Documentation

LeanPool.Lentil.Basic

A Shallow-Embedding of TLA #

NOTE: There are multiple ways to formalize the concept of infinite sequences. Here, we follow the definition from coq-tla, while an alternative is to define infinite sequence as a coinductive datatype (like Stream in Rocq/Agda).

Lean also comes with a definition of `Stream`, but it is a type class instead of
a datatype, and the sequences generated from it are not necessarily infinite
(in the sense that it may generate finite sequences). So here we do not use it.
def TLA.exec (σ : Type u) :

An execution: an infinite sequence of states indexed by Nat.

Equations
Instances For
    def TLA.pred (σ : Type u) :

    A temporal predicate: a property of executions.

    Equations
    Instances For
      def TLA.statePred {σ : Type u} (f : σProp) :
      pred σ

      Lift a state property to the temporal predicate that holds at the first state.

      Equations
      • e |=tla= f = f (e 0)
      Instances For
        def TLA.action (σ : Type u) :

        An action: a binary relation between the current and next state.

        Equations
        Instances For
          def TLA.actionPred {σ : Type u} (a : action σ) :
          pred σ

          Lift an action to the temporal predicate that holds on the first two states.

          Equations
          • e |=tla= a = a (e 0) (e 1)
          Instances For
            def TLA.purePred {α : Type u} (p : Prop) :
            pred α

            Lift a Prop to the temporal predicate that holds iff the Prop does.

            Equations
            • (p) =tla= (fun (x : α) => p)
            Instances For
              def TLA.tlaTrue {α : Type u} :
              pred α

              The temporal predicate that always holds.

              Equations
              Instances For
                def TLA.tlaFalse {α : Type u} :
                pred α

                The temporal predicate that never holds.

                Equations
                Instances For
                  def TLA.tlaAnd {α : Type u} (p q : pred α) :
                  pred α

                  Conjunction of temporal predicates.

                  Equations
                  • σ |=tla= pq = (p σ q σ)
                  Instances For
                    def TLA.tlaOr {α : Type u} (p q : pred α) :
                    pred α

                    Disjunction of temporal predicates.

                    Equations
                    • σ |=tla= pq = (p σ q σ)
                    Instances For
                      def TLA.tlaImplies {α : Type u} (p q : pred α) :
                      pred α

                      Implication of temporal predicates.

                      Equations
                      • σ |=tla= pq = (p σq σ)
                      Instances For
                        def TLA.tlaNot {α : Type u} (p : pred α) :
                        pred α

                        Negation of a temporal predicate.

                        Equations
                        • σ |=tla= ¬p = ¬p σ
                        Instances For
                          def TLA.tlaForall {α : Sort u} {β : Type v} (p : αpred β) :
                          pred β

                          Universal quantification over temporal predicates.

                          Equations
                          • σ |=tla= ∀ x, (p x) = ∀ (x : α), p x σ
                          Instances For
                            def TLA.tlaExists {α : Sort u} {β : Type v} (p : αpred β) :
                            pred β

                            Existential quantification over temporal predicates.

                            Equations
                            • σ |=tla= ∃ x, (p x) = (x : α), p x σ
                            Instances For
                              def TLA.exec.drop {α : Type u} (k : Nat) (σ : exec α) :
                              exec α

                              Drop the first k states of an execution.

                              Equations
                              Instances For
                                def TLA.exec.take {α : Type u} (k : Nat) (σ : exec α) :
                                List α

                                The list of the first k states of an execution.

                                Equations
                                Instances For
                                  def TLA.exec.takeFrom {α : Type u} (start k : Nat) (σ : exec α) :
                                  List α

                                  The list of k states of an execution starting at index start.

                                  Equations
                                  Instances For
                                    def TLA.always {α : Type u} (p : pred α) :
                                    pred α

                                    The always (box) modality: p holds on every suffix.

                                    Equations
                                    Instances For
                                      def TLA.eventually {α : Type u} (p : pred α) :
                                      pred α

                                      The eventually (diamond) modality: p holds on some suffix.

                                      Equations
                                      Instances For
                                        def TLA.later {α : Type u} (p : pred α) :
                                        pred α

                                        The later (next) modality: p holds on the suffix dropping one state.

                                        Equations
                                        Instances For
                                          def TLA.exec.satisfies {α : Type u} (p : pred α) (σ : exec α) :

                                          An execution satisfies a temporal predicate.

                                          Equations
                                          Instances For
                                            def TLA.valid {α : Type u} (p : pred α) :

                                            A temporal predicate is valid: it holds on every execution.

                                            Equations
                                            Instances For
                                              def TLA.predImplies {α : Type u} (p q : pred α) :

                                              Entailment between temporal predicates over all executions.

                                              Equations
                                              Instances For
                                                def TLA.enabled {α : Type u} (a : action α) (s : α) :

                                                An action is enabled at a state if some successor state exists.

                                                Equations
                                                Instances For
                                                  def TLA.tlaEnabled {α : Type u} (a : action α) :
                                                  pred α

                                                  The temporal predicate asserting that an action is enabled.

                                                  Equations
                                                  Instances For
                                                    def TLA.tlaBigwedge {α : Type u} {β : Type v} {c : Type v → Type u_1} [Foldable c] (f : βpred α) (s : c β) :
                                                    pred α

                                                    Big conjunction of temporal predicates over a foldable collection.

                                                    Equations
                                                    Instances For
                                                      def TLA.tlaBigvee {α : Type u} {β : Type v} {c : Type v → Type u_1} [Foldable c] (f : βpred α) (s : c β) :
                                                      pred α

                                                      Big disjunction of temporal predicates over a foldable collection.

                                                      Equations
                                                      Instances For
                                                        def TLA.tlaUntil {α : Type u} (p q : pred α) :
                                                        pred α

                                                        The until modality: p holds until q becomes true.

                                                        Equations
                                                        Instances For

                                                          Syntax for TLA Notations #

                                                          Our notations for TLA formulas intersect with those for plain Lean terms,
                                                          so to avoid potentially ambiguity(?), we define a new syntax category `tlafml`
                                                          for TLA formulas and define macro rules for expanding formulas in `tlafml` into
                                                          Lean terms.
                                                          
                                                          Equations
                                                          • One or more equations did not get rendered due to their size.
                                                          Instances For

                                                            Syntax category for TLA formulas.

                                                            Equations
                                                            Instances For

                                                              Embed a term as a TLA formula.

                                                              Equations
                                                              Instances For

                                                                Parenthesized TLA formula.

                                                                Equations
                                                                • One or more equations did not get rendered due to their size.
                                                                Instances For

                                                                  State-predicate TLA formula ⌜ p ⌝.

                                                                  Equations
                                                                  • One or more equations did not get rendered due to their size.
                                                                  Instances For

                                                                    Pure-predicate TLA formula ⌞ p ⌟.

                                                                    Equations
                                                                    • One or more equations did not get rendered due to their size.
                                                                    Instances For

                                                                      Action-predicate TLA formula ⟨ a ⟩.

                                                                      Equations
                                                                      • One or more equations did not get rendered due to their size.
                                                                      Instances For

                                                                        The TLA formula.

                                                                        Equations
                                                                        Instances For

                                                                          The TLA formula.

                                                                          Equations
                                                                          Instances For

                                                                            Unary heading operators on TLA formulas (¬, , , ).

                                                                            Equations
                                                                            • One or more equations did not get rendered due to their size.
                                                                            Instances For

                                                                              Apply a unary heading operator to a TLA formula.

                                                                              Equations
                                                                              Instances For

                                                                                The Enabled a TLA formula.

                                                                                Equations
                                                                                Instances For

                                                                                  Implication of TLA formulas.

                                                                                  Equations
                                                                                  Instances For

                                                                                    Conjunction of TLA formulas.

                                                                                    Equations
                                                                                    Instances For

                                                                                      Disjunction of TLA formulas.

                                                                                      Equations
                                                                                      Instances For

                                                                                        Leads-to () of TLA formulas.

                                                                                        Equations
                                                                                        Instances For

                                                                                          Until (𝑈) of TLA formulas.

                                                                                          Equations
                                                                                          Instances For

                                                                                            Always-implies () of TLA formulas.

                                                                                            Equations
                                                                                            Instances For

                                                                                              Weak-fairness (𝒲ℱ) of an action as a TLA formula.

                                                                                              Equations
                                                                                              Instances For

                                                                                                Universally quantified TLA formula.

                                                                                                Equations
                                                                                                • One or more equations did not get rendered due to their size.
                                                                                                Instances For

                                                                                                  Existentially quantified TLA formula.

                                                                                                  Equations
                                                                                                  • One or more equations did not get rendered due to their size.
                                                                                                  Instances For

                                                                                                    Big-operator heads (, ) for TLA formulas.

                                                                                                    Equations
                                                                                                    • One or more equations did not get rendered due to their size.
                                                                                                    Instances For

                                                                                                      Big conjunction/disjunction of a TLA formula over a collection.

                                                                                                      Equations
                                                                                                      • One or more equations did not get rendered due to their size.
                                                                                                      Instances For

                                                                                                        Elaborate a TLA formula into a term.

                                                                                                        Equations
                                                                                                        • One or more equations did not get rendered due to their size.
                                                                                                        Instances For
                                                                                                          def TLA.leadsTo {α : Type u} (p q : pred α) :
                                                                                                          pred α

                                                                                                          The leads-to operator p ↝ q, defined as □ (p → ◇ q).

                                                                                                          Equations
                                                                                                          Instances For
                                                                                                            def TLA.alwaysImplies {α : Type u} (p q : pred α) :
                                                                                                            pred α

                                                                                                            The always-implies operator p ⇒ q, defined as □ (p → q).

                                                                                                            Equations
                                                                                                            Instances For
                                                                                                              def TLA.weakFairness {α : Type u} (a : action α) :
                                                                                                              pred α

                                                                                                              Weak fairness of an action.

                                                                                                              Equations
                                                                                                              • (𝒲ℱ a) =tla= ((Enabled aa))
                                                                                                              Instances For

                                                                                                                Sequent notation p |-tla- q for entailment.

                                                                                                                Equations
                                                                                                                • One or more equations did not get rendered due to their size.
                                                                                                                Instances For

                                                                                                                  Validity notation |-tla- p.

                                                                                                                  Equations
                                                                                                                  Instances For

                                                                                                                    Equality notation p =tla= q between TLA formulas.

                                                                                                                    Equations
                                                                                                                    • One or more equations did not get rendered due to their size.
                                                                                                                    Instances For

                                                                                                                      Satisfaction notation e |=tla= p.

                                                                                                                      Equations
                                                                                                                      Instances For

                                                                                                                        Pretty-Printing for TLA Notations #

                                                                                                                        def TLA.syntaxTermToTlafml {m : TypeType} [Monad m] [Lean.MonadQuotation m] (stx : Lean.TSyntax `term) :
                                                                                                                        m (Lean.TSyntax `tlafml)

                                                                                                                        Converting a syntax in term category into tlafml. This is useful in the cases where we want to eliminate the redundant [tlafml| ... ] wrapper of some sub-formula when it is inside a tlafml.

                                                                                                                        Equations
                                                                                                                        • One or more equations did not get rendered due to their size.
                                                                                                                        Instances For
                                                                                                                          def TLA.syntaxTlafmlToTerm {m : TypeType} [Monad m] [Lean.MonadQuotation m] (stx : Lean.TSyntax `tlafml) :
                                                                                                                          m (Lean.TSyntax `term)

                                                                                                                          Converting a syntax in term category into tlafml, by inserting [tlafml| ... ] wrapper if needed.

                                                                                                                          Equations
                                                                                                                          • One or more equations did not get rendered due to their size.
                                                                                                                          Instances For

                                                                                                                            Annotate the syntax with term info for the delaborator.

                                                                                                                            Equations
                                                                                                                            Instances For

                                                                                                                              Delaborate the current expression into tlafml syntax. fuel bounds the recursion depth; each recursive call descends into a strict subexpression, so seeding it with the expression's depth always suffices.

                                                                                                                              Instances For

                                                                                                                                Extract the binder name and body of a delaborated lambda.

                                                                                                                                Equations
                                                                                                                                • One or more equations did not get rendered due to their size.
                                                                                                                                Instances For

                                                                                                                                  Delaborate the current expression into tlafml syntax, seeding the depth fuel from the expression's own approximate depth.

                                                                                                                                  Equations
                                                                                                                                  Instances For

                                                                                                                                    Delaborator turning TLA predicate applications back into tlafml notation.

                                                                                                                                    Equations
                                                                                                                                    • One or more equations did not get rendered due to their size.
                                                                                                                                    Instances For

                                                                                                                                      Unexpander rendering predImplies as the |-tla- sequent notation.

                                                                                                                                      Equations
                                                                                                                                      • One or more equations did not get rendered due to their size.
                                                                                                                                      Instances For

                                                                                                                                        Unexpander rendering valid as the |-tla- notation.

                                                                                                                                        Equations
                                                                                                                                        • One or more equations did not get rendered due to their size.
                                                                                                                                        Instances For

                                                                                                                                          Unexpander rendering satisfies as the |=tla= notation.

                                                                                                                                          Equations
                                                                                                                                          • One or more equations did not get rendered due to their size.
                                                                                                                                          Instances For

                                                                                                                                            Unexpander rendering equalities between TLA formulas with =tla=.

                                                                                                                                            Equations
                                                                                                                                            • One or more equations did not get rendered due to their size.
                                                                                                                                            Instances For
                                                                                                                                              Equations
                                                                                                                                              • One or more equations did not get rendered due to their size.
                                                                                                                                              Instances For

                                                                                                                                                Wrap a piece of syntax in parentheses.

                                                                                                                                                Equations
                                                                                                                                                • One or more equations did not get rendered due to their size.
                                                                                                                                                Instances For

                                                                                                                                                  Basic lemmas about executions and entailment #

                                                                                                                                                  theorem TLA.exec.take_length {α : Type u} (k : Nat) (σ : exec α) :
                                                                                                                                                  (take k σ).length = k
                                                                                                                                                  theorem TLA.exec.drop_drop {α : Type u} (k l : Nat) (σ : exec α) :
                                                                                                                                                  drop l (drop k σ) = drop (k + l) σ
                                                                                                                                                  theorem TLA.pred_implies_refl {α : Type u} (p : pred α) :
                                                                                                                                                  theorem TLA.pred_implies_trans {α : Type u_1} {p q r : pred α} :