Manifest: added proof runtimes

Recorded runtime details for all existing proofs

Proofs running longer than 1 minute will not be run in CI

Signed-off-by: Andrew Helwer <[email protected]>

Author: ahelwer

.github/scripts/check_manifest_features.py

@@ -164,15 +164,19 @@ def check_features(parser, queries, manifest, examples_root):
             if parse_err:
                 success = False
                 logging.error(f'Module {module["path"]} contains syntax errors')
-            expected_features = get_tree_features(tree, queries)
+            module_features = get_tree_features(tree, queries)
+            expected_features = module_features - {'proof'}
             actual_features = set(module['features'])
             if expected_features != actual_features:
                 success = False
                 logging.error(
                     f'Module {module["path"]} has incorrect features in manifest; '
                     + f'expected {list(expected_features)}, actual {list(actual_features)}'
                 )
-            expected_imports = get_community_imports(examples_root, tree, text, dirname(module_path), 'proof' in expected_features, queries)
+            if 'proof' in module_features and 'proof' not in module:
+                success = False
+                logging.error(f'Module {module["path"]} contains proof but no proof runtime details')
+            expected_imports = get_community_imports(examples_root, tree, text, dirname(module_path), 'proof' in module_features, queries)
             actual_imports = set(module['communityDependencies'])
             if expected_imports != actual_imports:
                 success = False

.github/scripts/check_markdown_table.py

@@ -67,7 +67,7 @@ def from_json(path, spec):
         path,
         set(spec['authors']),
         'beginner' in spec['tags'],
-        any([module for module in spec['modules'] if 'proof' in module['features']]),
+        any([module for module in spec['modules'] if 'proof' in module]),
         any([module for module in spec['modules'] if 'pluscal' in module['features']]),
         any([model for module in spec['modules'] for model in module['models'] if model['mode'] != 'symbolic']),
         any([model for module in spec['modules'] for model in module['models'] if model['mode'] == 'symbolic']),

.github/scripts/check_proofs.py

@@ -3,15 +3,17 @@
 """
 
 from argparse import ArgumentParser
+from datetime import timedelta
 from os.path import dirname, join, normpath
 import logging
 import subprocess
 from timeit import default_timer as timer
 import tla_utils
 
 parser = ArgumentParser(description='Validate all proofs in all modules with TLAPM.')
-parser.add_argument('--tlapm_path', help='Path to TLAPM install dir; should have bin and lib subdirs', required=True)
-parser.add_argument('--examples_root', help='Root directory of the tlaplus/examples repository', required=True)
+parser.add_argument('--tlapm_path', help='Path to TLAPM install dir; should have bin and lib subdirs', required=False, default = 'deps/tlapm')
+parser.add_argument('--examples_root', help='Root directory of the tlaplus/examples repository', required=False, default='.')
+parser.add_argument('--runtime_seconds_limit', help='Only run proofs with expected runtime less than this value', required=False, default=60)
 parser.add_argument('--skip', nargs='+', help='Space-separated list of .tla modules to skip checking', required=False, default=[])
 parser.add_argument('--only', nargs='+', help='If provided, only check proofs in this space-separated list', required=False, default=[])
 parser.add_argument('--verbose', help='Set logging output level to debug', action='store_true')
@@ -22,46 +24,70 @@
 manifest = tla_utils.load_all_manifests(examples_root)
 skip_modules = args.skip
 only_modules = args.only
+hard_timeout_in_seconds = args.runtime_seconds_limit * 2
 
 logging.basicConfig(level = logging.DEBUG if args.verbose else logging.INFO)
 
-proof_module_paths = [
-    module['path']
-    for path, spec in manifest
-    for module in spec['modules']
-        if 'proof' in module['features']
-        and module['path'] not in skip_modules
-        and (only_modules == [] or module['path'] in only_modules)
-]
+proof_module_paths = sorted(
+    [
+        (manifest_dir, spec, module, runtime)
+        for manifest_dir, spec in manifest
+        for module in spec['modules']
+        if 'proof' in module
+            and (runtime := tla_utils.parse_timespan(module['proof']['runtime'])) < timedelta(seconds = args.runtime_seconds_limit)
+            and module['path'] not in skip_modules
+            and (only_modules == [] or module['path'] in only_modules)
+    ],
+    key = lambda m : m[3]
+)
 
 for path in skip_modules:
     logging.info(f'Skipping {path}')
 
 success = True
 tlapm_path = join(tlapm_path, 'bin', 'tlapm')
-for module_path in proof_module_paths:
+for manifest_dir, spec, module, expected_runtime in proof_module_paths:
+    module_path = module['path']
     logging.info(module_path)
     start_time = timer()
-    module_path = tla_utils.from_cwd(examples_root, module_path)
-    module_dir = dirname(module_path)
-    tlapm = subprocess.run(
+    full_module_path = tla_utils.from_cwd(examples_root, module_path)
+    module_dir = dirname(full_module_path)
+    tlapm_result = subprocess.run(
         [
-            tlapm_path, module_path,
+            tlapm_path, full_module_path,
             '-I', module_dir,
             '--stretch', '5'
         ],
-        stdout=subprocess.PIPE,
-        stderr=subprocess.STDOUT,
-        text=True
+        stdout  = subprocess.PIPE,
+        stderr  = subprocess.STDOUT,
+        text    = True,
+        timeout = hard_timeout_in_seconds
     )
     end_time = timer()
-    logging.info(f'Checked proofs in {end_time - start_time:.1f}s')
-    if tlapm.returncode != 0:
-        logging.error(f'Proof checking failed in {module_path}:')
-        logging.error(tlapm.stdout)
-        success = False
-    else:
-        logging.debug(tlapm.stdout)
+    actual_runtime = timedelta(seconds = end_time - start_time)
+    match tlapm_result:
+        case subprocess.CompletedProcess():
+            output = ' '.join(tlapm_result.args) + '\n' + tlapm_result.stdout
+            logging.info(f'Checked proofs in {tla_utils.format_timespan(actual_runtime)} vs. {tla_utils.format_timespan(expected_runtime)} expected')
+            if tlapm_result.returncode != 0:
+                logging.error(f'Proof checking failed for {module_path}:')
+                logging.error(output)
+                success = False
+            else:
+                if 'proof' not in module or module['proof']['runtime'] == 'unknown':
+                    module['proof'] = { 'runtime' : tla_utils.format_timespan(actual_runtime) }
+                    manifest_path = join(manifest_dir, 'manifest.json')
+                    tla_utils.write_json(spec, manifest_path)
+                logging.debug(output)
+        case subprocess.TimeoutExpired():
+            logging.error(f'{module_path} hit hard timeout of {hard_timeout_in_seconds} seconds')
+            args, _ = tlapm_result.args
+            output = ' '.join(args) + '\n' + tlapm_result.stdout
+            logging.error(output)
+            success = False
+        case _:
+            logging.error(f'Unhandled TLAPM result type {type(tlapm_result)}: {tlapm_result}')
+            success = False
 
 exit(0 if success else 1)
 

.github/scripts/generate_manifest.py

@@ -35,9 +35,20 @@ def get_tla_files(examples_root, dir_path):
     Gets paths of all .tla files in the given directory, except for error
     trace specs.
     """
-    return [
-        path for path in glob.glob(f'{dir_path}/**/*.tla', root_dir=examples_root, recursive=True)
+    return sorted(
+        path
+        for path in glob.glob(f'{dir_path}/**/*.tla', root_dir=examples_root, recursive=True)
         if '_TTrace_' not in path
+    )
+
+def get_tla_file_features(examples_root, dir_path, parser, queries):
+    """
+    Gets paths of all .tla files in a given directory, along with their
+    features.
+    """
+    return [
+        (path, get_module_features(examples_root, path, parser, queries))
+        for path in get_tla_files(examples_root, dir_path)
     ]
 
 def get_cfg_files(examples_root, tla_path):
@@ -73,7 +84,7 @@ def generate_new_manifest(examples_root, spec_path, spec_name, parser, queries):
             {
                 'path': tla_utils.to_posix(tla_path),
                 'communityDependencies': sorted(list(get_community_module_imports(examples_root, parser, tla_path, queries))),
-                'features': sorted(list(get_module_features(examples_root, tla_path, parser, queries))),
+                'features': sorted(list(module_features - {'proof'})),
                 'models': [
                     {
                         'path': tla_utils.to_posix(cfg_path),
@@ -83,8 +94,8 @@ def generate_new_manifest(examples_root, spec_path, spec_name, parser, queries):
                     }
                     for cfg_path in sorted(get_cfg_files(examples_root, tla_path))
                 ]
-            }
-            for tla_path in sorted(get_tla_files(examples_root, spec_path))
+            } | ({'proof' : {'runtime': 'unknown'}} if 'proof' in module_features else {})
+            for tla_path, module_features in get_tla_file_features(examples_root, spec_path, parser, queries)
         ]
     }
 
@@ -107,9 +118,13 @@ def find_corresponding_module(old_module, new_spec):
     return modules[0] if any(modules) else None
 
 def integrate_module_info(old_module, new_module):
-    fields = []
-    for field in fields:
+    required_fields = []
+    for field in required_fields:
         new_module[field] = old_module[field]
+    optional_fields = ['proof']
+    for field in optional_fields:
+        if field in old_module:
+            new_module[field] = old_module[field]
 
 def find_corresponding_model(old_model, new_module):
     models = [

.github/scripts/tla_utils.py

@@ -108,6 +108,17 @@ def parse_timespan(unparsed):
     pattern = '%H:%M:%S'
     return timedelta.max if unparsed == 'unknown' else datetime.strptime(unparsed, pattern) - datetime.strptime('00:00:00', pattern)
 
+def format_timespan(t):
+    """
+    Formats the given timedelta into a HH:MM:SS string. If a timespan of
+    nonzero length, rounds up to minimum of one second.
+    """
+    if t < timedelta(seconds = 1):
+        return '00:00:01' if t > timedelta.min else '00:00:00'
+    else:
+        seconds = int(t.total_seconds())
+        return f'{seconds // 3600:02d}:{seconds % 3600 // 60:02d}:{seconds % 3600 % 60:02d}'
+
 def get_run_mode(mode):
     """
     Converts the model run mode found in manifest.json into TLC CLI

.github/workflows/CI.yml

@@ -136,23 +136,9 @@ jobs:
       - name: Check proofs
         if: matrix.os != 'windows-latest' && !matrix.unicode
         run: |
-          SKIP=(
-            # Long-running; see https://github.com/tlaplus/tlapm/issues/85
-            specifications/ewd998/EWD998_proof.tla
-            specifications/Bakery-Boulangerie/Bakery.tla
-            specifications/Bakery-Boulangerie/Boulanger.tla
-            specifications/LoopInvariance/Quicksort.tla
-            specifications/LoopInvariance/SumSequence.tla
-            specifications/lamport_mutex/LamportMutex_proofs.tla
-            specifications/bcastByz/bcastByz.tla
-            # specifications/MisraReachability/ReachabilityProofs.tla
-            specifications/byzpaxos/VoteProof.tla
-            specifications/byzpaxos/BPConProof.tla # Takes about 30 minutes
-          )
           python $SCRIPT_DIR/check_proofs.py       \
             --tlapm_path $DEPS_DIR/tlapm           \
-            --examples_root .                      \
-            --skip "${SKIP[@]}"
+            --examples_root .
       - name: Smoke-test manifest generation script
         run: |
           python $SCRIPT_DIR/generate_manifest.py \

CONTRIBUTING.md

@@ -45,6 +45,8 @@ Steps:
    - Spec authors: a list of people who authored the spec
    - Spec tags:
      - `"beginner"` if your spec is appropriate for TLA⁺ newcomers
+   - Module proof runtime: if module contains formal proofs, record the approximate time necessary to check the proofs with TLAPM on an ordinary workstation; add `"proof" : { "runtime" : "HH:MM:SS" }` to the module fields at the same level as the `communityDependencies` and `models`
+     - If less than one minute, proof will be checked in its entirety by the CI
    - Model runtime: approximate model runtime on an ordinary workstation, in `"HH:MM:SS"` format
      - If less than 30 seconds, will be run in its entirety by the CI; otherwise will only be smoke-tested for 5 seconds
    - Model mode:
@@ -68,7 +70,7 @@ Steps:
    - A checkmark indicating whether the spec is appropriate for beginners
      - Checked IFF (if and only if) `beginner` is present in the `tags` field of your spec in `manifest.json`
    - A checkmark indicating whether the spec contains a formal proof
-     - Checked IFF a `proof` tag is present in the `features` field of least one module under your spec in `manifest.json`
+     - Checked IFF `proof` runtime details are present in at least one module under your spec in `manifest.json`
    - A checkmark indicating whether the spec contains PlusCal
      - Checked IFF a `pluscal` tag is present in the `features` field of least one module under your spec in `manifest.json`
    - A checkmark indicating whether the spec contains a TLC-checkable model

manifest-schema.json

@@ -29,14 +29,25 @@
           },
           "features": {
             "type": "array",
-            "items": {"enum": ["pluscal", "proof", "action composition"]}
+            "items": {"enum": ["pluscal", "action composition"]}
+          },
+          "proof": {
+            "type": "object",
+            "required": ["runtime"],
+            "additionalProperties": false,
+            "properties": {
+              "runtime": {
+                "type": "string",
+                "pattern": "^(([0-9][0-9]:[0-9][0-9]:[0-9][0-9])|unknown)$"
+              }
+            }
           },
           "models": {
             "type": "array",
             "items": {
               "type": "object",
-              "additionalProperties": false,
               "required": ["path", "runtime", "mode", "result"],
+              "additionalProperties": false,
               "properties": {
                 "path": {"type": "string"},
                 "runtime": {
@@ -53,13 +64,13 @@
                     },
                     {
                       "type": "object",
-                      "additionalProperties": false,
                       "required": ["simulate"],
+                      "additionalProperties": false,
                       "properties": {
                         "simulate": {
                           "type": "object",
-                          "additionalProperties": false,
                           "required": ["traceCount"],
+                          "additionalProperties": false,
                           "properties": {
                             "traceCount": {"type": "number"}
                           }

specifications/Bakery-Boulangerie/manifest.json

@@ -10,19 +10,23 @@
       "path": "specifications/Bakery-Boulangerie/Bakery.tla",
       "communityDependencies": [],
       "features": [
-        "pluscal",
-        "proof"
+        "pluscal"
       ],
-      "models": []
+      "models": [],
+      "proof": {
+        "runtime": "00:00:01"
+      }
     },
     {
       "path": "specifications/Bakery-Boulangerie/Boulanger.tla",
       "communityDependencies": [],
       "features": [
-        "pluscal",
-        "proof"
+        "pluscal"
       ],
-      "models": []
+      "models": [],
+      "proof": {
+        "runtime": "00:00:01"
+      }
     },
     {
       "path": "specifications/Bakery-Boulangerie/MCBakery.tla",

specifications/FiniteMonotonic/manifest.json

@@ -20,10 +20,11 @@
     {
       "path": "specifications/FiniteMonotonic/CRDT_proof.tla",
       "communityDependencies": [],
-      "features": [
-        "proof"
-      ],
-      "models": []
+      "features": [],
+      "models": [],
+      "proof": {
+        "runtime": "00:00:01"
+      }
     },
     {
       "path": "specifications/FiniteMonotonic/DistributedReplicatedLog.tla",