Merge pull request #3255 from apalache-mc/igor/variants3248

konnov · web-flow · commit 4064dfa4c398 · 2026-01-29T13:11:33.000+01:00
Make Variants compatible with TLC
diff --git a/.unreleased/bug-fixes/tlc3255.md b/.unreleased/bug-fixes/tlc3255.md
@@ -0,0 +1 @@
+Make Variants compatible with TLC (#3255)
diff --git a/Makefile b/Makefile
@@ -39,6 +39,7 @@ test-coverage:
 # Run the integration tests
 integration: package
 	test/mdx-test.py --debug "$(TEST_FILTER)"
+	test/mdx-test.py --test_file=test/tla/tlc-integration-tests.md --debug "$(TEST_FILTER)"
 
 # Generate fixtures needed to test quint integration
 quint-fixtures: tla-io/src/test/resources/tictactoe.json tla-io/src/test/resources/clockSync3.json test/tla/booleans.qnt.json
diff --git a/src/tla/Apalache.tla b/src/tla/Apalache.tla
@@ -8,7 +8,8 @@
  * encoded inside Apalache. For the moment, these operators are mirrored in
  * the class at.forsyte.apalache.tla.lir.oper.ApalacheOper.
  *                                                                          
- * Igor Konnov, Jure Kukovec, Informal Systems 2020-2022                    
+ * Igor Konnov, Jure Kukovec, Informal Systems 2020-2022
+ * Igor Konnov, konnov.phd, 2026
  *)
 
 (**
@@ -77,6 +78,9 @@ SetAsFun(__S) ==
 LOCAL INSTANCE Integers
 MkSeq(__N, __F(_)) ==
     \* This is the TLC implementation. Apalache does it differently.
+    \* If __F is not defined on i \in 1..__N, TLC fails.
+    \* Apalache evaluates symbolically. This is why definitions
+    \* like `FunAsSeq` work.
     [ __i \in (1..__N) |-> __F(__i) ]
 
 \* required by our default definition of FoldSeq and FunAsSeq
diff --git a/src/tla/Variants.tla b/src/tla/Variants.tla
@@ -9,6 +9,7 @@
  * variants.
  *
  * Igor Konnov, Informal Systems, 2021-2022
+ * Igor Konnov, konnov.phd, 2026
  *)
 
 (**
@@ -32,8 +33,9 @@ UNIT == "U_OF_UNIT"
  *   (Str, a) => Tag(a) | b
  *)
 Variant(__tagName, __value) ==
-    \* default untyped implementation
-    [ tag |-> __tagName, value |-> __value ]
+    \* Default untyped implementation.
+    \* See the discussion in https://github.com/tlaplus/tlaplus/pull/1284
+    [ t \in { __tagName } |-> __value ]
 
 (**
  * Filter a set of variants with the provided tag value.
@@ -48,7 +50,7 @@ Variant(__tagName, __value) ==
  *)
 VariantFilter(__tagName, __S) ==
     \* default untyped implementation
-    { __d.value : __d \in { __e \in __S: __e.tag = __tagName } }
+    { __f[__tagName]: __f \in { __e \in __S: __tagName \in DOMAIN __e } }
 
 (**
  * Get the tag name that is associated with a variant.
@@ -62,7 +64,7 @@ VariantFilter(__tagName, __S) ==
  *)
 VariantTag(__variant) ==
     \* default untyped implementation
-    __variant.tag
+    CHOOSE __tag \in DOMAIN __variant: TRUE
 
 (**
  * Return the value associated with the tag, when the tag equals to __tagName.
@@ -79,8 +81,8 @@ VariantTag(__variant) ==
  *)
 VariantGetOrElse(__tagName, __variant, __defaultValue) ==
     \* default untyped implementation
-    IF __variant.tag = __tagName
-    THEN __variant.value
+    IF __tagName \in DOMAIN __variant
+    THEN __variant[__tagName]
     ELSE __defaultValue
 
 
@@ -100,6 +102,6 @@ VariantGetOrElse(__tagName, __variant, __defaultValue) ==
  *)
 VariantGetUnsafe(__tagName, __variant) ==
     \* the default untyped implementation
-    __variant.value
+    __variant[__tagName]
 
 ===============================================================================
diff --git a/test/tla/TestApalache.tla b/test/tla/TestApalache.tla
@@ -0,0 +1,177 @@
+---------------------------- MODULE TestApalache -----------------------------
+(*
+ * Test the module Apalache against TLC.
+ *
+ * Igor Konnov, 2026
+ *)
+
+EXTENDS Sequences, Integers, Apalache
+
+VARIABLE
+    \* This is needed for TLC to work
+    \* @type: Int;
+    xxx
+
+Init == xxx = 0
+Next == UNCHANGED xxx
+
+(********************* DEFINITIONS ********************************)
+\* @type: Seq(Int);
+seq345 == <<3, 4, 5>>
+
+\* @type: Seq(Int);
+seqEmpty == <<>>
+
+\* @type: Seq(Int);
+seq26970 == <<2, 6, 9, 7, 0>>
+
+Add(i, j) == i + j
+
+IsOdd(i) == i % 2 = 1
+
+Concat(s, t) == s \o t
+
+\* The set { 1, 2, 3, 5, 6, 7 }
+\* that has duplicates in its internal representation
+Set123567 ==
+    LET one == 1 IN
+    LET two == 2 IN
+    LET three == one + two IN
+    \* 3 and three are equal but the set constructor will miss that
+    { one, two, 3, three, three, 5, 6, 7, 7 }
+
+\* The set { 1, 3, 5, 7 }
+\* that has ghost cells 2, 6 in its internal representation
+Set1357 ==
+    { i \in Set123567: i % 2 /= 0 }
+
+\* The set { 2, 6 }
+\* that has ghost cells 1, 3, three, 5 in its internal representation
+Set26 ==
+    { i \in Set123567: i % 2 = 0 }
+
+\* The set { 2, 3, 6 }
+\* that has ghost cells 1, 3, three, 5 and non-ghost cells 2, 3, 6
+Set263 ==
+    Set26 \union { 3 }
+
+SetEmpty ==
+    \* create an empty set yet avoiding constant propagation
+    LET x == 1 IN
+    { 1 } \ { x }
+
+(********************* TESTS ********************************)
+
+TestFoldSeq26970 ==
+    ApaFoldSeqLeft(Add, 0, seq26970) = 2 + 6 + 9 + 7
+
+TestFoldSeq697 ==
+    ApaFoldSeqLeft(Add, 0, SubSeq(seq26970, 2, 4)) = 6 + 9 + 7
+
+TestFoldSeq345 ==
+    ApaFoldSeqLeft(Add, 0, Tail(seq345)) = 4 + 5
+
+TestFoldSeqEmpty ==
+    ApaFoldSeqLeft(Add, 0, seqEmpty) = 0
+
+TestFoldSeqFlatten ==
+    ApaFoldSeqLeft(Concat, <<>>, <<seq345, seqEmpty, seq26970>>) = <<3, 4, 5, 2, 6, 9, 7, 0>>
+
+TestMkSeqDouble ==
+    LET Double(i) == 2 * i IN
+    MkSeq(4, Double) = <<2, 4, 6, 8>>
+
+TestMkSeqEmpty ==
+    LET Double(i) == 2 * i IN
+    MkSeq(0, Double) = << >>
+
+TestMkSeqConcat ==
+    LET Double(i) == 2 * i IN
+    LET Triple(i) == 3 * i IN
+    MkSeq(2, Double) \o MkSeq(3, Triple) = <<2, 4, 3, 6, 9>>
+
+TestMkSeqSubSeq ==
+    LET Triple(i) == 3 * i IN
+    SubSeq(MkSeq(5, Triple), 2, 3) = <<6, 9>>
+
+TestMkSeqLen ==
+    LET Double(i) == 2 * i IN
+    Len(MkSeq(4, Double)) = 4
+
+TestMkSeqFold ==
+    LET Double(i) == 2 * i IN
+    ApaFoldSeqLeft(Add, 0, MkSeq(4, Double)) = 20
+
+TestFoldSeqOverSelectSeq ==
+    ApaFoldSeqLeft(Add, 0, SelectSeq(seq345, IsOdd)) = 3 + 5
+
+TestFunAsSeq3 ==
+    LET f == [ i \in 1..3 |-> i + 1 ] IN
+    FunAsSeq(f, 3, 3) = <<2, 3, 4>>
+
+TestFunAsSeqEmpty ==
+    LET
+        \* @type: Int -> Int;
+        f == [ i \in {} |-> i ]
+    IN
+    FunAsSeq(f, 0, 0) = << >>
+
+\* TLC fails here, so we do not include this test
+TestFunAsSeqLargerCapacity ==
+    LET f == [ i \in 1..3 |-> i + 1 ] IN
+    \* provide a larger upper bound
+    FunAsSeq(f, 3, 10) = <<2, 3, 4>>
+
+TestGuessSet ==
+    LET S ==
+        Guess({ T \in { SetEmpty, Set263, Set1357 }: 6 \in T })
+    IN
+    S = Set263
+
+TestGuessSetFromTwo ==
+    LET S ==
+        Guess({ T \in { SetEmpty, Set263, Set1357 }: 3 \in T })
+    IN
+    S \in { Set263, Set1357 }
+
+TestGuessInSingleton ==
+    LET x == Guess({ 3 }) IN
+    x = 3
+
+TestGuessEmpty ==
+    LET x == Guess(SetEmpty) IN
+    \* This expression is equivalent to TRUE.
+    \* We are using to avoid constant simplification of TRUE.
+    x <= 0 \/ x > 0
+
+TestApaFoldSet ==
+    LET \* @type: (Set(Int), Int) => Set(Int);
+        A(p,q) == p \union {q}
+    IN
+    ApaFoldSet( A, {4,4}, {1,1,2,2,3,3} ) = {1,2,3,4}
+
+\* this test is a disjunction of all smaller tests
+AllTests ==
+    /\ TestFoldSeq26970
+    /\ TestFoldSeq697
+    /\ TestFoldSeq345
+    /\ TestFoldSeqEmpty
+    /\ TestFoldSeqFlatten
+    /\ TestFoldSeqOverSelectSeq
+    /\ TestMkSeqDouble
+    /\ TestMkSeqEmpty
+    /\ TestMkSeqConcat
+    /\ TestMkSeqSubSeq
+    /\ TestMkSeqLen
+    /\ TestMkSeqFold
+    /\ TestFunAsSeq3
+    /\ TestFunAsSeqEmpty
+    /\ TestGuessSet
+    /\ TestGuessSetFromTwo
+    /\ TestGuessInSingleton
+    /\ TestApaFoldSet
+    \* TLC fails here
+    \*/\ TestGuessEmpty
+    \*/\ TestFunAsSeqLargerCapacity
+
+===============================================================================
diff --git a/test/tla/TestVariants.tla b/test/tla/TestVariants.tla
@@ -2,12 +2,20 @@
 (*
  * Functional tests for operators over variants.
  * We introduce a trivial state machine and write tests as state invariants.
+ *
+ * Igor Konnov, Informal Systems, 2022
+ * Igor Konnov, konnov.phd, 2026
  *)
 
 EXTENDS Integers, FiniteSets, Apalache, Variants
 
-Init == TRUE
-Next == TRUE
+VARIABLE
+    \* This is needed for Apalache to work
+    \* @type: Int;
+    x
+
+Init == x = 0
+Next == UNCHANGED x
 
 (* DEFINITIONS *)
 
@@ -38,7 +46,11 @@ TestVariantTag ==
 
 TestVariantGetUnsafe ==
     \* The unsafe version gives us only a type guarantee.
-    VariantGetUnsafe("A", VarB) \in Int
+    /\ VariantGetUnsafe("A", VarA) = 1
+    \* TLC fails on the expression below.
+    \* Apalache works, as the second condition holds true.
+    \*/\ \/ VariantTag(VarB) = "A"
+    \*   \/ VariantGetUnsafe("B", VarB) \in Int
 
 TestVariantGetOrElse ==
     \* When the tag name is different from the actual one, return the default value.
diff --git a/test/tla/test.cfg b/test/tla/test.cfg
@@ -0,0 +1,3 @@
+INIT Init
+NEXT Next
+INVARIANT AllTests
diff --git a/test/tla/tlc-integration-tests.md b/test/tla/tlc-integration-tests.md

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Make Variants compatible with TLC (#3255)`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+INIT Init`
	`2`	`+NEXT Next`
	`3`	`+INVARIANT AllTests`