Missing assignments

[timimin]

Hello, all.

Finally I've managed to type all expressions and operators in my specs, and replaced all recursive operators by FoldSet (FoldSeq) . Static analyzer produces no errors. TLC works fine on my model.
But Apalache still doesn't work ))). This time it fails on stage #9

Please help.
specs.zip

Thanks in advance.

[Kukovec]

TLC only cares about assignments as it explores a branch of execution, whereas Apalache requires that all possible syntactic branches have guaranteed assignments (even if they're unreachable), which is why there's often a discrepancy.

In your particular instance, it's the use of CASE. Apalache does not support CASE-as-control-flow, and won't look for assignments inside. The reason for this is that it is possible to "overlap" cases, unlike ITE. See here for a more detailed explanation of assignments.

As for a solution, you should be able to replace CASE p1 -> q1 [] ... [] pn -> qn with

\/ /\ p1
   /\ q1 
...
\/ /\ pn
   /\ qn

[timimin]

Hello. Happy New Year!
Still not working... And even more questions appeared. Rely on your help ). I understand it's better to fully comprehend the technology before starting to use it. But I'm really eager to find first if Apalache can increase the performance of invariant safety checking for my project. I've spent already a lot of time transforming initial specs to the form admissible by Apalache (added type annos, eliminated recursive operators and lambdas, substituted CASE control flow constructions with lor and land equivalents).
So...

1. It seems that I've replaced all CASE control flow statements with lors and lands. The only CASEs remained are expressions which seems to have nothing to do with assignments. The missing assignment problem (stage # 9) didn't disappear. I carefully checked that assignment to each variable occurs at least once in each slice. Again I've successfully verified the updated specs with TLC (just in case).

2. When i changed the CASE-style dispatch operator with the one recommended i found that one disjunct produces lor and land precedence problem (it is commented bellow):

dispatch(id,st) ==
	LET 
	   \* @type:[pc: <<Str, Str>>, fp: Int];
	   h == 
	       Head(st)
	IN
      \/ /\ h.pc[1] = "p_submit_paper" 
         /\ Sessions[id]["SessionM"] = <<>>
            /\ p_submit_paper_load (id)
            /\ Trace' := Append(Trace,<<id,"p_submit_paper_load">>)
      \/ /\ h.pc[1] = "p_submit_paper" 
         /\ Sessions[id]["SessionM"] # <<>> 
		    /\ p_submit_paper(id,st)     
      ...
	  (*\/ /\ h.pc[1] = "p_allocate" 
         /\ Sessions[id]["SessionM"] = <<>> 
            /\ p_allocate_load(id)
            /\ Trace' := Append(Trace, <<id, "p_allocate_load">>)
	  *)
      \/ /\ h.pc[1] = "p_allocate" 
         /\ Sessions[id]["SessionM"] # <<>> 
		    /\ p_allocate(id,st)		 
      \/ /\ h.pc[1] = "f_get_section_program" 
         /\ Sessions[id]["SessionM"] = <<>> 
      ...

Can not understand why it is so. It looks pretty much the same as dozen of other disjuncts...

3. Finally i decided to maximally simplify the spec

...
Next_test == UNCHANGED vars

\*SpecFS == Init /\ [] [Next]_vars 

SpecFS == Init /\ [] [Next_test]_vars

This time it gives an error on stage # 12 :
Operator t_6l$1 has a parameterized type, while polymorphism is disabled:

I believe it happens because of some of these kind of operators :

\* @type: ((a190 -> a191), (a190 -> a191)) => (a190 -> a191);
f @@ g == [x \in (DOMAIN f) \cup (DOMAIN g) |->
            IF x \in DOMAIN f THEN f[x] ELSE g[x]]

Thanks in advance.

ConferenceProcFS_final.tla is the main spec

specs01.zip

[Kukovec]

1. It seems that I've replaced all CASE control flow statements with  lors and lands. The only CASEs remained are expressions which seems to have nothing to do with assignments. The missing assignment problem (stage # 9) didn't disappear. I carefully checked that assignment to each variable occurs at least once in each slice. Again I've successfully verified the updated specs with TLC (just in case).

I've taken a more thorough look at the spec, and the tool is right to complain in this case, but I'm not surprised this was hard to catch.
The reason is the following code (and others like it) in dispatch:

      \/ /\ h.pc[1] = "p_submit_paper" 
         /\ Sessions[id]["SessionM"] = <<>>
         /\ p_submit_paper_load (id) \* <--- HERE
         /\ Trace' := Append(Trace,<<id,"p_submit_paper_load">>)

I assume your thought process was as follows: p_submit_paper_load defines primes for all variables except Trace, so conjoined with the like Trace' := ..., all variables are assigned. Except that is not the case. If you look at the definition of p_submit_paper_load, you see:

p_submit_paper_load (id) ==
    IF ...
    THEN ...       
    ELSE UNCHANGED vars

Because vars is the tuple of all variables, including Trace, the assignment solver detects an imbalance: one branch of ITE assigns to Trace (else) and one does not (then). Since the assignment solver considers conjunctions in syntax order, by the time it would have considered the Trace' =... in dispatch, it has already found lacking assignment coverage. The solution is to change UNCHANGED vars in all the sub-methods of dispatch to UNCHANGED varsNoTrace, where varsNoTrace is a tuple containing all the variables except Trace.

Also on the topic of assignments, I saw that your Next is defined as:

Next == 
        \/  ...
        \/ \A  s \in S : 
            /\ Sessions[s]["StateRegs"] = <<>>
            /\ UNCHANGED vars

In Apalache, assignments are never under \A quantifiers, so you might want to rewrite it to

Next == 
        \/  ...
        \/ /\ \A s \in S : Sessions[s]["StateRegs"] = <<>>
           /\ UNCHANGED vars 
           

2. When i changed the CASE-style dispatch operator with the one recommended i found that one disjunct produces lor and land precedence problem (it is commented bellow):

From what I can tell, the issue is that some lines are indented with spaces and some with tab characters. SANY, the parser (which we don't control), is quite picky with whitespace, so your best bet is probably to convert all tabs to spaces. I'd also suggest aligning /\ in cases like

      \/ /\ h.pc[1] = "p_submit_paper" 
         /\ Sessions[id]["SessionM"] = <<>>
            /\ p_submit_paper_load (id)
            /\ Trace' := Append(Trace,<<id,"p_submit_paper_load">>)

though such indents shouldn't cause problems.

3. Finally i decided to maximally simplify the spec

...
Next_test == UNCHANGED vars

\*SpecFS == Init /\ [] [Next]_vars 

SpecFS == Init /\ [] [Next_test]_vars

This time it gives an error on stage # 12 : Operator t_6l$1 has a parameterized type, while polymorphism is disabled:

I couldn't reproduce this one, can you post the exact CLI call? Or maybe upgrade to the latest version and try again.

[timimin]

Thanks a lot for your time. I guess how much time it might take scrutinizing one's specification. It's obvious i would have never found the solution myself (though i read about the balance).

The second issue occurred due to tab characters as you guessed ).

As for the polymorphic types... I've upgraded to the version 0_19 (it was o_16) and now it produces:

Found a polymorphic type: Set((Str -> a3087))                     E@23:03:25.495
Probable causes: an empty set { } needs a type annotation or an incorrect record field is used E@23:03:25.495
Paralocks.tla:235:38-235:38: type input error: Found a polymorphic type: Set((Str -> a3087)) E@23:03:25.546

i added a type anno:

substMap4(uu, u) == 
	LET
		substMap4_OP(x,y) == x \cup {[u1 \in uu |-> y]}
	IN
                IF uu = {} 
                    THEN 
					\* @type: Set(U -> U);
					{}
                    ELSE
                        FoldSet(substMap4_OP,{[u1 \in uu |-> u1]}, u)         

but it didn't take an effect. Though i have not thought about it much. If you have any ideas... it would be of great help as usual.

The exact cli is

java -jar -jar /home/user-sc/apalache/apalache_0_19/apalache/mod-distribution/target/apalache-pkg-0.19.0-full.jar check --config=/home/user-sc/apalache/apalache_0_19/plif/MC.cfg /home/user-sc/apalache/apalache_0_19/apalache/plif/ConferenceProcFS_final.tla

Thanks in advance.
specs02.zip

[Kukovec]

I tried running your specs with both v0.17 and v0.19, and both times I get no type error and the checker goes to pass 13, so I can't reproduce the above.
I was going to suggest annotating the substMap4 declaration (annotating the set does nothing), but it is already annotated in the zip. The line number in the exception corresponds to the declaration of substMap4_OP, which has no annotation (neither in the above example, nor in the zip), so the best advice I can give is to try with:

\* @type: (Set(U), Set(U)) => Set(U -> U);
substMap4(uu, u) == 
    LET
        \* @type: ( Set(U -> U), U ) => Set(U -> U);
        substMap4_OP(x,y) == x \cup {[u1 \in uu |-> y]}
    IN ...

[timimin]

Very strange (. Checked everything a number of times.

1. Downloaded apalache 0_19

https://github.com/informalsystems/apalache/releases

2. unziped my specs02.zip into plif_spec and made plif_spec the current folder in cli

cd ./apalache_0_19/apalache/plif_spec

3. launched apalache for ConferenceProcFS_final.tla

java -jar /home/user-sc/apalache_0_19/apalache/mod-distribution/target/apalache-pkg-0.19.0-full.jar check --config=MC.cfg ConferenceProcFS_final.tla

4. Got the error as described above (The same error appears in version 0_17).

Adding the anno to substMap4_OP

\* @type: ( Set(U -> U), U ) => Set(U -> U);
        substMap4_OP(x,y) == x \cup {[u1 \in uu |-> y]}

gives

If for you it goes to stage #13... then you see the invariant violation?

[Kukovec]

Hmm, the only other thing I see us doing differently is that I build from source whereas you use the jar. Can you try cloning unstable, running
mvn install -DskipTests
and calling
<DIR>/bin/apalache-mc check ConferenceProcFS_final.tla ? I don't expect this to work differently, but lets try to eliminate variables.

[timimin]

Short of a miracle. This time i built it from source.

git clone https://github.com/informalsystems/apalache.
mvn install -DskipTests

user-sc@usersc-Nitro:~/apalache_unstable/plif_spec$ /home/user-sc/apalache_unstable/apalache/bin/apalache-mc check --config=MC.cfg ConferenceProcFS_final.tla

version 0.19.1. All specs are from my last archive spec02.zip

Please, any guess (((

[Kukovec]

I'm currently on vacation, but I'll be back to my standard dev environment by Monday, unfortunately I can't offer too much help before then. Let me know if this project is time-sensitive, and I can try to find someone on our team who is available sooner, otherwise I'll try to get to the bottom of this when I'm back.

[timimin]

Oh, sorry. Have a nice vacation! Certainly i will wait for you. It is not time-sensitive.

I have just managed to get to the next stage #13 ... after i removed --config=MC.cfg (or equivalently --init=Init --next=Next --inv=ParalocksInv). But certainly its not the solution.

Thank you very much. Later (if it is interesting) i will write more about our perspective project and why we pin our hopes on apalache.

[timimin]

Hi. If you have time to help i describe the progress I've made in the remainder of the post.

First of all I've finally succeeded in making a spec which successfully passes all preliminary checks and make it to the stage # 13.
After that as it had been expected i faced the situation when the system seemed to be incapable of handling (verifying the satisfiability of) all constraints generated (.
May be some optimization could be applied. Or systems with huge states (even with relatively small number of states) don't fit...

As result i have the spec simplified to some small part of the desired transitions which is successfully played by TLC (few seconds) and leads to resource exhaustion (if killed message means so) when launched by Apalache.

In the archive i put the ready to start specs (in both TLC and Apalache).

To understand better let me briefly describe the scenario.

We are developing the information flow control mechanism for pl/sql blocks (db stored procedures). The idea is simple: values from high sensitive sources can not flow to low sensitive sinks. Something like taint tracking but much more stronger.
Sensitivity levels are described by the non trivial lattice (not just {high, low} set).
Sources and sinks are different elements (constants, variables, exceptions, table columns etc) of the evaluation environment. Each statement leads to information flow described by the predefined abstract semantics.

Information flow control is actively embedded into programming platforms. Thus the task described is usually solved using SAST or DAST. This approach though implies code markup
(via annotations or comments or even security types). The analysis results requires interpretation which is hard.

So we are trying to shift IFC problem into the area of formal verification. DB blocks seems to be appropriate platform. The are relatively small, don't include redundant algorithms, we can leverage dependency control mechanism (standard in dbs) for extracting restricted number of procedures which have something to do with sensitive data processing.

So we have developed plsql2tla utility. Our specs implement information flow abstract semantics in multi-session db environment.

The simplified specs (ConferenceProcFS_final is the main) work as follows.
We have just one session S == {"allen"} and restrict ourself to only one procedure:

pc_start ==              
                 {<<"p_add_paper", "lbl_4">>(*,
                  <<"p_submit_paper", "lbl_4">>,
                  <<"p_change_status", "lbl_4">>,
                  <<"f_is_accepted", "lbl_5">>,
                  <<"p_allocate","lbl_7">>,
                  <<"f_get_paper","lbl_5">>,
                  <<"f_get_section_program","lbl_5">>*)}

the first transition leads us through dispatch compound operator to p_add_paper_load (id) operator.
Then the local dispatcher

p_add_paper(id,st)  ==    
	LET 
	   \* @type:[pc: <<Str, Str>>, fp: Int];
	   h == 
	       Head(st)
	IN  
        \/ /\ h.pc[2] = "lbl_4"
		   /\ p_add_paper4(id)
        \/ /\ h.pc[2]   = "exit"
		   /\ p_add_paper_exit(id)        
        \/ /\ ~(h.pc[2] \in {"lbl_4", "exit"})
           /\ UNCHANGED vars

sequentially forwards the system to new states via p_add_paper4, p_add_paper_exit operators.

RuntimeFS implements the rules of the abstract semantics such as insert (in our case). The rules update security labels of env elements (vars, columns etc) and fill New2Old structure which is used by the security invariant.

ParametersFS holds security labels of formal arguments and other parameters.
ParalocksFS implements the lattice and extra operations on labels (policies).

The fact is TLC replays the model (invariant disabled) with three parallel sessions and all procedures (7 plsql blocks) in 6 seconds (on my laptop) > 100000 states.

But Apalache dies with just one session and one proc (3 states). Unfortunately in TLC performance dramatically falls with the number of sessions, i.e increasing the sessions number to 5 leads to 20 m delay (with the same tlc settings).

I read that Apalache is not yet optimized well for sequences which are hardly used in our specs...

Any help would be appreciated.

Thanks.

specs_simplified_universal.zip

[Kukovec]

Hi @timimin, I've started looking into your specs, and I'm in the middle of compiling a list of suggestions/strategies (e.g. "replace pattern X with Y", and the like), which should help performance. I should hopefully have a rewritten version of Paralocks.tla for you by tomorrow or Wednesday, with comments on what causes performance issues in that file and rewritings of problematic expressions which work well with Apalache (it's not really about sequences). You should be able to extrapolate to tweak the rest.
In the meantime, if you're experiencing java.lang.OutOfMemoryError, you can try and adjust the memory allocation with -Xmx (though I suspect that ultimately won't help, as there are a lot of reasons why your specs in their current iteration are slow with Apalache).

If you're interested, we could also set up a user interview over Zoom; it's very helpful for us to know who our users and their backgrounds are, and what problem domains they operate in, and we could answer additional questions you might have directly.

[timimin]

Hello. We appreciate your participation.

Certainly i tried to increase the maximum java heap size, it had no effect. java.lang.OutOfMemoryError fatal error changed for killed message.

I can imagine how hard it might be optimizing one's code. It would be great if you manage to show me the principle in a manner you wrote, certainly i can then extrapolate for the sake of improving the rest part of my spec.
You are right about the most problematic module - it's Paralocks. But some hard parts meet in Runtime. When testing it's better to use cfg or to specify explicitly --inv = ParalocksInv. Though i switched of invariant checking initially.

As for the user interview ... seems interesting. But everything is quite simple. We represent a small research group in Russian Technological University
https://english.mirea.ru/
and are currently working on the project i have described. Next few of our department's directions are following: software vulnerability analysis, formal models of computer security, methods of computer attacks detection . Some partners of ours have deep interest in formal verification methods and instruments and use them for proving advanced access control models which are embedded into secure operation systems (mostly linux based). They are aware of our research.

Specification tuning with respect to performance issues has special value for our project. The approach i depicted will only work in practice iff the model checking process takes acceptable time for real size procedures. Deduction is quite tedious and not applicable for successive small projects.
My guess is if we optimize our small part of the spec the performance will not fall dramatically with increasing number of emulated sessions as in the case with TLC.

And certainly when we make our project public (though it may remain in the academic field for quite a while) we will enjoy to see it in the list of your examples.

Thank you again.

[Kukovec]

I've attached a reworked version of Paralocks, that contains some comments within.
In short, the primary reason why Apalache is slow on your examples, is that you're frequently using what effectively amounts to anti-patterns in Apalache - iterative object mutation. This is not uncommon for people who come to TLA+ with previous experience in programming languages.

In other words, when defining an expression Y from X, instead of saying "Y is an expression with properties a,b,c,...", you tend to define all the intermediate steps of transforming X into Y: "X is slightly changed into X1 (e.g. by adding one element to a set, or via EXCEPT), which is changed into X2, etc. until Xn = Y".
TLC likes these sorts of specifications, because it manipulates programming-language objects in its own implementation.
This makes it easy to construct temporary mutable objects, manipulate them (e.g. via for-loops) and garbage-collect them after they stop being useful.
For constraint-based approaches, like Apalache, the story is different. Not only are these intermediate steps not directly useful (since Apalache is not modeling TLA+ expressions as objects in Sacala), they actually hurt performance, since they can generate a massive amount of constraints, which are all about describing data structures (e.g. two functions being almost equal, except at one point).
Essentially, Apalache is spending its resources not on state-space exploration, but on in-state value computation, which is not its strong suit.

Concretely, a common anti-pattern I've found is that, when trying to define e.g. a function,
you start with an initial value f, then apply FoldSet(Op, f, S), where
Op has the shape Op(g, x) == [g EXCEPT ![x] = A(x)]. The attached file contains an explanation of how/why this affects performance and how to fix it.
In general, every time you use Fold(Set|Seq), I recommend you consider whether it is a actually necessary to fold (because each step depends on the value computed in the previous step), or whether it is possible to define the resulting value directly (see example in e.g. specifyWithSub).

Another is the frequent use of @@ (e.g. in Init). This is a TLC-specific operator, and its behavior is naturally tailored to TLC-style model checking. It's slow for the same reason unnecessary folding is - instead of defining the result via the properties it has, it explicitly encodes the computation of the result step-by-step, which doesn't play to the strengths of constraint-based approaches. There is a similarly simple fix:
Instead of doing (k1 :> f(k1)) @@ (k2 :> f(k2)) @@ ... @@ (kn :> f(kn)), writing
[ x \in {k1, k2, ..., kn} |-> f(x) ] should be faster (much faster, if n is large) and, in my opinion, clearer.

TLDR - Replace iteration (@@ chains or fold) with direct values whenever possible.

Paralocks.txt

[timimin]

Thanks a lot. Now i need time to reflect on everything you wrote and experiment myself.
Actually I'm a bit confused. I think I have misunderstood you again ). In the previous discussion i wrote:

It seems i have two options:

I can do it algorithmically:

LUB4Set (s) == FoldSet(LAMBDA x, y: LUB(x,y), min, s)

Or declaratively using the formal definition, smth like:

LUB4Seq (s) == CHOOSE p \in PolSet: /\  \A x \in s: compareItem(x, p)
                                    /\ ~\E y \in PolSet: y # p
                                              /\ \A z \in s: compareItem(z, y)
                                              /\ compareItem(y, p)

and got an answer:

IMO, folds are the vastly superior choice here. They have a direct encoding (i.e. they are treated by Apalache as if they were language-level operators and are not expanded to an equivalent TLA+ definition and then encoded) and are probably the most efficient way of doing iteration.

I hope we can stay in touch. I will write later.

Thanks.

[Kukovec]

That is because the issue at hand is not that folds are being used, but how they are being used (I suppose the TLDR is a bit reductive in this aspect). Consider the following examples:

\* (1)

\* Assume S \subseteq Nat and S /= {}
MaxOr0(S) ==
	LET Max2(a,b) == IF b < a THEN a ELSE b
	IN FoldSet(Max2, 0, S)

\* (2)

\* assume N > 0
FirstNSquares(N) ==
	LET Add(S, i) == S \union {i * i}
	IN FoldSet(Add, {}, 1..N)

In (1), the following is true:
a) Fold computes an integer at every step (a less complex expression)
b) MaxOr0 doesn't have a closed-form solution
c) If we expressed MaxOr0(S) as CHOOSE x \in S: P, then P is a quantified FOL formula: \A y \in S: x >= y

Conversely, in (2):
a) Fold computes a set at every step, monotonically increasing in cardinality
b) FirstNSquares does have a closed-form solution: {i * i: i \in 1..N}
c) There is no convenient CHOOSE-based characterization

(a) is important, because a k-step fold in (1) generates O(k) constraints - the evaluation of the ITE predicate and the chosen value at each step. In (2), however, the value at each step (k) is a set, which has O(k) elements. So to describe just the elements of each set, we need \sum_i=1^k O(k) constraints, which totals to O(k^2).
This is not particularly noticeable in the above toy example, but in your large spec with sets of sets, and values more complex than i * i, this adds up.

(b) is important, because it tells us whether folding is redundant. If a closed-form solution exists, it's the better choice 99.99% of the time.

(c) is important, because it is often the case that FoldSet(Op, v, S) = CHOOSE x \in S: P
for some Op, v, P. To answer the question which form is more efficient, a good rule of thumb is to look at how quantified P is. Each quantifier is roughly equivalent to one nested for-loop over S, in terms of complexity, and the call to CHOOSE x \in S: P itself is roughly equivalent to an additional nested loop over S.
In the LUB case, a LUB for a set S \subseteq T is a value w with the property:

/\ IsUB(w, S)
/\ \A y \in T: IsUB(y, S) => y >= w

where IsUB(r, Q) == \A x \in Q: r >= x. This property is doubly universally quantified, so computing LUB with CHOOSE is roughly as complex as a triply-nested for-loop over S, which is slow.

For all of the above reasons, fold is efficient in (1) (and the LUB case), and redundant in (2).

So it's not fold that is the source of slowdowns in your spec, it's the sets/functions that are being spuriously constructed using fold.

[timimin]

Thank you for such a detailed explanation. I think i got the idea. It will take sometime to reconstruct the specs. Later I'll share the results. -- Отправлено из Mail.ru для Android четверг, 13 января 2022г., 13:02 +03:00 от Kukovec ***@***.*** :

…

That is because the issue at hand is not that folds are being used, but how they are being used (I suppose the TLDR is a bit reductive in this aspect). Consider the following examples: \* (1) \* Assume S \subseteq Nat and S /= {} MaxOr0(S) == LET Max2(a,b) == IF b < a THEN a ELSE b IN FoldSet(Max2, 0, S) \* (2) \* assume N > 0 FirstNSquares(N) == LET Add(S, i) == S \union {i * i} IN FoldSet(Add, {}, 1..N) In (1), the following is true: a) Fold computes an integer at every step (a less complex expression) b) MaxOr0 doesn't have a closed-form solution c) If we expressed MaxOr0(S) as CHOOSE x \in S: P, then P is a quantified FOL formula: \A y \in S: x > = y Conversely, in (2): a) Fold computes a set at every step, monotonically increasing in cardinality b) FirstNSquares does have a closed-form solution: {i * i: i \in 1..N} c) There is no convenient CHOOSE-based characterization (a) is important, because a k-step fold in (1) generates O(k) constraints - the evaluation of the ITE predicate and the chosen value at each step. In (2), however, the value at each step (k) is a set, which has O(k) elements. So to describe just the elements of each set, we need \sum_i=1^k O(k) constraints, which totals to O(k^2). This is not particularly noticeable in the above toy example, but in your large spec with sets of sets, and values more complex than i * i, this adds up. (b) is important, because it tells us whether folding is redundant. If a closed-form solution exists, it's the better choice 99.99% of the time. (c) is important, because it is often the case that FoldSet(Op, v, S) = CHOOSE x \in S: P for some Op, v, P. To answer the question which form is more efficient, a good rule of thumb is to look at how quantified P is. Each quantifier is roughly equivalent to one nested for-loop over S, in terms of complexity, and the call to CHOOSE x \in S: P itself is roughly equivalent to an additional nested loop over S. In the LUB case, a LUB for a set S \subseteq T is a value w with the property: /\ IsUB(w, S) /\ \A y \in T: IsUB(y, S) => y >= w where IsUB(r, Q) == \A x \in Q: r > = x. This property is doubly universally quantified, so computing LUB with CHOOSE is roughly as complex as a triply-nested for-loop over S, which is slow. For all of the above reasons, fold is efficient in (1) (and the LUB case), and redundant in (2). So it's not fold that is the source of slowdowns in your spec, it's the sets/functions that are being spuriously constructed using fold. — Reply to this email directly, view it on GitHub , or unsubscribe . Triage notifications on the go with GitHub Mobile for iOS or Android . You are receiving this because you were mentioned. Message ID: @ github . com>

[timimin]

Hi, I'm currently upgrading my specs according to your recommendations. To see real effect i think we must revise not only paralocks.tla, but all other specifications (the current version diverges also).

Comparing closed forms against CHOOSE (fold)... One argument for using folds was my concern about the sizes of underlying sets. I thought its better to build necessary structures in nested loops with countable iterations then
define them on enormous sets. Some of such sets could be Users or Policies. Is it really true that for the underlying solvers only the number of constraints matters?

[timimin]

‌Hi, all. I would like to express my gratitude for all your efforts and useful recommendations concerning writing friendly to Apalache specifications. For the last few days i have been trying to revise my project. I found an incremental antipattern in Runtime.tla.

Unfortunately all improvements had partial effect. The simplified version of the model (with just one session and one procedure) still diverges. After several minutes of work it produces killed message. The profiler shows hundreds of thousands of constraints generated for the next operator.

I believe the problem is in the number and types of the state variables. As i said our transition system is based on the abstract semantics of information flows. So we model some typical memory structures (the stack, the program counter, the global variables section etc) and the state is represented by a number of compound elements such as tuples and sequences of relatively large sisize

‌If we play the model for some small number of parallel sessions TLC works fine. May be it happens because it doesn't store entire states but instead it keeps track of their signatures.
‌
‌Any ideas would be greatly appreciated.
‌
‌Thanks.

[Kukovec]

Could I ask you to post the latest versions of your specs, with the recent changes? I can tell you more once I run them myself.

[timimin]

Certainly. Here they are.

Now we remain:
2 sessions - S == {"allen", "bob"} (Parameters.tla),
1 procedure - p_add_paper (ConferenceProcFS_final.tla)

Init ==      
 LET 
		    \* @type: () => Set(<<Str, Str>>);
			pc_start ==              
                 {<<"p_add_paper", "lbl_4">>(*,
                  <<"p_submit_paper", "lbl_4">>,
                  <<"p_change_status", "lbl_4">>,
                  <<"f_is_accepted", "lbl_5">>,
                  <<"p_allocate","lbl_7">>,
                  <<"f_get_paper","lbl_5">>,
                  <<"f_get_section_program","lbl_5">>*)}
        IN
...          

the invariant which is always true (RuntimeFS.tla)

ParalocksInv == TRUE

cli:

java -Xmx8192m -jar /home/user-sc/apalache_0_19/apalache/mod-distribution/target/apalache-pkg-0.19.0-full.jar --length=10 check --config=MC.cfg ConferenceProcFS_final.tla

specs25122022.zip

[timimin]

Hi. Anything on my issue? Are there chances of success )?

[Kukovec]

I have a couple of observations:

1. There are still several Apalache antipatterns (e.g. in Init)
2. There's dead code: You can run the TLC profiler (model -> TLC options -> profiling -> ON), and it will show you areas of the spec that never get explored. In Apalache, since there is no state exploration, these represent needless constraints, that always evaluate to FALSE, but that get propagated and solved anyway, whereas TLC can short-circuit quit out of exploration when it encounters such expressions. There's also the problem that a lack of invariant violation in the presence of dead code does not necessarily mean that the system being modeled satisfies the invariant. More likely, this points to a specification error, since the dead code is usually intended to represent some reachable scenario in the protocol/algorithm, which is unreachable in the specification as-written.
3. This one is more subjective, but it feels like there is very little abstraction/modularity. This makes solving much more difficult than it needs to be to determine invariant violation, because the solver has to do imperative program bookkeeping, instead of what it is designed to do: finding solutions to logical formulas (or proofs of absence thereof). I can't say more without understanding the base algorithm/protocol (for instance, looking at ParalocksInv, I have no idea what this property is actually about), but my experience with specs is telling me there are likely a lot of unnecessary (from the perspective of the desired invariant) constructs being modeled.
4. You've written ~1k lines of spec without running the tool at all. This is, I'd estimate, is like writing 10k lines of C code, before running the compiler for the first time - I would not be surprised to find that it's much more difficult than incrementally verifying the spec as it's being written.

Regarding 2. and 3. (these are Apalache/TLC agnostic), I would suggest inquiring in the TLA+ Google group: https://groups.google.com/g/tlaplus
There's a lot of people there that can help come up with improvements to your specifications.

[timimin]

Sorry, for taking your time
Just few remarks.

1. Dead code certainly presents in my spec. I'm aware of some operators which are never used. They usually represent alternative methods of computations. May be it would be better to hide them behind comments... But they have no effect on TLC Model checker (obviously they badly impact the productivity of the solver).

‌2. The objectives of using formal verification approach in our case is slightly different from common cases. We cannot abstract away the large part of the verified algorithm because what we are actually doing is implementing the abstract semantics of information flows in the program code. Abstract operations are done on almost all evaluation environment elements (vars, exceptions etc) the way concrete operations are applied. Though unlike concrete operations abstract counterparts deal with elements of finite lattice (security levels or policies). Knowing that direct program2tla+ mapping is a bad idea we found arguments to justify ourselves:

1. Unlike real server-side apps stored procedures (we model) usually have small size. They never implement garbage algorithms.
2. Modern dbms usually provide convenient interfaces for determining explicit and implicit dependencies between program blocks and other objects.
   So placing db program units in focus we abstract away the rest part of the complex enterprise application.
3. Speaking about using the tool after writing ~ 1 k lines of specs... It's natural. I didn't plan to use Apalache initially. I have been creating specs for TLC and then decided to try Apalache (which goes well in compliance with all recommendations). Actually it is obviously a bad idea converting existing specs for using in Apalache, if you want to leverage the tool you need to rewrite everything from the very begining. TLC is tolerant to algorithmic style of behaviour description, Apalache is not.
   Thanks for all your efforts.