | \newcommand{\liff}[0]{\,\Leftrightarrow\,} 17 | \newcommand{\dor}{\textbf{or}} 18 | \newcommand{\fpsubstin}[1]{\{#1\}} 19 | \newcommand{\fpscat}[0]{\circ} 20 | \newcommand{\substin}[2]{[#1:#2]} 21 | \newcommand{\fpwith}{\leftarrow} 22 | \newcommand{\fpwithout}[0]{\backslash} 23 | \newcommand{\fpwithoutset}[1]{\backslash\{#1\}} 24 | \newcommand{\iwith}{\leftarrow} 25 | \newcommand{\metavar}[1]{\mathbf{#1}} 26 | \newcommand{\rewrites}[0]{\;\rightarrow\;} 27 | \newcommand{\proofstep}[2]{\langle{#1}\rangle{#2}} 28 | 29 | \newcommand{\stshift}{\mbox{\sc shift}} 30 | \newcommand{\stfresh}[1]{\mbox{\sc fresh$_{#1}$}} 31 | 32 | \endinput 33 | -------------------------------------------------------------------------------- /docs/type_inclusion_hierarchy.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tlaplus/tlapm_alternative_parser_experiment/8cc7103389d2b386982dd5fc85239f8cc02be9de/docs/type_inclusion_hierarchy.png -------------------------------------------------------------------------------- /examples/.svnignore: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | svn propset -R svn:ignore ' 4 | 5 | *.tlaps 6 | *.toolbox 7 | 8 | ' . 9 | -------------------------------------------------------------------------------- /examples/Euclid.tla: -------------------------------------------------------------------------------- 1 | -------------------- MODULE Euclid -------------------- 2 | EXTENDS Integers, TLAPS 3 | 4 | p | q == \E d \in 1..q : q = p * d 5 | Divisors(q) == {d \in 1..q : d | q} 6 | Maximum(S) == CHOOSE x \in S : \A y \in S : x \geq y 7 | GCD(p,q) == Maximum(Divisors(p) \cap Divisors(q)) 8 | Number == Nat \ {0} 9 | 10 | CONSTANTS M, N 11 | VARIABLES x, y 12 | 13 | ASSUME NumberAssumption == M \in Number /\ N \in Number 14 | 15 | Init == (x = M) /\ (y = N) 16 | 17 | Next == \/ /\ x < y 18 | /\ y' = y - x 19 | /\ x' = x 20 | \/ /\ y < x 21 | /\ x' = x-y 22 | /\ y' = y 23 | 24 | Spec == Init /\ [][Next]_<> 25 | 26 | ResultCorrect == (x = y) => x = GCD(M, N) 27 | 28 | InductiveInvariant == 29 | /\ x \in Number 30 | /\ y \in Number 31 | /\ GCD(x, y) = GCD(M, N) 32 | 33 | USE DEF Number 34 | 35 | THEOREM InitProperty == Init => InductiveInvariant 36 | BY NumberAssumption DEF Init, InductiveInvariant 37 | 38 | AXIOM GCDProperty1 == \A p \in Number : GCD(p, p) = p 39 | AXIOM GCDProperty2 == \A p, q \in Number : GCD(p, q) = GCD(q, p) 40 | AXIOM GCDProperty3 == \A p, q \in Number : (p < q) => GCD(p, q) = GCD(p, q-p) 41 | 42 | THEOREM NextProperty == InductiveInvariant /\ Next => InductiveInvariant' 43 | <1> SUFFICES ASSUME InductiveInvariant, Next 44 | PROVE InductiveInvariant' 45 | OBVIOUS 46 | <1> USE DEF InductiveInvariant, Next 47 | <1>1. (x < y) \/ (y < x) 48 | OBVIOUS 49 | <1>a. CASE x < y 50 | <2>1. (y - x \in Number) /\ ~(y < x) 51 | BY <1>a, SMT DEF Number 52 | <2>2. QED 53 | BY <1>a, <2>1, GCDProperty3 54 | <1>b. CASE y < x 55 | <2>1. (x - y \in Number) /\ ~(x < y) 56 | BY <1>b, SMT DEF Number 57 | <2>2. GCD(y', x') = GCD(y, x) 58 | BY <1>b, <2>1, GCDProperty3 59 | <2>4. QED 60 | BY <1>b, <2>1, <2>2, GCDProperty2 61 | <1> QED 62 | BY <1>1, <1>a, <1>b 63 | 64 | THEOREM Correctness == Spec => []ResultCorrect 65 | <1>1 InductiveInvariant /\ UNCHANGED <> => InductiveInvariant' 66 | BY DEF InductiveInvariant 67 | <1>2 Spec => []InductiveInvariant 68 | BY PTL, InitProperty, NextProperty, <1>1 DEF Spec 69 | <1>3 InductiveInvariant => ResultCorrect 70 | BY GCDProperty1 DEF InductiveInvariant, ResultCorrect 71 | <1> QED 72 | BY PTL, <1>2, <1>3 73 | 74 | ======================================================= 75 | -------------------------------------------------------------------------------- /examples/Makefile: -------------------------------------------------------------------------------- 1 | 2 | 3 | default: 4 | : This makefile only supports 'make clean'. 5 | 6 | clean: 7 | find . -name '*.tlaps' -o -name '*.toolbox' | xargs rm -rf 8 | -------------------------------------------------------------------------------- /examples/README: -------------------------------------------------------------------------------- 1 | Example TLA+ proofs. 2 | 3 | 4 | Allocator.tla: 5 | allocator managing a set of resources 6 | 7 | Bakery.tla 8 | AtomicBakery.tla 9 | AtomicBakeryWithoutSMT.tla 10 | different versions of Lamport's bakery algorithm, 11 | Bakery.tla being the most faithful representation 12 | with non-atomic operations on shared registers 13 | 14 | BubbleSort.tla 15 | the classic BubbleSort algorithm as a PlusCal 16 | algorithm, and its correctness proof 17 | 18 | Euclid.tla 19 | proofs about Euclid's algorithm for computing the 20 | GCD of two positive integers, cf. the TLAPS tutorial 21 | 22 | Peterson.tla: 23 | Peterson's algorithm for mutual exclusion 24 | between two processes using shared memory 25 | 26 | SimpleMutex.tla: 27 | the essence of many mutual exclusion protocols 28 | 29 | SumAndMax.tla: 30 | a simple challenge problem from VSTTE 2010 31 | 32 | ------------------------------------------------------------ 33 | Sub-directories: 34 | 35 | paxos/Paxos.tla 36 | TLA+ specification of the Paxos consensus algorithm 37 | and a proof of its correctness (safety) 38 | 39 | two-phase/*.tla 40 | two-phase handshake 41 | 42 | cantor/Cantor*.tla 43 | several proofs of Cantor's theorem using TLA+'s 44 | hierarchical proof language 45 | 46 | consensus/PaxosProof.tla 47 | high level specification of Consensus with two 48 | refinements implementing an abstract Paxos algorithm 49 | (incomplete and largely superseded by paxos/) 50 | 51 | data/*.tla 52 | various theorems on sets, sequences and graphs (incomplete) 53 | 54 | 55 | -------------------------------------------------------------------------------- /examples/cantor/Cantor1.tla: -------------------------------------------------------------------------------- 1 | (* Contributed by Damien Doligez *) 2 | 3 | -------------- MODULE Cantor1 ----------------- 4 | THEOREM cantor == 5 | \A S : 6 | \A f \in [S -> SUBSET S] : 7 | \E A \in SUBSET S : 8 | \A x \in S : 9 | f [x] # A 10 | PROOF 11 | <1>1. TAKE S 12 | <1>2. TAKE f \in [S -> SUBSET S] 13 | <1>3. DEFINE T == { z \in S : z \notin f[z] } 14 | <1>4. WITNESS T \in SUBSET S 15 | <1>5. TAKE x \in S 16 | <1>6. QED BY x \in T \/ x \notin T 17 | =============================================== 18 | -------------------------------------------------------------------------------- /examples/cantor/Cantor10.tla: -------------------------------------------------------------------------------- 1 | ------------------------------ MODULE Cantor10 ------------------------------ 2 | (***************************************************************************) 3 | (* Cantor's theorem: no function from a set to its powerset is surjective. *) 4 | (***************************************************************************) 5 | THEOREM Cantor == 6 | \A S, f : 7 | \E A \in SUBSET S : 8 | \A x \in S : 9 | f [x] # A 10 | <1> SUFFICES 11 | ASSUME NEW S, NEW f 12 | PROVE \E A \in SUBSET S : \A x \in S : f[x] # A 13 | OBVIOUS 14 | <1> WITNESS { z \in S : z \notin f[z] } \in SUBSET S 15 | <1> QED OBVIOUS 16 | 17 | (***************************************************************************) 18 | (* Corollary: no set is universal. *) 19 | (***************************************************************************) 20 | THEOREM NoSetContainsAllValues == 21 | \A S : \E x : x \notin S 22 | <1>. SUFFICES 23 | ASSUME NEW S, 24 | \A x : x \in S 25 | PROVE FALSE 26 | OBVIOUS 27 | <1>. DEFINE f == [x \in S |-> x] 28 | <1>. ASSUME NEW A \in SUBSET S 29 | PROVE \E x \in S : f[x] = A 30 | <2>. WITNESS A \in S 31 | <2>. QED 32 | OBVIOUS 33 | <1>. QED 34 | BY Cantor 35 | 36 | 37 | ============================================================================= 38 | \* Modification History 39 | \* Last modified Sun Aug 29 17:27:32 PDT 2010 by lamport 40 | \* Created Sun Aug 29 17:25:20 PDT 2010 by lamport 41 | -------------------------------------------------------------------------------- /examples/cantor/Cantor2.tla: -------------------------------------------------------------------------------- 1 | (* Contributed by Leslie Lamport *) 2 | 3 | -------------- MODULE Cantor2 ------------------ 4 | THEOREM cantor == 5 | \A S : 6 | \A f \in [S -> SUBSET S] : 7 | \E A \in SUBSET S : 8 | \A x \in S : 9 | f [x] # A 10 | <1>1. SUFFICES 11 | ASSUME NEW S, 12 | NEW f \in [S -> SUBSET S] 13 | PROVE \E A \in SUBSET S : 14 | \A x \in S : f [x] # A 15 | OBVIOUS 16 | <1>2. DEFINE T == {z \in S : z \notin f [z]} 17 | <1>3. SUFFICES ASSUME NEW x \in S 18 | PROVE f[x] # T 19 | <2>1. WITNESS T \in SUBSET S 20 | <2>2. QED OBVIOUS 21 | <1>4. CASE x \in T 22 | <2>1. x \notin f [x] BY <1>4 23 | <2>2. QED BY <2>1 24 | <1>5. CASE x \notin T 25 | <2>1. x \in f [x] BY <1>3, <1>5 26 | <2>2. QED BY <2>1 27 | <1>6. QED 28 | BY <1>4, <1>5 29 | =============================================== 30 | -------------------------------------------------------------------------------- /examples/cantor/Cantor3.tla: -------------------------------------------------------------------------------- 1 | (* Contributed by Leslie Lamport *) 2 | 3 | -------------- MODULE Cantor3 ------------------ 4 | THEOREM cantor == 5 | \A S : 6 | \A f \in [S -> SUBSET S] : 7 | \E A \in SUBSET S : 8 | \A x \in S : 9 | f [x] # A 10 | <1>1. ASSUME NEW S, 11 | NEW f \in [S -> SUBSET S] 12 | PROVE \E A \in SUBSET S : 13 | \A x \in S : f [x] # A 14 | <2>1. DEFINE T == {z \in S : z \notin f [z]} 15 | <2>2. \A x \in S : f [x] # T 16 | <3>1. ASSUME NEW x \in S 17 | PROVE f[x] # T 18 | <4>1. CASE x \in T 19 | <5>1. x \notin f [x] BY <4>1 20 | <5>2. QED BY <5>1 21 | <4>2. CASE x \notin T 22 | <5>1. x \in f [x] BY <4>2 23 | <5>2. QED BY <5>1 24 | <4>3. QED BY <4>1, <4>2 25 | <3>2. QED BY <3>1 26 | <2>3. QED 27 | <3>1. WITNESS T \in SUBSET S 28 | <3>2. QED BY <2>2 29 | <1>2. QED BY <1>1 30 | =============================================== 31 | -------------------------------------------------------------------------------- /examples/cantor/Cantor4.tla: -------------------------------------------------------------------------------- 1 | (* Contributed by Stephan Merz *) 2 | 3 | -------------- MODULE Cantor4 ------------------ 4 | THEOREM cantor == 5 | \A S : 6 | \A f \in [S -> SUBSET S] : 7 | \E A \in SUBSET S : 8 | \A x \in S : 9 | f [x] # A 10 | <1>. TAKE S 11 | <1>. TAKE f \in [S -> SUBSET S] 12 | <1>. DEFINE T == {z \in S : z \notin f[z]} 13 | <1>1. \A x \in S : f[x] # T 14 | <2>. TAKE x \in S 15 | <2>1. CASE x \in T 16 | <3>1. x \notin f[x] BY <2>1 17 | <3>2. QED BY <3>1 18 | <2>2. CASE x \notin T 19 | <3>1. x \in f[x] BY <2>2 20 | <3>2. QED BY <3>1 21 | <2>3. QED BY <2>1, <2>2 22 | <1>. WITNESS T \in SUBSET S 23 | <1>. QED BY <1>1 24 | =============================================== 25 | -------------------------------------------------------------------------------- /examples/cantor/Cantor5.tla: -------------------------------------------------------------------------------- 1 | (* Contributed by Damien Doligez *) 2 | 3 | -------------- MODULE Cantor5 ------------------ 4 | THEOREM cantor == 5 | \A S, f : 6 | \E A \in SUBSET S : 7 | \A x \in S : 8 | f [x] # A 9 | <1>1. ASSUME NEW S, NEW f 10 | PROVE \E A \in SUBSET S : \A x \in S : f[x] # A 11 | <2> WITNESS { z \in S : z \notin f[z] } \in SUBSET S 12 | <2> QED OBVIOUS 13 | <1> QED BY <1>1 14 | =============================================== 15 | -------------------------------------------------------------------------------- /examples/cantor/Cantor6.tla: -------------------------------------------------------------------------------- 1 | (* Contributed by Damien Doligez *) 2 | 3 | -------------- MODULE Cantor6 ------------------ 4 | THEOREM cantor == 5 | \A S, f : 6 | \E A \in SUBSET S : 7 | \A x \in S : 8 | f [x] # A 9 | <1> TAKE S 10 | <1> TAKE f 11 | <1> WITNESS { z \in S : z \notin f[z] } \in SUBSET S 12 | <1> QED OBVIOUS 13 | =============================================== 14 | -------------------------------------------------------------------------------- /examples/cantor/Cantor7.tla: -------------------------------------------------------------------------------- 1 | (* Contributed by Damien Doligez *) 2 | 3 | -------------- MODULE Cantor7 ------------------ 4 | THEOREM cantor == 5 | \A S, f : 6 | \E A \in SUBSET S : 7 | \A x \in S : 8 | f [x] # A 9 | <1> SUFFICES 10 | ASSUME NEW S, NEW f 11 | PROVE \E A \in SUBSET S : \A x \in S : f[x] # A 12 | OBVIOUS 13 | <1> WITNESS { z \in S : z \notin f[z] } \in SUBSET S 14 | <1> QED OBVIOUS 15 | =============================================== 16 | -------------------------------------------------------------------------------- /examples/cantor/Cantor8.tla: -------------------------------------------------------------------------------- 1 | -------------- MODULE Cantor8 -------------- 2 | 3 | Range (f) == { f[x] : x \in DOMAIN f } 4 | 5 | Surj (f, S) == S \subseteq Range (f) 6 | 7 | THEOREM Cantor == 8 | \A S : ~ \E f \in [S -> SUBSET S] : Surj (f, SUBSET S) 9 | PROOF 10 | <1>1. ASSUME NEW S, 11 | \E f \in [S -> SUBSET S] : Surj (f, SUBSET S) 12 | PROVE FALSE 13 | <2>. PICK f \in [S -> SUBSET S] : Surj (f, SUBSET S) 14 | BY <1>1 15 | <2>2. ~ Surj (f, SUBSET S) 16 | <3>1. DEFINE D == {x \in S : x \notin f[x]} 17 | <3>2. D \in SUBSET S 18 | OBVIOUS 19 | <3>3. D \notin Range (f) 20 | BY DEF Range 21 | <3>4. QED BY <3>2, <3>3 DEF Surj 22 | <2>3. QED BY <2>2 23 | <1>2. QED BY <1>1 24 | 25 | ==== 26 | -------------------------------------------------------------------------------- /examples/cantor/Cantor9.tla: -------------------------------------------------------------------------------- 1 | -------------- MODULE Cantor9 -------------- 2 | 3 | Range (f) == { f[x] : x \in DOMAIN f } 4 | 5 | Surj (f, S) == S \subseteq Range (f) 6 | 7 | THEOREM Cantor == 8 | ~ \E f : Surj (f, SUBSET (DOMAIN f)) 9 | <1>1. SUFFICES ASSUME \E f : Surj (f, SUBSET (DOMAIN f)) 10 | PROVE FALSE 11 | OBVIOUS 12 | <1>. PICK f : Surj (f, SUBSET (DOMAIN f)) 13 | BY <1>1!1!1 14 | <1>3. ~ Surj (f, SUBSET (DOMAIN f)) 15 | <2>1. DEFINE D == {x \in DOMAIN f : x \notin f[x]} 16 | <2>2. D \in SUBSET (DOMAIN f) OBVIOUS 17 | <2>3. D \notin Range (f) BY DEF Range 18 | <2>4. QED BY <2>2, <2>3 DEF Surj 19 | <1>4. QED BY <1>3 20 | 21 | ==== 22 | -------------------------------------------------------------------------------- /examples/consensus/Consensus.tla: -------------------------------------------------------------------------------- 1 | ----------------------------- MODULE Consensus ------------------------------ 2 | EXTENDS Sets, TLAPS 3 | 4 | CONSTANT Value 5 | 6 | VARIABLE chosen 7 | 8 | Init == chosen = {} 9 | Next == /\ chosen = {} 10 | /\ \E v \in Value : chosen' = {v} 11 | Spec == Init /\ [][Next]_chosen 12 | 13 | ----------------------------------------------------------------------------- 14 | 15 | Inv == /\ chosen \subseteq Value 16 | /\ IsFiniteSet(chosen) 17 | /\ Cardinality(chosen) \leq 1 18 | 19 | ----------------------------------------------------------------------------- 20 | 21 | THEOREM Invariance == Spec => []Inv 22 | <1>1 Init => Inv 23 | BY CardinalityZero, SMT DEFS Init, Inv 24 | <1>2. Inv /\ [Next]_chosen => Inv' 25 | BY CardinalityOne, SMT DEFS Next, Inv 26 | <1>3 QED 27 | PROOF BY <1>1,<1>2,PTL DEF Spec 28 | 29 | ============================================================================= 30 | -------------------------------------------------------------------------------- /examples/paxos/Consensus.tla: -------------------------------------------------------------------------------- 1 | ----------------------------- MODULE Consensus ----------------------------- 2 | (***************************************************************************) 3 | (* This is a trivial specification of consensus. It asserts that the *) 4 | (* variable `chosen', which represents the set of values that someone *) 5 | (* might think has been chosen is initially empty and can be changed only *) 6 | (* by adding a single element to it. *) 7 | (***************************************************************************) 8 | CONSTANTS Acceptors, Values 9 | 10 | VARIABLE chosen 11 | 12 | Init == chosen = {} 13 | 14 | Next == /\ chosen = {} 15 | /\ \E v \in Values : chosen' = chosen \cup {v} 16 | 17 | Spec == Init /\ [][Next]_chosen 18 | 19 | ============================================================================= 20 | \* Modification History 21 | \* Last modified Wed Nov 21 11:35:33 PST 2012 by lamport 22 | \* Created Mon Nov 19 15:19:09 PST 2012 by lamport 23 | -------------------------------------------------------------------------------- /examples/two-phase/Alternate.tla: -------------------------------------------------------------------------------- 1 | ------------------------------ MODULE Alternate ----------------------------- 2 | (***************************************************************************) 3 | (* This specifies a system that alternately performs two actions, which *) 4 | (* for now I will call A_0 and A_1. It uses a variable v whose value *) 5 | (* alternates between 0 and 1, performing an A_0 action when v changes *) 6 | (* from 0 to 1, and an A_1 action when v changes from 1 to 0. *) 7 | (* *) 8 | (* We let the variable x to represent the part of the state that is *) 9 | (* changed by the A_0 and A_1 actions. We introduce two constant *) 10 | (* operators XInit and XAct, where XInit(x) is assumed to assert that x *) 11 | (* has a correct initial value, and XAct(i, xInit, xNext) is assumed to *) 12 | (* assert that changing the value of x from xInit to xNext represent an *) 13 | (* A_i action, for i=0, 1. *) 14 | (***************************************************************************) 15 | EXTENDS Naturals 16 | VARIABLE v, x 17 | CONSTANT XInit(_), XAct(_, _, _) 18 | 19 | Init == v = 0 /\ XInit(x) 20 | Next == v' = (v + 1) % 2 /\ XAct(v, x, x') 21 | 22 | Spec == Init /\ [][Next]_<> 23 | 24 | (***************************************************************************) 25 | (* A philosophically correct spec would actually be *) 26 | (* *) 27 | (* \EE v : Spec *) 28 | (* *) 29 | (* which is the specification Spec with v hidden. However, engineers are *) 30 | (* interested in what works, not what is philosophically correct, so we *) 31 | (* don't worry about this. *) 32 | (***************************************************************************) 33 | ============================================================================ 34 | \* Generated at Sat Oct 31 02:58:46 PDT 2009 35 | -------------------------------------------------------------------------------- /generate_test_cases.sh: -------------------------------------------------------------------------------- 1 | #/bin/bash 2 | # runs the sany to xml converter on each file in test/resources/tla/*.tla and writes the 3 | # output to test/resources/xml/*.xml 4 | for I in test/tla/*tla; 5 | do 6 | ./tla2xml.sh -o -I library -I test/tla $I > `echo $I | sed s/tla/xml/g`; 7 | done 8 | -------------------------------------------------------------------------------- /jenkins/test_script.sh: -------------------------------------------------------------------------------- 1 | # OPAM configuration 2 | . /builds/.opam/opam-init/init.sh > /dev/null 2> /dev/null || true 3 | 4 | echo $USER 5 | echo $PATH 6 | 7 | #create xml file instead of stdout test results 8 | export TLAPM_TEST_OUTPUT=xml 9 | 10 | oasis setup 11 | ./configure --enable-tests 12 | make 13 | make test 14 | -------------------------------------------------------------------------------- /lib/sany.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tlaplus/tlapm_alternative_parser_experiment/8cc7103389d2b386982dd5fc85239f8cc02be9de/lib/sany.jar -------------------------------------------------------------------------------- /library/FiniteSets.tla: -------------------------------------------------------------------------------- 1 | ---------------------------- MODULE FiniteSets ----------------------------- 2 | LOCAL INSTANCE Naturals 3 | LOCAL INSTANCE Sequences 4 | (*************************************************************************) 5 | (* Imports the definitions from Naturals and Sequences, but doesn't *) 6 | (* export them. *) 7 | (*************************************************************************) 8 | 9 | IsFiniteSet(S) == 10 | (*************************************************************************) 11 | (* A set S is finite iff there is a finite sequence containing all its *) 12 | (* elements. *) 13 | (*************************************************************************) 14 | \E seq \in Seq(S) : \A s \in S : \E n \in 1..Len(seq) : seq[n] = s 15 | 16 | Cardinality(S) == 17 | (*************************************************************************) 18 | (* Cardinality is defined only for finite sets. *) 19 | (*************************************************************************) 20 | LET CS[T \in SUBSET S] == IF T = {} THEN 0 21 | ELSE 1 + CS[T \ {CHOOSE x : x \in T}] 22 | IN CS[S] 23 | ============================================================================= 24 | -------------------------------------------------------------------------------- /library/RealTime.tla: -------------------------------------------------------------------------------- 1 | ----------------------------- MODULE RealTime ------------------------------- 2 | EXTENDS Reals 3 | VARIABLE now 4 | 5 | RTBound(A, v, D, E) == 6 | LET TNext(t) == t' = IF <>_v \/ ~(ENABLED <>_v)' 7 | THEN 0 8 | ELSE t + (now'-now) 9 | 10 | Timer(t) == (t=0) /\ [][TNext(t)]_<> 11 | 12 | MaxTime(t) == [](t \leq E) 13 | 14 | MinTime(t) == [][A => t \geq D]_v 15 | IN \EE t : Timer(t) /\ MaxTime(t) /\ MinTime(t) 16 | ----------------------------------------------------------------------------- 17 | RTnow(v) == LET NowNext == /\ now' \in {r \in Real : r > now} 18 | /\ UNCHANGED v 19 | IN /\ now \in Real 20 | /\ [][NowNext]_now 21 | /\ \A r \in Real : WF_now(NowNext /\ (now'>r)) 22 | ============================================================================= 23 | -------------------------------------------------------------------------------- /nunchaku/path.txt: -------------------------------------------------------------------------------- 1 | /Users/Matthieu/.opam/system/bin/nunchaku 2 | -------------------------------------------------------------------------------- /nunchaku/prelude.nun: -------------------------------------------------------------------------------- 1 | val u : type [infinite]. 2 | val alpha_u : type [approx_of u]. 3 | val upcast : alpha_u -> u [upcast]. 4 | 5 | include "set-theory.nun". 6 | 7 | spec dom : u -> u 8 | and app : u -> u -> u := 9 | forall f g. (dom (upcast f) = dom (upcast g)) 10 | && (forall x. t_mem x (dom (upcast f)) 11 | => ((app (upcast f) x)=(app (upcast g) x))) 12 | => (f=g). 13 | -------------------------------------------------------------------------------- /nunchaku/set-theory.nun: -------------------------------------------------------------------------------- 1 | # SET THEORY 2 | # u, alpha_u and upcast should already be declared 3 | 4 | val mem_raw : u -> u -> prop. 5 | 6 | # extensionality 7 | axiom forall (A : alpha_u) (B : alpha_u). upcast A = upcast B || (exists (x : alpha_u). ~ (mem_raw (upcast x) (upcast A) = mem_raw (upcast x) (upcast B))). 8 | 9 | rec t_mem : u -> u -> prop := 10 | forall x y. t_mem x y = (mem_raw x y asserting ((exists a. upcast a = x) && (exists b. upcast b = y))). 11 | # forall x y. t_mem x y = unique_unsafe (fun P. P = mem_raw x y && (exists a. upcast a = x) && (exists b. upcast b = y)). 12 | 13 | val t_trans_mem : alpha_u -> alpha_u -> prop. 14 | 15 | # overapproximation of transitive closure 16 | axiom forall x (y : alpha_u). mem_raw (upcast x) (upcast y) => t_trans_mem x y. 17 | axiom forall x y (z : alpha_u). t_trans_mem x y && mem_raw (upcast y) (upcast z) => t_trans_mem x z. 18 | 19 | # acyclicity 20 | axiom forall x. ~ t_trans_mem x x. 21 | 22 | # empty set 23 | rec t_emptyset : u := 24 | t_emptyset = unique_unsafe (fun A. forall a. ~ mem_raw (upcast a) A && (exists a. upcast a = A)). 25 | 26 | # subset 27 | rec t_subset : u -> u -> prop := 28 | forall A B. t_subset A B = (forall a. t_mem (upcast a) A => t_mem (upcast a) B). 29 | 30 | # union 31 | rec t_union : u -> u -> u := 32 | forall A B. t_union A B = unique_unsafe (fun C. forall x. t_mem (upcast x) C = (t_mem (upcast x) A || t_mem (upcast x) B)). 33 | 34 | # intersection 35 | rec t_inter : u -> u -> u := 36 | forall A B. t_inter A B = unique_unsafe (fun C. forall x. t_mem (upcast x) C = (t_mem (upcast x) A && t_mem (upcast x) B)). 37 | 38 | # substraction 39 | rec t_minus : u -> u -> u := 40 | forall A B. t_minus A B = unique_unsafe (fun C. forall x. t_mem (upcast x) C = (t_mem (upcast x) A && ~(t_mem (upcast x) B))). 41 | 42 | # powerset 43 | rec t_Pow : u -> u := 44 | forall B. t_Pow B = unique_unsafe (fun C. forall A. t_mem (upcast A) C = t_subset (upcast A) B). 45 | 46 | # big union 47 | rec t_Union : u -> u := 48 | forall A. t_Union A = unique_unsafe (fun U. forall x. t_mem (upcast x) U = (exists X. t_mem (upcast x) (upcast X) && t_mem (upcast X) A)). 49 | -------------------------------------------------------------------------------- /opam: -------------------------------------------------------------------------------- 1 | opam-version: "1.2" 2 | name: "tlapm2" 3 | version: "dev" 4 | maintainer: "martin.riener@inria.fr" 5 | authors: ["Damien Doligez" "Matthieu Lequesne" "Tomer Libal" "Martin Riener"] 6 | homepage: "https://github.com/tlaplus/v2-tlapm" 7 | bug-reports: "https://github.com/tlaplus/v2-tlapm/issues" 8 | dev-repo: "https://github.com/tlaplus/v2-tlapm.git" 9 | build: [ 10 | ["oasis" "setup"] 11 | ["./configure" 12 | "--prefix" prefix 13 | "--disable-tests" 14 | "--enable-docs" 15 | ] 16 | [make "build"] 17 | ] 18 | build-doc: [ make "doc" ] 19 | build-test: [ make "test" ] 20 | install: [make "install"] 21 | remove: ["ocamlfind" "remove" "tlapm2"] 22 | depends: [ 23 | "ocamlfind" {build} 24 | "base-unix" 25 | "base-threads" 26 | "oasis" {build} 27 | "ocamlbuild" {build} 28 | "xmlm" {>= "1.2.0"} 29 | "sexplib" 30 | "result" 31 | "containers" {>= "1.0"} 32 | "kaputt" {test} 33 | ] 34 | depopts: [ 35 | ] 36 | -------------------------------------------------------------------------------- /run-test.sh: -------------------------------------------------------------------------------- 1 | echo "--- TLA -> XML ---" 2 | /usr/bin/java -jar lib/sany.jar -o -I ./library/ nun/tests.tla > nun/tests.xml 3 | echo "--- Compiling TLA with tests ---" 4 | make test 5 | echo "--- Calling TLA ---" 6 | ./tlapm.byte nun/tests.xml 7 | echo "--- Opening file ---" 8 | open nun/simple.txt 9 | open nun/complex.txt -------------------------------------------------------------------------------- /spec/PM-Spec.tex: -------------------------------------------------------------------------------- 1 | \documentclass[10pt]{article} 2 | \usepackage{latexsym, amssymb, graphics} 3 | \usepackage[colorlinks=true,urlcolor=cyan]{hyperref} 4 | \usepackage{amsmath} 5 | \usepackage[usenames,dvipsnames]{color} 6 | \usepackage[left=1in, right=1in, top=0.4in, bottom=0.4in]{geometry} 7 | 8 | 9 | \usepackage{tikz} 10 | \usetikzlibrary{arrows, decorations.markings} 11 | 12 | \tikzstyle{vecArrow} = [thick, decoration={markings,mark=at position 13 | 1 with {\arrow[semithick]{open triangle 60}}}, 14 | double distance=5pt, shorten >= 5.5pt, 15 | preaction = {decorate}, 16 | postaction = {draw,line width=5pt, white,shorten >= 4.5pt}] 17 | \tikzstyle{innerWhite} = [semithick, white,line width=5pt, shorten >= 4.5pt] 18 | 19 | 20 | \title{TLA+ Proof Manager - Specification} 21 | \author{Jael E. Kriener} 22 | 23 | \begin{document} 24 | 25 | \maketitle 26 | 27 | \section{What} 28 | 29 | The PM interacts with its surroundings as follows: 30 | 31 | 32 | \begin{figure}[h] 33 | 34 | \begin{tikzpicture}[thick, main node/.style={rectangle, thick, draw, rounded corners=5, align=center}] 35 | \node[main node] (I1) [ ] {.tla-file\\ \emph{(not file\bf{s})}}; 36 | \node[main node] (I2) [below of=I1, yshift=-20pt ] {command line}; 37 | \node[main node] (PM) [right of=I1, xshift=150pt, yshift=-25pt, text width=150, minimum size=100pt] {PM}; 38 | \node[main node] (TB) [right of=PM, xshift=150pt, minimum size=50pt] {ToolBox}; 39 | \node[main node] (BEs) [below of=PM, yshift=-75pt, text width=150pt] {Backends}; 40 | \node[main node] (SN) [right of=PM, xshift=-80pt] {\ \\S\\A\\N\\Y\\}; 41 | 42 | 43 | \path[->, rounded corners, thick, draw=blue] 44 | (I1) edge [] node [] {} (PM.160) 45 | (I2) edge [] node [] {} (PM.195) 46 | (PM.230) edge [] node [left] {pretty printed obligations} (BEs.170) 47 | (BEs.10) edge [] node [right] {results} (PM.310) 48 | (TB.210) edge [] node [above, yshift=5pt] {see Sect.~\ref{sect:TB-PM-Comms}} (PM.350) 49 | ; 50 | 51 | \draw[vecArrow, draw=blue] (PM.370) to (TB.160); 52 | \end{tikzpicture} 53 | 54 | 55 | \caption{Overview: Input-Output of the PM} 56 | \end{figure} 57 | 58 | 59 | \subsection{ToolBox - Proof Manager Communications Protocol}\label{sect:TB-PM-Comms} 60 | ToDo: record 61 | 62 | \section{How} 63 | 64 | 65 | 66 | 67 | \section{Code} 68 | 69 | 70 | 71 | \end{document} 72 | -------------------------------------------------------------------------------- /src/README.md: -------------------------------------------------------------------------------- 1 | # A short description of src files 2 | 3 | * commons - data strcutures shared between all layers. Like location, 4 | etc. 5 | * errors 6 | * fpfile 7 | * method 8 | * params 9 | * revision 10 | * sysconf 11 | * tlapm_args 12 | * toolbox 13 | * types 14 | * version 15 | * config 16 | * expr 17 | * ext 18 | * loc - locations, like properties, it should be removed. locations are 19 | now defined in commons. 20 | * obligations - obligations data structures. This layer holds the data 21 | strcuture which form the boligations used to compute the input for 22 | backend theorem provers. 23 | * property - hold mutable data. This file was improted from V1 for 24 | compilation old code but should be removed asap. 25 | * sany - sany data structures. This layer holds the data structure as 26 | imported from sany. It is different from TLA input data as it flatten 27 | and combine the specs, add level information, etc. 28 | * timing 29 | * tlapm - the main file. it lunch the java sany program, reads the 30 | generated xml and create a DS in the sany layer, apply 31 | trransformations between the other layers until reaching the obligations 32 | later and schedule the work of the backend provers on these obligations. 33 | In addition it checks fp, etc. 34 | * toolbox_msg 35 | * util 36 | 37 | -------------------------------------------------------------------------------- /src/arg_handler.mli: -------------------------------------------------------------------------------- 1 | open Settings 2 | 3 | val handle_arguments : string array -> settings 4 | -------------------------------------------------------------------------------- /src/backends/isabelle.ml: -------------------------------------------------------------------------------- 1 | open Expr_ds 2 | open Expr_visitor 3 | open Obligation 4 | open Backend_exceptions 5 | open CCFormat 6 | open Toolbox 7 | 8 | 9 | type ppacc = term_db * op_def list * formal_param list * unit printer 10 | 11 | let unsupported msg = 12 | raise (ExternalToolFailed (Commons.Isabelle, "Unsupported element", msg) ) 13 | 14 | class gen_isa_pp = object(self) 15 | inherit [ppacc] term_visitor as super 16 | 17 | method expr acc = failwith "implement!" 18 | method decimal acc = failwith "implement!" 19 | method numeral acc = failwith "implement!" 20 | method strng acc = failwith "implement!" 21 | method at acc = failwith "implement!" 22 | method op_appl acc = failwith "implement!" 23 | method binder acc = failwith "implement!" 24 | method lambda acc = failwith "implement!" 25 | method op_arg acc = failwith "implement!" 26 | method operator acc = failwith "implement!" 27 | method bound_symbol acc = failwith "implement!" 28 | method bounded_bound_symbol acc = failwith "implement!" 29 | method unbounded_bound_symbol acc = failwith "implement!" 30 | method formal_param acc = failwith "implement!" 31 | method op_decl acc = failwith "implement!" 32 | method op_def acc = failwith "implement!" 33 | method builtin_op acc = failwith "implement!" 34 | method user_defined_op acc = failwith "implement!" 35 | 36 | (* identical: expr_or_op_arg, *) 37 | end 38 | 39 | let encode fmt e = 40 | fprintf fmt "(* here comes the goal *)@,"; 41 | () 42 | 43 | let debug msg = 44 | Format.printf "%s@." msg 45 | 46 | 47 | let fmt_isabelle = ( fun fmt (fn, obl) -> 48 | fprintf fmt "(* automatically generated *)@,"; 49 | fprintf fmt "theory %s imports Constant Zenon begin@," fn; 50 | encode fmt (obl.goal); 51 | fprintf fmt "end"; 52 | fprintf fmt "(* end of file *)@,"; 53 | ) |> CCFormat.vbox 54 | -------------------------------------------------------------------------------- /src/backends/runners.ml: -------------------------------------------------------------------------------- 1 | open Obligation 2 | open Nunchaku 3 | open Isabelle 4 | open Toolbox 5 | open Backend_exceptions 6 | open CCFormat 7 | 8 | let run_nunchaku settings obligation = 9 | let f obligation = 10 | try 11 | let result = nunchaku_result_printer 12 | (nunchaku settings obligation obligation.id) in 13 | match result with 14 | | Some message -> 15 | let toolbox_msg = { 16 | id = obligation.id; 17 | location = obligation.location; 18 | status = Countermodel; 19 | prover = Some Commons.Nunchaku; 20 | meth = None; 21 | already_processed = Some false; 22 | obligation_string = Some message; 23 | } 24 | in 25 | print_string "\n\n"; 26 | fmt_toolbox_msg Format.err_formatter toolbox_msg; 27 | Some toolbox_msg 28 | | None -> None 29 | with 30 | | UnhandledLanguageElement (_, _) -> 31 | None (* fail gracefully for unhandled constructs *) 32 | in 33 | f obligation 34 | 35 | let run_isabelle settings obl = 36 | let file, channel = 37 | Filename.open_temp_file ?mode:(Some [Open_binary]) "isabelle" ".thy" in 38 | let fn = Filename.basename file |> Filename.chop_extension in 39 | let file_quoted = Filename.quote file in 40 | "isabelle tempfile: " ^ file |> debug; 41 | let fmt = Format.formatter_of_out_channel channel in 42 | begin 43 | try 44 | fprintf fmt "%a@." fmt_isabelle (fn, obl) 45 | with 46 | | e -> 47 | close_out channel; 48 | raise e 49 | end; 50 | let cmd = sprintf "cat %s | isabelle tty -l TLA+ " file_quoted in 51 | debug ("executing: '"^cmd^"'"); 52 | match Process.call_exec settings Commons.Isabelle cmd 53 | Process.process_stdout with 54 | | Process.Ok _ -> 55 | debug ("isabelle proved " ^ fn); 56 | Some Proved 57 | | Process.Error (n, m) -> 58 | let msg = 59 | Format.asprintf "isabelle failed for %s with code %d and msg\n%s" fn n m in 60 | debug msg; 61 | Some Failed 62 | -------------------------------------------------------------------------------- /src/backends/runners.mli: -------------------------------------------------------------------------------- 1 | open Settings 2 | open Obligation 3 | open Toolbox 4 | 5 | val run_nunchaku : settings -> obligation -> toolbox_msg option 6 | val run_isabelle : settings -> obligation -> toolbox_status option 7 | -------------------------------------------------------------------------------- /src/config.ml: -------------------------------------------------------------------------------- 1 | (* -*- mode: tuareg; -*- *) 2 | (* variables provided by configure *) 3 | 4 | let ocaml_version = "4.01.0" ;; 5 | 6 | let debug = "no" = "yes" ;; 7 | 8 | let exe = "" ;; 9 | -------------------------------------------------------------------------------- /src/core/backend_exceptions.ml: -------------------------------------------------------------------------------- 1 | open Commons 2 | 3 | exception UnhandledLanguageElement of prover * string 4 | 5 | exception ExternalToolFailed of prover * string * string 6 | -------------------------------------------------------------------------------- /src/core/backend_exceptions.mli: -------------------------------------------------------------------------------- 1 | open Commons 2 | (** This module contains exceptions which are thrown by backends. **) 3 | 4 | exception UnhandledLanguageElement of prover * string 5 | (** A backend usually supports only a subset of TLA. This exception is used to 6 | signal such an unhandled structure. Since enumerating all unhandled types 7 | is unfeasible, a string description of the element is passed. *) 8 | 9 | exception ExternalToolFailed of prover * string * string 10 | (** A backend might fail for some reason - the first argument - and pass 11 | additional debug output - the second argument. 12 | *) 13 | -------------------------------------------------------------------------------- /src/core/commons.mli: -------------------------------------------------------------------------------- 1 | (* Copyright (C) 2014 MSR-INRIA 2 | * Author: TL 3 | *) 4 | open Format 5 | 6 | (** 7 | Tlapm datatypes are constructed in layers, 8 | where each layer is obtained from a previous one 9 | by the use of a transformation. 10 | The first layer is obtained from SANY and the last one 11 | contains the obligations shipped to the backends. 12 | 13 | This file contains common definitions shared by all layers. 14 | *) 15 | 16 | type int_range = { 17 | rbegin : int; 18 | rend : int 19 | } 20 | 21 | type location = { 22 | column : int_range; 23 | line : int_range; 24 | filename: string 25 | } 26 | 27 | type level = 28 | | ConstantLevel 29 | | StateLevel 30 | | TransitionLevel 31 | | TemporalLevel 32 | 33 | type op_decl_kind = 34 | | ConstantDecl 35 | | VariableDecl 36 | | BoundSymbol 37 | | NewConstant 38 | | NewVariable 39 | | NewState 40 | | NewAction 41 | | NewTemporal 42 | 43 | type prover = 44 | | Isabelle 45 | | Zenon 46 | | SMT 47 | | LS4 48 | | Tlaps 49 | | Nunchaku 50 | | Default 51 | 52 | (** Creates a range from 0 to 0. *) 53 | val mkDummyRange : int_range 54 | 55 | (** Creates a location at line 0 to 0, column 0 to 0. *) 56 | val mkDummyLocation : location 57 | 58 | val toplevel_loation : location 59 | (** Location for the toplevel *) 60 | 61 | val format_location : location -> string 62 | val fmt_location : formatter -> location -> unit 63 | 64 | val fmt_location : formatter -> location -> unit 65 | val fmt_int_range : formatter -> int_range -> unit 66 | 67 | val format_prover : prover -> string 68 | 69 | val fmt_prover : formatter -> prover -> unit 70 | 71 | val format_op_decl_kind : op_decl_kind -> string 72 | 73 | val lmax : level -> level -> level 74 | 75 | val level_of_op_decl_kind : op_decl_kind -> (level, string) Result.result 76 | -------------------------------------------------------------------------------- /src/core/obligation.mli: -------------------------------------------------------------------------------- 1 | open Commons 2 | open Expr_ds 3 | 4 | type obligation_type = 5 | | Formula 6 | | Suffices 7 | | Have 8 | | Take 9 | | Witness 10 | | Qed 11 | 12 | type obligation = { 13 | (* obligation id *) 14 | id : int; 15 | 16 | (* actual obligation, without expansion *) 17 | goal : node; 18 | 19 | (* the location of the obligation *) 20 | location : location; 21 | 22 | (* the expanded definitions *) 23 | expanded_defs : op_def list; 24 | 25 | (* the backend provers to handle the obligation *) 26 | provers : prover list; 27 | 28 | (* the term database *) 29 | term_db : term_db; 30 | 31 | (* visible theorems etc. not sure if we need that *) 32 | constants : op_decl list; 33 | variables : op_decl list; 34 | definitions : op_def list ; 35 | assumptions : assume list ; 36 | theorems : theorem list ; 37 | } 38 | -------------------------------------------------------------------------------- /src/expr/expr.ml: -------------------------------------------------------------------------------- 1 | module T = Expr_ds 2 | module C = Expr_constructors.Constr 3 | module B = Expr_builtins.Builtin 4 | module D = Expr_dereference.Deref 5 | module S = Expr_substitution 6 | module U = Expr_utils 7 | module Tdb = Expr_termdb_utils 8 | 9 | -------------------------------------------------------------------------------- /src/expr/expr.mli: -------------------------------------------------------------------------------- 1 | (* module T = Expr_ds *) 2 | module C = Expr_constructors.Constr 3 | module B = Expr_builtins.Builtin 4 | module D = Expr_dereference.Deref 5 | module S = Expr_substitution 6 | module U = Expr_utils 7 | module Tdb = Expr_termdb_utils 8 | -------------------------------------------------------------------------------- /src/expr/expr_builtins.mli: -------------------------------------------------------------------------------- 1 | open Expr_ds 2 | open CCFormat 3 | 4 | module Builtin : sig 5 | exception BuiltinNotFound of string * string 6 | 7 | type builtin_symbol = 8 | (* logical operators *) 9 | | TRUE 10 | | FALSE 11 | | EQ 12 | | NEQ 13 | | NOT 14 | | AND 15 | | OR 16 | (* quantifiers *) 17 | | IMPLIES 18 | | FORALL 19 | | EXISTS 20 | | BFORALL 21 | | BEXISTS 22 | (* temporal operators *) 23 | | PRIME 24 | | ENABLED 25 | | TFORALL 26 | | TEXISTS 27 | | BOX 28 | | DIAMOND 29 | | SQ_BRACK 30 | | ANG_BRACK 31 | | WF 32 | | SF 33 | (* tuples, functions, records *) 34 | | TUPLE 35 | | FUN_APP 36 | | FUN_CONSTR 37 | | RCD_CONSTR 38 | | SET_ENUM 39 | | SET_MEMBER 40 | | IF_THEN_ELSE 41 | 42 | val get : term_db -> builtin_symbol -> builtin_op 43 | (** Fetches a builtin symbol from the term db. Raises BuiltinNotFound if it is 44 | not in the db. *) 45 | 46 | val string_of_builtin : builtin_symbol -> string 47 | (** obtain the sany string representation of builtin *) 48 | val builtin_of_string : string -> builtin_symbol 49 | (** parse a string to a builtin symbol *) 50 | val pp : builtin_symbol printer 51 | (** printer for builtin *) 52 | val complete_builtins : term_db -> term_db 53 | (** Extends the given term db by all missing builtins. *) 54 | end 55 | -------------------------------------------------------------------------------- /src/expr/expr_correct_lambda.mli: -------------------------------------------------------------------------------- 1 | open Commons 2 | open Expr_ds 3 | open Util 4 | 5 | class correct_lambda : object 6 | inherit [term_db * user_defined_op_ IntMap.t] Expr_map2.expr_map 7 | end 8 | 9 | val correct_lambda_context : context -> context 10 | -------------------------------------------------------------------------------- /src/expr/expr_dereference.ml: -------------------------------------------------------------------------------- 1 | open Expr_ds 2 | open Expr_utils 3 | open List 4 | 5 | module Deref = struct 6 | let find_entry unpack entries i = 7 | let elem = try 8 | assoc i entries 9 | with 10 | | Not_found -> 11 | failwith ("Could not find entry for reference " ^ 12 | (string_of_int i) ^ "!") 13 | in 14 | unpack elem 15 | 16 | let builtin_op term_db = function 17 | | BOP_ref r -> 18 | find_entry Unpack.builtin_op_entry term_db r 19 | 20 | let user_defined_op term_db = function 21 | | UOP_ref r -> 22 | find_entry Unpack.user_defined_op_entry term_db r 23 | 24 | let formal_param term_db = function 25 | | FP_ref i -> 26 | find_entry Unpack.fp_entry term_db i 27 | 28 | let op_decl term_db = function 29 | | OPD_ref x -> 30 | find_entry Unpack.opdecl_entry term_db x 31 | 32 | let module_instance term_db = function 33 | | MI_ref x -> 34 | find_entry Unpack.module_instance_entry term_db x 35 | 36 | let theorem_def term_db = function 37 | | TDef_ref x -> 38 | find_entry Unpack.theorem_def_entry term_db x 39 | 40 | let assume_def term_db = function 41 | | ADef_ref x -> 42 | find_entry Unpack.assume_def_entry term_db x 43 | 44 | let theorem term_db = function 45 | | THM_ref x -> 46 | find_entry Unpack.thm_entry term_db x 47 | 48 | let assume term_db = function 49 | | ASSUME_ref x -> 50 | find_entry Unpack.assume_entry term_db x 51 | 52 | let mule term_db = function 53 | | MOD_ref x -> 54 | find_entry Unpack.mod_entry term_db x 55 | 56 | let compare_modulo_deref_formal_param term_db ?cmp:(cmp=(=)) f1 f2 = 57 | let fp1i = formal_param term_db f1 in 58 | let fp2i = formal_param term_db f2 in 59 | cmp fp1i fp2i 60 | end 61 | -------------------------------------------------------------------------------- /src/expr/expr_formatter.mli: -------------------------------------------------------------------------------- 1 | open Expr_ds 2 | open Commons 3 | open CCFormat 4 | 5 | type nesting = Module | Expression | ProofStep of int | By 6 | type fc = Format.formatter * term_db * bool * nesting * int 7 | 8 | class formatter : 9 | object 10 | inherit [fc] Expr_visitor.visitor 11 | method translate_builtin_name : string -> string 12 | 13 | end 14 | 15 | (** An instance of the expression formatter *) 16 | val expr_formatter : formatter 17 | 18 | (** Creates a function which is compatible with printf's %a statement. *) 19 | val mk_printer : (fc -> 'a -> fc) -> 20 | term_db -> out_channel -> 'a -> unit 21 | 22 | 23 | val fmt_expr : term_db -> expr printer 24 | val fmt_assume_prove : term_db -> assume_prove printer 25 | val fmt_node : term_db -> node printer 26 | val fmt_statement : term_db -> statement printer 27 | val fmt_formal_param : term_db -> formal_param printer 28 | val fmt_expr_or_op_arg : term_db -> expr_or_op_arg printer 29 | val fmt_op_decl : term_db -> op_decl printer 30 | val fmt_bound_symbol : term_db -> bound_symbol printer 31 | val fmt_operator : term_db -> operator printer 32 | 33 | val prnt_expr : term_db -> out_channel -> expr -> unit 34 | val prnt_assume_prove : term_db -> out_channel -> assume_prove -> unit 35 | val prnt_statement : term_db -> out_channel -> statement -> unit 36 | -------------------------------------------------------------------------------- /src/expr/expr_parse_theorems.mli: -------------------------------------------------------------------------------- 1 | open Expr_ds 2 | 3 | (** removes all symbolic representations of proof steps 4 | (TAKE, PICK, SUFFICES, etc.) and introduces the explicit steps 5 | instead 6 | *) 7 | val expr_parse_theorems_context : context -> context 8 | -------------------------------------------------------------------------------- /src/expr/expr_prover_parser.mli: -------------------------------------------------------------------------------- 1 | open Commons 2 | open Expr_ds 3 | open Expr_builtins 4 | 5 | type fixity = 6 | | Standard 7 | | UnaryPrefix 8 | | UnaryPostfix 9 | | BinaryInfix 10 | | Special of Builtin.builtin_symbol 11 | 12 | val match_constant : term_db -> expr -> string option 13 | 14 | val match_function : term_db -> expr -> (string * expr_or_op_arg list) option 15 | 16 | val expr_to_prover : term_db -> expr -> prover option 17 | 18 | (* val match_prefix_op : term_db -> operator -> 19 | (string * formal_param * formal_param) option 20 | *) 21 | val match_infix_op : term_db -> operator -> bool 22 | 23 | val match_ternary_op : term_db -> operator -> string option 24 | 25 | val extract_fixity : string -> 'a list -> fixity 26 | val match_fixity_op : term_db -> operator -> fixity 27 | 28 | val prefix_names : string list 29 | val infix_names : string list 30 | val postfix_names : string list 31 | val ternary_names : string list 32 | 33 | val expand_ternary_name : string -> string * string * string 34 | -------------------------------------------------------------------------------- /src/expr/expr_substitution.mli: -------------------------------------------------------------------------------- 1 | open Expr_ds 2 | 3 | module Subst : 4 | sig 5 | type subst = Expr_ds.fp_assignment 6 | type substs = subst list 7 | 8 | val domain : substs -> formal_param list 9 | val range : term_db -> substs -> op_decl list 10 | val formal_params_in_range : term_db -> substs -> formal_param list 11 | 12 | (** rename a formal parameter to a name different from each of the arguments 13 | free, bound and defs *) 14 | val rename : term_db -> ?free:(op_decl list) -> ?bound:(formal_param list) 15 | -> ?defs:(op_def list) -> formal_param -> (term_db * formal_param) 16 | 17 | (** Looks for mapping of fp in substs. Lookups are done in the termdb. 18 | The default comparator is structural equality. 19 | *) 20 | val find_subst : ?cmp:(formal_param_ -> formal_param_ -> bool) -> 21 | term_db -> formal_param -> substs -> expr_or_op_arg option 22 | 23 | (** Removes all passed formal parameters from a substition *) 24 | val remove_from_subst : term_db -> formal_param list -> substs -> substs 25 | end 26 | 27 | module SubFormat : 28 | sig 29 | (** Formatter for a single mapping x <- t *) 30 | val fmt_subst : Expr_ds.term_db -> Format.formatter -> Subst.subst -> unit 31 | 32 | (** Formatter for a substitution x <- s, y <- t *) 33 | val fmt_substs : 34 | ?intro:string -> 35 | Expr_ds.term_db -> Format.formatter -> Subst.subst list -> unit 36 | 37 | val fmt_renaming : 38 | ?intro:string -> 39 | Expr_ds.term_db -> 40 | Format.formatter -> 41 | (Expr_ds.formal_param * Expr_ds.formal_param) list -> unit 42 | end 43 | 44 | val subst_expr : term_db -> Subst.substs -> expr -> expr * term_db 45 | val subst_op : term_db -> Subst.substs -> operator -> operator * term_db 46 | -------------------------------------------------------------------------------- /src/expr/expr_utils.mli: -------------------------------------------------------------------------------- 1 | (** Some basic operations on the expression datastructures. *) 2 | open Commons 3 | open Expr_ds 4 | open Expr_builtins 5 | 6 | module Unpack : sig 7 | (** Extracts the formal parameter from an entry *) 8 | val fp_entry : entry -> formal_param_ 9 | 10 | (** Extracts the module from an entry *) 11 | val mod_entry : entry -> mule_ 12 | 13 | (** Extracts the operator declaration from an entry *) 14 | val opdecl_entry : entry -> op_decl_ 15 | 16 | (** Extracts the operator definition from an entry *) 17 | val module_instance_entry : entry -> module_instance_ 18 | 19 | (** Extracts the operator definition from an entry *) 20 | val user_defined_op_entry : entry -> user_defined_op_ 21 | 22 | (** Extracts the operator definition from an entry *) 23 | val builtin_op_entry : entry -> builtin_op_ 24 | 25 | (** Extracts the operator definition from an entry *) 26 | 27 | val theorem_def_entry : entry -> theorem_def_ 28 | 29 | (** Extracts the operator definition from an entry *) 30 | val assume_def_entry : entry -> assume_def_ 31 | 32 | (** Extracts the theorem from an entry *) 33 | val thm_entry : entry -> theorem_ 34 | 35 | (** Extracts the assume from an entry *) 36 | val assume_entry : entry -> assume_ 37 | end 38 | 39 | (** Extracts a location from an expression *) 40 | val location_of_expr : expr -> location 41 | 42 | (** Extracts a location from an expression *) 43 | val level_of_expr : expr -> level option 44 | 45 | (** Extracts a location from an expression *) 46 | val location_of_expr_or_op_arg : expr_or_op_arg -> location 47 | 48 | (** Extracts a location from an expression *) 49 | val level_of_expr_or_op_arg : expr_or_op_arg -> level option 50 | 51 | 52 | (** Wraps an expression into an assume-prove with empty assumptions *) 53 | val assume_prove_from_expr : bool -> expr -> assume_prove 54 | 55 | (** gets the level of a node *) 56 | val level_of_node : node -> level option 57 | -------------------------------------------------------------------------------- /src/expr/extract_obligations.mli: -------------------------------------------------------------------------------- 1 | open Commons 2 | open Expr_ds 3 | open Expr_visitor 4 | open Obligation 5 | 6 | (* used to track the nesting level throughout a proof *) 7 | type nesting = 8 | | Module 9 | | InProof of int * theorem_ list 10 | 11 | type current_context = { 12 | (* the current goal *) 13 | goal : node option; 14 | 15 | (* the facts currently known *) 16 | usable_facts : node list; 17 | 18 | (* the expanded definitions *) 19 | expanded_defs : op_def list; 20 | 21 | (* the term database *) 22 | term_db : term_db; 23 | 24 | (* visible theorems etc. not sure if we need that *) 25 | constants : op_decl list; 26 | variables : op_decl list; 27 | definitions : op_def list ; 28 | assumptions : assume list ; 29 | theorems : theorem list ; 30 | 31 | (* we keep a list of the actual assume proves a theorem provides, because they 32 | may be different from the actual statement *) 33 | thm_statements : (theorem_def * node list) list; 34 | } 35 | 36 | type ofail = ObligationFail of string * location 37 | 38 | type 'a eoacc = 39 | EOAcc of current_context list * obligation list * ofail list 40 | * nesting * string *'a 41 | 42 | val get_obligations : 'a eoacc -> obligation list 43 | 44 | val emptyCurrentContext : term_db -> current_context 45 | (* val extract_obligation_from_module *) 46 | 47 | class ['a] extract_obligations : 48 | object 49 | inherit ['a eoacc] visitor 50 | end 51 | 52 | val extract_obligations_context : context -> obligation list 53 | -------------------------------------------------------------------------------- /src/expr/obligation_formatter.ml: -------------------------------------------------------------------------------- 1 | open Commons 2 | open Expr_ds 3 | open Expr_formatter 4 | open Format 5 | open Obligation 6 | 7 | let fmt_obligation pp { goal; expanded_defs; provers; term_db; 8 | constants; variables; definitions; 9 | assumptions; theorems; } = 10 | let acc = (pp, term_db, false, Expression, 0) in 11 | ignore (expr_formatter#node acc goal); 12 | print_flush () 13 | -------------------------------------------------------------------------------- /src/expr/obligation_formatter.mli: -------------------------------------------------------------------------------- 1 | open Format 2 | open Obligation 3 | 4 | val fmt_obligation : formatter -> obligation -> unit 5 | -------------------------------------------------------------------------------- /src/nunchaku/nun_mod.mli: -------------------------------------------------------------------------------- 1 | open Nun_sexp 2 | 3 | (** Definition **) 4 | 5 | type term = 6 | | Var of string 7 | | App of string * term list 8 | | Fun of (string*string) list * decision_tree 9 | 10 | and decision_tree = 11 | { 12 | cases: ((string * term) list * term) list; 13 | else_ : term; 14 | } 15 | 16 | type model_entry = 17 | | Type of string * string list 18 | | Const of string * term 19 | 20 | type model = model_entry list 21 | 22 | type nun_mod = UNSAT | UNKNOWN | TIMEOUT | SAT of model 23 | 24 | 25 | (** Translation **) 26 | 27 | val term_to_string : term -> string 28 | 29 | val fun_conditions_to_string : (string*term) list -> string 30 | 31 | val nun_sexp_to_nun_mod : nun_sexp -> nun_mod 32 | 33 | 34 | (** Printer **) 35 | 36 | val nun_mod_to_string : nun_mod -> string 37 | 38 | val print_nun_mod : string -> nun_mod -> unit 39 | -------------------------------------------------------------------------------- /src/nunchaku/nun_pb_statement.ml: -------------------------------------------------------------------------------- 1 | open Format 2 | 3 | type nun_var = string * string 4 | type nun_operator = Operator of string 5 | type nun_declaration = Declaration of nun_var 6 | type nun_comment = Comment of string 7 | type nun_include = Include of string 8 | type nun_binder = Forall | Exists 9 | type nun_operands = nun_expr 10 | and nun_expr = 11 | | Op of nun_operator * nun_operands list 12 | | Binder of nun_binder * nun_var * nun_expr 13 | | Atom of string 14 | type nun_axiom = Axiom of nun_expr 15 | type nun_goal = Goal of nun_expr 16 | 17 | type nun_statement = nun_goal * nun_declaration list * nun_axiom list * nun_comment list * nun_include list 18 | 19 | let newline_formatter channel = 20 | fprintf channel "@,"; 21 | () 22 | 23 | let separation_formatter channel = 24 | fprintf channel "%s@, " "\n# ---------------------------------------------\n"; 25 | () 26 | 27 | let rec ppf_fold_with ppf f = function 28 | | [x] -> f ppf x 29 | | x::xs -> 30 | f ppf x; 31 | newline_formatter ppf; 32 | ppf_fold_with ppf f xs 33 | | [] -> () 34 | 35 | let string_of_var (n,t) = n^" : "^t 36 | 37 | let rec string_of_expr = function 38 | | Atom s -> s 39 | | Binder (Forall, v, e) -> 40 | let sv = string_of_var v in 41 | let se = string_of_expr e in 42 | "forall "^sv^". "^se 43 | | Binder (Exists, v, e) -> 44 | let sv = string_of_var v in 45 | let se = string_of_expr e in 46 | "exists "^sv^". "^se 47 | | Op (Operator s, l) -> 48 | let sl = "" in 49 | "( "^s^"[ "^sl^"] )" 50 | 51 | let print_declaration ppf (Declaration v) = 52 | fprintf ppf "val %s. @," (string_of_var v) 53 | 54 | let print_axiom ppf (Axiom s) = 55 | fprintf ppf "axiom : %s. @," (string_of_expr s) 56 | 57 | let print_goal ppf (Goal s) = 58 | fprintf ppf "goal %s. @," (string_of_expr s) 59 | 60 | let print_comment ppf (Comment s) = 61 | fprintf ppf "# %s @," s 62 | 63 | let print_include ppf (Include s) = 64 | fprintf ppf "include \"%s\". @," s 65 | 66 | let print_statement ppf (go, dec, ax, com, inc) = 67 | ppf_fold_with ppf print_comment com; 68 | separation_formatter ppf; 69 | newline_formatter ppf; 70 | ppf_fold_with ppf print_include inc; 71 | separation_formatter ppf; 72 | ppf_fold_with ppf print_declaration dec; 73 | separation_formatter ppf; 74 | ppf_fold_with ppf print_axiom ax; 75 | separation_formatter ppf; 76 | print_goal ppf go 77 | -------------------------------------------------------------------------------- /src/nunchaku/nun_pb_statement.mli: -------------------------------------------------------------------------------- 1 | open Format 2 | 3 | type nun_var = string * string 4 | type nun_operator = Operator of string 5 | type nun_declaration = Declaration of nun_var 6 | type nun_comment = Comment of string 7 | type nun_include = Include of string 8 | type nun_binder = Forall | Exists 9 | type nun_operands = nun_expr 10 | and nun_expr = 11 | | Op of nun_operator * nun_operands list 12 | | Binder of nun_binder * nun_var * nun_expr 13 | | Atom of string 14 | type nun_axiom = Axiom of nun_expr 15 | type nun_goal = Goal of nun_expr 16 | 17 | type nun_statement = nun_goal * nun_declaration list * nun_axiom list * nun_comment list * nun_include list 18 | 19 | val print_statement : formatter -> nun_statement -> unit 20 | -------------------------------------------------------------------------------- /src/nunchaku/nun_sexp.ml: -------------------------------------------------------------------------------- 1 | (** Definition **) 2 | 3 | type nun_sexp = Sexplib.Type.t;; 4 | 5 | 6 | (** Translation **) 7 | 8 | let sexp_parser input_file = 9 | try 10 | let ic = open_in input_file in 11 | let t = Sexplib.Sexp.input_sexp ic in 12 | 13 | t 14 | with 15 | _ -> failwith ("Unable to parse file "^input_file) 16 | 17 | 18 | (** Printer **) 19 | 20 | let sexp_printer output_file sexp_ast = 21 | let oc = open_out output_file in 22 | Sexplib.Pre_sexp.output_hum oc sexp_ast 23 | -------------------------------------------------------------------------------- /src/nunchaku/nun_sexp.mli: -------------------------------------------------------------------------------- 1 | (** Definition **) 2 | 3 | type nun_sexp = Sexplib.Type.t;; 4 | 5 | 6 | (** Translation **) 7 | 8 | val sexp_parser : string -> nun_sexp 9 | 10 | 11 | (** Printer **) 12 | 13 | val sexp_printer : string -> nun_sexp -> unit 14 | -------------------------------------------------------------------------------- /src/nunchaku/nunchaku.mli: -------------------------------------------------------------------------------- 1 | open Tla_pb 2 | open Tla_simple_pb 3 | open Nun_pb 4 | open Nun_pb_fmt 5 | open Nun_sexp 6 | open Nun_mod 7 | open Tla_mod 8 | 9 | type nunchaku_result = tla_mod 10 | 11 | val nunchaku_result_printer : nunchaku_result -> string option 12 | 13 | val call_nunchaku : statement list -> Settings.settings -> int -> nun_sexp 14 | 15 | val nunchaku : Settings.settings -> tla_pb -> int -> nunchaku_result 16 | -------------------------------------------------------------------------------- /src/nunchaku/simple_expr/simple_builtins.ml: -------------------------------------------------------------------------------- 1 | open Commons 2 | open Simple_expr_ds 3 | 4 | let builtin_location = { 5 | line = mkDummyRange; 6 | column = mkDummyRange; 7 | filename = "--TLA+ BUILTINS--"; 8 | } 9 | 10 | let builtin_true = { level = Some ConstantLevel; 11 | name = "TRUE"; 12 | arity =0; 13 | params = [] 14 | } 15 | 16 | let builtin_false = { level = Some ConstantLevel; 17 | name = "FALSE"; 18 | arity =0; 19 | params = [] 20 | } 21 | 22 | let formal_param i arity = 23 | FP { 24 | location = builtin_location; 25 | level = None; 26 | name = "fparam" ^ (string_of_int i); 27 | arity; 28 | } 29 | 30 | let bounded_exists = 31 | { name = "$BoundedExists"; 32 | level = None; 33 | arity = 1; 34 | params = [(formal_param 0 0, false)]; (* TODO: check if this is correct - in sany the quantifier has arity -1 *) 35 | } 36 | 37 | let unbounded_exists = 38 | { name = "$UnboundedExists"; 39 | level = None; 40 | arity = 1; 41 | params = [(formal_param 0 0, false)]; (* TODO: check if this is correct *) 42 | } 43 | 44 | let set_in = 45 | { name = "\\in"; 46 | level = None; 47 | arity = 2; 48 | params = [(formal_param 0 0, true)] 49 | } 50 | 51 | let tuple = 52 | { name = "$Tuple"; 53 | level = None; 54 | arity = -1; 55 | params = []; 56 | } 57 | 58 | let if_then_else = 59 | { name = "$IfThenElse"; 60 | level = None; 61 | arity = 3; 62 | params = [ 63 | (formal_param 0 0, true); 64 | (formal_param 1 0, true); 65 | (formal_param 2 0, true); 66 | ]; 67 | } 68 | -------------------------------------------------------------------------------- /src/nunchaku/simple_expr/simple_expr_dereference.ml: -------------------------------------------------------------------------------- 1 | open Simple_expr_ds 2 | open Simple_expr_utils 3 | open List 4 | 5 | let find_entry unpack entries i = 6 | let elem = try 7 | assoc i entries 8 | with 9 | | Not_found -> 10 | failwith ("Could not find entry for reference " ^ 11 | (string_of_int i) ^ "!") 12 | in 13 | unpack elem 14 | 15 | let dereference_user_defined_op term_db = function 16 | | UOP d -> d 17 | | UOP_ref r -> 18 | let opd = find_entry unpack_opdef_entry term_db r in 19 | match opd with 20 | | O_user_defined_op (UOP op) -> op 21 | | _ -> failwith ("The id " ^ (string_of_int r) ^ 22 | " does refer to a user defined operator!") 23 | 24 | let dereference_formal_param term_db = function 25 | | FP fp -> fp 26 | | FP_ref i -> 27 | find_entry unpack_fp_entry term_db i 28 | 29 | let dereference_op_decl term_db = function 30 | | OPD opd -> opd 31 | | OPD_ref x -> 32 | find_entry unpack_opdecl_entry term_db x 33 | 34 | let dereference_user_defined_op term_db = function 35 | | UOP d -> d 36 | | UOP_ref x -> 37 | match find_entry unpack_opdef_entry term_db x with 38 | | O_user_defined_op (UOP op) -> op 39 | | O_user_defined_op _ -> 40 | failwith "Self-reference in term db!" 41 | | _ -> 42 | let str = Printf.sprintf 43 | "The id %d does not refer to a user defined operator!" x 44 | in 45 | failwith str 46 | -------------------------------------------------------------------------------- /src/nunchaku/simple_expr/simple_expr_dereference.mli: -------------------------------------------------------------------------------- 1 | (** 2 | This file contains helper function to resolve references to expressions. 3 | *) 4 | open Simple_expr_ds 5 | 6 | 7 | (** retrieves the entry with the given id from the term_db and transforms it. 8 | the dereference function use Expr_utils.unpack_* as transformer. 9 | *) 10 | val find_entry : (simple_entry -> 'a) -> simple_term_db -> int -> 'a 11 | 12 | (** If the passed operator is a reference, it will be retrieved from the 13 | term_db. Otherwise, its content is directly extracted. *) 14 | val dereference_user_defined_op : simple_term_db -> simple_user_defined_op -> simple_user_defined_op_ 15 | 16 | (** If the passed formal parameter is a reference, it will be retrieved from the 17 | term_db. Otherwise, its content is directly extracted. *) 18 | val dereference_formal_param : simple_term_db -> simple_formal_param -> simple_formal_param_ 19 | 20 | (** If the passed operator declaration is a reference, it will be retrieved from 21 | the term_db. Otherwise, it is directly extracted. *) 22 | val dereference_op_decl : simple_term_db -> simple_op_decl -> simple_op_decl_ 23 | 24 | (** If the passed operator definition is a reference, it will be retrieved from 25 | the term_db. Otherwise, it is directly extracted. *) 26 | val dereference_user_defined_op : simple_term_db -> simple_user_defined_op -> simple_user_defined_op_ 27 | -------------------------------------------------------------------------------- /src/nunchaku/simple_expr/simple_expr_prover_parser.mli: -------------------------------------------------------------------------------- 1 | open Commons 2 | open Simple_expr_ds 3 | 4 | val match_constant : simple_term_db -> simple_expr -> string option 5 | 6 | val match_function : simple_term_db -> simple_expr -> (string * simple_expr_or_op_arg list) option 7 | 8 | val expr_to_prover : simple_term_db -> simple_expr -> prover option 9 | 10 | (* val match_prefix_op : simple_term_db -> operator -> 11 | (string * formal_param * formal_param) option 12 | *) 13 | val match_infix_op : simple_term_db -> simple_operator -> bool 14 | 15 | val match_ternary_op : simple_term_db -> simple_operator -> string option 16 | 17 | val prefix_names : string list 18 | val infix_names : string list 19 | (* val postfix_names : string list *) 20 | val ternary_names : string list 21 | 22 | val expand_ternary_name : string -> string * string * string 23 | -------------------------------------------------------------------------------- /src/nunchaku/simple_expr/simple_expr_utils.ml: -------------------------------------------------------------------------------- 1 | open Simple_expr_ds 2 | open Simple_expr_visitor 3 | 4 | let entry_error str = 5 | "Tried to unpack a " ^ str ^ " entry, but it isn't one." 6 | 7 | let unpack_fp_entry = function 8 | | FP_entry x -> x 9 | | _ -> failwith (entry_error "fp") 10 | 11 | let unpack_opdecl_entry = function 12 | | OPDec_entry x -> x 13 | | _ -> failwith (entry_error "opdec") 14 | 15 | let unpack_opdef_entry = function 16 | | OPDef_entry x -> x 17 | | _ -> failwith (entry_error "opdef") 18 | 19 | let extract_location expr = 20 | match expr with 21 | | E_at { location; level } -> location 22 | | E_decimal { location; level; _ } -> location 23 | | E_label { location; level; _ } -> location 24 | | E_let_in { location; level; _ } -> location 25 | | E_numeral { location; level; _ } -> location 26 | | E_op_appl { location; level; _ } -> location 27 | | E_string { location; level; _ } -> location 28 | | E_binder {location; level; _ } -> location 29 | 30 | let extract_level expr = 31 | match expr with 32 | | E_at { location; level; _ } -> level 33 | | E_decimal { location; level; _ } -> level 34 | | E_label { location; level; _ } -> level 35 | | E_let_in { location; level; _ } -> level 36 | | E_numeral { location; level; _ } -> level 37 | | E_op_appl { location; level; _ } -> level 38 | | E_string { location; level; _ } -> level 39 | | E_binder {location; level; _ } -> level 40 | 41 | (** wraps an expression into an assume-prove with empty assumptions *) 42 | let assume_prove_from_expr suffices expr = { 43 | location = extract_location expr; 44 | level = extract_level expr; 45 | assumes = []; 46 | new_symbols = []; 47 | prove = expr; 48 | } 49 | 50 | class free_variables_visitor = object 51 | inherit [simple_op_decl list] visitor as super 52 | 53 | method op_decl acc opd = 54 | super#op_decl (opd::acc) opd 55 | end 56 | 57 | let fv_object = new free_variables_visitor 58 | 59 | let free_variables = fv_object#expr [] 60 | -------------------------------------------------------------------------------- /src/nunchaku/simple_expr/simple_expr_utils.mli: -------------------------------------------------------------------------------- 1 | (** Some basic operations on the expression datastructures. *) 2 | open Commons 3 | open Simple_expr_ds 4 | 5 | (** Extracts the formal parameter from an entry *) 6 | val unpack_fp_entry : simple_entry -> simple_formal_param_ 7 | 8 | (** Extracts the operator declaration from an entry *) 9 | val unpack_opdecl_entry : simple_entry -> simple_op_decl_ 10 | 11 | (** Extracts the operator definition from an entry *) 12 | val unpack_opdef_entry : simple_entry -> simple_op_def 13 | 14 | (** Extracts a location from an expression *) 15 | val extract_location : simple_expr -> location 16 | 17 | (** Extracts a location from an expression *) 18 | val extract_level : simple_expr -> level option 19 | 20 | (** Wraps an expression into an assume-prove with empty assumptions *) 21 | val assume_prove_from_expr : bool -> simple_expr -> simple_assume_prove 22 | 23 | (** Finds all the free variables in an expression *) 24 | val free_variables : simple_expr -> simple_op_decl list 25 | -------------------------------------------------------------------------------- /src/nunchaku/simple_expr/simple_expr_visitor.mli: -------------------------------------------------------------------------------- 1 | open Commons 2 | open Simple_expr_ds 3 | 4 | (** 5 | A visitor pattern for data-structures from the {!module:Expr_ds} module. 6 | 7 | Each data-type has a corresponding method of the same name. A special 8 | visitor for the name field is provided. The default implementation passes 9 | the accumulator down unchanged, the only property which is not explicitly 10 | handled is the arity of operators. 11 | *) 12 | 13 | class ['a] visitor : 14 | object 15 | method expr : 'a -> simple_expr -> 'a 16 | method name : 'a -> string -> 'a 17 | method location : 'a -> location -> 'a 18 | method level : 'a -> level option -> 'a 19 | method decimal : 'a -> simple_decimal -> 'a 20 | method numeral : 'a -> simple_numeral -> 'a 21 | method strng : 'a -> simple_strng -> 'a 22 | method at : 'a -> simple_at -> 'a 23 | method op_appl : 'a -> simple_op_appl -> 'a 24 | method binder : 'a -> simple_binder -> 'a 25 | method lambda : 'a -> simple_lambda -> 'a 26 | method op_arg : 'a -> simple_op_arg -> 'a 27 | method operator : 'a -> simple_operator -> 'a 28 | method expr_or_op_arg : 'a -> simple_expr_or_op_arg -> 'a 29 | method bound_symbol : 'a -> simple_bound_symbol -> 'a 30 | method bounded_bound_symbol : 'a -> simple_bounded_bound_symbol -> 'a 31 | method unbounded_bound_symbol : 'a -> simple_unbounded_bound_symbol -> 'a 32 | method formal_param : 'a -> simple_formal_param -> 'a 33 | method op_decl : 'a -> simple_op_decl -> 'a 34 | method op_def : 'a -> simple_op_def -> 'a 35 | method assume_prove : 'a -> simple_assume_prove -> 'a 36 | method new_symb : 'a -> simple_new_symb -> 'a 37 | method builtin_op : 'a -> simple_builtin_op -> 'a 38 | method user_defined_op : 'a -> simple_user_defined_op -> 'a 39 | method label : 'a -> simple_label -> 'a 40 | method let_in : 'a -> simple_let_in -> 'a 41 | method reference : 'a -> int -> 'a 42 | 43 | method entry : 'a -> (int * simple_entry) -> 'a 44 | 45 | method op_appl_or_binder : 'a -> simple_op_appl_or_binder -> 'a 46 | method expr_or_module_or_module_instance 47 | : 'a -> simple_expr_or_module_or_module_instance -> 'a 48 | method defined_expr 49 | : 'a -> simple_defined_expr -> 'a 50 | method op_def_or_theorem_or_assume 51 | : 'a -> simple_op_def_or_theorem_or_assume -> 'a 52 | 53 | end 54 | -------------------------------------------------------------------------------- /src/nunchaku/tla_mod.mli: -------------------------------------------------------------------------------- 1 | open Nun_mod 2 | 3 | (** Definition **) 4 | 5 | type model = 6 | { 7 | var : (string * string) list ; 8 | mem : (string * (string list)) list ; 9 | app : (string list * decision_tree) option; 10 | dom : (string list * decision_tree) option 11 | } 12 | 13 | and decision_tree = 14 | { 15 | cases: ((string * string) list * string) list; 16 | else_ : string; 17 | } 18 | 19 | type tla_mod = VALID | UNKNOWN | TIMEOUT | REFUTED of model 20 | 21 | 22 | (** Translation **) 23 | 24 | val nun_mod_to_tla_mod : nun_mod -> tla_mod 25 | 26 | 27 | (** Printer **) 28 | 29 | val fmt_tla_mod : Format.formatter -> tla_mod -> unit 30 | 31 | val print_tla_mod : string -> tla_mod -> unit 32 | 33 | val tla_mod_to_string : tla_mod -> string 34 | -------------------------------------------------------------------------------- /src/nunchaku/tla_pb.ml: -------------------------------------------------------------------------------- 1 | open Obligation 2 | open Obligation_formatter 3 | 4 | (** Definition **) 5 | 6 | type tla_pb = obligation 7 | 8 | (** Printer **) 9 | 10 | let fmt_tla_pb = fmt_obligation 11 | 12 | let print_tla_pb file obl = 13 | let oc = open_out file in 14 | let fft = Format.formatter_of_out_channel oc in 15 | Format.fprintf fft "%a" fmt_tla_pb obl; 16 | Format.fprintf fft "@.%!"; 17 | close_out oc 18 | -------------------------------------------------------------------------------- /src/nunchaku/tla_pb.mli: -------------------------------------------------------------------------------- 1 | (** Definition **) 2 | 3 | type tla_pb = Obligation.obligation 4 | 5 | (** Printer **) 6 | 7 | val fmt_tla_pb : Format.formatter -> tla_pb -> unit 8 | 9 | val print_tla_pb : string -> tla_pb -> unit 10 | -------------------------------------------------------------------------------- /src/nunchaku/tla_simple_pb.ml: -------------------------------------------------------------------------------- 1 | open Simple_expr_ds 2 | open Simple_expr 3 | open Tla_pb 4 | open Expr_utils 5 | 6 | (** Definition **) 7 | (* this is defined in Simple_expr_ds 8 | type tla_simple_pb = { 9 | (* actual obligation, without expansion *) 10 | goal : simple_assume_prove; 11 | 12 | (* the term database *) 13 | term_db : simple_term_db; 14 | } 15 | *) 16 | 17 | (** Translation **) 18 | 19 | let tla_pb_to_tla_simple_pb (tla_pb:tla_pb) = 20 | let ob = match tla_pb.Obligation.goal with 21 | | Expr_ds.N_assume_prove ap -> ap 22 | | Expr_ds.N_expr e -> assume_prove_from_expr false e 23 | | Expr_ds.N_ap_subst_in _ -> 24 | failwith "Nunchaku plugin cannot handle ap-substitution nodes!" 25 | in 26 | let (stermdb, ap) = parse_expr tla_pb.Obligation.term_db ob in 27 | {goal = ap; term_db = stermdb;} 28 | 29 | 30 | 31 | (** Printer **) 32 | 33 | let fmt_tla_simple_pb pp { goal; term_db; } = 34 | let acc = (pp, term_db, false, Simple_expr_formatter.Expression, 0) in 35 | ignore(Simple_expr_formatter.expr_formatter#assume_prove acc goal); 36 | Format.print_flush () 37 | 38 | let print_tla_simple_pb file obl = 39 | let oc = open_out file in 40 | let fft = Format.formatter_of_out_channel oc in 41 | Format.fprintf fft "%a" fmt_tla_simple_pb obl; 42 | Format.fprintf fft "@.%!"; 43 | close_out oc 44 | -------------------------------------------------------------------------------- /src/nunchaku/tla_simple_pb.mli: -------------------------------------------------------------------------------- 1 | open Simple_expr_ds 2 | 3 | (** Translation **) 4 | 5 | val tla_pb_to_tla_simple_pb : Tla_pb.tla_pb -> tla_simple_pb 6 | 7 | 8 | (** Printer **) 9 | 10 | val fmt_tla_simple_pb : Format.formatter -> tla_simple_pb -> unit 11 | 12 | val print_tla_simple_pb : string -> tla_simple_pb -> unit 13 | -------------------------------------------------------------------------------- /src/oldpm/config.mli: -------------------------------------------------------------------------------- 1 | (* 2 | * Copyright (C) 2011 INRIA and Microsoft Corporation 3 | *) 4 | 5 | val ocaml_version : string;; 6 | val debug : bool;; 7 | val exe : string;; 8 | -------------------------------------------------------------------------------- /src/oldpm/errors.ml: -------------------------------------------------------------------------------- 1 | (* 2 | * printing error messages 3 | * 4 | * 5 | * Copyright (C) 2008-2010 INRIA and Microsoft Corporation 6 | *) 7 | 8 | Revision.f "$Rev: 28687 $";; 9 | 10 | exception Fatal;; 11 | 12 | let loc_to_string at = 13 | match at with 14 | | None -> "" 15 | | Some w -> 16 | match Util.query_locus w with 17 | | None -> "" 18 | | Some loc -> Loc.string_of_locus loc ^ " :\n" 19 | ;; 20 | 21 | let info ?at fmt = 22 | let k s = Printf.eprintf "%s%s\n%!" (loc_to_string at) s in 23 | Format.ksprintf k fmt 24 | ;; 25 | 26 | let warnbuf = Buffer.create 80;; 27 | Buffer.add_char warnbuf '\n';; 28 | 29 | let warn ?at fmt = 30 | let k s = 31 | Printf.eprintf "%s%s\n%!" (loc_to_string at) s; 32 | Printf.bprintf warnbuf "\\* %s\n" s; 33 | in 34 | Format.ksprintf k fmt 35 | ;; 36 | 37 | let get_warnings () = 38 | let res = Buffer.contents warnbuf in 39 | Buffer.clear warnbuf; 40 | Buffer.add_char warnbuf '\n'; 41 | res 42 | ;; 43 | 44 | let set_warnings s = 45 | Buffer.clear warnbuf; 46 | Buffer.add_string warnbuf s; 47 | ;; 48 | 49 | let aux url ?at msg = 50 | let locus = loc_to_string at in 51 | if !Params.toolbox then 52 | match url with 53 | | None -> Toolbox_msg.print_warning (locus ^ msg); 54 | | Some u -> Toolbox_msg.print_error (locus ^ msg) u; 55 | else begin 56 | Printf.eprintf "%s%s\n%!" locus msg; 57 | match url with 58 | | None -> () 59 | | Some u -> Printf.eprintf "Please report this problem to %s\n%!" u 60 | end; 61 | ;; 62 | 63 | let err ?at fmt = Format.ksprintf (fun x -> aux None ?at x) fmt;; 64 | 65 | let fatal ?at fmt = 66 | let f x = 67 | aux None ?at (x ^ "\nAborting."); 68 | raise Fatal; 69 | in 70 | Format.ksprintf f fmt; 71 | ;; 72 | 73 | let bug ?at msg = 74 | Printf.eprintf "%s%s\n%!" (loc_to_string at) msg; 75 | assert false; 76 | ;; 77 | 78 | (********** old stuff ********* FIXME convert all uses to new stuff *) 79 | 80 | let loc : string option ref = ref None 81 | let msg : string option ref = ref None 82 | let warning = ref false 83 | 84 | let sget v = 85 | match v with 86 | | None -> "" 87 | | Some v -> v 88 | 89 | let set st mesg = 90 | loc := 91 | begin match (Util.query_locus st) with 92 | | None -> 93 | None 94 | | Some loc -> 95 | Some (Loc.string_of_locus ~cap:true loc) 96 | end; 97 | msg := Some (mesg^"\n\n"^(sget !msg)) 98 | ;; 99 | -------------------------------------------------------------------------------- /src/oldpm/errors.mli: -------------------------------------------------------------------------------- 1 | (* 2 | * Copyright (C) 2011 INRIA and Microsoft Corporation 3 | *) 4 | 5 | open Property;; 6 | 7 | exception Fatal;; 8 | 9 | val info : ?at:('a wrapped) -> ('b, unit, string, unit) format4 -> 'b;; 10 | (* Informational message: print on console, but do not display in a 11 | toolbox window. 12 | *) 13 | 14 | val warn : ?at:('a wrapped) -> ('b, unit, string, unit) format4 -> 'b;; 15 | (* Warning: print on console, and store for printing with the obligation 16 | in the toolbox message, but do not pop up a window. 17 | *) 18 | 19 | val get_warnings : unit -> string;; 20 | (* Get the stored warnings so far and empty the store. *) 21 | 22 | val set_warnings : string -> unit;; 23 | (* Reset the warnings store to a previous state. *) 24 | 25 | val err : ?at:('a wrapped) -> ('b, unit, string, unit) format4 -> 'b;; 26 | (* Error: print on console, pop up a window if toolbox mode. *) 27 | 28 | val fatal : ?at:('a wrapped) -> ('b, unit, string, 'c) format4 -> 'b;; 29 | (* Fatal error: print on console, pop up a window if toolbox mode, 30 | raise Fatal. 31 | *) 32 | 33 | val bug : ?at:('a wrapped) -> string -> 'b;; 34 | (* Bug: this is equivalent to assert false but prints the given information 35 | before raising Assert_failure. 36 | *) 37 | 38 | 39 | (********** old stuff ********* FIXME remove **********) 40 | 41 | val loc : string option ref;; 42 | val msg : string option ref;; 43 | val warning : bool ref;; (* FIXME remove this obsolete variable *) 44 | val set : 'a Property.wrapped -> string -> unit;; 45 | -------------------------------------------------------------------------------- /src/oldpm/loc.mli: -------------------------------------------------------------------------------- 1 | (* 2 | * loc.mli --- source locations 3 | * 4 | * 5 | * Copyright (C) 2008-2010 INRIA and Microsoft Corporation 6 | *) 7 | 8 | (** Source locations *) 9 | 10 | (** A location represents a col in a source file *) 11 | type pt_ = { line : int ; 12 | bol : int ; 13 | col : int ; 14 | } 15 | 16 | type pt = Actual of pt_ | Dummy 17 | 18 | (** A location that is always invalid (but both = and == itself). *) 19 | val dummy : pt 20 | 21 | (** The line number of the location, starting from 1. Raises [Failure 22 | "Loc.line"] if the location is a dummy. *) 23 | val line : pt -> int 24 | 25 | (** The column number of the location, starting from 1. Raises 26 | [Failure "Loc.col"] if the location is a dummy. *) 27 | val column : pt -> int 28 | 29 | (** The character offset of a location in a file. Raises [Failure 30 | "Loc.point"] if the location is a dummy. *) 31 | val offset : pt -> int 32 | 33 | (** String representation of a location. The [file] argument is by 34 | default "". *) 35 | val string_of_pt : ?file:string -> pt -> string 36 | 37 | (** The area of a locus is the space between [start] and [end], 38 | excluding both. *) 39 | type locus = { 40 | start : pt ; 41 | stop : pt ; 42 | file : string ; 43 | } 44 | 45 | (** left edge *) 46 | val left_of : locus -> locus 47 | 48 | (** right edge *) 49 | val right_of : locus -> locus 50 | 51 | (** A bogus locus *) 52 | val unknown : locus 53 | 54 | (** Convert a [Lexing.position] to a [locus] of 0 width. *) 55 | val locus_of_position : Lexing.position -> locus 56 | 57 | (** Merge two loci. Raises [Failure "Loc.merge"] if the loci are in 58 | different files. *) 59 | val merge : locus -> locus -> locus 60 | 61 | (** String representation of a locus. Capitalize the first word in the 62 | result iff [cap] is true (the default). *) 63 | val string_of_locus : ?cap:bool -> locus -> string 64 | 65 | (** String representation of a locus without filename. *) 66 | val string_of_locus_nofile : locus -> string 67 | 68 | (** Comparing loci *) 69 | val compare : locus -> locus -> int 70 | -------------------------------------------------------------------------------- /src/oldpm/method.mli: -------------------------------------------------------------------------------- 1 | (* 2 | * Copyright (C) 2011 INRIA and Microsoft Corporation 3 | *) 4 | 5 | (* params.ml *) 6 | type t = 7 | | Isabelle of float * string 8 | | Zenon of float 9 | | SmtT of float 10 | | YicesT of float 11 | | Z3T of float 12 | | Cooper 13 | | Fail (* FIXME remove ? *) 14 | | Cvc3T of float 15 | | LS4 of float 16 | | Smt2lib of float 17 | | Smt2z3 of float 18 | | Smt3 of float 19 | | Z33 of float 20 | | Cvc33 of float 21 | | Yices3 of float 22 | | Verit of float 23 | | Spass of float 24 | | Tptp of float 25 | ;; 26 | 27 | (* expr/fmt.ml *) 28 | val pp_print_method : Format.formatter -> t -> unit;; 29 | 30 | (* backend/isabelle.ml *) 31 | val prover_meth_of_tac : t -> string option * string option;; 32 | 33 | (* backend/prep.ml *) 34 | val timeout : t -> float;; 35 | val scale_time : t -> float -> t;; 36 | val pp_print_tactic : Format.formatter -> t -> unit;; 37 | 38 | (* *) 39 | val default_zenon_timeout : float;; 40 | val default_ls4_timeout : float;; 41 | val default_isabelle_timeout : float;; 42 | val default_isabelle_tactic : string;; 43 | val default_yices_timeout : float;; 44 | val default_z3_timeout : float;; 45 | val default_cvc3_timeout : float;; 46 | val default_smt_timeout : float;; 47 | val default_smt2_timeout : float;; 48 | val default_spass_timeout : float;; 49 | val default_tptp_timeout :float;; 50 | 51 | val is_temporal : t -> bool;; 52 | 53 | type result = 54 | | Proved of string 55 | | Failed of string 56 | | Timedout 57 | | Interrupted 58 | | NotTried of string 59 | ;; 60 | -------------------------------------------------------------------------------- /src/oldpm/obligations.ml: -------------------------------------------------------------------------------- 1 | type obligation = string 2 | -------------------------------------------------------------------------------- /src/oldpm/obligations.mli: -------------------------------------------------------------------------------- 1 | (* This file describe the obligations layer, which is the tla data layer that is sent to the backends *) 2 | 3 | type obligation = string 4 | -------------------------------------------------------------------------------- /src/oldpm/revision.ml: -------------------------------------------------------------------------------- 1 | (* 2 | * Copyright (C) 2012 INRIA and Microsoft Corporation 3 | *) 4 | 5 | (* 6 | Revision.f "$Rev: 29867 $";; 7 | *) 8 | 9 | let rev = ref "";; 10 | let f x = if x > !rev then rev := x;; 11 | 12 | f "$Rev: 29867 $";; 13 | 14 | let get () = String.sub !rev 6 (String.length !rev - 8);; 15 | -------------------------------------------------------------------------------- /src/oldpm/revision.mli: -------------------------------------------------------------------------------- 1 | (* 2 | * Copyright (C) 2012 INRIA and Microsoft Corporation 3 | *) 4 | 5 | (** Store revision information for source files. *) 6 | 7 | val f : string -> unit;; 8 | (** This function should be called as [Revision.f "$Rev$"] in every source 9 | file. It will record the Subversion revision number. *) 10 | 11 | val get : unit -> string;; 12 | (** This function returns the greatest of the revision numbers recorded 13 | by [f]. *) 14 | 15 | -------------------------------------------------------------------------------- /src/oldpm/sysconf.ml: -------------------------------------------------------------------------------- 1 | (* 2 | * sysconf.ml --- thin interface to POSIX.1 sysconf(2) 3 | * 4 | * Author: Kaustuv Chaudhuri 5 | * 6 | * Copyright (C) 2008-2010 INRIA and Microsoft Corporation 7 | *) 8 | 9 | Revision.f "$Rev: 28687 $";; 10 | 11 | (* TODO, fix the line below to work in the new build *) 12 | (*external nprocs_internal : unit -> int = "sysconf_nprocs"*) 13 | let nprocs_internal m = assert false (* this is a dummy function, the above should be fixed *) 14 | 15 | let nprocs ?(default=0) () = 16 | try nprocs_internal () with _ -> default 17 | -------------------------------------------------------------------------------- /src/oldpm/sysconf.mli: -------------------------------------------------------------------------------- 1 | (* 2 | * sysconf.ml --- thin interface to POSIX.1 sysconf(2) 3 | * 4 | * Author: Kaustuv Chaudhuri 5 | * 6 | * Copyright (C) 2008-2010 INRIA and Microsoft Corporation 7 | *) 8 | 9 | val nprocs : ?default:int -> unit -> int;; 10 | -------------------------------------------------------------------------------- /src/oldpm/timing.ml: -------------------------------------------------------------------------------- 1 | (* 2 | * timing.ml --- time tracking 3 | * 4 | * 5 | * Copyright (C) 2008-2010 INRIA and Microsoft Corporation 6 | *) 7 | 8 | Revision.f "$Rev: 32096 $";; 9 | 10 | (**********************************************) 11 | (* Simple timers *) 12 | 13 | type timer = float;; 14 | 15 | let start_timer () = Unix.gettimeofday ();; 16 | 17 | let get_timer t = Unix.gettimeofday () -. t;; 18 | 19 | (**********************************************) 20 | (* Old clock stuff (remove?) *) 21 | 22 | type clock = { desc : string ; 23 | mutable time : float ; 24 | mutable count : int } 25 | 26 | let new_clock desc = { desc = desc ; 27 | time = 0.0 ; 28 | count = 0 } 29 | 30 | let ambient = new_clock "other" 31 | 32 | let beginning_of_the_world = Unix.gettimeofday () 33 | 34 | let last_start = ref (ambient, beginning_of_the_world) 35 | 36 | let start cl = 37 | let now = Unix.gettimeofday () in 38 | cl.count <- cl.count + 1; 39 | let (ocl, before) = !last_start in 40 | ocl.time <- ocl.time +. now -. before; 41 | last_start := (cl, now) 42 | 43 | let stop () = start ambient 44 | 45 | let total desc = { 46 | desc = desc; 47 | time = Unix.gettimeofday () -. beginning_of_the_world; 48 | count = 0; 49 | } 50 | 51 | let string_of_clock cl = 52 | if (fst !last_start).desc == cl.desc then start cl ; 53 | Printf.sprintf "%s | %-13.6f" cl.desc cl.time 54 | -------------------------------------------------------------------------------- /src/oldpm/timing.mli: -------------------------------------------------------------------------------- 1 | (* 2 | * Copyright (C) 2011 INRIA and Microsoft Corporation 3 | *) 4 | 5 | (**********************************************) 6 | (* Simple timers *) 7 | 8 | type timer;; 9 | (** The time of running timers. Note that timers are just data structures, 10 | when a timer is not needed any more, you don't need to do anything to 11 | release it. *) 12 | 13 | val start_timer : unit -> timer;; 14 | (** Allocate and start a new timer. *) 15 | 16 | val get_timer : timer -> float;; 17 | (** Return the elapsed time for the given timer. *) 18 | 19 | (**********************************************) 20 | (* Old clock stuff (remove?) *) 21 | 22 | type clock = { 23 | desc : string; (** description string *) 24 | mutable time : float; (** cumulative time *) 25 | mutable count : int; (** number of time this clock was started *) 26 | };; 27 | (** The type of clocks. *) 28 | 29 | val start : clock -> unit;; 30 | (** [start c] 31 | Stop the current clock and start clock [c]. *) 32 | 33 | val stop : unit -> unit;; 34 | (** Stop the current clock and start the ambient clock. *) 35 | 36 | val new_clock : string -> clock;; 37 | (** [new_clock desc] Create a new clock with description [desc] and 38 | both counters at 0. Do not start the new clock, do not change the 39 | running clock. *) 40 | 41 | val total : string -> clock;; 42 | (** [total desc] 43 | Create a new clock with description [desc], time initialized to 44 | the total running time of the program up to now, and count 45 | initialized to 0. Do not start the new clock, do not change the 46 | running clock. *) 47 | 48 | val ambient : clock;; 49 | (** The default clock that runs before any other clock is started. 50 | It also runs when [stop] is called. *) 51 | 52 | val string_of_clock : clock -> string;; 53 | (** [string_of_clock c] 54 | Return a printable representation of [c] that includes its description 55 | and current total time. *) 56 | -------------------------------------------------------------------------------- /src/oldpm/tlapm_args.mli: -------------------------------------------------------------------------------- 1 | (* 2 | * Copyright (C) 2011 INRIA and Microsoft Corporation 3 | *) 4 | 5 | val init : unit -> string list;; 6 | -------------------------------------------------------------------------------- /src/oldpm/toolbox.mli: -------------------------------------------------------------------------------- 1 | (* 2 | * Copyright (C) 2011 INRIA and Microsoft Corporation 3 | *) 4 | 5 | open Types 6 | open Obligation 7 | 8 | (* backend/isabelle.ml *) 9 | val toolbox_print : 10 | obligation -> 11 | ?temp:bool -> 12 | string -> 13 | string option -> 14 | string option -> 15 | float -> 16 | bool option -> 17 | bool -> 18 | reason option -> 19 | string -> 20 | float option -> 21 | unit 22 | ;; 23 | 24 | (* backend/prep.ml *) 25 | val print_new_res : 26 | obligation -> status_type6 -> string -> float option -> unit 27 | ;; 28 | 29 | val print_message : string -> unit;; 30 | val print_old_res : obligation -> status_type6 -> bool -> unit;; 31 | 32 | (* tlapm.ml *) 33 | val print_ob_number : int -> unit;; 34 | val print_message_url : string -> string -> unit;; 35 | -------------------------------------------------------------------------------- /src/oldpm/toolbox_msg.ml: -------------------------------------------------------------------------------- 1 | (* 2 | * Copyright (C) 2011 INRIA and Microsoft Corporation 3 | *) 4 | 5 | (* This module handles the output of messages to the Toolbox. *) 6 | (* It depends only on Ext and Loc. *) 7 | 8 | Revision.f "$Rev: 28687 $";; 9 | 10 | open Printf;; 11 | 12 | let delim = "@!!";; 13 | 14 | let print_begin typ = 15 | eprintf "%sBEGIN\n" delim; 16 | eprintf "%stype:%s\n" delim typ; 17 | ;; 18 | 19 | let print_string name str = eprintf "%s%s:%s\n" delim name str;; 20 | let print_int name n = eprintf "%s%s:%d\n" delim name n;; 21 | let print_bool name b = eprintf "%s%s:%b\n" delim name b;; 22 | 23 | let print_end () = eprintf "%sEND\n\n%!" delim;; 24 | 25 | 26 | let print_warning msg = 27 | print_begin "warning"; 28 | print_string "msg" msg; 29 | print_end (); 30 | ;; 31 | 32 | let print_error msg url = 33 | print_begin "error"; 34 | print_string "url" url; 35 | print_string "msg" msg; 36 | print_end (); 37 | ;; 38 | 39 | let print_obligationsnumber n = 40 | print_begin "obligationsnumber"; 41 | print_int "count" n; 42 | print_end (); 43 | ;; 44 | 45 | let line loc = Loc.line loc;; 46 | let col loc = Loc.column loc;; 47 | 48 | open Ext;; 49 | 50 | let print_obligation ~id ~loc ~status ~fp ~prover ~meth ~reason ~already ~obl = 51 | print_begin "obligation"; 52 | print_int "id" id; 53 | let start = loc.Loc.start in 54 | let stop = loc.Loc.stop in 55 | eprintf "%sloc:%d:%d:%d:%d\n" delim 56 | (line start) (col start) (line stop) (col stop); 57 | print_string "status" status; 58 | Option.iter (print_string "fp") fp; 59 | Option.iter (print_string "prover") prover; 60 | Option.iter (print_string "meth") meth; 61 | Option.iter (print_string "reason") reason; 62 | Option.iter (print_bool "already") already; 63 | Option.iter (print_string "obl") obl; 64 | print_end (); 65 | ;; 66 | 67 | -------------------------------------------------------------------------------- /src/oldpm/toolbox_msg.mli: -------------------------------------------------------------------------------- 1 | (* 2 | * Copyright (C) 2011 INRIA and Microsoft Corporation 3 | *) 4 | 5 | val print_warning : string -> unit;; 6 | (* Send a "type:warning" message to the toolbox. 7 | Displays the message in a dialog box. 8 | *) 9 | 10 | val print_error : string -> string -> unit;; 11 | (* [print_error msg url] 12 | Send a "type:error" message to the toolbox. 13 | Displays the message in a dialog box along with the (clickable) URL. 14 | *) 15 | 16 | val print_obligationsnumber : int -> unit;; 17 | (* Send a "type:obligationsnumber" message to the toolbox. *) 18 | 19 | val print_obligation : 20 | id : int -> 21 | loc : Loc.locus -> 22 | status : string -> 23 | fp : string option -> 24 | prover : string option -> 25 | meth : string option -> 26 | reason : string option -> 27 | already : bool option -> 28 | obl : string option -> 29 | unit 30 | ;; 31 | (* Send a "type:obligation" message to the toolbox. *) 32 | -------------------------------------------------------------------------------- /src/oldpm/types.ml: -------------------------------------------------------------------------------- 1 | (* 2 | * Backend types 3 | * 4 | * Copyright (C) 2008-2010 INRIA and Microsoft Corporation 5 | *) 6 | 7 | Revision.f "$Rev: 30027 $";; 8 | 9 | type obligation = string 10 | 11 | type reason = 12 | | False 13 | | Timeout 14 | | Cantwork of string 15 | ;; 16 | 17 | type status_type_aux6 = 18 | | RSucc 19 | | RFail of reason option 20 | | RInt 21 | ;; 22 | 23 | type status_type6 = 24 | | Triv 25 | | NTriv of status_type_aux6 * Method.t 26 | ;; 27 | 28 | type package = { 29 | final_form : obligation; 30 | log : string list; 31 | proof : string; 32 | results : status_type6 list; 33 | } 34 | -------------------------------------------------------------------------------- /src/oldpm/types.mli: -------------------------------------------------------------------------------- 1 | (* 2 | * Copyright (C) 2011 INRIA and Microsoft Corporation 3 | *) 4 | 5 | type obligation = string 6 | 7 | type reason = 8 | | False 9 | | Timeout 10 | | Cantwork of string 11 | ;; 12 | type status_type_aux6 = 13 | | RSucc 14 | | RFail of reason option 15 | | RInt 16 | ;; 17 | type status_type6 = 18 | | Triv 19 | | NTriv of status_type_aux6 * Method.t 20 | ;; 21 | 22 | type package = { 23 | final_form : obligation; 24 | (* print_form : Proof.T.obligation; *) 25 | log : string list; 26 | proof : string; 27 | results : status_type6 list; 28 | };; 29 | -------------------------------------------------------------------------------- /src/oldpm/version.mli: -------------------------------------------------------------------------------- 1 | (* 2 | * Copyright (C) 2011 INRIA and Microsoft Corporation 3 | *) 4 | 5 | val major : int;; 6 | val minor : int;; 7 | val micro : int;; 8 | -------------------------------------------------------------------------------- /src/process.ml: -------------------------------------------------------------------------------- 1 | (** Models the run of an external process *) 2 | type 'a exec_result = Ok of 'a | Error of int * 'a 3 | type 'a processor = in_channel -> unit -> 'a 4 | 5 | let call_exec settings tool cmd process_out = 6 | let (channel, stdin, stderr) = 7 | let env = Unix.environment () in 8 | let (jin, jout, jerr) = 9 | Unix.open_process_full cmd env in 10 | (jin, jout, jerr) 11 | in 12 | let result = process_out channel () in 13 | (* close_channels *) 14 | let exit_code = 15 | Unix.close_process_full (channel, stdin, stderr) 16 | in 17 | match exit_code with 18 | | Unix.WEXITED 0 -> Ok result 19 | | Unix.WEXITED code -> Error (code, result) 20 | | Unix.WSIGNALED code -> 21 | let msg = Format.asprintf "process killed with signal %d" code in 22 | raise (Backend_exceptions.ExternalToolFailed (tool, msg, "")) 23 | | Unix.WSTOPPED code -> 24 | let msg = Format.asprintf "process stopped with signal %d" code in 25 | raise (Backend_exceptions.ExternalToolFailed (tool, msg, "")) 26 | 27 | let process_stdout c () = 28 | let buffer = Buffer.create 16 in 29 | let rec aux c = 30 | try 31 | let line = input_line c in 32 | Buffer.add_string buffer line; 33 | aux c; 34 | with 35 | | End_of_file -> 36 | () 37 | in 38 | aux c; 39 | Buffer.contents buffer 40 | -------------------------------------------------------------------------------- /src/process.mli: -------------------------------------------------------------------------------- 1 | (** Models the run of an external process *) 2 | type 'a exec_result = Ok of 'a | Error of int * 'a 3 | type 'a processor = in_channel -> unit -> 'a 4 | 5 | val call_exec : Settings.settings -> Commons.prover -> string 6 | -> 'a processor -> 'a exec_result 7 | (** [call_exec settings prover cmd processor] opens a shell, connects 8 | to stdin, stdout and stderr and executes. It calls processor on stdin 9 | and returns its result, of the command executes with exit code 0. A regular 10 | closure with error code different from 0 results in an Error with the error 11 | code and the result. 12 | *) 13 | 14 | val process_stdout : string processor 15 | (** Processes all output of a childprocess and returns the string. *) 16 | -------------------------------------------------------------------------------- /src/sany/sany.mli: -------------------------------------------------------------------------------- 1 | (* Copyright (C) 2014 MSR-INRIA 2 | * Author: TL 3 | *) 4 | 5 | (** The SANY XML parser. 6 | 7 | It parses an xml file according to the xsd in lib/sany.xsd and creates 8 | datastructures from the {!module:Sany_ds}, which directly mirror the schema. 9 | 10 | *) 11 | open Commons 12 | open Xmlm 13 | open Sany_ds 14 | 15 | val import_xml : Pervasives.in_channel -> context 16 | -------------------------------------------------------------------------------- /src/sany/sany_builtin_extractor.ml: -------------------------------------------------------------------------------- 1 | open Sany_ds 2 | open Commons 3 | 4 | type eacc = (int * Expr_ds.builtin_op_) list * Sany_ds.entry list 5 | let builtins (b, _) = b 6 | let entries (_, e) = e 7 | 8 | class extractor = object(self) 9 | inherit [eacc] Sany_visitor.visitor as super 10 | 11 | method entry acc { uid; reference } = match reference with 12 | | E_builtin_op {location; level; name; arity; params } -> 13 | let params = List.map ( fun param -> 14 | let (x,y) = param in 15 | (Sany_expr.convert_formal_param (entries acc) x, y) 16 | ) params in 17 | let op : Expr_ds.builtin_op_ = { Expr_ds.id = uid; level; name; arity; params; } in 18 | ((uid, op) :: (builtins acc), entries acc) 19 | | _ -> super#entry acc { uid; reference } 20 | 21 | end 22 | 23 | let extractor_instance = new extractor 24 | let extract_from_context c = 25 | extractor_instance#context ([], c.entries) c |> builtins 26 | -------------------------------------------------------------------------------- /src/sany/sany_builtin_extractor.mli: -------------------------------------------------------------------------------- 1 | open Commons 2 | open Sany_ds 3 | 4 | val extract_from_context : context -> (int * Expr_ds.builtin_op_) list 5 | -------------------------------------------------------------------------------- /src/sany/sany_expr.mli: -------------------------------------------------------------------------------- 1 | (** Provides a conversion from the xml datastructures which directly mirror 2 | the sany datastructures to the internal ones defined in Expr_ds.mli 3 | *) 4 | 5 | type builtin_store = (int * Expr_ds.builtin_op) list 6 | type lambda_store = (int * Expr_ds.user_defined_op_) list 7 | 8 | (*val convert_expr : 9 | ?builtins:builtin_store -> Sany_ds.expr -> Expr_ds.expr 10 | *) 11 | val convert_context : 12 | ?builtins:builtin_store -> Sany_ds.context -> Expr_ds.context 13 | (* 14 | val convert_module : 15 | ?builtins:builtin_store -> Sany_ds.mule -> Expr_ds.mule 16 | *) 17 | val convert_formal_param : 18 | ?builtins:builtin_store -> Sany_ds.entry list -> Sany_ds.formal_param 19 | -> Expr_ds.formal_param 20 | -------------------------------------------------------------------------------- /src/scheduler.ml: -------------------------------------------------------------------------------- 1 | open Commons 2 | open Util 3 | open Obligation 4 | open Toolbox 5 | 6 | let schedule settings context o = 7 | List.fold_left (fun l -> function 8 | | Isabelle -> (o, Isabelle, fun () -> 9 | (* debug "starting isabelle\n"; *) 10 | Runners.run_isabelle settings o) :: l 11 | | Nunchaku -> (o, Nunchaku, fun () -> 12 | match Runners.run_nunchaku settings o with 13 | | Some msg -> Some ToBeProved 14 | | None -> Some Failed 15 | ) :: l 16 | | Zenon 17 | | SMT 18 | | LS4 19 | | Tlaps 20 | | Default -> (o, Default, fun () -> None) :: l 21 | ) context o.provers 22 | 23 | let scheduler settings obligations = 24 | let default_msg (o:obligation) prover = 25 | { id = o.id; 26 | location = o.location; 27 | status = Failed; 28 | prover = Some prover; 29 | meth = None; 30 | already_processed = Some false; 31 | obligation_string = None 32 | } in 33 | let tasks = List.fold_left (schedule settings) [] obligations in 34 | let messages = List.fold_left (fun acc -> function 35 | | ((o:obligation), prover, task) -> 36 | let entry = IntMap.get_or o.id acc ~default:(default_msg o prover) in 37 | match entry with 38 | | {status = Proved; _ } -> 39 | (* status is already proved, we don't need to call a backend *) 40 | acc 41 | | _ -> 42 | (* call prover and generate new message *) 43 | begin 44 | match task () with 45 | | Some status -> 46 | let entry = { 47 | id = o.id; 48 | location = o.location; 49 | status; 50 | prover = Some prover; 51 | meth = None; 52 | already_processed = Some false; 53 | obligation_string = None 54 | } in 55 | IntMap.add o.id entry acc 56 | | None -> 57 | (* backend error, ignore *) 58 | acc 59 | end 60 | ) IntMap.empty tasks in 61 | messages 62 | -------------------------------------------------------------------------------- /src/scheduler.mli: -------------------------------------------------------------------------------- 1 | (** The scheduler processing the obligations. Right now just serializes 2 | every call. *) 3 | 4 | val scheduler : Settings.settings -> 5 | Obligation.obligation list -> Toolbox.toolbox_msg Util.IntMap.t 6 | -------------------------------------------------------------------------------- /src/settings.mli: -------------------------------------------------------------------------------- 1 | open Commons 2 | open CCFormat 3 | 4 | (** This module represents the global settings for the PM. *) 5 | 6 | type settings = { 7 | (* SANY/XML related *) 8 | java_executable : string; (* the string to call the java interpreter *) 9 | check_schema : bool; (* check if the xm file conforms to the sany.xsd schema *) 10 | xml_input : bool; (* expect an xml input file instead of tla *) 11 | include_paths : string list; (* list of include directories *) 12 | 13 | (* pm settings *) 14 | verbose : bool; 15 | overlord : bool; 16 | toolbox : int_range; 17 | toolbox_output : bool; 18 | fingerprints : bool; 19 | input_file : string; 20 | pm_path : string; 21 | 22 | (* unchaku backend settings *) 23 | models_in_tla : bool; 24 | nunchaku_executable : string; (* the string to call nunchaku *) 25 | nunchaku_temp_path : string; 26 | } 27 | 28 | val default_settings : settings 29 | val fmt_settings : settings printer 30 | -------------------------------------------------------------------------------- /src/test/test_common.ml: -------------------------------------------------------------------------------- 1 | open Kaputt 2 | 3 | type test_result = { 4 | filename : string; 5 | mutable sany_context : Sany_ds.context option; 6 | mutable expr_context : Expr_ds.context option; 7 | mutable explicit_lambda_context : Expr_ds.context option; 8 | mutable explicit_steps_context : Expr_ds.context option; 9 | mutable obligations : Obligation.obligation list; 10 | mutable simple_obligations : Simple_expr_ds.tla_simple_pb list; 11 | } 12 | 13 | let mkTestResult ?sc ?ec ?lc ?esc ?ob:(ob=[]) ?sob:(sob=[]) name = 14 | { 15 | filename = name; 16 | sany_context = sc; 17 | expr_context = ec; 18 | explicit_lambda_context = lc; 19 | explicit_steps_context = esc; 20 | obligations = ob; 21 | simple_obligations = sob; 22 | } 23 | 24 | let exhandler ?fn:(fn=None) f = 25 | try 26 | Printexc.record_backtrace true; 27 | let ret = f () in 28 | Printexc.record_backtrace false; 29 | ret 30 | with 31 | | Assertion.Failed( {Assertion.expected_value; actual_value; message;} ) as x -> 32 | CCOpt.iter (fun x -> Printf.eprintf "File: %s\n" x) fn; 33 | let bt = Printexc.get_backtrace () in 34 | Printf.eprintf "Assertion Failed: %s\n" (Printexc.to_string x); 35 | Printf.eprintf "Expected:%s\nGot :%s\nmessage:%s\n" 36 | expected_value actual_value message; 37 | Printf.eprintf "Backtrace: %s\n\n" bt; 38 | raise x 39 | | x -> 40 | CCOpt.iter (fun x -> Printf.eprintf "File: %s\n" x) fn; 41 | let bt = Printexc.get_backtrace () in 42 | Printf.eprintf "Exception: %s\n" (Printexc.to_string x); 43 | Printf.eprintf "Backtrace: %s\n\n" bt; 44 | raise x 45 | -------------------------------------------------------------------------------- /src/test/test_common.mli: -------------------------------------------------------------------------------- 1 | open Sany_ds 2 | open Expr_ds 3 | 4 | (** A record storing a test result. The tests update the record 5 | with their results in the tear down phase, because they need 6 | to return the unit type. 7 | *) 8 | type test_result = { 9 | filename : string; 10 | mutable sany_context : Sany_ds.context option; 11 | mutable expr_context : Expr_ds.context option; 12 | mutable explicit_lambda_context : Expr_ds.context option; 13 | mutable explicit_steps_context : Expr_ds.context option; 14 | mutable obligations : Obligation.obligation list; 15 | mutable simple_obligations : Simple_expr_ds.tla_simple_pb list; 16 | } 17 | 18 | (** creates a test result from the filename and optionally the contexts. *) 19 | val mkTestResult : 20 | ?sc:Sany_ds.context -> ?ec:Expr_ds.context 21 | -> ?lc:Expr_ds.context -> ?esc:Expr_ds.context 22 | -> ?ob:Obligation.obligation list 23 | -> ?sob:Simple_expr_ds.tla_simple_pb list 24 | -> string -> test_result 25 | 26 | 27 | (** Evaluates the given function and pretty prints an exception, 28 | if it is raised. In that case, the exception is raised again for 29 | the caller to catch too. 30 | *) 31 | val exhandler : ?fn:(string option) -> (unit -> 'a) -> 'a 32 | -------------------------------------------------------------------------------- /src/test/test_correct_lambda.ml: -------------------------------------------------------------------------------- 1 | open Kaputt.Abbreviations 2 | open Any_expr 3 | open Expr_ds 4 | open Expr_correct_lambda 5 | open Expr_formatter 6 | open Util 7 | open Test_common 8 | 9 | 10 | let test_expr_map record () = 11 | Printf.printf "%s\n" record.filename; 12 | let mapper = new correct_lambda in 13 | let old_context = match record.expr_context with 14 | | Some x -> x 15 | | None -> failwith ("No expression content for " ^ record.filename ^ "!") 16 | in 17 | let new_context, acc = 18 | mapper#context (old_context.entries, IntMap.empty) old_context in 19 | (* 20 | let mids = Expr_termdb_utils.mentioned_ids new_context.entries in 21 | let eids = Expr_termdb_utils.entry_ids new_context.entries in 22 | let incons = Expr_termdb_utils.inconsistent_entries new_context.entries in 23 | let msg = CCFormat.sprintf 24 | "Mids: %a;\nEids: %a;\nConflicts: %a;" 25 | (CCFormat.list CCFormat.int) mids 26 | (CCFormat.list CCFormat.int) eids 27 | (CCFormat.list CCFormat.int) incons 28 | in 29 | Printf.printf "%s\n" msg; 30 | *) 31 | Printf.printf "Lambda conversion test of %s \n" record.filename; 32 | Assert.equal 33 | ~prn:(CCFormat.sprintf "[%a]" (CCFormat.list ~sep:(fun x () -> 34 | CCFormat.string x "; ") CCFormat.int) 35 | ) 36 | ~msg:"Term db after lambda conversion is consistent" 37 | (Expr_termdb_utils.inconsistent_entries new_context.entries) 38 | [] 39 | ; 40 | record.explicit_lambda_context <- Some new_context; 41 | () 42 | 43 | 44 | let test_map record = 45 | Test.make_assert_test 46 | ~title: ("correcting lambda on expr ds trees " ^ record.filename) 47 | (fun () -> ()) 48 | (fun () -> 49 | Assert.no_raise ~msg:"Unexpected exception raised." 50 | (fun () -> exhandler ~fn:(Some record.filename) ( test_expr_map record ) ) 51 | ) 52 | (fun () -> () ) 53 | 54 | 55 | let get_tests records = List.map test_map records 56 | -------------------------------------------------------------------------------- /src/test/test_extract_obligations.ml: -------------------------------------------------------------------------------- 1 | open Kaputt.Abbreviations 2 | open Commons 3 | open Expr_ds 4 | open Extract_obligations 5 | open Util 6 | open Test_common 7 | open Format 8 | open Obligation 9 | open Obligation_formatter 10 | 11 | 12 | let test_extract_obligations record () = 13 | let context = match record.explicit_steps_context with 14 | | Some c -> c 15 | | None -> 16 | failwith ("Test implementation error! No expression context "^ 17 | "with corrected proof steps " ^ 18 | "available in record for file " ^ record.filename ) 19 | in 20 | let cc = emptyCurrentContext context.entries in 21 | let eo = new extract_obligations in 22 | let acc = EOAcc ([cc], [], [], Module, context.root_module, None) in 23 | let acc1 = eo#context acc context in 24 | let obs = get_obligations acc1 in 25 | begin 26 | match obs with 27 | | [] -> Printf.printf "%s no obligations extracted!\n" record.filename; 28 | | _ -> 29 | begin 30 | let total = List.length obs in 31 | let fmt_ps = fmt_list fmt_prover in 32 | let print_obl i o = 33 | Format.printf "Obligation #%d of %d@." i total; 34 | Format.printf "%s obligation provers : %a@." 35 | record.filename fmt_ps o.provers; 36 | (* Printf.printf "%d assumptions\n" (List.length o.goal.assumes); *) 37 | fmt_obligation std_formatter o; 38 | Format.printf "@.(end of obligation)@."; 39 | i+1 40 | in 41 | ignore ( 42 | Format.printf "%s : no of obligations: %d@." record.filename total; 43 | List.fold_left print_obl 1 obs 44 | ) 45 | end 46 | end; 47 | obs 48 | 49 | let create_test record = 50 | Test.make_assert_test 51 | ~title: ("extracting obligations " ^ record.filename) 52 | (fun () -> ()) 53 | ( test_extract_obligations record ) 54 | (fun obs -> record.obligations <- obs; () ) 55 | 56 | 57 | let get_tests records = List.map create_test records 58 | -------------------------------------------------------------------------------- /src/test/test_formatter.ml: -------------------------------------------------------------------------------- 1 | open Kaputt.Abbreviations 2 | open Expr_ds 3 | open Expr_formatter 4 | open Util 5 | open Test_common 6 | open Format 7 | 8 | let test_sany record () = 9 | ignore ( 10 | let err = CCFormat.sprintf 11 | "Test implementation error! Record faulty in file %s." record.filename 12 | in 13 | let context = CCOpt.get_exn record.explicit_steps_context in 14 | (* let fmt = new formatter in *) 15 | (* pp_set_margin std_formatter 80; *) 16 | fprintf str_formatter "@[%s:@\n" record.filename; 17 | let init = (str_formatter, context.entries, true, Module, 0) in 18 | ignore ( expr_formatter#context init context ); 19 | fprintf str_formatter "@]@."; 20 | let text = flush_str_formatter () in 21 | if (String.length text) < 1000 then 22 | (* only print to screen if it is not too big*) 23 | Format.printf "%s@." text 24 | else 25 | Format.printf 26 | "skipping too large pretty printing of test %s@." 27 | record.filename; 28 | () 29 | ) 30 | 31 | let create_test record = 32 | Test.make_assert_test 33 | ~title: ("formatting " ^ record.filename) 34 | (fun () -> ()) 35 | (fun () -> 36 | Assert.no_raise ~msg:"Unexpected exception raised." 37 | (fun () -> exhandler ( test_sany record ) ) 38 | ) 39 | (fun () -> () ) 40 | 41 | 42 | let get_tests records = List.map create_test records 43 | -------------------------------------------------------------------------------- /src/test/test_formatter.mli: -------------------------------------------------------------------------------- 1 | open Kaputt 2 | open Test_common 3 | 4 | val get_tests : test_result list -> Test.t list 5 | -------------------------------------------------------------------------------- /src/test/test_issue2.ml: -------------------------------------------------------------------------------- 1 | open Kaputt 2 | open Kaputt.Abbreviations 3 | open Expr_ds 4 | open Expr_formatter 5 | open Obligation 6 | open Obligation_formatter 7 | open Format 8 | open Util 9 | open Test_common 10 | 11 | let test_map record = 12 | Test.make_assert_test 13 | ~title: ("testing bug of issue 2:" ^ record.filename) 14 | (fun () -> record ) 15 | (function 16 | { obligations; _ } -> 17 | Assert.is_false (obligations = []); 18 | let _ = List.map (function 19 | | { goal = N_expr _; _ } 20 | | { goal = (N_assume_prove { assumes = []; _}); _ } -> 21 | () 22 | | obl -> 23 | let msg = asprintf 24 | "Expected no assumptions in goal of obligation %a" 25 | fmt_obligation obl 26 | in 27 | Assert.fail_msg msg 28 | ) obligations; 29 | in 30 | () 31 | ) 32 | (fun () -> () ) 33 | 34 | 35 | let get_tests records = 36 | let re = Str.regexp ".*obligation_bug1.xml$" in 37 | let record = List.find (fun x -> Str.string_match re x.filename 0) records in 38 | [test_map record] 39 | -------------------------------------------------------------------------------- /src/test/test_map.ml: -------------------------------------------------------------------------------- 1 | open Kaputt.Abbreviations 2 | open Any_expr 3 | open Expr_ds 4 | open Expr_map 5 | open Expr_formatter 6 | open Util 7 | open Test_common 8 | 9 | 10 | let test_expr_map record () = 11 | Printf.printf "%s\n" record.filename; 12 | let mapper = new expr_map in 13 | let context = match record.expr_context with 14 | | Some x -> x 15 | | None -> failwith ("No expression content for " ^ record.filename ^ "!") 16 | in 17 | let me = mapper#get_macc_extractor in 18 | let mapped_context = 19 | me#context (mapper#context (Any_context context, []) context) in 20 | (* let result = context = mapped_context in *) 21 | (* Printf.printf "%s\n%b\n" record.filename result; 22 | expr_formatter#context (Format.std_formatter, context, true, Module, 0) 23 | context; *) 24 | Assert.equal ~msg:"Data-structures must be identical after id map!" 25 | context mapped_context 26 | 27 | 28 | let test_map record = 29 | Test.make_assert_test 30 | ~title: ("mapping on expr ds trees " ^ record.filename) 31 | (fun () -> ()) 32 | (test_expr_map record) 33 | (* (* Assert.equal throws an exception - this only works if there are no 34 | assertions inside *) 35 | (fun () -> 36 | Assert.no_raise ~msg:"Unexpected exception raised." 37 | (fun () -> exhandler ( test_expr_map record ) ) 38 | ) 39 | *) 40 | (fun () -> () ) 41 | 42 | 43 | let get_tests records = List.map test_map records 44 | -------------------------------------------------------------------------------- /src/test/test_map.mli: -------------------------------------------------------------------------------- 1 | open Kaputt 2 | open Test_common 3 | 4 | val get_tests : test_result list -> Test.t list 5 | -------------------------------------------------------------------------------- /src/test/test_parse_theorems.ml: -------------------------------------------------------------------------------- 1 | open Kaputt.Abbreviations 2 | open Expr_ds 3 | open Expr_parse_theorems 4 | open Expr_formatter 5 | open Util 6 | open Test_common 7 | open Expr_visitor 8 | 9 | class suffices_scanner = 10 | object 11 | inherit [int * int] visitor as super 12 | 13 | method statement (flags, constrs) = 14 | let rec aux f = function 15 | | N_assume_prove {suffices = true; _} -> 16 | f+1 17 | | N_assume_prove _ 18 | | N_expr _ -> 19 | f 20 | | N_ap_subst_in {body; _} -> 21 | (* should we also count the instantiated ones? in theory 22 | there should be no assume prove possible in there but who knows 23 | *) 24 | aux f body 25 | in 26 | function 27 | | ST_FORMULA f -> 28 | let flags = aux flags f in 29 | super#statement (flags, constrs) (ST_SUFFICES f) 30 | | ST_SUFFICES f -> 31 | let flags = aux flags f in 32 | super#statement (flags, constrs+1) (ST_SUFFICES f) 33 | | _ as st -> 34 | super#statement (flags, constrs) st 35 | end 36 | 37 | let test_parse_theorems record () = 38 | Printf.printf "%s\n" record.filename; 39 | let context = match record.explicit_lambda_context with 40 | | Some x -> x 41 | | None -> failwith ("No expression content for " ^ record.filename ^ "!") 42 | in 43 | Printf.printf "Theorem correction conversion test of %s \n" record.filename; 44 | let mapped_context = expr_parse_theorems_context context in 45 | let scanner = new suffices_scanner in 46 | let (a, b) = List.fold_left scanner#mule (0,0) context.modules in 47 | let (c, d) = List.fold_left scanner#mule (0,0) mapped_context.modules in 48 | Printf.printf "constr: %d %d -- %d %d\n" a c b d; 49 | record.explicit_steps_context <- Some mapped_context; 50 | () 51 | 52 | let test_map record = 53 | Test.make_assert_test 54 | ~title: ("making proof steps explicit " ^ record.filename) 55 | (fun () -> ()) 56 | (fun () -> 57 | Assert.no_raise ~msg:"Unexpected exception raised." 58 | (fun () -> exhandler ( test_parse_theorems record ) ) 59 | ) 60 | (fun () -> () ) 61 | 62 | 63 | let get_tests records = List.map test_map records 64 | -------------------------------------------------------------------------------- /src/test/test_parse_theorems.mli: -------------------------------------------------------------------------------- 1 | open Kaputt 2 | open Test_common 3 | 4 | val get_tests : test_result list -> Test.t list 5 | -------------------------------------------------------------------------------- /src/test/test_sany.mli: -------------------------------------------------------------------------------- 1 | open Kaputt 2 | open Test_common 3 | 4 | val get_tests : test_result list -> Test.t list 5 | -------------------------------------------------------------------------------- /src/test/test_simple_expr.ml: -------------------------------------------------------------------------------- 1 | open Kaputt.Abbreviations 2 | open Expr_ds 3 | open Simple_expr_ds 4 | open Simple_expr 5 | open Util 6 | open Test_common 7 | open Format 8 | open Tla_simple_pb 9 | open Backend_exceptions 10 | open Obligation_formatter 11 | 12 | let test_simple_expr record () = 13 | let rec obligations_to_string obligations sobligations n = 14 | match (obligations, sobligations) with 15 | | ([], []) -> ("","") 16 | | (obl::tl, sobl::stl) -> 17 | let (s1,s2) = obligations_to_string tl stl (n+1) in 18 | let fft = str_formatter in 19 | fprintf fft "Obligation %d:\n%a\n\n" n 20 | fmt_obligation obl; 21 | let s1' = flush_str_formatter () in 22 | fprintf fft "Obligation %d:\n%a\n\n" n 23 | fmt_tla_simple_pb sobl; 24 | let s2' = flush_str_formatter () in 25 | (s1'^s1,s2'^s2) 26 | | _ -> 27 | failwith "List of obligations and simple obligations are not of equal\ 28 | length!" 29 | in 30 | try 31 | let simple_obs = List.map tla_pb_to_tla_simple_pb record.obligations in 32 | let (s1,s2) = obligations_to_string record.obligations simple_obs 0 in 33 | let msg = sprintf "Comparing expr %s and simple expr %s.@." s1 s2 in 34 | (* note: some language elements are removed, e.g. theorem references in a 35 | term are replaced by the definition. Therefore this assertion doesn't 36 | hold in general. *) 37 | Assert.equal ~msg s1 s2; 38 | simple_obs 39 | with 40 | | UnhandledLanguageElement (_, _)-> [] 41 | 42 | let create_test record = 43 | Test.make_assert_test 44 | ~title: ("Comparing simple_expression to expression in " ^ record.filename) 45 | (fun () -> ()) 46 | (fun () -> 47 | (exhandler ( test_simple_expr record )) 48 | ) 49 | (fun sobs -> 50 | ignore( record.simple_obligations <- sobs ) 51 | ) 52 | 53 | 54 | let get_tests records = List.map create_test records 55 | -------------------------------------------------------------------------------- /src/test/test_substitution.mli: -------------------------------------------------------------------------------- 1 | open Kaputt 2 | open Test_common 3 | 4 | val get_tests : Test.t list 5 | -------------------------------------------------------------------------------- /src/test/test_util.ml: -------------------------------------------------------------------------------- 1 | open Kaputt.Abbreviations 2 | open List 3 | open Util 4 | 5 | let positive = function 6 | (* 1 -- 2 -- 3 7 | \ /- 6 8 | \ 4 -- 5 9 | \- 7 10 | *) 11 | | 1 -> [(1,2);(2,3);(1,4); (4,5); (5,6); (5,7)] 12 | (* 1 -- 2 13 | 4 -- 3 -/ 14 | *) 15 | | 2 -> [(1,2);(3,2);(4,3)] 16 | (* 1 -- 2 17 | 5 -- 4 -- 3 -/ 18 | *) 19 | | 3 -> [(5,4);(1,2);(3,2);(4,3)] 20 | | _ -> failwith "Error in test generation!" 21 | 22 | let negative = function 23 | | 1 -> [(1,1)] 24 | | 2 -> [(1,2);(2,3);(3,1)] 25 | | 3 -> [(1,2);(2,3);(3,2)] 26 | | _ -> failwith "Error in test generation!" 27 | 28 | 29 | let fmtOrdering lst = "[" ^ (mkString ~middle:"; " string_of_int lst) ^ "]" 30 | 31 | let test_positive test_no = 32 | Test.make_simple_test 33 | ~title:("testing acyclic ordering " ^ (string_of_int test_no) ^ 34 | " (expecting success)") 35 | (fun () -> 36 | let list = positive test_no in 37 | let ordering = find_ordering list in 38 | (* Printf.printf "obtained ordering: %s\n" (fmtOrdering ordering); *) 39 | let e = fold_left 40 | (fun errors pair -> 41 | let (x,y) = pair in 42 | match filter (fun v -> (v = x) || (v = y)) ordering with 43 | | [u;v] when u = x && v = y -> errors (* *) 44 | | other -> (pair, other) :: errors 45 | ) [] list 46 | in Assert.equal e [] 47 | ) 48 | 49 | let test_negative test_no = 50 | Test.make_simple_test 51 | ~title:("testing cyclic ordering " ^ (string_of_int test_no) ^ 52 | " (expecting failure)") 53 | (fun () -> 54 | Assert.raises 55 | ~msg:"Expecting failure during ordering cyclic dependencies." 56 | (fun () -> find_ordering @$ negative test_no) 57 | ) 58 | 59 | let get_tests = append (map test_positive [1;2;3]) (map test_negative [1;2;3]) 60 | -------------------------------------------------------------------------------- /src/test/test_util.mli: -------------------------------------------------------------------------------- 1 | open Kaputt 2 | 3 | val get_tests : Test.t list 4 | -------------------------------------------------------------------------------- /src/tlapm.mli: -------------------------------------------------------------------------------- 1 | (* Copyright (C) 2008-2010 INRIA and Microsoft Corporation *) 2 | 3 | (** 4 | The TLA Proof Manager. 5 | 6 | This is the main entry point to TLAPM. 7 | 8 | @author Damien Doligez 9 | @author Jael Kriener 10 | @author Tomer Libal 11 | @author Martin Riener 12 | *) 13 | (* 14 | val main : string list -> unit 15 | *) 16 | -------------------------------------------------------------------------------- /src/tlapm_api.odocl: -------------------------------------------------------------------------------- 1 | # OASIS_START 2 | # DO NOT EDIT (digest: c8388ed77ae119b1a41f1f36ef6ae63e) 3 | Tlapm 4 | Commons 5 | Expr_ds 6 | Expr_visitor 7 | Expr_map 8 | Expr_formatter 9 | Expr_utils 10 | Expr_dereference 11 | Expr_substitution 12 | Expr_termdb_utils 13 | Sany 14 | Sany_ds 15 | Sany_visitor 16 | Sany_expr 17 | Any_expr 18 | Util 19 | Test_common 20 | Expr_constructors 21 | Expr_builtins 22 | Extract_obligations 23 | # OASIS_STOP 24 | -------------------------------------------------------------------------------- /src/toolbox.mli: -------------------------------------------------------------------------------- 1 | open Expr_ds 2 | open Commons 3 | open Format 4 | 5 | (* This implements the datastructures for the toolbox communication protocol. 6 | See also general/docs/tlapm-toolbox-interface.txt in the toolbox code. 7 | *) 8 | 9 | type toolbox_status = | ToBeProved | Proved | Failed | Trivial 10 | | BeingProved | Interrupted | Countermodel 11 | 12 | (* TODO: how many proofs actually use that? *) 13 | type toolbox_method = | Auto | Blast | Force | Fail | Sorry 14 | 15 | type toolbox_msg = { 16 | id : int; (* obligation id *) 17 | location : location; (* location of statement to prove *) 18 | status : toolbox_status; (* proving status of the obligation *) 19 | prover : prover option; (* which prover was used *) 20 | meth : toolbox_method option; (* which method was passed *) 21 | already_processed : bool option; (* fingerprint used *) 22 | obligation_string : string option; 23 | } 24 | 25 | val fmt_toolbox_status : formatter -> toolbox_status -> unit 26 | (** Formatter for a toolbox_status. *) 27 | 28 | val fmt_toolbox_method : formatter -> toolbox_method -> unit 29 | (** Formatter for a toolbox_method. *) 30 | 31 | val fmt_toolbox_msg : formatter -> toolbox_msg -> unit 32 | (** Formatter for a toolbox_msg. Implements the type:obligation toolbox message. *) 33 | 34 | val fmt_toolbox_msg_d : ?prover:prover -> ?meth:toolbox_method -> 35 | ?already_processed:bool -> ?obligation_string:string -> 36 | formatter -> int -> location -> toolbox_status -> unit 37 | (** Alternative formatter to fmt_toolbox_msg without the need to create the record. *) 38 | 39 | val fmt_toolbox_msg_count : formatter -> int -> unit 40 | (** Formatter, implements the type:obligationsnumber toolbox message. *) 41 | -------------------------------------------------------------------------------- /src/version.ml: -------------------------------------------------------------------------------- 1 | (* AUTOMATICALLY GENERATED by tools/newversion.ml -- DO NOT EDIT *) 2 | let (major,minor,micro) = (1,4,1);; 3 | Revision.f "$Rev: 34534 $";; 4 | -------------------------------------------------------------------------------- /test/tla/Choose.tla: -------------------------------------------------------------------------------- 1 | ------------------------------- MODULE Choose ------------------------------- 2 | 3 | CONSTANT A(_), B(_) 4 | 5 | OP == \A x : A(x) \/ B(x) 6 | (* The manual says BY is followed by proof steps and optionally DEF statements. Apparently the parser SANY accepts it otherwise too in some cases. *) 7 | 8 | LEMMA ASSUME NEW VARIABLE x PROVE A(x) => A(CHOOSE n : A(n)) OBVIOUS 9 | LEMMA ASSUME \E x : A(x) PROVE A(CHOOSE n : A(n)) OBVIOUS 10 | 11 | 12 | LEMMA OP => \E n: A(n) \/ B(n) BY DEF OP 13 | 14 | LEMMA ASSUME NEW VARIABLE x PROVE (OP => A(x)) \/ (OP => B(x)) BY DEF OP 15 | 16 | LEMMA \A x : (OP => A(x)) \/ (OP => B(x)) BY DEF OP 17 | 18 | LEMMA ASSUME NEW x, \A y : A(y) PROVE A(x) OBVIOUS 19 | 20 | LEMMA ASSUME NEW x, A(x) PROVE \A y : A(y) OMITTED \* not provable since the new x in the assumption is an existential witness, not a universal one 21 | 22 | LEMMA ASSUME 23 | ASSUME NEW x 24 | PROVE A(x) 25 | PROVE \A y : A(y) OBVIOUS \* but this is provable 26 | 27 | 28 | LEMMA ASSUME NEW VARIABLE x, A(x) PROVE \A y : A(y) OMITTED \* again not provable 29 | 30 | LEMMA ASSUME 31 | ASSUME NEW VARIABLE x 32 | PROVE A(x) 33 | PROVE \A y : A(y) OBVIOUS \* but this is provable 34 | 35 | LEMMA \E u : (CHOOSE x \in {0,1} : (x=0 /\ x /= 0)) = u OBVIOUS \* careful, choose always returns an element, even though it might not be well defined 36 | 37 | LEMMA (\E u : u=(CHOOSE x \in {0,1} : (x=0 /\ x /= 0))) => (\E x \in {0,1} : (x=0 /\ x /= 0)) \* this is not valid 38 | 39 | LEMMA (\E u : u=(CHOOSE x \in {0,1} : (x=0 /\ x /= 0))) /\ \neg (\E x \in {0,1} : (x=0 /\ x /= 0)) OBVIOUS \* .. actually, in this case it is contradictory 40 | 41 | (***************************************************************************) 42 | (* sm: The current version of TLAPM does not handle quantification over *) 43 | (* tuples. It raises a syntax errors if the following lemmas are visible, *) 44 | (* i.e. even when attempting to prove the preceding lemmas. *) 45 | (***************************************************************************) 46 | (* choose with tuples *) 47 | LEMMA \E t : t = CHOOSE <> : x = y OMITTED \* not supported by tlapm v1 48 | LEMMA ASSUME NEW S PROVE \E t : t = CHOOSE <> \in S : x = y OMITTED \* not supported by tlapm v1 49 | 50 | ============================================================================= 51 | \* Modification History 52 | \* Last modified Fri Apr 20 14:21:09 CEST 2018 by merz 53 | \* Last modified Wed Feb 18 16:25:25 CET 2015 by marty 54 | \* Created Tue Jan 20 10:40:06 CET 2015 by marty 55 | -------------------------------------------------------------------------------- /test/tla/Euclid.tla: -------------------------------------------------------------------------------- 1 | -------------------- MODULE Euclid -------------------- 2 | EXTENDS Integers, TLAPS 3 | 4 | p | q == \E d \in 1..q : q = p * d 5 | Divisors(q) == {d \in 1..q : d | q} 6 | Maximum(S) == CHOOSE x \in S : \A y \in S : x \geq y 7 | GCD(p,q) == Maximum(Divisors(p) \cap Divisors(q)) 8 | Number == Nat \ {0} 9 | 10 | CONSTANTS M, N 11 | VARIABLES x, y 12 | 13 | ASSUME NumberAssumption == M \in Number /\ N \in Number 14 | 15 | Init == (x = M) /\ (y = N) 16 | 17 | Next == \/ /\ x < y 18 | /\ y' = y - x 19 | /\ x' = x 20 | \/ /\ y < x 21 | /\ x' = x-y 22 | /\ y' = y 23 | 24 | Spec == Init /\ [][Next]_<> 25 | 26 | ResultCorrect == (x = y) => x = GCD(M, N) 27 | 28 | InductiveInvariant == 29 | /\ x \in Number 30 | /\ y \in Number 31 | /\ GCD(x, y) = GCD(M, N) 32 | 33 | USE DEF Number 34 | 35 | THEOREM InitProperty == Init => InductiveInvariant 36 | BY NumberAssumption DEF Init, InductiveInvariant 37 | 38 | AXIOM GCDProperty1 == \A p \in Number : GCD(p, p) = p 39 | AXIOM GCDProperty2 == \A p, q \in Number : GCD(p, q) = GCD(q, p) 40 | AXIOM GCDProperty3 == \A p, q \in Number : (p < q) => GCD(p, q) = GCD(p, q-p) 41 | 42 | THEOREM NextProperty == InductiveInvariant /\ Next => InductiveInvariant' 43 | <1> SUFFICES ASSUME InductiveInvariant, Next 44 | PROVE InductiveInvariant' 45 | OBVIOUS 46 | <1> USE DEF InductiveInvariant, Next 47 | <1>1. (x < y) \/ (y < x) 48 | OBVIOUS 49 | <1>a. CASE x < y 50 | <2>1. (y - x \in Number) /\ ~(y < x) 51 | BY <1>a, SMT DEF Number 52 | <2>2. QED 53 | BY <1>a, <2>1, GCDProperty3 54 | <1>b. CASE y < x 55 | <2>1. (x - y \in Number) /\ ~(x < y) 56 | BY <1>b, SMT DEF Number 57 | <2>2. GCD(y', x') = GCD(y, x) 58 | BY <1>b, <2>1, GCDProperty3 59 | <2>4. QED 60 | BY <1>b, <2>1, <2>2, GCDProperty2 61 | <1> QED 62 | BY <1>1, <1>a, <1>b 63 | 64 | THEOREM Correctness == Spec => []ResultCorrect 65 | <1>1 InductiveInvariant /\ UNCHANGED <> => InductiveInvariant' 66 | BY DEF InductiveInvariant 67 | <1>2 Spec => []InductiveInvariant 68 | BY PTL, InitProperty, NextProperty, <1>1 DEF Spec 69 | <1>3 InductiveInvariant => ResultCorrect 70 | BY GCDProperty1 DEF InductiveInvariant, ResultCorrect 71 | <1> QED 72 | BY PTL, <1>2, <1>3 73 | 74 | ======================================================= 75 | -------------------------------------------------------------------------------- /test/tla/NTape1.tla: -------------------------------------------------------------------------------- 1 | ------------------------------- MODULE NTape1 ------------------------------- 2 | EXTENDS Naturals, TLAPS 3 | 4 | CONSTANT f 5 | VARIABLES h 6 | 7 | symbols == {"a", "b" } 8 | 9 | TypeOK == f \in [Nat -> symbols] /\ 10 | h \in [Nat -> Nat] 11 | 12 | TwoEqualSymbols(i,j,k) == i1. f[x] = "a" \/ f[x] = "b" 18 | BY DEF TypeOK, symbols, Nat 19 | <1>2. f[y] = "a" \/ f[y] = "b" 20 | BY DEF TypeOK, symbols, Nat 21 | <1>3. f[z] = "a" \/ f[z] = "b" 22 | BY DEF TypeOK, symbols, Nat 23 | <1>. QED BY <1>1,<1>2,<1>3, SMT DEF TypeOK, TwoEqualSymbols, Nat 24 | 25 | LEMMA L2 == ASSUME TypeOK, NEW x \in Nat, NEW y \in Nat, NEW z \in Nat, x < y, y < z PROVE TwoEqualSymbols(x,y,z) 26 | <1>1. f[x] = "a" \/ f[x] = "b" 27 | BY DEF TypeOK, symbols, Nat 28 | <1>2. f[y] = "a" \/ f[y] = "b" 29 | BY DEF TypeOK, symbols, Nat 30 | <1>3. f[z] = "a" \/ f[z] = "b" 31 | BY DEF TypeOK, symbols, Nat 32 | <1>. QED BY <1>1,<1>2,<1>3, SMT DEF TypeOK, TwoEqualSymbols, Nat 33 | 34 | 35 | 36 | 37 | ============================================================================= 38 | \* Modification History 39 | \* Last modified Wed Jan 07 09:46:10 CET 2015 by marty 40 | \* Created Tue Jan 06 11:16:11 CET 2015 by marty 41 | -------------------------------------------------------------------------------- /test/tla/NTape2.tla: -------------------------------------------------------------------------------- 1 | ------------------------------- MODULE NTape2 ------------------------------- 2 | EXTENDS Naturals, TLAPS 3 | 4 | CONSTANT f 5 | VARIABLES x,h 6 | 7 | symbols == {"a", "b" } 8 | 9 | TypeOK == f \in [Nat -> symbols] /\ 10 | h \in [Nat -> Nat] 11 | 12 | TwoEqualSymbols == f[0] = f[1] \/ f[0] = f[2] \/ f[1] = f[2] 13 | 14 | 15 | \*LEMMA L1 == ASSUME TypeOK, (\neg (f[0] = f[1])) /\ (\neg (f[1] = f[2])) PROVE FALSE 16 | LEMMA L1 == ASSUME TypeOK, ~TwoEqualSymbols PROVE FALSE 17 | <1>1. f[0] = "a" \/ f[0] = "b" 18 | BY DEF TypeOK, symbols, Nat 19 | <1>2. f[1] = "a" \/ f[1] = "b" 20 | BY DEF TypeOK, symbols, Nat 21 | <1>3. f[2] = "a" \/ f[2] = "b" 22 | BY DEF TypeOK, symbols, Nat 23 | <1>. QED BY <1>1,<1>2,<1>3, SMT DEF TypeOK, TwoEqualSymbols 24 | 25 | LEMMA L2 == ASSUME TypeOK PROVE TwoEqualSymbols 26 | <1>1. f[0] = "a" \/ f[0] = "b" 27 | BY DEF TypeOK, symbols, Nat 28 | <1>2. f[1] = "a" \/ f[1] = "b" 29 | BY DEF TypeOK, symbols, Nat 30 | <1>3. f[2] = "a" \/ f[2] = "b" 31 | BY DEF TypeOK, symbols, Nat 32 | <1>. QED BY <1>1,<1>2,<1>3, SMT DEF TypeOK, TwoEqualSymbols 33 | 34 | 35 | 36 | 37 | ============================================================================= 38 | \* Modification History 39 | \* Last modified Tue May 19 15:47:07 CEST 2015 by marty 40 | \* Created Tue Jan 06 11:16:11 CET 2015 by marty 41 | -------------------------------------------------------------------------------- /test/tla/NTape3.tla: -------------------------------------------------------------------------------- 1 | ------------------------------- MODULE NTape3 ------------------------------- 2 | EXTENDS Naturals, TLAPS 3 | 4 | CONSTANT f 5 | VARIABLES h0,h1,m 6 | 7 | symbols == {"a", "b" } 8 | 9 | TypeOK == f \in [Nat -> symbols] /\ 10 | h0 \in [Nat -> Nat] /\ 11 | h1 \in [Nat -> Nat] /\ 12 | m \in Nat 13 | 14 | (* expresses that g is monotonic up to n *) 15 | MON(g,n) == \A i, j \in 0 .. n : (i g[i] < g[j]) 16 | (* expresses that s occurs n times up to n *) 17 | NOCC(g,n,s) == \A i \in 0 .. n : (f[g[i]] = s) 18 | 19 | (* main lemma: the function g in is monotonic up to n and indexes n symbols s *) 20 | A(g,n,s) == MON(g,n) \land NOCC(g,n,s) 21 | 22 | I(s) == \A n \in Nat : \E k \in Nat : n < k /\ f[k] = s 23 | 24 | IncM == m' = m+1 25 | 26 | 27 | Init == /\ m = 0 28 | /\ h0[0] = CHOOSE p \in Nat : f[h0[0]] = "a" 29 | /\ h1[0] = CHOOSE p \in Nat : f[h1[0]] = "b" 30 | 31 | Next == /\ m' = m +1 32 | /\ h0' = [h0 EXCEPT ![m+1] = CHOOSE p \in Nat : h0[m]

LemmaInv 43 | <1> SUFFICES ASSUME Init, TypeOK, I("a") \/ I("b"), NEW pos \in Nat PROVE LemmaInv 44 | OBVIOUS 45 | <1>1 f[pos] = "a" \/ f[pos] = "b" BY DEF TypeOK, symbols 46 | <1>2 (f[pos] = "a" /\ CHOOSE p \in Nat : f[h0[0]] = "a") => \E q \in Nat : f[h0[0]] = "a" 47 | <2>1. ASSUME NEW p \in Nat, f[h0[0]] = "a" 48 | PROVE f[h0[0]] = "a" 49 | (* <2>1. (CHOOSE p \in Nat : f[h0[0]] = "a") => f[h0[0]] = "a" OBVIOUS *) 50 | <2>. QED BY <2>1 51 | <1>3 f[pos] = "b" /\ CHOOSE p \in Nat : f[h1[0]] = "b" => \E q \in Nat : f[h1[0]] = "b" 52 | <1> QED BY <1>1, <1>2, <1>3 DEF Init, TypeOK, LemmaInv, I 53 | 54 | 55 | Inv == [](NOCC(h0,m,"a") \/ NOCC(h1,m,"b")) 56 | 57 | LEMMA ASSUME NEW CONSTANT P(_), NEW VARIABLE v PROVE []( [(ENABLED P(v))']_v) 58 | 59 | ============================================================================= 60 | \* Modification History 61 | \* Last modified Fri Mar 20 14:49:26 CET 2015 by marty 62 | \* Created Tue Jan 06 11:16:11 CET 2015 by marty 63 | -------------------------------------------------------------------------------- /test/tla/NameClashes.tla: -------------------------------------------------------------------------------- 1 | ---------------------------- MODULE NameClashes ---------------------------- 2 | 3 | VARIABLE z \* we cannot declare x here 4 | 5 | ---- MODULE sub1 ---- 6 | VARIABLE x 7 | 8 | COMPARE(u) == u = x 9 | ==== 10 | 11 | ---- MODULE sub2 ---- 12 | VARIABLE x,y 13 | 14 | CAP == ENABLED (x' # y') 15 | ==== 16 | 17 | S == INSTANCE sub1 WITH x <- z 18 | T == INSTANCE sub2 WITH x <- 0, y <- 0 19 | 20 | THEOREM T!CAP BY DEF T!CAP 21 | 22 | THEOREM T!CAP BY DEF T 23 | 24 | ============================================================================= 25 | \* Modification History 26 | \* Last modified Wed Apr 01 15:50:43 CEST 2015 by marty 27 | \* Created Tue Mar 31 16:24:25 CEST 2015 by marty 28 | -------------------------------------------------------------------------------- /test/tla/New.tla: -------------------------------------------------------------------------------- 1 | -------------------------------- MODULE New -------------------------------- 2 | 3 | LEMMA CONTRADICTION == ASSUME NEW A PROVE ~A 4 | 5 | LEMMA ASSUME NEW P PROVE ~P BY CONTRADICTION 6 | LEMMA ASSUME VARIABLE P PROVE ~P BY CONTRADICTION 7 | 8 | LEMMA ASSUME 9 | ASSUME NEW A PROVE ~A, 10 | NEW P 11 | PROVE ~P 12 | OBVIOUS 13 | 14 | ============================================================================= 15 | \* Modification History 16 | \* Last modified Tue Jan 20 14:38:43 CET 2015 by marty 17 | \* Created Tue Jan 20 14:38:25 CET 2015 by marty 18 | -------------------------------------------------------------------------------- /test/tla/PTL_bug.tla: -------------------------------------------------------------------------------- 1 | ---- MODULE PTL_bug ---- 2 | EXTENDS Naturals, TLAPS 3 | VARIABLE xyz 4 | 5 | Init == xyz = 0 6 | 7 | Inc(x) == xyz' = xyz+x 8 | Next == \E x \in Nat : Inc(x) 9 | Spec == Init /\ [][Next]_xyz 10 | 11 | LEMMA Spec => []Init 12 | <1>1. Init /\ [Next]_xyz => Init' 13 | <2>. SUFFICES ASSUME Init, Next PROVE Init' BY DEF Init 14 | (* the following step illustrates the error and should not be provable *) 15 | <2>1. ASSUME NEW x \in Nat, Inc(x) PROVE Init' BY SMT \* sm: correctly fails (2018-04-20) 16 | <2>. QED BY <2>1 DEF Next 17 | <1>. QED BY <1>1, PTL DEF Spec 18 | =============================== 19 | -------------------------------------------------------------------------------- /test/tla/SetsAndTuples.tla: -------------------------------------------------------------------------------- 1 | --------------------------- MODULE SetsAndTuples --------------------------- 2 | 3 | VARIABLE x,y 4 | 5 | S1 == {1,2,3} 6 | S2 == {3,4,5} 7 | Set == S1 \times S2 8 | 9 | TYPEOK == /\ x \in S1 10 | /\ y \in S2 11 | 12 | \* QTUPLE == \E <> \in Set : u = v \*cannot be parsed by tlapm v1 13 | 14 | LEMMA x \in { y => y /\ y} 15 | 16 | ============================================================================= 17 | \* Modification History 18 | \* Last modified Tue Jan 27 16:34:24 CET 2015 by marty 19 | \* Created Tue Jan 27 16:07:55 CET 2015 by marty 20 | -------------------------------------------------------------------------------- /test/tla/SimpleImport1.tla: -------------------------------------------------------------------------------- 1 | --------------------------- MODULE SimpleImport1 --------------------------- 2 | 3 | VARIABLES x,y 4 | 5 | EQ1 == x = y 6 | 7 | ============================================================================= 8 | \* Modification History 9 | \* Last modified Tue Jan 27 14:45:07 CET 2015 by marty 10 | \* Created Tue Jan 27 14:33:19 CET 2015 by marty 11 | -------------------------------------------------------------------------------- /test/tla/SimpleImport1a.tla: -------------------------------------------------------------------------------- 1 | --------------------------- MODULE SimpleImport1a --------------------------- 2 | 3 | VARIABLE x 4 | 5 | EQ1 == x =x 6 | 7 | 8 | ============================================================================= 9 | \* Modification History 10 | \* Last modified Tue Jan 27 15:48:10 CET 2015 by marty 11 | \* Created Tue Jan 27 14:59:01 CET 2015 by marty 12 | -------------------------------------------------------------------------------- /test/tla/SimpleImport2.tla: -------------------------------------------------------------------------------- 1 | --------------------------- MODULE SimpleImport2 --------------------------- 2 | 3 | VARIABLE x 4 | 5 | I == INSTANCE SimpleImport1 WITH x <- 123, y <- 123 6 | J == INSTANCE SimpleImport1a WITH x <- 1234 \* level 0 substitution 7 | K == INSTANCE SimpleImport1a WITH x <- x \* level 1 substitution 8 | \* L == INSTANCE SimpleImport1a WITH x <- 1' \* level 2 substitution -- not supposed to parse 9 | \* M == INSTANCE SimpleImport1a WITH x <- [](1=1) \* level 3 substitution -- not supposed to parse 10 | 11 | BOX(z) == []z 12 | PRIME(z) == z' 13 | 14 | LEMMA I!EQ1 BY DEF I!EQ1 15 | LEMMA J!EQ1 BY DEF J!EQ1 16 | LEMMA K!EQ1 BY DEF K!EQ1 17 | 18 | 19 | ============================================================================= 20 | \* Modification History 21 | \* Last modified Tue Jan 27 15:48:27 CET 2015 by marty 22 | \* Created Tue Jan 27 14:34:50 CET 2015 by marty 23 | -------------------------------------------------------------------------------- /test/tla/Temporal1.tla: -------------------------------------------------------------------------------- 1 | ----------------------------- MODULE Temporal1 ----------------------------- 2 | EXTENDS TLAPS 3 | 4 | (* This is an example from the TLA book *) 5 | THEOREM DeductionPrinciple == ASSUME NEW ACTION A, 6 | NEW ACTION B, 7 | ASSUME A PROVE B 8 | PROVE A => B 9 | 10 | THEOREM AddBox == ASSUME NEW STATE P, P PROVE []P 11 | THEOREM RemoveBoxPrime == ASSUME NEW STATE P, []P PROVE P' 12 | 13 | (***************************************************************************) 14 | (* The temporal proof steps in the following lemmas are expected to fail *) 15 | (* because they do not follow the semantics of temporal reasoning in TLA+2.*) 16 | (***************************************************************************) 17 | 18 | VARIABLE x 19 | 20 | THEOREM (x=1) => (x=1)' 21 | <1>1. ASSUME x=1 PROVE (x=1)' 22 | <2>1. [](x=1) BY x=1, AddBox 23 | <2>2. QED BY <2>1, RemoveBoxPrime 24 | <1>2. QED BY <1>1, DeductionPrinciple 25 | 26 | 27 | VARIABLE F 28 | 29 | THEOREM []F => [][]F 30 | <1>1. ASSUME []F PROVE [][]F BY LS4 31 | <1>2. QED BY <1>1 32 | 33 | 34 | ============================================================================= 35 | \* Modification History 36 | \* Last modified Fri Apr 20 15:50:32 CEST 2018 by merz 37 | \* Last modified Fri Jan 16 11:12:28 CET 2015 by marty 38 | \* Created Thu Jan 15 16:04:57 CET 2015 by marty 39 | -------------------------------------------------------------------------------- /test/tla/Testing.tla: -------------------------------------------------------------------------------- 1 | ------------------------------ MODULE Testing ------------------------------ 2 | \* can be used as annotation for the tests to denote failing obligations 3 | \* e.g.: LEMMA \A x: x # x BY ShouldFail 4 | 5 | ShouldFail == TRUE 6 | ShouldSucceed == TRUE 7 | IsTrue == TRUE 8 | IsFalse == TRUE 9 | 10 | ============================================================================= 11 | \* Modification History 12 | \* Last modified Wed Dec 14 15:50:39 CET 2016 by marty 13 | \* Created Wed Oct 07 12:12:00 CEST 2015 by marty 14 | -------------------------------------------------------------------------------- /test/tla/UserDefOp.tla: -------------------------------------------------------------------------------- 1 | ----------------------------- MODULE UserDefOp ----------------------------- 2 | 3 | ConstantOp == TRUE 4 | Operator(x,y) == x = y 5 | 6 | LEMMA Operator(1,1) BY DEF Operator 7 | 8 | ============================================================================= 9 | \* Modification History 10 | \* Last modified Mon Feb 09 13:49:29 CET 2015 by marty 11 | \* Created Mon Feb 09 10:58:26 CET 2015 by marty 12 | -------------------------------------------------------------------------------- /test/tla/assume_prove.tla: -------------------------------------------------------------------------------- 1 | ---------------------------- MODULE assume_prove ---------------------------- 2 | 3 | EXTENDS TLAPS, Naturals 4 | 5 | THEOREM MP == \A p,q : (p /\ (p => q)) => q 6 | <1>6 TAKE C,D 7 | <1>7 (C /\ (C => D)) => D BY Isa 8 | <1> QED BY <1>7 9 | 10 | THEOREM MP2 == \A p,q : (p /\ (p => q)) => q 11 | <1>1 SUFFICES ASSUME NEW P, NEW Q, P, P=>Q PROVE Q OBVIOUS 12 | <1> QED BY <1>1 13 | 14 | THEOREM MP3 == \A p,q : (p /\ (p => q)) => q 15 | <1>1 ASSUME NEW P, NEW Q, P, P=>Q PROVE Q BY <1>1, Isa 16 | <1>2 ASSUME NEW VARIABLE P, NEW VARIABLE Q, P, P=>Q PROVE Q BY <1>2 17 | <1>3 ASSUME NEW STATE P, NEW STATE Q, P/\Q, P=>Q PROVE Q BY <1>3 18 | <1>4 ASSUME NEW TEMPORAL P, NEW TEMPORAL Q, P, P=>Q PROVE Q BY <1>4 19 | <1>5 PICK A,B : (A /\ A => B) => B OBVIOUS 20 | <1>6 TAKE C,D 21 | <1>7 (C /\ (C => D)) => D BY Isa 22 | <1> QED OBVIOUS 23 | 24 | \* sm: this one fails, as it should (e.g. consider p <=> q) 25 | THEOREM INTER == \A p, q : (p => q) => (\E i : (p => i) /\ (i => q) /\ ~(i => p) /\ ~(p => i) ) 26 | <1> QED BY Zenon 27 | 28 | LEMMA ASSUME NEW P \in {} PROVE P OBVIOUS 29 | LEMMA ASSUME NEW P \in {TRUE} PROVE P OBVIOUS 30 | LEMMA ASSUME NEW P \in {FALSE} PROVE ~P OBVIOUS 31 | LEMMA ASSUME NEW P \in {TRUE,FALSE, 0} PROVE ~P \/ P OBVIOUS 32 | 33 | 34 | LEMMA 0 \in {TRUE, FALSE} BY Isa, Zenon 35 | LEMMA ~ (0 \in {TRUE, FALSE}) BY Isa, Zenon 36 | 37 | LEMMA 0 \/ ~ 0 OBVIOUS 38 | LEMMA 1+1 \/ ~ 2 BY Isa 39 | 40 | \* sm: no proof provided, but this one is actually false in ZF set theory 41 | LEMMA \E p : p \in p 42 | 43 | LEMMA ASSUME NEW P, NEW Q, P # Q PROVE P => ~Q OBVIOUS 44 | 45 | ============================================================================= 46 | \* Modification History 47 | \* Last modified Fri Apr 20 13:59:40 CEST 2018 by merz 48 | \* Last modified Thu Sep 03 18:31:38 CEST 2015 by marty 49 | \* Created Thu Sep 03 14:16:58 CEST 2015 by marty 50 | -------------------------------------------------------------------------------- /test/tla/at.tla: -------------------------------------------------------------------------------- 1 | --------------------------------- MODULE at --------------------------------- 2 | 3 | EXTENDS Naturals, TLC 4 | 5 | \* perhaps NoAssign should move to expression testing 6 | NoAssign == [ test |-> "" ] \* testing empty string assignations 7 | LEMMA NoAssign.test = "" BY DEF NoAssign 8 | 9 | VARIABLE f 10 | 11 | Init == f = [r1 |-> 100, r2 |-> 20, r3 |-> "abc"] 12 | 13 | Next == f' = [f EXCEPT !.r1 = @ +2, !.r1 = @+3 ] 14 | Next2 == f' = [f EXCEPT !.r1 = @ +2] @@ [f EXCEPT !.r1 = @+3 ] 15 | 16 | LEMMA [ f EXCEPT ![42] = 2 * @] = [ f EXCEPT ![42] = 2 * f [42] ] OBVIOUS \* this is from the tla book 17 | 18 | LEMMA ASSUME Init, Next PROVE f'.r1 = 103 19 | <1> QED BY DEF Init, Next 20 | 21 | LEMMA ASSUME Init, Next PROVE f'.r1 = 103 22 | <1> QED BY DEF Init, Next 23 | 24 | 25 | ============================================================================= 26 | \* Modification History 27 | \* Last modified Fri Apr 20 14:07:56 CEST 2018 by merz 28 | \* Last modified Tue Apr 04 10:37:14 CEST 2017 by marty 29 | \* Created Fri Feb 20 13:41:37 CET 2015 by marty 30 | -------------------------------------------------------------------------------- /test/tla/basic_equality.tla: -------------------------------------------------------------------------------- 1 | --------------------------- MODULE basic_equality --------------------------- 2 | 3 | \* theorems T1-3 are provable, because TLA has the constants TRUE and FALSE 4 | \* and an axiom stating TRUE # FALSE. Therefore forcing the domain to one 5 | \* element is inconsistent. 6 | THEOREM T1 == (\A x, y : x = y) => (\E u,v : u # v) OBVIOUS 7 | 8 | CONSTANT a,b 9 | THEOREM T2 == (\A x, y : x = y) => a # b OBVIOUS 10 | 11 | THEOREM T3 == (\A x, y : x = y) => FALSE OBVIOUS 12 | 13 | ============================================================================= 14 | \* Modification History 15 | \* Last modified Fri Nov 20 11:57:26 CET 2015 by marty 16 | \* Created Fri Nov 20 11:01:26 CET 2015 by marty 17 | -------------------------------------------------------------------------------- /test/tla/bugs/TestBug120116.tla: -------------------------------------------------------------------------------- 1 | --------------------------- MODULE TestBug120116 --------------------------- 2 | 3 | EXTENDS Integers, TLC 4 | 5 | VARIABLE x 6 | Type == x \in BOOLEAN 7 | Init == x = TRUE 8 | 9 | THEOREM Init => Type 10 | BY DEF Type, Init 11 | 12 | Inv == 13 | /\ IF {i \in {1,3,3,3,4} : i > 1} # {4,3} 14 | THEN Assert(FALSE, "Test (1 Failed") 15 | ELSE Print("Test 1 ]OK)", TRUE) 16 | \* comment this conjunct to make the error disappear 17 | /\ IF {<> \in {1,2} \X {2,3} : j > i} # {<<1,2>>, <<1,3>>, <<2,3>>} 18 | THEN Assert(FALSE, "Test 2 Failed") 19 | ELSE Print("Test 2 OK", TRUE) 20 | 21 | ============================================================================= 22 | \* Modification History 23 | \* Last modified Mon Jan 19 16:05:11 CET 2015 by marty 24 | \* Created Mon Jan 19 16:02:56 CET 2015 by marty 25 | -------------------------------------------------------------------------------- /test/tla/bugs/TestBug121005A.tla: -------------------------------------------------------------------------------- 1 | --------------------------- MODULE TestBug121005A --------------------------- 2 | 3 | EXTENDS Naturals, TLAPS 4 | 5 | CONSTANT n 6 | ASSUME InNat == n \in Nat 7 | 8 | THEOREM TwoN == 2*n \in Nat 9 | BY InNat 10 | 11 | ============================================================================= 12 | \* Modification History 13 | \* Last modified Mon Jan 19 16:14:37 CET 2015 by marty 14 | \* Created Mon Jan 19 16:14:27 CET 2015 by marty 15 | -------------------------------------------------------------------------------- /test/tla/bugs/TestBug121005B.tla: -------------------------------------------------------------------------------- 1 | --------------------------- MODULE TestBug121005B --------------------------- 2 | 3 | EXTENDS Naturals, TLAPS 4 | 5 | P(n) == INSTANCE TestBug121005A 6 | 7 | THEOREM DoubleOne == P(1)!TwoN 8 | BY SMT 9 | 10 | ============================================================================= 11 | \* Modification History 12 | \* Last modified Mon Jan 19 16:15:42 CET 2015 by marty 13 | \* Created Mon Jan 19 16:15:18 CET 2015 by marty 14 | -------------------------------------------------------------------------------- /test/tla/bugs/TestBug130604.tla: -------------------------------------------------------------------------------- 1 | --------------------------- MODULE TestBug130604 --------------------------- 2 | 3 | EXTENDS TLC 4 | 5 | THEOREM Print("abc", TRUE) 6 | BY DEF Print 7 | 8 | 9 | ============================================================================= 10 | \* Modification History 11 | \* Last modified Mon Jan 19 10:14:07 CET 2015 by marty 12 | \* Created Mon Jan 19 10:13:29 CET 2015 by marty 13 | -------------------------------------------------------------------------------- /test/tla/bugs/TestBug130619.tla: -------------------------------------------------------------------------------- 1 | --------------------------- MODULE TestBug130619 --------------------------- 2 | 3 | EXTENDS Naturals 4 | 5 | (* this alone is parsed *) 6 | THEOREM TRUE \in {<> \in (Nat \X Nat) : TRUE} 7 | OBVIOUS \* sm (2018-04-20): it is even proved by SMT -- bug in the SMT backend!! 8 | 9 | (* adding this produces a tlapm parsing error: Operator "T1" not found *) 10 | CONSTANT Bar(_) 11 | Foo(S) == {<> \in Bar(S) \X Bar(S) : (T1 \subseteq T2) /\ (T1 # T2)} 12 | THEOREM <<1, 2>> \in Foo(Nat) 13 | OBVIOUS 14 | 15 | 16 | 17 | ============================================================================= 18 | \* Modification History 19 | \* Last modified Fri Apr 20 16:05:01 CEST 2018 by merz 20 | \* Last modified Mon Jan 19 10:51:37 CET 2015 by marty 21 | \* Created Mon Jan 19 10:49:05 CET 2015 by marty 22 | -------------------------------------------------------------------------------- /test/tla/bugs/TestBug130813.tla: -------------------------------------------------------------------------------- 1 | --------------------------- MODULE TestBug130813 --------------------------- 2 | 3 | EXTENDS Naturals, TLAPS 4 | 5 | A == [i \in {0} |-> 0] 6 | B == [A EXCEPT ![0] = @+1, ![0] = @+2] (* recursive application of @: B[0]=(A[0]+1)+2 = 3 *) 7 | 8 | Good == B[0] = 3 9 | Bad == B[0] # 3 10 | 11 | THEOREM Good BY Isa DEF Good, A, B (* This theorem should be provable *) 12 | THEOREM Bad BY Isa DEF Bad, A, B (* This theorem should not be provable *) 13 | 14 | ============================================================================= 15 | \* Modification History 16 | \* Last modified Mon Jan 19 11:38:10 CET 2015 by marty 17 | \* Created Mon Jan 19 11:35:20 CET 2015 by marty 18 | -------------------------------------------------------------------------------- /test/tla/bugs/TestBug131103.tla: -------------------------------------------------------------------------------- 1 | --------------------------- MODULE TestBug131103 --------------------------- 2 | 3 | VARIABLES x 4 | 5 | F(a) == ENABLED a 6 | 7 | THEOREM F(x')' = F(x)' 8 | OBVIOUS 9 | 10 | ============================================================================= 11 | \* Modification History 12 | \* Last modified Mon Jan 19 11:01:31 CET 2015 by marty 13 | \* Created Mon Jan 19 10:57:36 CET 2015 by marty 14 | -------------------------------------------------------------------------------- /test/tla/bugs/TestBug131128.tla: -------------------------------------------------------------------------------- 1 | --------------------------- MODULE TestBug131128 --------------------------- 2 | EXTENDS Integers, NaturalsInduction 3 | 4 | (* This is exactly GeneralNatInduction unfolded -- it is not proved automatically, because 5 | the NEW CONSTANT introduces two constants P_1 and P in the obligations *) 6 | THEOREM ASSUME NEW CONSTANT P(_), 7 | \A n \in Nat : (\A m \in 0..(n-1) : P(m)) => P(n) 8 | PROVE \A n \in Nat : P(n) 9 | BY GeneralNatInduction \* sm 2018-04-20: adding ", Blast" proves it 10 | 11 | ============================================================================= 12 | \* Modification History 13 | \* Last modified Fri Apr 20 16:10:05 CEST 2018 by merz 14 | \* Last modified Mon Jan 19 14:03:13 CET 2015 by marty 15 | \* Created Mon Jan 19 12:15:23 CET 2015 by marty 16 | -------------------------------------------------------------------------------- /test/tla/bugs/TestBug131129.tla: -------------------------------------------------------------------------------- 1 | --------------------------- MODULE TestBug131129 --------------------------- 2 | 3 | THEOREM TRUE 4 | PROOF 5 | <2>2. TRUE 6 | <2>4. QED 7 | BY <2>2, <2>4 \* sm 2018-04-20: correctly raises a warning about <2>4 being used in its proof despite not having assumptions 8 | 9 | ============================================================================= 10 | \* Modification History 11 | \* Last modified Fri Apr 20 16:12:33 CEST 2018 by merz 12 | \* Last modified Mon Jan 19 14:24:00 CET 2015 by marty 13 | \* Created Mon Jan 19 14:23:19 CET 2015 by marty 14 | -------------------------------------------------------------------------------- /test/tla/bugs/TestBug140130.tla: -------------------------------------------------------------------------------- 1 | --------------------------- MODULE TestBug140130 --------------------------- 2 | VARIABLES A,B,C 3 | 4 | THEOREM C 5 | <3>4a. ASSUME A, B PROVE C BY <3>4a \* sm 2018-04-20: fails – why is this a bug? 6 | <3> QED 7 | 8 | 9 | 10 | ============================================================================= 11 | \* Modification History 12 | \* Last modified Fri Apr 20 16:13:25 CEST 2018 by merz 13 | \* Last modified Mon Jan 19 14:37:38 CET 2015 by marty 14 | \* Created Mon Jan 19 14:34:22 CET 2015 by marty 15 | -------------------------------------------------------------------------------- /test/tla/bugs/TestBug140131A.tla: -------------------------------------------------------------------------------- 1 | --------------------------- MODULE TestBug140131A --------------------------- 2 | 3 | 4 | ============================================================================= 5 | \* Modification History 6 | \* Created Mon Jan 19 15:15:21 CET 2015 by marty 7 | -------------------------------------------------------------------------------- /test/tla/bugs/TestBug140131B.tla: -------------------------------------------------------------------------------- 1 | --------------------------- MODULE TestBug140131B --------------------------- 2 | 3 | (* This produces an error: Module "TestBug140131A" unknown *) 4 | THEOREM FALSE 5 | <1> M == INSTANCE TestBug140131A 6 | <1> QED 7 | 8 | (* This produces a tlapm parsing error 9 | THEOREM FALSE 10 | <1> INSTANCE TestBug140131A 11 | <1> QED 12 | *) 13 | 14 | ============================================================================= 15 | \* Modification History 16 | \* Last modified Mon Jan 19 15:21:35 CET 2015 by marty 17 | \* Created Mon Jan 19 15:15:57 CET 2015 by marty 18 | -------------------------------------------------------------------------------- /test/tla/bugs/TestBug140521.tla: -------------------------------------------------------------------------------- 1 | --------------------------- MODULE TestBug140521 --------------------------- 2 | 3 | EXTENDS TLAPS 4 | 5 | Foo == []TRUE 6 | THEOREM Foo => [](1=1) 7 | \* <1>1. SUFFICES ASSUME []Foo \* uncomment this line first, compile the full proof 8 | <1>1. SUFFICES ASSUME Foo \* then comment the line above and uncomment this one, compile everything again 9 | PROVE [](1=1) 10 | BY PTL DEF Foo 11 | <1>2. 1=1 12 | OBVIOUS 13 | <1>3. QED 14 | BY <1>2, PTL 15 | 16 | 17 | 18 | ============================================================================= 19 | \* Modification History 20 | \* Last modified Fri Apr 20 16:16:59 CEST 2018 by merz 21 | \* Last modified Mon Jan 19 15:51:19 CET 2015 by marty 22 | \* Created Mon Jan 19 15:28:15 CET 2015 by marty 23 | -------------------------------------------------------------------------------- /test/tla/builtins.tla: -------------------------------------------------------------------------------- 1 | ------------------------------ MODULE builtins ------------------------------ 2 | 3 | EXTENDS Naturals 4 | 5 | \* this file tries to enumerate all builtins, the statements themselves are nonsensical 6 | 7 | LEMMA (TRUE \/ FALSE) /\ TRUE 8 | LEMMA (TRUE = TRUE) => (FALSE # TRUE) 9 | LEMMA [] TRUE /\ ~ [] FALSE 10 | LEMMA ASSUME NEW VARIABLE x PROVE ([][x#x']_x) \/ (<><>_x) 11 | LEMMA ASSUME NEW VARIABLE x PROVE TRUE.FALSE \/ TRUE ~> FALSE \/ (WF_<> (x=x')) \/ (SF_<> (x=x')) 12 | LEMMA {} # {0} 13 | LEMMA {} \in SUBSET {} 14 | LEMMA ASSUME NEW P(_) PROVE P(CHOOSE x : P(x)) => \E x : P(x) 15 | LEMMA ASSUME NEW P(_) PROVE (\A x : P(x)) => (\E x : P(x)) 16 | LEMMA ASSUME NEW P(_) PROVE (\AA x : P(x)) => (\EE x : P(x)) 17 | 18 | LEMMA ASSUME NEW P(_) PROVE (\A x \in Nat : P(x)) => (\E x \in Nat: P(x)) 19 | 20 | \* naturals 21 | 22 | LEMMA {1..10} # 1..10 23 | 24 | 25 | 26 | 27 | ============================================================================= 28 | \* Modification History 29 | \* Last modified Wed Apr 12 17:36:26 CEST 2017 by marty 30 | \* Created Mon Apr 10 13:27:00 CEST 2017 by marty 31 | -------------------------------------------------------------------------------- /test/tla/case_take_use_hide.tla: -------------------------------------------------------------------------------- 1 | ------------------------- MODULE case_take_use_hide ------------------------- 2 | 3 | EXTENDS Naturals, TLAPS, Testing 4 | 5 | Even(x) == x % 2 = 0 6 | Odd(x) == x % 2 = 1 7 | 8 | THEOREM \A x \in Nat : Even(x+x) 9 | BY Z3 DEF Even 10 | 11 | MODAxiom(x,y) == (x \in Nat /\ y \in Nat) => ((x % 2) + (y % 2)) % 2 = (x+y)%2 12 | 13 | THEOREM Mod == \A x,y : MODAxiom(x,y) OMITTED 14 | 15 | THEOREM T1 == \A x \in Nat: Even(x+x) 16 | <1>a TAKE x \in Nat 17 | <1>1 CASE Even(x) 18 | <2> USE <1>1, Mod 19 | <2> ((x % 2) + (x % 2)) % 2 = (x+x)%2 BY DEF MODAxiom 20 | <2> DEFINE A == x%2 21 | <2> HIDE DEF A 22 | <2> A = 0 => (A + A) % 2 = (0+0) %2 BY SMT DEF Even 23 | <2> QED BY DEF Even, A 24 | <1>2 CASE Odd(x) 25 | <2> USE <1>2, Mod 26 | <2> ((x % 2) + (x % 2)) % 2 = (x+x)%2 BY DEF MODAxiom 27 | <2> DEFINE A == x%2 28 | <2> HIDE DEF A 29 | <2> A = 1 => (A + A) % 2 = (1+1) %2 BY SMT DEF Even 30 | <2> QED BY DEF Even, Odd, A 31 | <1>3 Even(x) \/ Odd(x) BY DEF Even, Odd 32 | <1> QED BY <1>1, <1>2, <1>3 33 | 34 | \* tests using proof steps as formulas 35 | CONSTANT a,b 36 | THEOREM T2 == TRUE 37 | <1>1 a = b BY ShouldFail 38 | <1>2 <1>1 => (a=b) OBVIOUS 39 | <1> QED OBVIOUS 40 | 41 | 42 | \* tests USE of an unprovable theorem which then is easily provable 43 | THEOREM FALSE 44 | <1> USE \A x : x = 0, ShouldFail \* the resulting obligation must fail 45 | <1> QED OBVIOUS 46 | 47 | THEOREM FALSE 48 | <1>1 1=2 BY ShouldFail 49 | <1> QED 50 | <2> USE <1>1 51 | <2> QED OBVIOUS 52 | 53 | ============================================================================= 54 | \* Modification History 55 | \* Last modified Mon Apr 10 17:45:22 CEST 2017 by marty 56 | \* Created Mon Oct 26 15:01:26 CET 2015 by marty 57 | -------------------------------------------------------------------------------- /test/tla/cyclic.tla: -------------------------------------------------------------------------------- 1 | ------------------------------- MODULE cyclic ------------------------------- 2 | 3 | THEOREM 1=1 4 | <1>1. ASSUME NEW c, c=1 PROVE 1=1 /\ 1=c BY <1>1 5 | <1> QED BY <1>1 6 | 7 | ============================================================================= 8 | \* Modification History 9 | \* Last modified Tue Mar 24 16:13:14 CET 2015 by marty 10 | \* Created Tue Mar 24 15:02:19 CET 2015 by marty 11 | -------------------------------------------------------------------------------- /test/tla/empty.tla: -------------------------------------------------------------------------------- 1 | ------------------------------- MODULE empty ------------------------------- 2 | 3 | 4 | ============================================================================= 5 | \* Modification History 6 | \* Created Wed Feb 04 13:26:54 CET 2015 by marty 7 | -------------------------------------------------------------------------------- /test/tla/enabled.tla: -------------------------------------------------------------------------------- 1 | ------------------------------ MODULE enabled ------------------------------ 2 | EXTENDS TLAPS, Testing 3 | VARIABLE x,y 4 | 5 | LEMMA ENABLED(x'=0 /\ y'=1) BY PTL, IsaT(60) 6 | 7 | CONSTANT s 8 | 9 | Dummy(Op(_),u) == Op(u) 10 | 11 | LEMMA Dummy(LAMBDA v: v = v', s) BY Isa DEF Dummy \* this should be provable 12 | 13 | NextEQ(u) == ENABLED( u # u') 14 | LEMMA \neg NextEQ(0) BY DEF NextEQ 15 | 16 | 17 | ============================================================================= 18 | \* Modification History 19 | \* Last modified Thu Dec 15 14:53:39 CET 2016 by marty 20 | \* Created Tue Jul 07 13:59:12 CEST 2015 by marty 21 | -------------------------------------------------------------------------------- /test/tla/enabled2.tla: -------------------------------------------------------------------------------- 1 | ------------------------------ MODULE enabled2 ------------------------------ 2 | EXTENDS TLAPS, Testing 3 | 4 | \* some (non-)identities about enabled 5 | 6 | ---- MODULE Foo ---- 7 | 8 | VARIABLE bar 9 | D == ENABLED (bar # bar') 10 | 11 | ==== 12 | 13 | E0 == ENABLED (0 # 0') 14 | E(z) == ENABLED (z # z') 15 | I == INSTANCE Foo WITH bar <- 0 16 | 17 | LEMMA I!D # E0 BY DEF E0, I!D, IsTrue, ShouldSucceed 18 | LEMMA E(0) # I!D BY DEF I!D, E, IsTrue, ShouldSucceed 19 | LEMMA E(0) = E0 BY DEF E, E0, IsTrue, ShouldSucceed \* see def of I!G in Specifying Systems 17.8, p336 20 | 21 | LEMMA I!D = E0 BY DEF E0, I!D, IsFalse, ShouldFail \* this is a bug in tlapm v1!!! 22 | LEMMA E(0) = E0 BY DEF E, E0, IsFalse, ShouldFail \* again this is a bug in tlapm v1 23 | 24 | 25 | ============================================================================= 26 | \* Modification History 27 | \* Last modified Mon Feb 13 14:18:37 CET 2017 by marty 28 | \* Created Tue Jul 07 13:59:12 CEST 2015 by marty 29 | -------------------------------------------------------------------------------- /test/tla/enabled3.tla: -------------------------------------------------------------------------------- 1 | ------------------------------ MODULE enabled3 ------------------------------ 2 | 3 | ---- MODULE Foo ---- 4 | VARIABLE x 5 | 6 | S == {1,2} 7 | 8 | D(u) == ENABLED (x' \in S /\ u' \in S /\ x' # u') 9 | Dx == ENABLED (x ' \in S /\ x' \in S /\ x' # x') 10 | 11 | \* E(u) == ENABLED (x' \in S /\ u \in S /\ x' # u) 12 | 13 | Init == x = 1 14 | Next == x' = x 15 | 16 | Spec == Init /\ [][Next]_x 17 | 18 | THEOREM T == Spec => []~D(x) 19 | 20 | THEOREM Dx <=> D(x) 21 | 22 | ==== 23 | 24 | VARIABLE a 25 | 26 | I == INSTANCE Foo WITH x <- a 27 | 28 | THEOREM T2 == I!Spec => [] I!D(a) BY DEF I!Spec, I!Init, I!Next, I!D 29 | 30 | 31 | ============================================================================= 32 | \* Modification History 33 | \* Last modified Wed Mar 01 17:14:15 CET 2017 by marty 34 | \* Created Fri Jan 06 17:32:56 CET 2017 by marty 35 | -------------------------------------------------------------------------------- /test/tla/enabled4.tla: -------------------------------------------------------------------------------- 1 | ------------------------------ MODULE enabled4 ------------------------------ 2 | EXTENDS Naturals, TLC 3 | 4 | VARIABLE x 5 | 6 | S == {1,2} 7 | 8 | ---- MODULE Foo ---- 9 | 10 | VARIABLE v 11 | 12 | D(fp) == ENABLED (fp # v') 13 | E(fp) == ENABLED (fp = v') 14 | 15 | ==== 16 | 17 | VARIABLE a 18 | 19 | I(fp) == INSTANCE Foo WITH v <- fp 20 | 21 | LEMMA I(a)!D(a) BY DEF I!D 22 | 23 | 24 | ============================================================================= 25 | \* Modification History 26 | \* Last modified Fri Apr 20 14:32:02 CEST 2018 by merz 27 | \* Last modified Tue Feb 14 14:32:21 CET 2017 by marty 28 | \* Created Mon Feb 13 18:17:47 CET 2017 by marty 29 | -------------------------------------------------------------------------------- /test/tla/expr.tla: -------------------------------------------------------------------------------- 1 | -------------------------------- MODULE expr -------------------------------- 2 | EXTENDS Naturals 3 | 4 | String == "abcdef" \* string node 5 | EmptyString == "" \* string node 6 | Num == 11233444223 \* numeral node 7 | \* LargeNum == 11233444223123345555555124 \* numeral node \* TODO: handle big int 8 | Decimal == 123.22001 \* decimal 9 | \* LargeDecimal == 1221387687123.2200112287897987 \* decimal \* TODO: handle big int 10 | ite == IF 1 THEN TRUE ELSE "somestring" \* an if then else statement 11 | 12 | tuple0 == <<>> 13 | tuple1 == <<0,1>> 14 | tuple2 == <<0, <<1,2>> >> 15 | tuple3 == <<0, 1, 2 >> 16 | 17 | \* cannot be parsed by TLAPM v1.x 18 | set0 == \A <<>> \in {} : TRUE 19 | set1 == \A <> \in {} : TRUE 20 | \* set3 == \A << <>,<> >> \in {} : TRUE \* sany doesn't allow nested tuples 21 | set4 == \A <> \in {} : TRUE 22 | 23 | qfset1(x) == x \in {} 24 | qfset2(x) == <> \in {} 25 | qfset3(x,y) == <> \in {} 26 | qfset4(x,y) == <> >> \in {} 27 | qfset5(x,y) == << <>, <> >> \in {} 28 | qfset6(x,y) == <> \in {} 29 | 30 | 31 | ============================================================================= 32 | \* Modification History 33 | \* Last modified Tue Dec 08 15:25:44 CET 2015 by marty 34 | \* Created Fri Feb 20 16:04:14 CET 2015 by marty 35 | -------------------------------------------------------------------------------- /test/tla/extends_use_def.tla: -------------------------------------------------------------------------------- 1 | -------------------------- MODULE extends_use_def -------------------------- 2 | 3 | ------- MODULE inner ------ 4 | 5 | D(x) == x' 6 | 7 | USE DEF D 8 | 9 | ==== 10 | 11 | ------- MODULE outer ------- 12 | EXTENDS inner 13 | 14 | LEMMA \A y : (D(y) = y') OBVIOUS 15 | 16 | LEMMA \A y : (D(y) = y') BY DEF D 17 | 18 | ==== 19 | 20 | 21 | ============================================================================= 22 | \* Modification History 23 | \* Last modified Tue Jan 26 17:21:30 CET 2016 by marty 24 | \* Created Tue Jan 26 14:51:48 CET 2016 by marty 25 | -------------------------------------------------------------------------------- /test/tla/extends_use_def_inner.tla: -------------------------------------------------------------------------------- 1 | ----------------------- MODULE extends_use_def_inner ----------------------- 2 | 3 | D(x) == x' 4 | 5 | USE DEF D 6 | 7 | \* fails, obviously 8 | THEOREM T == FALSE OBVIOUS 9 | 10 | USE 1=1 11 | 12 | ============================================================================= 13 | \* Modification History 14 | \* Last modified Fri Apr 20 14:39:04 CEST 2018 by merz 15 | \* Last modified Wed Jan 27 10:51:38 CET 2016 by marty 16 | \* Created Tue Jan 26 15:15:50 CET 2016 by marty 17 | -------------------------------------------------------------------------------- /test/tla/extends_use_def_outer.tla: -------------------------------------------------------------------------------- 1 | ----------------------- MODULE extends_use_def_outer ----------------------- 2 | 3 | EXTENDS extends_use_def_inner 4 | 5 | LEMMA \A y : (D(y) = y') OBVIOUS \* cannot be proved 6 | 7 | LEMMA \A y : (D(y) = y') BY DEF D 8 | 9 | ============================================================================= 10 | \* Modification History 11 | \* Last modified Fri Apr 20 14:40:20 CEST 2018 by merz 12 | \* Last modified Tue Jan 26 15:17:26 CET 2016 by marty 13 | \* Created Tue Jan 26 15:16:36 CET 2016 by marty 14 | -------------------------------------------------------------------------------- /test/tla/false_proves_false.tla: -------------------------------------------------------------------------------- 1 | ------------------------- MODULE false_proves_false ------------------------- 2 | 3 | LEMMA ASSUME FALSE PROVE FALSE OBVIOUS 4 | 5 | 6 | ============================================================================= 7 | \* Modification History 8 | \* Last modified Tue Mar 29 10:49:44 CEST 2016 by marty 9 | \* Created Tue Mar 29 10:49:29 CEST 2016 by marty 10 | -------------------------------------------------------------------------------- /test/tla/fuel.tla: -------------------------------------------------------------------------------- 1 | -------------------------------- MODULE fuel -------------------------------- 2 | EXTENDS Naturals 3 | 4 | \* abstract specification of a car which goes on, but stops at some point 5 | ---- MODULE acar ---- 6 | VARIABLE x 7 | 8 | Spec == x=0 /\ [] [x'=x+1]_x /\ <>[] [FALSE]_x 9 | 10 | ==== 11 | 12 | \* concrete implementation with a fueltank which runs out 13 | ---- MODULE ccar ---- 14 | VARIABLES x 15 | 16 | Spec(t) == t \in Nat /\ x = 0 /\ [][t>0 /\ x' = x +1 /\ t' = t +1]_<> 17 | InterfaceSpec == \EE f : Spec(f) 18 | 19 | \* sm: v1-tlapm throws a syntax error when attempting to prove this 20 | THEOREM ASSUME NEW VARIABLE fuel 21 | PROVE Spec(fuel) => InterfaceSpec BY DEF Spec, InterfaceSpec 22 | 23 | ==== 24 | 25 | VARIABLE x 26 | 27 | Abstract == INSTANCE acar 28 | 29 | Concrete == INSTANCE ccar 30 | 31 | \* sm: v1-tlapm doesn't handle this due to \EE being unimplemented 32 | THEOREM Concrete!InterfaceSpec => Abstract!Spec 33 | BY DEF Concrete!InterfaceSpec, Concrete!Spec, Abstract!Spec 34 | 35 | 36 | ============================================================================= 37 | \* Modification History 38 | \* Last modified Fri Apr 20 14:45:30 CEST 2018 by merz 39 | \* Last modified Wed Oct 07 18:37:55 CEST 2015 by marty 40 | \* Created Tue Oct 06 17:33:10 CEST 2015 by marty 41 | -------------------------------------------------------------------------------- /test/tla/functions.tla: -------------------------------------------------------------------------------- 1 | ----------------------------- MODULE functions ----------------------------- 2 | 3 | EXTENDS Naturals, TLC, TLAPS 4 | 5 | 6 | LEMMA <<1>>[1] = 1 OBVIOUS 7 | LEMMA ASSUME NEW f, \A x : f[x] = IF x = 0 THEN {} ELSE {0} 8 | PROVE f[0] = {} OBVIOUS 9 | LEMMA ASSUME NEW f, f = (0 :> {}) @@ (1 :> {1}) @@ [ x |-> {} ] 10 | PROVE f[2] = {} OBVIOUS \* not provable, fails 11 | 12 | 13 | ============================================================================= 14 | \* Modification History 15 | \* Last modified Fri Apr 20 14:47:53 CEST 2018 by merz 16 | \* Last modified Sat Jul 30 12:13:22 CEST 2016 by marty 17 | \* Created Sat Jul 30 12:11:45 CEST 2016 by marty 18 | -------------------------------------------------------------------------------- /test/tla/globaluse.tla: -------------------------------------------------------------------------------- 1 | ----------------------------- MODULE globaluse ----------------------------- 2 | 3 | USE 1 = 2 \* should fail 4 | 5 | ============================================================================= 6 | \* Modification History 7 | \* Last modified Fri Apr 20 14:49:14 CEST 2018 by merz 8 | \* Last modified Thu Feb 11 15:44:50 CET 2016 by marty 9 | \* Created Mon Feb 01 15:28:14 CET 2016 by marty 10 | -------------------------------------------------------------------------------- /test/tla/homepage.tla: -------------------------------------------------------------------------------- 1 | ------------------------------ MODULE homepage ------------------------------ 2 | EXTENDS Naturals, Integers 3 | 4 | THEOREM ~ \E x \in Nat : x + 1 = 0 5 | <1>1. SUFFICES ASSUME \E x \in Nat : x + 1 = 0 PROVE FALSE OBVIOUS (* new facts: \E x \in Nat : x + 1 = 0 *) (* goal: FALSE *) 6 | <1>2. PICK u \in Nat : u = -1 (* goal: \E u \in Nat : u = -1 *) 7 | <2>1. \A n \in Nat : n + 1 = 0 => n = -1 OBVIOUS 8 | <2>2. QED BY <2>1, <1>1 (* new facts: u \in Nat, u = -1 *) (* goal: FALSE *) 9 | <1> QED BY -1 \notin Nat, <1>2 10 | 11 | 12 | VARIABLE x 13 | A == /\ x = 1 14 | /\ x' = 2 15 | 16 | B == /\ x = 2 17 | /\ x' = 1 18 | 19 | Next == A \/ B 20 | 21 | Inv == x \in {1, 2} 22 | 23 | 24 | THEOREM Inv /\ Next => Inv' 25 | <1>1. ASSUME Inv, Next PROVE Inv' 26 | <2>1. ASSUME A PROVE Inv' 27 | <2>2. ASSUME B PROVE Inv' 28 | <2>3. QED BY <1>1, <2>1, <2>2 DEF Next 29 | <1>2. QED BY <1>1 30 | 31 | THEOREM Inv /\ Next => Inv' 32 | <1>1. SUFFICES /\ Inv /\ A => Inv' 33 | /\ Inv /\ B => Inv' 34 | BY DEF Next 35 | <1>2. ASSUME Inv, A PROVE Inv' 36 | <1>3. ASSUME Inv, B PROVE Inv' 37 | <1>4. QED BY <1>2, <1>3 38 | 39 | 40 | 41 | 42 | ============================================================================= 43 | \* Modification History 44 | \* Last modified Fri Apr 20 14:51:57 CEST 2018 by merz 45 | \* Last modified Wed Apr 12 15:54:09 CEST 2017 by marty 46 | \* Created Mon Mar 16 14:18:20 CET 2015 by marty 47 | -------------------------------------------------------------------------------- /test/tla/instance.tla: -------------------------------------------------------------------------------- 1 | ------------------------------ MODULE instance ------------------------------ 2 | VARIABLE z 3 | 4 | I == INSTANCE instanceA WITH x <- z, y <- z 5 | 6 | LEMMA I!T # ENABLED(z' # z') BY DEF I!T, I!A 7 | 8 | LEMMA I!T2 # ENABLED(z' # z') BY DEF I!T2 9 | 10 | LEMMA I!TH # ENABLED(z' # z') BY DEF I!TH 11 | 12 | 13 | ============================================================================= 14 | \* Modification History 15 | \* Last modified Fri Feb 27 11:35:27 CET 2015 by marty 16 | \* Created Tue Feb 24 11:51:43 CET 2015 by marty 17 | -------------------------------------------------------------------------------- /test/tla/instanceA.tla: -------------------------------------------------------------------------------- 1 | ----------------------------- MODULE instanceA ----------------------------- 2 | 3 | EXTENDS TLAPS 4 | 5 | VARIABLES x,y 6 | 7 | A == x' # y' 8 | 9 | \* THEOREM T == ENABLED A BY DEF A \* not provable at the moment 10 | T == ENABLED A 11 | 12 | T2 == ENABLED (x' # y') 13 | 14 | THEOREM TH == ENABLED (x' # y') 15 | 16 | F == ENABLED (x' = 0 /\ y' = 1) 17 | 18 | ============================================================================= 19 | \* Modification History 20 | \* Last modified Fri Feb 27 11:35:09 CET 2015 by marty 21 | \* Created Tue Feb 24 11:52:12 CET 2015 by marty 22 | -------------------------------------------------------------------------------- /test/tla/lambda.tla: -------------------------------------------------------------------------------- 1 | ------------------------------- MODULE lambda ------------------------------- 2 | 3 | \* Here we test examples of lambda expressions similar to those from the 4 | \* TLA2 document. 5 | 6 | F(Op(_,_)) == Op(1,2) 7 | 8 | Id(a,b) == a=b 9 | 10 | THEOREM F(Id) = F(LAMBDA x,y : x = y) BY DEF F, Id 11 | 12 | 13 | ------ MODULE M ------ 14 | 15 | CONSTANT O(_,_) 16 | 17 | APPLYO(x,y) == O(x,y) 18 | 19 | ====================== 20 | 21 | I == INSTANCE M WITH O <- LAMBDA x,y : x \* clash from importing APPLYO in case of unnamed import 22 | INSTANCE M WITH O <- LAMBDA x,y : y 23 | 24 | THEOREM APPLYO(23,42) = 42 BY DEF APPLYO 25 | THEOREM I!APPLYO(23,42) = 23 BY DEF I!APPLYO 26 | 27 | ============================================================================= 28 | \* Modification History 29 | \* Last modified Wed Aug 23 15:07:42 CEST 2017 by marty 30 | \* Created Wed Mar 25 15:39:39 CET 2015 by marty 31 | -------------------------------------------------------------------------------- /test/tla/minilambda.tla: -------------------------------------------------------------------------------- 1 | ----------------------------- MODULE minilambda ----------------------------- 2 | 3 | EXTENDS Testing 4 | 5 | F(x,Op(_)) == Op(Op(x)) 6 | 7 | LEMMA \A x : F(x, LAMBDA y : y) = x BY ShouldFail 8 | 9 | LEMMA \A x : F(x, LAMBDA y : x) = x BY ShouldFail 10 | 11 | LEMMA \A x : F(x, LAMBDA y : y) = x BY DEF F 12 | 13 | LEMMA \A x : F(x, LAMBDA y : x) = x BY DEF F 14 | 15 | 16 | ============================================================================= 17 | \* Modification History 18 | \* Last modified Wed Oct 07 16:54:23 CEST 2015 by marty 19 | \* Created Tue Jun 09 10:06:40 CEST 2015 by marty 20 | -------------------------------------------------------------------------------- /test/tla/multi_obligations.tla: -------------------------------------------------------------------------------- 1 | ------------------------- MODULE multi_obligations ------------------------- 2 | EXTENDS TLAPS, Naturals, Sequences 3 | 4 | LEMMA 1+1 = 3 BY SMT, Isa, Zenon \* should fail, of course 5 | 6 | LEMMA Head(<<1,2,3>>) = 1 /\ Len(<<1,2,3>>) = 3 OBVIOUS 7 | 8 | ============================================================================= 9 | \* Modification History 10 | \* Last modified Fri Apr 20 15:01:49 CEST 2018 by merz 11 | \* Last modified Tue Jul 05 11:02:32 CEST 2016 by marty 12 | \* Created Sun Jun 26 21:07:35 CEST 2016 by marty 13 | -------------------------------------------------------------------------------- /test/tla/nonleibniz.tla: -------------------------------------------------------------------------------- 1 | ----------------------------- MODULE nonleibniz ----------------------------- 2 | 3 | D(x,y) == x -+-> y 4 | E(x) == ENABLED(x) 5 | F(x,y) == x \cdot y 6 | 7 | LEMMA ASSUME NEW x, NEW y PROVE D(x,y) 8 | LEMMA ASSUME NEW x, NEW y PROVE E(x) 9 | LEMMA ASSUME NEW x, NEW y PROVE F(x,y) 10 | 11 | 12 | ============================================================================= 13 | \* Modification History 14 | \* Last modified Thu Mar 31 17:28:23 CEST 2016 by marty 15 | \* Created Thu Mar 31 16:53:19 CEST 2016 by marty 16 | -------------------------------------------------------------------------------- /test/tla/nunchaku_tests_negative.tla: -------------------------------------------------------------------------------- 1 | ------------------------------- MODULE nunchaku_tests_negative ------------------------------- 2 | 3 | \* all of these lemmas are valid. if nunchaku finds a counter-model, it is wrong. 4 | 5 | EXTENDS Naturals 6 | 7 | VARIABLE u,v,w 8 | CONSTANT a,b,c 9 | 10 | 11 | LEMMA TRUE OBVIOUS 12 | 13 | LEMMA {a,b} \cap {c} = {} OBVIOUS 14 | 15 | LEMMA {{}} # {} OBVIOUS 16 | 17 | LEMMA {a,b} = {b,a} OBVIOUS 18 | 19 | (* valid in the theory of naturals *) 20 | 21 | LEMMA ~ \E x \in Nat : x+x=1 OBVIOUS 22 | 23 | LEMMA ~ \E x \in {0,1,2} : x+x=1 OBVIOUS 24 | 25 | LEMMA 1 # 2 OBVIOUS 26 | 27 | 28 | ============================================================================= 29 | \* Modification History 30 | \* Last modified Fri Apr 20 15:12:28 CEST 2018 by merz 31 | \* Last modified Mon Aug 08 17:13:59 CEST 2016 by marty 32 | \* Last modified Fri Jul 22 13:53:14 CEST 2016 by Matthieu 33 | \* Created Wed Mar 23 16:18:29 CET 2016 by Matthieu 34 | -------------------------------------------------------------------------------- /test/tla/nunchaku_tests_positive.tla: -------------------------------------------------------------------------------- 1 | ------------------------------- MODULE nunchaku_tests_positive ------------------------------- 2 | 3 | THEOREM ASSUME NEW a, NEW b, a#b, NEW S, S = {a,b} PROVE S = b OBVIOUS 4 | 5 | THEOREM ASSUME NEW a, NEW b, NEW S, S = {a,b} PROVE S = b OBVIOUS 6 | 7 | THEOREM ASSUME NEW a, NEW b PROVE a=b OBVIOUS 8 | 9 | THEOREM ASSUME NEW a, NEW b PROVE a # b OBVIOUS 10 | 11 | THEOREM ASSUME NEW a, NEW b, NEW c \in {a,b} PROVE c=a /\ c=b OBVIOUS 12 | 13 | (* 14 | 15 | THEOREM ASSUME NEW a, NEW b, NEW c, a # b, b # c PROVE a # c OBVIOUS 16 | 17 | THEOREM ASSUME NEW a, NEW b, a#b, NEW P PROVE P[a] # P[a] OBVIOUS 18 | 19 | THEOREM ASSUME NEW a, NEW b, a#b, NEW P PROVE P[a] # P[b] OBVIOUS 20 | 21 | THEOREM ASSUME NEW a, NEW b, NEW c \in {a,b} PROVE c=a \/ c=b OBVIOUS 22 | 23 | THEOREM ASSUME NEW a, NEW b, NEW c \in {a,b} PROVE c=a /\ c=b OBVIOUS 24 | 25 | CONSTANT a,b,c,d,S 26 | 27 | LEMMA \A x \in S : \E x0 \in S : x # x0 OBVIOUS 28 | 29 | LEMMA \A x \in {a,b} : \E x0 \in {a,b} : x # x0 OBVIOUS 30 | 31 | LEMMA \A x \in {a,b} : \E x0 \in {b,a} : x = x0 OBVIOUS 32 | 33 | LEMMA \A x \in {a,b} : \E x0 \in {a} : x = x0 OBVIOUS 34 | 35 | *) 36 | 37 | ============================================================================= 38 | \* Modification History 39 | \* Last modified Fri Jul 22 19:12:10 CEST 2016 by marty 40 | \* Last modified Fri Jul 22 13:53:14 CEST 2016 by Matthieu 41 | \* Created Wed Mar 23 16:18:29 CET 2016 by Matthieu 42 | -------------------------------------------------------------------------------- /test/tla/obligation_bug1.tla: -------------------------------------------------------------------------------- 1 | ---- MODULE obligation_bug1 ---- 2 | \* Tests issue 2: https://github.com/tlaplus/v2-tlapm/issues/2 3 | \* the lemmas should fail but the bug introduces additional assumption. 4 | \* For this reason there is no additional BY ShouldFail . 5 | 6 | EXTENDS Testing 7 | 8 | CONSTANT a,b,c 9 | 10 | S == {a,b,c} 11 | 12 | LEMMA \A x \in {a,b,c} : \E x0 \in {a,b,c} : x # x0 OBVIOUS 13 | 14 | LEMMA \A x \in S : \E x0 \in S : x # x0 OBVIOUS 15 | 16 | LEMMA \A x \in S : \E x0 \in S : x # x0 BY DEF S 17 | 18 | LEMMA \A x \in {a,b,c} : \E x0 \in {b,c,a} : x # x0 BY DEF S 19 | 20 | ==== -------------------------------------------------------------------------------- /test/tla/overbinding.tla: -------------------------------------------------------------------------------- 1 | ---------------------------- MODULE overbinding ---------------------------- 2 | CONSTANT P(_) 3 | 4 | 5 | f(x) == \E y : (P(y) /\ x) 6 | 7 | CONSTANT y 8 | 9 | 10 | LEMMA f(f(y)) BY DEF f 11 | 12 | LEMMA f(f(y)) <=> \E u,v : ( P(u) /\ P(v) /\ y) BY DEF f 13 | 14 | LEMMA f(f(y)) <=> \E u : ( P(u) /\ P(u) /\ y) BY DEF f 15 | 16 | 17 | CONSTANT _ + _ 18 | 19 | g(x(_)) == x(0) \/ (\E z : x(z+1)) 20 | 21 | 22 | D(a,b) == a=b 23 | 24 | LEMMA g(LAMBDA x : g(LAMBDA z : 1+z # 0) ) BY DEF g 25 | 26 | LEMMA g(LAMBDA u: D(u,1)) BY DEF g,D 27 | 28 | ============================================================================= 29 | \* Modification History 30 | \* Last modified Thu Mar 31 14:26:34 CEST 2016 by marty 31 | \* Created Wed Mar 30 15:02:21 CEST 2016 by marty 32 | -------------------------------------------------------------------------------- /test/tla/overbinding2.tla: -------------------------------------------------------------------------------- 1 | ---------------------------- MODULE overbinding2 ---------------------------- 2 | 3 | EXTENDS Testing 4 | 5 | \* create a set for bounded quantifications which TLC can evaluate 6 | S == {1,2} 7 | 8 | \* claim that there is a new element x different from the argument u passed 9 | \* then chain x as an argument to the operator v 10 | P(u,v(_)) == \E x \in S: u # x /\ v(x) 11 | 12 | \* all these operators can be a v(_) for A. T projects to TRUE, successive 13 | \* definitions apply P to their predecessor 14 | T(x) == TRUE 15 | A(x) == P(x, T) 16 | B(y) == P(y, A) 17 | C(z) == P(z, B) 18 | 19 | \* claim the existence of a y such that one of the previous definitions of y is true 20 | Check == \E y \in S: C(y) 21 | 22 | (* Unfolding the definitions must lead to renamings 23 | ~(\E y \in {1, 2} : 24 | \E x \in {1, 2} : 25 | y # x 26 | /\ (\E x_1 \in {1, 2} : 27 | x # x_1 /\ (\E x_2 \in {1, 2} : x_1 # x_2 /\ TRUE))) 28 | *) 29 | LEMMA Check BY DEF Check, S, T, P, A, B, C, ShouldSucceed 30 | LEMMA ~Check BY DEF Check, S, T, P, A, B, C, ShouldFail 31 | 32 | 33 | ============================================================================= 34 | \* Modification History 35 | \* Last modified Wed Jul 12 16:20:34 CEST 2017 by marty 36 | \* Created Wed Jul 12 09:56:40 CEST 2017 by marty 37 | -------------------------------------------------------------------------------- /test/tla/pick.tla: -------------------------------------------------------------------------------- 1 | -------------------------------- MODULE pick -------------------------------- 2 | (* Test cases for the pick statement *) 3 | 4 | EXTENDS Testing 5 | 6 | CONSTANT P(_,_), f(_) 7 | CONSTANT A(_), B(_) 8 | 9 | ASSUME Witnesses == A(0) /\ B(0) 10 | 11 | \* both T1 and T2 must be provable 12 | THEOREM T1 == \E x:A(x) /\ B(x) 13 | <1>1 PICK y:B(y) /\ A(y) BY Witnesses 14 | <1> QED BY <1>1 15 | 16 | THEOREM T2 == \E x:A(x) /\ B(x) 17 | <1>1a \E y:B(y) /\ A(y) BY Witnesses 18 | <1>1b SUFFICES ASSUME NEW c, B(c) /\ A(c) PROVE \E x:A(x) /\ B(x) BY <1>1a 19 | <1> QED BY <1>1b 20 | 21 | Goal == FALSE 22 | 23 | THEOREM Goal 24 | <1> PICK x : f(x) BY ShouldFail 25 | <1> QED OBVIOUS 26 | 27 | THEOREM Goal 28 | <1>1 \E x : f(x) BY ShouldFail 29 | <1>2 SUFFICES ASSUME NEW c, f(c) PROVE Goal BY <1>1 30 | <1> QED BY <1>2, ShouldFail 31 | 32 | THEOREM Goal 33 | <1> ASSUME \E x : f(x), 34 | ASSUME NEW c, f(c) 35 | PROVE Goal 36 | PROVE Goal OBVIOUS 37 | <1> QED BY ShouldFail 38 | 39 | 40 | ============================================================================= 41 | \* Modification History 42 | \* Last modified Mon Dec 07 09:21:45 CET 2015 by marty 43 | \* Created Fri Nov 20 10:50:36 CET 2015 by marty 44 | -------------------------------------------------------------------------------- /test/tla/priming.tla: -------------------------------------------------------------------------------- 1 | ------------------------------ MODULE priming ------------------------------ 2 | 3 | EXTENDS Naturals 4 | 5 | CONSTANT x 6 | 7 | Prime[n \in Nat] == IF n = 0 THEN x ELSE Prime[n-1]' 8 | CPrime[n \in Nat] == IF n = 0 THEN x ELSE CPrime[n-1] 9 | 10 | LEMMA \A n : Prime[n] = CPrime[n] BY DEF Prime, CPrime 11 | 12 | 13 | 14 | LEMMA PE == \E P : P = [n \in Nat |-> IF n = 0 THEN x ELSE P[n-1]' ] 15 | 16 | LEMMA ASSUME PE PROVE Prime[0] = 0 17 | <1>1 Prime BY DEF Prime, PE 18 | <1>2 Prime[0] = 0 19 | <1> QED BY <1>2 20 | 21 | 22 | Def(f,n) == IF n = 0 THEN x ELSE f[n-1]' 23 | 24 | \* LEMMA Def(Prime,0) = x BY DEF Def, Prime 25 | LEMMA START == Def(CPrime,0) = x BY DEF Def, CPrime 26 | LEMMA STEP == \A n \in Nat: Def(CPrime, n) = x => Def(CPrime, n+1) = x BY DEF CPrime, Def 27 | 28 | 29 | ============================================================================= 30 | \* Modification History 31 | \* Last modified Thu Feb 19 12:22:43 CET 2015 by marty 32 | \* Created Thu Feb 19 09:37:41 CET 2015 by marty 33 | -------------------------------------------------------------------------------- /test/tla/priming_stephan.tla: -------------------------------------------------------------------------------- 1 | ---------------------------- MODULE priming_stephan ---------------------------- 2 | EXTENDS Naturals, NaturalsInduction 3 | 4 | VARIABLE x 5 | 6 | Prime[n \in Nat] == IF n = 0 THEN x ELSE Prime[n-1]' 7 | 8 | THEOREM Prime = [n \in Nat |-> x] 9 | <1>. DEFINE DefPr(g,n) == IF n = 0 THEN x ELSE g[n-1] 10 | DefPrime(g,n) == IF n = 0 THEN x ELSE g[n-1]' 11 | <1>1. ASSUME NEW n \in Nat, NEW g, NEW h 12 | PROVE DefPrime(g,n) = DefPr(g,n) 13 | OBVIOUS 14 | <1>2. Prime = CHOOSE g : g = [n \in Nat |-> DefPr(g,n)] 15 | BY <1>1 DEF Prime 16 | <1>3. ASSUME NEW n \in Nat, NEW g, NEW h, 17 | \A i \in 0 .. (n-1) : g[i] = h[i] 18 | PROVE DefPr(g,n) = DefPr(h,n) 19 | BY <1>3 20 | <1>. HIDE DEF DefPr 21 | <1>4. Prime = [n \in Nat |-> DefPr(Prime, n)] 22 | BY <1>2, <1>3, RecursiveFcnOfNat, Isa 23 | <1>5. \A n \in Nat : DefPr(Prime, n) = x 24 | <2>1. DefPr(Prime, 0) = x 25 | BY DEF DefPr 26 | <2>2. ASSUME NEW n \in Nat, DefPr(Prime, n) = x 27 | PROVE DefPr(Prime, n+1) = x 28 | <3>1. DefPr(Prime, n+1) = Prime[n] 29 | BY DEF DefPr 30 | <3>2. Prime[n] = DefPr(Prime, n) 31 | BY <1>4 32 | <3>. QED 33 | BY <2>2, <3>1, <3>2 34 | <2>. QED 35 | BY <2>1, <2>2, NatInduction, Isa 36 | <1>. QED 37 | BY <1>4, <1>5 38 | 39 | ============================================================================= 40 | \* Modification History 41 | \* Last modified Tue Mar 24 15:02:53 CET 2015 by marty 42 | \* Last modified Fri Feb 20 13:48:56 CET 2015 by merz 43 | \* Created Fri Feb 20 11:19:19 CET 2015 by merz 44 | -------------------------------------------------------------------------------- /test/tla/qed.tla: -------------------------------------------------------------------------------- 1 | -------------------------------- MODULE qed -------------------------------- 2 | \* tests the qed proof step 3 | EXTENDS Testing, Naturals 4 | 5 | \* test by obvious 6 | LEMMA \A x : x = x 7 | <1> QED OBVIOUS 8 | 9 | 10 | \* test by axiom 11 | AXIOM AX == \A x : (x # x+1) 12 | 13 | LEMMA \A y : 2*y # 2*y +1 14 | <1> QED BY AX 15 | 16 | \* test nested qed 17 | LEMMA 1=2 18 | <1> QED 19 | <2> TRUE 20 | <2> QED BY 3=3, ShouldFail 21 | 22 | \* test qed by def 23 | A == 1 24 | LEMMA 1=A BY DEF A 25 | 26 | 27 | LEMMA \A x \in Nat : (x * (x+1)) >= x OBVIOUS 28 | ============================================================================= 29 | \* Modification History 30 | \* Last modified Thu Feb 11 17:05:37 CET 2016 by marty 31 | \* Created Thu Jan 21 10:26:24 CET 2016 by marty 32 | -------------------------------------------------------------------------------- /test/tla/qed2.tla: -------------------------------------------------------------------------------- 1 | -------------------------------- MODULE qed2 -------------------------------- 2 | \* this is the same as qed, but has everything in one large proof 3 | 4 | \* tests the qed proof step 5 | EXTENDS Testing, Naturals 6 | 7 | AXIOM AX == \A x : (x # x+1) 8 | 9 | A == 1 10 | 11 | LEMMA TRUE 12 | \* test by obvious 13 | <1> \A x : x = x 14 | <2> QED OBVIOUS 15 | \* test by axiom 16 | 17 | <1> \A y : 2*y # 2*y +1 18 | <2> QED BY AX 19 | 20 | \* test nested qed 21 | <1> 1=2 22 | <2> QED 23 | <3> TRUE 24 | <3> QED BY 3=3, ShouldFail 25 | 26 | \* test qed by def 27 | <1> 1=A BY DEF A 28 | 29 | <1> \A x \in Nat : (x * (x+1)) >= x OBVIOUS 30 | <1> QED OBVIOUS 31 | 32 | ============================================================================= 33 | \* Modification History 34 | \* Last modified Thu Feb 11 17:05:46 CET 2016 by marty 35 | \* Created Thu Feb 11 16:54:15 CET 2016 by marty 36 | -------------------------------------------------------------------------------- /test/tla/recursiveop.tla: -------------------------------------------------------------------------------- 1 | ---------------------------- MODULE recursiveop ---------------------------- 2 | 3 | \* This tests recursive operator definitions and proofs with them. 4 | \* The factorial definition is an example from the TLA2 document. 5 | 6 | EXTENDS Naturals 7 | 8 | RECURSIVE fact(_) 9 | fact(n) == IF n = 0 THEN 1 ELSE n*fact(n-1) 10 | 11 | THEOREM fact(3) = 6 12 | <1>1 fact(3) = 3 * fact(2) BY DEF fact 13 | <1>2 fact(2) = 2 * fact(1) BY DEF fact 14 | <1>3 fact(1) = 1 * fact(0) BY DEF fact 15 | <1>4 fact(0) = 1 BY DEF fact 16 | <1> QED BY <1>1, <1>2, <1>3, <1>4 17 | 18 | ============================================================================= 19 | \* Modification History 20 | \* Last modified Tue May 12 11:24:33 CEST 2015 by marty 21 | \* Created Wed Mar 25 10:07:40 CET 2015 by marty 22 | -------------------------------------------------------------------------------- /test/tla/simple_substitution.tla: -------------------------------------------------------------------------------- 1 | ------------------------ MODULE simple_substitution ------------------------ 2 | EXTENDS Sequences, Integers, TLAPS 3 | 4 | VARIABLE NewInv 5 | 6 | CONSTANT _ ** _ 7 | 8 | LEMMA ASSUME NEW CONSTANT Data, 9 | NEW VARIABLE ASndg, 10 | NEW VARIABLE BRcvd, 11 | NEW VARIABLE AtoB, 12 | NEW VARIABLE BtoA, 13 | NewInv , 14 | NEW CONSTANT a \in {0, 1}, 15 | NEW CONSTANT b \in {0, 1}, 16 | NEW CONSTANT f \in Seq({0, 1}), 17 | ASSUME NEW CONSTANT S, 18 | NEW CONSTANT a_1 \in S, 19 | NEW CONSTANT b_1 \in S, 20 | NEW CONSTANT f_1 \in Seq(S) 21 | PROVE f_1 \in a_1 ** b_1 22 | => (\E i \in 0..Len(f_1) : 23 | \A j \in 1..Len(f_1) : 24 | f_1[j] = (IF j =< i THEN a_1 ELSE b_1)) 25 | 26 | PROVE f \in a ** b 27 | => (\E i \in 0..Len(f) : 28 | \A j \in 1..Len(f) : 29 | f[j] = (IF j =< i THEN a ELSE b)) BY IsaM("blast") 30 | 31 | ============================================================================= 32 | \* Modification History 33 | \* Last modified Sat Jul 25 15:54:09 CEST 2015 by marty 34 | \* Created Mon Jul 20 11:02:29 CEST 2015 by marty 35 | -------------------------------------------------------------------------------- /test/tla/smt2test.tla: -------------------------------------------------------------------------------- 1 | ------------------------------ MODULE smt2test ------------------------------ 2 | 3 | EXTENDS Naturals, TLAPS 4 | 5 | LEMMA 6 | ASSUME NEW CONSTANT N, 7 | NEW VARIABLE active, 8 | NEW VARIABLE color, 9 | NEW VARIABLE tpos, 10 | NEW VARIABLE tcolor, 11 | N \in Nat \ {0} 12 | PROVE (/\ active \in [0..N - 1 -> BOOLEAN] 13 | /\ color \in [0..N - 1 -> {"white", "black"}] 14 | /\ tpos = 0 15 | /\ tcolor = "black") 16 | => (/\ active \in [0..N - 1 -> BOOLEAN] 17 | /\ color \in [0..N - 1 -> {"white", "black"}] 18 | /\ tpos \in 0..N - 1 19 | /\ tcolor \in {"white", "black"}) 20 | BY veriT 21 | 22 | 23 | LEMMA 1+2 = 3 BY veriT 24 | 25 | LEMMA \A x \in Nat: (x+1) * x = x*x +x BY Z3 26 | 27 | LEMMA \A x \in Nat, y \in Nat: x + y = y +x BY veriT 28 | 29 | LEMMA \E x \in Nat : x * x + x = 12 BY veriT 30 | 31 | ============================================================================= 32 | \* Modification History 33 | \* Last modified Wed Nov 08 15:13:48 CET 2017 by marty 34 | \* Created Tue Jun 21 16:18:58 CEST 2016 by marty 35 | -------------------------------------------------------------------------------- /test/tla/smt2test2.tla: -------------------------------------------------------------------------------- 1 | ----------------------------- MODULE smt2test2 ----------------------------- 2 | 3 | EXTENDS Naturals, TLAPS 4 | 5 | Even(x) == x % 2 = 0 6 | 7 | THEOREM \A x \in Nat : Even(x+x) 8 | BY Z3 DEF Even 9 | 10 | THEOREM \A x \in Nat : Even(x+x) 11 | BY SMT DEF Even 12 | 13 | ============================================================================= 14 | \* Modification History 15 | \* Last modified Tue Jun 21 16:31:22 CEST 2016 by marty 16 | \* Created Tue Jun 21 16:30:56 CEST 2016 by marty 17 | -------------------------------------------------------------------------------- /test/tla/string.tla: -------------------------------------------------------------------------------- 1 | ------------------------------- MODULE string ------------------------------- 2 | EXTENDS TLAPS 3 | 4 | THEOREM "a" \in STRING 5 | OBVIOUS 6 | 7 | ============================================================================= 8 | \* Modification History 9 | \* Last modified Thu Jul 30 10:05:26 CEST 2015 by marty 10 | \* Created Thu Jul 30 10:04:59 CEST 2015 by marty 11 | -------------------------------------------------------------------------------- /test/tla/substitution.tla: -------------------------------------------------------------------------------- 1 | ---------------------------- MODULE substitution ---------------------------- 2 | 3 | EXTENDS Naturals 4 | 5 | CONSTANT a,b 6 | VARIABLE x,y 7 | 8 | D(u,v) == x+u-v' 9 | App(f(_), value) == f(value) 10 | 11 | LEMMA D(x,x) = x+x-x' BY DEF D 12 | 13 | LEMMA App(LAMBDA u : D(u,u),x ) = x+x-x' BY DEF App, D 14 | 15 | LEMMA App(LAMBDA u : D(u,u),x ) = D(x,x) BY DEF App 16 | 17 | E(u) == \E v : v = u 18 | 19 | LEMMA (\E v : E(v)) = (\E v,u : v=u) BY DEF E \* should work 20 | 21 | LEMMA (\E v : E(v)) # (\E v,u : v=v) BY DEF E \* should fail 22 | 23 | 24 | ============================================================================= 25 | \* Modification History 26 | \* Last modified Fri Apr 20 15:47:26 CEST 2018 by merz 27 | \* Last modified Mon Apr 04 16:42:09 CEST 2016 by marty 28 | \* Created Tue Mar 15 16:06:06 CET 2016 by marty 29 | -------------------------------------------------------------------------------- /test/tla/tuples.tla: -------------------------------------------------------------------------------- 1 | ------------------------------- MODULE tuples ------------------------------- 2 | 3 | VARIABLES x,y,z 4 | LEMMA ASSUME NEW CONSTANT S, 5 | NEW CONSTANT T, 6 | <>>> \in S 7 | PROVE <>>> \in (S \cup T) 8 | 9 | LEMMA ASSUME NEW CONSTANT S, 10 | NEW CONSTANT T, 11 | <>>> \in S 12 | PROVE \E <> \in S : <> \in T \* tlapm v1 does not parse this construct yet 13 | 14 | 15 | ============================================================================= 16 | \* Modification History 17 | \* Last modified Wed Feb 18 16:06:11 CET 2015 by marty 18 | \* Created Tue Feb 10 10:41:20 CET 2015 by marty 19 | -------------------------------------------------------------------------------- /test/tla/withsubmodule.tla: -------------------------------------------------------------------------------- 1 | ----------------------------- MODULE withsubmodule ----------------------------- 2 | 3 | ---- MODULE sub ---- 4 | 5 | VARIABLE x 6 | 7 | \* D(y) == IF TRUE THEN x' ELSE y \* works fine, but we don't need it at the moment 8 | 9 | THEOREM T == x'=x 10 | 11 | THEOREM ASSUME T PROVE FALSE 12 | 13 | THEOREM A == ASSUME TRUE PROVE TRUE 14 | 15 | ==================== 16 | 17 | I == INSTANCE sub WITH x <- 0 18 | 19 | IbT == 0' = 0 20 | 21 | THEOREM T2 == ASSUME NEW CONSTANT x PROVE x'=x 22 | 23 | THEOREM ASSUME IbT PROVE TRUE \* this is not accepted by the toolbox (sm: 20180420 - ??? it should be and is accepted) 24 | 25 | THEOREM ASSUME I!T PROVE TRUE \* should not be accepted by the toolbox too, but it is. leads to malformed xml export. 26 | 27 | \* THEOREM ASSUME I!T!1 = I!T!1 PROVE TRUE \* should not be true \* not exportable at the moment 28 | 29 | 30 | \*THEOREM ASSUME I!D(100) # 0' PROVE TRUE \* exportable 31 | 32 | ============================================================================= 33 | \* Modification History 34 | \* Last modified Fri Apr 20 15:54:15 CEST 2018 by merz 35 | \* Last modified Thu Mar 30 15:09:20 CEST 2017 by marty 36 | \* Created Tue Mar 03 10:57:30 CET 2015 by marty 37 | -------------------------------------------------------------------------------- /test/xml/SimpleImport1a.xml: -------------------------------------------------------------------------------- 1 | SimpleImport1a40000--TLA+ BUILTINS--0=2565Formal_006Formal_1015417718SimpleImport1aSimpleImport1a155159155101033SimpleImport1a1x0315911155SimpleImport1a1EQ1081155SimpleImport1a148855SimpleImport1a1155111155SimpleImport1a1155154 -------------------------------------------------------------------------------- /test/xml/empty.xml: -------------------------------------------------------------------------------- 1 | empty15417714emptyempty154 -------------------------------------------------------------------------------- /test/xml/extends_use_def.xml: -------------------------------------------------------------------------------- 1 | extends_use_def154177121extends_use_defextends_use_def154 -------------------------------------------------------------------------------- /test/xml/false_proves_false.xml: -------------------------------------------------------------------------------- 1 | false_proves_false10000--TLA+ BUILTINS--0FALSE015417716false_proves_falsefalse_proves_false15915913833false_proves_false073033false_proves_false0141833false_proves_false01263033false_proves_false01323833false_proves_false0154 -------------------------------------------------------------------------------- /test/xml/globaluse.xml: -------------------------------------------------------------------------------- 1 | globaluse40000--TLA+ BUILTINS--0=2565Formal_006Formal_1015417715globaluseglobaluse1933globaluse05933globaluse045533globaluse019933globaluse02154 -------------------------------------------------------------------------------- /test/xml/mailinglist1.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tlaplus/tlapm_alternative_parser_experiment/8cc7103389d2b386982dd5fc85239f8cc02be9de/test/xml/mailinglist1.xml -------------------------------------------------------------------------------- /test/xml/possible_bug.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tlaplus/tlapm_alternative_parser_experiment/8cc7103389d2b386982dd5fc85239f8cc02be9de/test/xml/possible_bug.xml -------------------------------------------------------------------------------- /test/xml/quantifiers.xml: -------------------------------------------------------------------------------- 1 | quantifiers15417713quantifiersquantifiers154 -------------------------------------------------------------------------------- /tla2xml.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | /usr/bin/java -jar lib/sany.jar $@ 4 | -------------------------------------------------------------------------------- /tlapm: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | `dirname $0`/tlapm.byte $* 3 | --------------------------------------------------------------------------------