Fix proofs (tlaplus#175)

* fixed proof in Paxos/Consensus.tla

Signed-off-by: Stephan Merz <[email protected]>

* fixed proofs of Bakery-Boulangerie

Signed-off-by: Stephan Merz <[email protected]>

* fixed proofs in lamport_mutex

Signed-off-by: Stephan Merz <[email protected]>

* fixed proofs in byzpaxos

Signed-off-by: Stephan Merz <[email protected]>

* more fixed proofs of examples

Signed-off-by: Stephan Merz <[email protected]>

* pass over example proofs

Signed-off-by: Stephan Merz <[email protected]>

* exclude fewer proofs from CI checking

Signed-off-by: Stephan Merz <[email protected]>

* fixed proofs also on Linux

Signed-off-by: Stephan Merz <[email protected]>

* fixed manifest

Signed-off-by: Stephan Merz <[email protected]>

* fixed manifest

Signed-off-by: Stephan Merz <[email protected]>

* remove unused Functions from lamport_mutex

Signed-off-by: Stephan Merz <[email protected]>

* more manifest errors

Signed-off-by: Stephan Merz <[email protected]>

* corrected author attribution for sum_even

Signed-off-by: Stephan Merz <[email protected]>

* fixed errors detected by SANY but not tlapm

Signed-off-by: Stephan Merz <[email protected]>

* fixed state count for MCBakery.cfg (???)

Signed-off-by: Stephan Merz <[email protected]>

* excluding EWD840.cfg due to parsing error

Signed-off-by: Stephan Merz <[email protected]>

* increase timeout for some proof steps

Signed-off-by: Stephan Merz <[email protected]>

* longer timeout for another step that failed on two instances of the CI

Signed-off-by: Stephan Merz <[email protected]>

* due to seemingly random CI failures, remove individual timeouts but add a stretch factor when running tlapm on GitHub servers

Signed-off-by: Stephan Merz <[email protected]>

* fix syntax error

Signed-off-by: Stephan Merz <[email protected]>

* fixed proofs also on Linux

Signed-off-by: Stephan Merz <[email protected]>

* Fixed (and simplified) proof in byzpaxos/Consensus.tla (tlaplus#163)

* Fixed (and simplified) proof in byzpaxos/Consensus.tla
* Also fixed minor failure in LoopInvariance/BinarySearch.tla
* Check fixed proofs in CI

Signed-off-by: Stephan Merz <[email protected]>

* Docs: added CONTRIBUTING.md and DEVELOPING.md
These expand on the steps necessary to contribute a spec to this repo,
or use/extend the CI validation scripts.

Signed-off-by: Andrew Helwer <[email protected]>

* CI: smoke-test state space script

Signed-off-by: Andrew Helwer <[email protected]>

* Re-generate manifest from script
Enacts formatting and ordering changes on manifest.json
It's good to run this script once in a while, as the manifest accrues
pecularities due to people manually adding specs; this enables future
users to run the script to add their own specs without introducing
irrelevant changes.

Signed-off-by: Andrew Helwer <[email protected]>

* Removed hyperlink to tlaplus-standard repo

Signed-off-by: Andrew Helwer <[email protected]>

* added microwave example as submodule

Signed-off-by: Konstantin Läufer <[email protected]>

* pulled latest updates to microwave example

Signed-off-by: Konstantin Läufer <[email protected]>

* added entry for microwave example to readme and manifest

Signed-off-by: Konstantin Läufer <[email protected]>

* Clone submodules for automation to be happy.

* This should not be this complicated

Signed-off-by: Markus Alexander Kuppe <[email protected]>

* Moved submodule spec to .ciignore for reproducibility

Signed-off-by: Andrew Helwer <[email protected]>

* Removed microwave submodule example from manifest.json

Signed-off-by: Andrew Helwer <[email protected]>

* Add a variant of the Prisoner's puzzle

This version has a single switch. There are two variants, one where
the initial position of the light switch is known, and another one
where it is not.

Signed-off-by: Florian Schanda <[email protected]>

* Another puzzle example

You have N boxes and a cat moves from one to another. Each day
you can check a single box. Can you find the cat?

Signed-off-by: Florian Schanda <[email protected]>

* fixed manifest

Signed-off-by: Stephan Merz <[email protected]>

* remove unused Functions from lamport_mutex

Signed-off-by: Stephan Merz <[email protected]>

* more manifest errors

Signed-off-by: Stephan Merz <[email protected]>

* corrected author attribution for sum_even

Signed-off-by: Stephan Merz <[email protected]>

* fixed errors detected by SANY but not tlapm

Signed-off-by: Stephan Merz <[email protected]>

* fixed state count for MCBakery.cfg (???)

Signed-off-by: Stephan Merz <[email protected]>

* excluding EWD840.cfg due to parsing error

Signed-off-by: Stephan Merz <[email protected]>

* increase timeout for some proof steps

Signed-off-by: Stephan Merz <[email protected]>

* longer timeout for another step that failed on two instances of the CI

Signed-off-by: Stephan Merz <[email protected]>

* due to seemingly random CI failures, remove individual timeouts but add a stretch factor when running tlapm on GitHub servers

Signed-off-by: Stephan Merz <[email protected]>

* fix syntax error

Signed-off-by: Stephan Merz <[email protected]>

---------

Signed-off-by: Stephan Merz <[email protected]>
Signed-off-by: Andrew Helwer <[email protected]>
Signed-off-by: Konstantin Läufer <[email protected]>
Signed-off-by: Markus Alexander Kuppe <[email protected]>
Signed-off-by: Florian Schanda <[email protected]>
Co-authored-by: Andrew Helwer <[email protected]>
Co-authored-by: Konstantin Läufer <[email protected]>
Co-authored-by: Markus Alexander Kuppe <[email protected]>
Co-authored-by: Florian Schanda <[email protected]>

Author: 5 people

.github/scripts/check_proofs.py

@@ -48,7 +48,8 @@
     tlapm = subprocess.run(
         [
             tlapm_path, module_path,
-            '-I', module_dir
+            '-I', module_dir,
+            '--stretch', '5'
         ],
         stdout=subprocess.PIPE,
         stderr=subprocess.STDOUT,

.github/workflows/CI.yml

@@ -108,7 +108,9 @@ jobs:
       - name: Check small models
         run: |
           # Need to have a nonempty list to pass as a skip parameter
-          SKIP=("does/not/exist")
+          # SKIP=("does/not/exist")
+          # strange issue with parsing TLC output
+          SKIP=("specifications/ewd840/EWD840.cfg")
           if [ ${{ matrix.unicode }} ]; then
             # Apalache does not yet support Unicode
             SKIP+=("specifications/EinsteinRiddle/Einstein.cfg")
@@ -143,21 +145,16 @@ jobs:
         if: matrix.os != 'windows-latest' && !matrix.unicode
         run: |
           SKIP=(
-            ## ATD/EWD require TLAPS' update_enabled_cdot branch
-            specifications/ewd998/AsyncTerminationDetection_proof.tla
+            # Long-running; see https://github.com/tlaplus/tlapm/issues/85
             specifications/ewd998/EWD998_proof.tla
-            # Failing; see https://github.com/tlaplus/Examples/issues/67
             specifications/Bakery-Boulangerie/Bakery.tla
             specifications/Bakery-Boulangerie/Boulanger.tla
-            specifications/Paxos/Consensus.tla
-            specifications/PaxosHowToWinATuringAward/Consensus.tla
-            specifications/lamport_mutex/LamportMutex_proofs.tla
-            specifications/byzpaxos/VoteProof.tla
-            # Long-running; see https://github.com/tlaplus/tlapm/issues/85
             specifications/LoopInvariance/Quicksort.tla
             specifications/LoopInvariance/SumSequence.tla
+            specifications/lamport_mutex/LamportMutex_proofs.tla
             specifications/bcastByz/bcastByz.tla
-            specifications/MisraReachability/ReachabilityProofs.tla
+            # specifications/MisraReachability/ReachabilityProofs.tla
+            specifications/byzpaxos/VoteProof.tla
             specifications/byzpaxos/BPConProof.tla # Takes about 30 minutes
           )
           python $SCRIPT_DIR/check_proofs.py       \

README.md

@@ -29,7 +29,7 @@ Here is a list of specs included in this repository, with links to the relevant
 | [Loop Invariance](specifications/LoopInvariance)                                                    | Leslie Lamport                                      |    ✔     |      ✔      |    ✔    |     ✔     |          |
 | [Learn TLA⁺ Proofs](specifications/LearnProofs)                                                     | Andrew Helwer                                       |    ✔     |      ✔      |    ✔    |     ✔     |          |
 | [Boyer-Moore Majority Vote](specifications/Majority)                                                | Stephan Merz                                        |    ✔     |      ✔      |         |     ✔     |          |
-| [Proof x+x is Even](specifications/sums_even)                                                       | Stephan Merz                                        |    ✔     |      ✔      |         |     ✔     |          |
+| [Proof x+x is Even](specifications/sums_even)                                                       | Martin Riener                                       |    ✔     |      ✔      |         |     ✔     |          |
 | [The N-Queens Puzzle](specifications/N-Queens)                                                      | Stephan Merz                                        |    ✔     |             |    ✔    |     ✔     |          |
 | [The Dining Philosophers Problem](specifications/DiningPhilosophers)                                | Jeff Hemphill                                       |    ✔     |             |    ✔    |     ✔     |          |
 | [The Car Talk Puzzle](specifications/CarTalkPuzzle)                                                 | Leslie Lamport                                      |    ✔     |             |         |     ✔     |          |
@@ -48,11 +48,11 @@ Here is a list of specs included in this repository, with links to the relevant
 | [Byzantizing Paxos by Refinement](specifications/byzpaxos)                                          | Leslie Lamport                                      |          |      ✔      |    ✔    |     ✔     |          |
 | [EWD840: Termination Detection in a Ring](specifications/ewd840)                                    | Stephan Merz                                        |          |      ✔      |         |     ✔     |          |
 | [EWD998: Termination Detection in a Ring with Asynchronous Message Delivery](specifications/ewd998) | Stephan Merz, Markus Kuppe                          |          |      ✔      |   (✔)   |     ✔     |          |
-| [The Paxos Protocol](specifications/Paxos)                                                          | Leslie Lamport                                      |          |      ✔      |         |     ✔     |          |
+| [The Paxos Protocol](specifications/Paxos)                                                          | Leslie Lamport                                      |          |     (✔)     |         |     ✔     |          |
 | [Asynchronous Reliable Broadcast](specifications/bcastByz)                                          | Thanh Hai Tran, Igor Konnov, Josef Widder           |          |      ✔      |         |     ✔     |          |
 | [Distributed Mutual Exclusion](specifications/lamport_mutex)                                        | Stephan Merz                                        |          |      ✔      |         |     ✔     |          |
 | [Two-Phase Handshaking](specifications/TwoPhase)                                                    | Leslie Lamport, Stephan Merz                        |          |      ✔      |         |     ✔     |          |
-| [Paxos (How to Win a Turing Award)](specifications/PaxosHowToWinATuringAward)                       | Leslie Lamport                                      |          |      ✔      |         |     ✔     |          |
+| [Paxos (How to Win a Turing Award)](specifications/PaxosHowToWinATuringAward)                       | Leslie Lamport                                      |          |     (✔)     |         |     ✔     |          |
 | [Dijkstra's Mutual Exclusion Algorithm](specifications/dijkstra-mutex)                              | Leslie Lamport                                      |          |             |    ✔    |     ✔     |          |
 | [The Echo Algorithm](specifications/echo)                                                           | Stephan Merz                                        |          |             |    ✔    |     ✔     |          |
 | [The TLC Safety Checking Algorithm](specifications/TLC)                                             | Markus Kuppe                                        |          |             |    ✔    |     ✔     |          |

manifest.json

@@ -46,8 +46,8 @@
                 "ignore deadlock"
               ],
               "result": "success",
-              "distinctStates": 598608,
-              "totalStates": 3141768,
+              "distinctStates": 655200,
+              "totalStates": 3403584,
               "stateDepth": 1
             }
           ]
@@ -587,6 +587,20 @@
           "features": [],
           "models": []
         },
+        {
+          "path": "specifications/FiniteMonotonic/Functions.tla",
+          "communityDependencies": [],
+          "tlaLanguageVersion": 2,
+          "features": [],
+          "models": []
+        },
+        {
+          "path": "specifications/FiniteMonotonic/Folds.tla",
+          "communityDependencies": [],
+          "tlaLanguageVersion": 2,
+          "features": [],
+          "models": []
+        },
         {
           "path": "specifications/FiniteMonotonic/MCCRDT.tla",
           "communityDependencies": [
@@ -3297,15 +3311,6 @@
             }
           ]
         },
-        {
-          "path": "specifications/TwoPhase/TLAPS.tla",
-          "communityDependencies": [],
-          "tlaLanguageVersion": 2,
-          "features": [
-            "proof"
-          ],
-          "models": []
-        },
         {
           "path": "specifications/TwoPhase/TwoPhase.tla",
           "communityDependencies": [],
@@ -4528,7 +4533,8 @@
               "size": "small",
               "mode": "exhaustive search",
               "features": [
-                "ignore deadlock"
+                "ignore deadlock",
+                "liveness"
               ],
               "result": "success",
               "distinctStates": 302,
@@ -4614,12 +4620,10 @@
           ]
         },
         {
-          "path": "specifications/ewd840/TLAPS.tla",
+          "path": "specifications/ewd840/SyncTerminationDetection_proof.tla",
           "communityDependencies": [],
           "tlaLanguageVersion": 2,
-          "features": [
-            "proof"
-          ],
+          "features": ["proof"],
           "models": []
         }
       ]
@@ -4671,7 +4675,6 @@
         {
           "path": "specifications/ewd998/EWD998.tla",
           "communityDependencies": [
-            "Functions",
             "SequencesExt"
           ],
           "tlaLanguageVersion": 2,
@@ -4684,7 +4687,8 @@
               "mode": "exhaustive search",
               "features": [
                 "ignore deadlock",
-                "state constraint"
+                "state constraint",
+                "liveness"
               ],
               "result": "success"
             },
@@ -4879,6 +4883,20 @@
           ],
           "models": []
         },
+        {
+          "path": "specifications/ewd998/Functions.tla",
+          "communityDependencies": [],
+          "tlaLanguageVersion": 2,
+          "features": [],
+          "models": []
+        },
+        {
+          "path": "specifications/ewd998/Folds.tla",
+          "communityDependencies": [],
+          "tlaLanguageVersion": 2,
+          "features": [],
+          "models": []
+        },
         {
           "path": "specifications/ewd998/SmokeEWD998.tla",
           "communityDependencies": [
@@ -4925,19 +4943,9 @@
             }
           ]
         },
-        {
-          "path": "specifications/ewd998/TLAPS.tla",
-          "communityDependencies": [],
-          "tlaLanguageVersion": 2,
-          "features": [
-            "proof"
-          ],
-          "models": []
-        },
         {
           "path": "specifications/ewd998/Utils.tla",
           "communityDependencies": [
-            "Functions",
             "SequencesExt"
           ],
           "tlaLanguageVersion": 2,
@@ -5033,13 +5041,6 @@
       ],
       "tags": [],
       "modules": [
-        {
-          "path": "specifications/lamport_mutex/Functions.tla",
-          "communityDependencies": [],
-          "tlaLanguageVersion": 2,
-          "features": [],
-          "models": []
-        },
         {
           "path": "specifications/lamport_mutex/LamportMutex.tla",
           "communityDependencies": [],
@@ -5076,36 +5077,6 @@
               "stateDepth": 61
             }
           ]
-        },
-        {
-          "path": "specifications/lamport_mutex/NaturalsInduction.tla",
-          "communityDependencies": [],
-          "tlaLanguageVersion": 2,
-          "features": [],
-          "models": []
-        },
-        {
-          "path": "specifications/lamport_mutex/SequenceTheorems.tla",
-          "communityDependencies": [],
-          "tlaLanguageVersion": 2,
-          "features": [],
-          "models": []
-        },
-        {
-          "path": "specifications/lamport_mutex/TLAPS.tla",
-          "communityDependencies": [],
-          "tlaLanguageVersion": 2,
-          "features": [
-            "proof"
-          ],
-          "models": []
-        },
-        {
-          "path": "specifications/lamport_mutex/WellFoundedInduction.tla",
-          "communityDependencies": [],
-          "tlaLanguageVersion": 2,
-          "features": [],
-          "models": []
         }
       ]
     },
@@ -5220,7 +5191,7 @@
       "description": "Two proofs that x+x is even for every natural number x",
       "sources": [],
       "authors": [
-        "Stephan Merz"
+        "Martin Riener"
       ],
       "tags": [
         "beginner"
@@ -5245,15 +5216,6 @@
             }
           ]
         },
-        {
-          "path": "specifications/sums_even/TLAPS.tla",
-          "communityDependencies": [],
-          "tlaLanguageVersion": 2,
-          "features": [
-            "proof"
-          ],
-          "models": []
-        },
         {
           "path": "specifications/sums_even/sums_even.tla",
           "communityDependencies": [],