OPEN SYSTEM SPECIFICATIONS

9.1 Assume-guarantee specifications .1 Forms of stepwise implication.1Forms of stepwise implication

Open-system specifications constrain the behavior of component variables in presence of appropriate environment behavior. This kind of relation resembles logical implication (⇒), suggesting defining a binary operator. In this section, we compare two operators of this kind:

• The TLA⁺ operator −⁺▷ (namedWhilePlus below)

• A quinary operator based on work by Klein and Pnueli [96, Eq. 3 on p. 163].

Klein and Pnueli defined the (PastRTLA⁺) formula KP =^∆ ∨ ¬EnvInit

∨ ∧SysInit

∧2(UpToNow(EnvNext)⇒SysNext) Stepwise implication

∧ ∨3¬EnvNext Environment error (“liveness gap”)

∨ ∃i ∈ 0. .n : 32P(i) generalized Streett pair

∨ ∀j ∈ 0. .m : 23R(j)

The formula UpToNow(EnvNext) is true when the action EnvNext has been true in all previous steps and the current step. In LTL, UpToNow is called

“historically” [128].

The “assume-guarantee” character of RawWhile is manifest in the stepwise implication and the environment error. The “GR(1)” character is manifest in the Streett pair that constrains the component. Thus, the assume-guarantee form we choose is orthogonal to whether the liveness part is a GR(1) or GR(k) property, so we can lump all liveness in order to obtain the general form RawWhile(EnvInit, SysInit, EnvNext, SysNext, Liveness) =^∆

∨ ¬EnvInit

∨ ∧SysInit

∧2(UpToNow(EnvNext)⇒SysNext)

∧ ∨3¬EnvNext

∨Liveness

For reasons discussed in Section 9.6 we study the operator RawWhilePlus, instead of RawWhile, defined as follows:

RawWhilePlus(IeP( , ), EnvInit, SysInit, EnvNext, SysNext, Le, Ls) =^∆

∨ ¬∃p, q : IeP(p, q) satisfiability ofEnvInit

∨ ∧SysInit

∧EnvInit ⇒ ∧2(Earlier(EnvNext)⇒SysNext)

∧(2EnvNext∧Le)⇒Ls

The main difference betweenRawWhile and RawWhilePlus is in using the op- eratorEarlierinstead ofUpToNow [67, 65, 88]. The expressionEarlier(EnvNext) is true when the actionEnvNext has been true in all previous steps (omitting the current step). We use the operator RawWhilePlus with the argument EnvInit defined as IeP(x,y), where x,y are variables declared in the relevant context. So the argument EnvInit could be omitted, but that would require adding x and y as arguments, and thus cluttering this definition.

It can be shown thatRawWhilePlus is expressible with the quinary operator RawWhilePlusDisj(InitC, InitD, EnvNext, SysNext,Liveness) =^∆

InitC ⇒ ∧InitD

∧2(Earlier(EnvNext)⇒SysNext)

∧Liveness ∨3¬EnvNext

It does not matter whether the main operator is disjunction. Any property ex- pressed with the operatorRawWhilePlusDisj is expressible using the following operator:

RawWhilePlusConj(InitA, InitB, EnvNext, SysNext, Liveness) =^∆

∧InitB

∧InitA⇒ ∧2(Earlier(EnvNext)⇒SysNext)

∧Liveness∨3¬EnvNext

The previous operators are in raw TLA⁺ with past operators (PastRTLA⁺) (see Section 3.2). The operator RawWhilePlus is suitable for algorithmic im- plementation [153]. We next examine the relation between WhilePlus and RawWhilePlus, which has also been examined under more restrictive assump- tions in [88].

9.1.2 Stepwise form of −⁺▷

Arguments represented as machine-closed pairs Machine-closure of the pair

EnvInit∧2[EnvNext]v, Le and of the pair

InitSys ∧2[SysNext]v, Ls

imply equivalence of the properties defined using the operators RawWhilePlus and−⁺▷, as implied by the below theorem. In absence of machine-closure, these two operators are not equivalent, as discussed in more detail in Section 9.2.¹

A syntactic definition of closure [113, 11]

MustUnstep(b) =^∆ ∧b =true

∧2[b^′ =false]_b

∧3(b =false) SamePrefix(b, u, x) =^∆ 2(b ⇒(u =x))

Front(P( , ), x, b) =^∆ ∃∃∃∃∃∃u : P(u)∧SamePrefix(b, u, x) Cl(P( ), x) =^∆ ∀∀∀∀∀∀b : MustUnstep(b)⇒Front(P, x, b)

Each property is decomposable into safety and liveness [12].

SafetyPart(P( ),x) =^∆ Cl(P,x)

LivenessPart(P( ), x) =^∆ SafetyPart(P, x)⇒P(x) [88, Sec. 2.3 on p. 54]

Below we use this operator with adapted arity.

IsMachineClosed(S( ),L( )) =^∆ let SL(u) =^∆ S(u)∧L(u) in ∀∀∀∀∀∀x : S(x)≡Cl(SL, x) theorem PhiEquivRawPhi =^∆

assume

variable x, variable y, new sigma,

IsABehavior(sigma), constant IeP( , ), constant IsP( , ), constant NeP( , , , ),

1 A proof of the theoremPhiEquivRawPhi is in the moduleWhilePlusTheorems.

constant NsP( , , , ),

temporal Le, temporal Ls, thus TLA+ formulas

∧ ∀u, v : IeP(u,v) ∈ boolean

∧ ∀u, v : IsP(u, v) ∈ boolean

∧ ∀a, b, c, d : NeP(a, b, c, d) ∈ boolean

∧ ∀a, b, c, d : NsP(a, b, c, d) ∈ boolean , let

v =^∆ ⟨x, y⟩ Is =^∆ IsP(x, y) Ie =^∆ IeP(x, y)

Ne =^∆ NeP(x, y, x^′, y^′) Ns =^∆ NsP(x,y, x^′, y^′) in

∧IsMachineClosed(Ie ∧2[Ne]_v, Le)

∧IsMachineClosed(Is ∧2[Ns]_v, Ls) prove

let

v =^∆ ⟨x, y⟩ Is =^∆ IsP(x, y) Ie =^∆ IeP(x, y)

Ne =^∆ NeP(x, y, x^′, y^′) Ns =^∆ NsP(x,y, x^′, y^′) A =^∆ Ie∧2[Ne]v ∧Le G =^∆ Is ∧2[Ns]_v ∧Ls Phi =^∆ A−⁺▷G

EnvNext = [Ne]^∆ v

SysNext = [Ns]^∆ _v

RawPhi =^∆ RawWhilePlus(

IeP,Ie,Is,

EnvNext,SysNext, Le, Ls) in

(sigma,0|=RawPhi) ≡ (sigma |=Phi) proof

by RawPhiImpliesPhi, PhiImpliesRawPhi

9.1.3 Shifting liveness around

It is of practical interest to know when we can shift liveness conjuncts from the environment to the component property, or vice versa. Shifts of this kind negate the liveness, turning recurrence into persistence, and vice versa.

The specifier usually imagines an “environment”

Env =^∆ EnvInit ∧2[EnvNext]v

and a “component”

Sys =^∆ SysInit ∧2[SysNext]_v ∧Liveness

However,RawWhilePlusDisj depends on five arguments (EnvInit, . . . ,Liveness);

not two (Env,Sys). This difference is essential, in that there are properties expressible with RawWhilePlusDisj but inexpressible with any binary oper- ator that takes Env and Sys as arguments (we show this inexpressibility in Section 9.2).

One pitfall is to change any of the formulasEnvInit, . . . ,Liveness, while keep- ing Env and Sys the same. If such a change leads from a machine-closed to machine-unclosed representation of either Env or Sys, then in general the property RawWhilePlusDisj changes.

Assume that both Aand G are written using machine-closed representations.

If we shift the property Le to G, then the closure of A −⁺▷ G remains un- changed. More precisely

theorem assume

∧A≡(Ie∧2[Ne]v ∧Le)

∧Cl(A)≡(Ie∧2[Ne]_v) The pairIe∧2[Ne]v,Le is machine-closed.

∧G ≡(Is∧2[Ns]_v ∧Ls)

The pairIs∧2[Ns]v,Ls is machine-closed. This implies that the pairIs∧2[Ns]v,Ls∨ ¬Le is machine-closed (seeQ below).

∧Cl(G)≡(Is ∧2[Ns]_v) prove

let

P =^∆ Ie∧2[Ne]_v

Q =^∆ Is ∧2[Ns]v ∧(Le ⇒Ls) in

A−⁺▷G ≡ P −⁺▷Q

This theorem can be used in the reverse direction too, i.e., to shift Le to the first argument (the “environment” property). In that case, persistence dis- juncts from the formula (Le ⇒Ls) withinQ are shifted to become recurrence conjuncts in the formula Le within the formula that represents A.

In absence of machine-closure, the above rewriting can change the open-system property. There are two cases in GR(1):

1. Shifting recurrence fromAto persistence inQ. If the pairIe∧2[Ne]_v,Le is machine-unclosed, then Cl(P) is weaker than Cl(A) (because Le im- poses a safety constraint onIe∧2[Ne]_v), so this transformation relaxes the assumption’s closure.

If the pairIs∧2[Ns]_v,Ls is machine-unclosed, then relaxing the liveness to (Ls∨¬Le) can weaken the closure (not necessarily). Thus,Cl(Q) may be weaker than Cl(G).

The combined effect of relaxingAtoP and changingG toQ in this way is nontrivial.

2. Shifting persistence from Q to recurrence in A. This transformation strengthens the guarantee fromQ toG. If the pairIs∧2[Ns]v,Ls is not machine-closed, then the closure Cl(G) may be stronger than Cl(Q).

This shift conjoinsLe toIe∧2[Ne]_v insideA, so Cl(A) is stronger than Cl(P) if the pair Ie ∧2[Ne]_v,Le is machine-unclosed.

To summarize, in absence of machine-closure, shifting liveness from assump- tion to guarantee relaxes the closure of the assumption and possibly of the guarantee. Shifting liveness from the guarantee to the assumption strengthens the closure of the assumption, and possibly of the guarantee too.

In both cases, the combined effect from changing both arguments appears to have a nontrivial effect on the open-system property that the two properties define when fed to the operator −⁺▷.

Remark 10. Lamport defined the operator “as long as” directly in seman- tics [110, ⊴ on p. 220]. This operator is similar to RawWhile. The operator

“one step longer” [110,◁ on p. 220] is equivalent to StepwiseImpl.² □

2 The operatorStepwiseImpl is defined in the moduleWhilePlusTheorems.

Remark 11. A reusable definition of −⁺▷within TLA⁺ has to include at least one argument for variables, because there is no way to refer to all declared

variables from within TLA⁺. □

Remark 12. The operator WhilePlus(A,G,x,y) does differ from −⁺▷ if A or G depend on variables other than x and y. This is a potential cause of errors

by the specifier when using WhilePlus. □

9.2 Degrees of freedom needed for representation