Documentation

LeanPool.Lentil.Tactics.FiniteWindow

This file implements a finite-window reduction for local TLA obligations.

The older simp_finite_exec_goal tactic unfolds a TLA formula on an explicit trace, then tries to discover and generalize the finitely many trace cells that remain. That is fragile: the tactic has to rediscover finite dependence from the unfolded goal shape.

Here the finite dependence is part of the certificate. A FiniteWindow p n contains a curried finite predicate core over exactly n states, together with a theorem saying that evaluating p on a trace is equivalent to evaluating core on the first n states of that trace. The tactic uses instance search to find a HasFiniteWindow p n, applies the certificate theorem, introduces the n state variables, and simplifies the resulting core.

For sequents, tlaFiniteWindow first changes p |-tla- q by definitional equality into |-tla- p → q, so the rest of the pipeline only handles validity goals.

def TLA.IteratedHomPred :
NatType u → Type u

A curried predicate over n consecutive states.

For example, IteratedHomPred 2 σ reduces to σ → σ → ULift Prop. The ULift in the base case is deliberate: for universe-polymorphic σ : Type u, the successor case lives in Type u, so the base proposition also has to be lifted into Type u. The user-facing goals are later simplified through .down.

Equations
Instances For
    def TLA.IteratedHomPred.evalExec {σ : Type u} (n : Nat) :
    IteratedHomPred n σexec σProp

    Evaluate a curried finite predicate on the first n states of a trace.

    Equations
    Instances For
      def TLA.IteratedHomPred.weaken {σ : Type u} (n m : Nat) :
      n mIteratedHomPred n σIteratedHomPred m σ

      View an n-state core as an m-state core when n ≤ m, ignoring the additional trailing states. This is used to combine two formulas with different window sizes into a common max window.

      Equations
      Instances For
        theorem TLA.IteratedHomPred.evalExec_weaken {σ : Type u} {n m : Nat} (h : n m) (p : IteratedHomPred n σ) (e : exec σ) :
        evalExec m (weaken n m h p) e evalExec n p e

        Weakening does not change how a core evaluates on any trace.

        Negate an iterated finite-window predicate.

        Equations
        Instances For
          theorem TLA.IteratedHomPred.evalExec_mkNot {σ : Type u} (n : Nat) (p : IteratedHomPred n σ) (e : exec σ) :
          evalExec n (mkNot n p) e ¬evalExec n p e
          def TLA.IteratedHomPred.mkBinary {σ : Type u} (op : PropPropProp) (n : Nat) :

          Combine two iterated finite-window predicates with a binary connective.

          Equations
          Instances For
            theorem TLA.IteratedHomPred.evalExec_mkBinary {σ : Type u} (op : PropPropProp) (n : Nat) (p q : IteratedHomPred n σ) (e : exec σ) :
            evalExec n (mkBinary op n p q) e op (evalExec n p e) (evalExec n q e)

            Conjoin two iterated finite-window predicates.

            Equations
            Instances For
              theorem TLA.IteratedHomPred.evalExec_mkAnd {σ : Type u} (n : Nat) (p q : IteratedHomPred n σ) (e : exec σ) :
              evalExec n (mkAnd n p q) e evalExec n p e evalExec n q e

              Disjoin two iterated finite-window predicates.

              Equations
              Instances For
                theorem TLA.IteratedHomPred.evalExec_mkOr {σ : Type u} (n : Nat) (p q : IteratedHomPred n σ) (e : exec σ) :
                evalExec n (mkOr n p q) e evalExec n p e evalExec n q e

                Form the implication of two iterated finite-window predicates.

                Equations
                Instances For
                  theorem TLA.IteratedHomPred.evalExec_mkImplies {σ : Type u} (n : Nat) (p q : IteratedHomPred n σ) (e : exec σ) :
                  evalExec n (mkImplies n p q) e evalExec n p eevalExec n q e
                  def TLA.IteratedHomPred.mkBinder {σ : Type u} {α : Sort v} (op : (αProp)Prop) (n : Nat) :
                  (αIteratedHomPred n σ)IteratedHomPred n σ

                  Bind a quantifier over an iterated finite-window predicate.

                  Equations
                  Instances For
                    theorem TLA.IteratedHomPred.evalExec_mkBinder {σ : Type u} {α : Sort v} (op : (αProp)Prop) (n : Nat) (p : αIteratedHomPred n σ) (e : exec σ) :
                    evalExec n (mkBinder op n p) e op fun (x : α) => evalExec n (p x) e
                    def TLA.IteratedHomPred.mkForall {σ : Type u} {α : Sort v} (n : Nat) :
                    (αIteratedHomPred n σ)IteratedHomPred n σ

                    Universally quantify an iterated finite-window predicate.

                    Equations
                    Instances For
                      theorem TLA.IteratedHomPred.evalExec_mkForall {σ : Type u} {α : Sort v} (n : Nat) (p : αIteratedHomPred n σ) (e : exec σ) :
                      evalExec n (mkForall n p) e ∀ (x : α), evalExec n (p x) e
                      def TLA.IteratedHomPred.mkExists {σ : Type u} {α : Sort v} (n : Nat) :
                      (αIteratedHomPred n σ)IteratedHomPred n σ

                      Existentially quantify an iterated finite-window predicate.

                      Equations
                      Instances For
                        theorem TLA.IteratedHomPred.evalExec_mkExists {σ : Type u} {α : Sort v} (n : Nat) (p : αIteratedHomPred n σ) (e : exec σ) :
                        evalExec n (mkExists n p) e (x : α), evalExec n (p x) e
                        def TLA.IteratedForall {σ : Type u} (n : Nat) :

                        Universal closure of a finite core over all its state arguments.

                        Equations
                        Instances For
                          theorem TLA.IteratedForall.evalExec {σ : Type u} {n : Nat} {p : IteratedHomPred n σ} :
                          IteratedForall n p∀ (e : exec σ), IteratedHomPred.evalExec n p e

                          A universally closed finite core holds on the first n states of every trace.

                          structure TLA.FiniteWindow {σ : Type u} (p : pred σ) (n : Nat) :

                          FiniteWindow p n means that p can be represented as a predicate over the first n states of a trace.

                          Instances For
                            class TLA.HasFiniteWindow {σ : Type u} (p : pred σ) (n : outParam Nat) :

                            A computable finite-window certificate.

                            The window is an output parameter so that instance synthesis can compute a canonical bound for p. The certificate itself is data, because tlaFiniteWindow uses its core field to produce the finite-state goal.

                            • finite : FiniteWindow p n

                              The finite-window certificate for the predicate.

                            Instances
                              def TLA.finiteWindowOfHasFiniteWindow {σ : Type u} {p : pred σ} {n : Nat} [h : HasFiniteWindow p n] :

                              Extract the semantic certificate from the tactic-facing class. Keeping this as a definition, not an instance for FiniteWindow, prevents arbitrary FiniteWindow facts from becoming part of instance search.

                              Equations
                              Instances For
                                theorem TLA.FiniteWindow.valid_of_forall {σ : Type u} {p : pred σ} {n : Nat} (h : FiniteWindow p n) :

                                Soundness theorem used by tlaFiniteWindow: proving the finite core for all choices of its state arguments proves validity of the original predicate.

                                def TLA.finiteWindowPure {σ : Type u} (P : Prop) :
                                FiniteWindow [tlafml|P] 0

                                Finite-window certificate for a pure predicate.

                                Equations
                                Instances For
                                  @[implicit_reducible]
                                  instance TLA.hasFiniteWindowPure {σ : Type u} (P : Prop) :
                                  HasFiniteWindow [tlafml|P] 0
                                  Equations
                                  def TLA.finiteWindowTrue {σ : Type u} :
                                  FiniteWindow [tlafml|] 0

                                  Finite-window certificate for .

                                  Equations
                                  Instances For
                                    @[implicit_reducible]
                                    instance TLA.hasFiniteWindowTrue {σ : Type u} :
                                    HasFiniteWindow [tlafml|] 0
                                    Equations
                                    def TLA.finiteWindowFalse {σ : Type u} :
                                    FiniteWindow [tlafml|] 0

                                    Finite-window certificate for .

                                    Equations
                                    Instances For
                                      @[implicit_reducible]
                                      instance TLA.hasFiniteWindowFalse {σ : Type u} :
                                      HasFiniteWindow [tlafml|] 0
                                      Equations
                                      def TLA.finiteWindowState {σ : Type u} (p : σProp) :
                                      FiniteWindow [tlafml|p] 1

                                      Finite-window certificate for a state predicate.

                                      Equations
                                      Instances For
                                        @[implicit_reducible]
                                        instance TLA.hasFiniteWindowState {σ : Type u} (p : σProp) :
                                        HasFiniteWindow [tlafml|p] 1
                                        Equations
                                        def TLA.finiteWindowAction {σ : Type u} (a : action σ) :
                                        FiniteWindow [tlafml|a] 2

                                        Finite-window certificate for an action predicate.

                                        Equations
                                        Instances For
                                          @[implicit_reducible]
                                          instance TLA.hasFiniteWindowAction {σ : Type u} (a : action σ) :
                                          HasFiniteWindow [tlafml|a] 2
                                          Equations
                                          def TLA.finiteWindowEnabled {σ : Type u} (a : action σ) :
                                          FiniteWindow [tlafml|Enabled a] 1

                                          Finite-window certificate for an enabledness predicate.

                                          Equations
                                          Instances For
                                            @[implicit_reducible]
                                            instance TLA.hasFiniteWindowEnabled {σ : Type u} (a : action σ) :
                                            HasFiniteWindow [tlafml|Enabled a] 1
                                            Equations
                                            def TLA.finiteWindowBinary {σ : Type u} (op : PropPropProp) (p q : pred σ) (n m : Nat) (hp : FiniteWindow p n) (hq : FiniteWindow q m) :
                                            FiniteWindow (fun (e : exec σ) => op (p e) (q e)) (max n m)

                                            Finite-window certificate for a binary connective of predicates.

                                            Equations
                                            • One or more equations did not get rendered due to their size.
                                            Instances For
                                              def TLA.finiteWindowAnd {σ : Type u} (p q : pred σ) (n m : Nat) (hp : FiniteWindow p n) (hq : FiniteWindow q m) :
                                              FiniteWindow [tlafml|pq] (max n m)

                                              Finite-window certificate for a conjunction.

                                              Equations
                                              Instances For
                                                @[implicit_reducible]
                                                instance TLA.hasFiniteWindowAnd {σ : Type u} (p q : pred σ) (n m : Nat) [HasFiniteWindow p n] [HasFiniteWindow q m] :
                                                HasFiniteWindow [tlafml|pq] (max n m)
                                                Equations
                                                def TLA.finiteWindowOr {σ : Type u} (p q : pred σ) (n m : Nat) (hp : FiniteWindow p n) (hq : FiniteWindow q m) :
                                                FiniteWindow [tlafml|pq] (max n m)

                                                Finite-window certificate for a disjunction.

                                                Equations
                                                Instances For
                                                  @[implicit_reducible]
                                                  instance TLA.hasFiniteWindowOr {σ : Type u} (p q : pred σ) (n m : Nat) [HasFiniteWindow p n] [HasFiniteWindow q m] :
                                                  HasFiniteWindow [tlafml|pq] (max n m)
                                                  Equations
                                                  def TLA.finiteWindowNot {σ : Type u} (p : pred σ) (n : Nat) (hp : FiniteWindow p n) :
                                                  FiniteWindow [tlafml|¬p] n

                                                  Finite-window certificate for a negation.

                                                  Equations
                                                  Instances For
                                                    @[implicit_reducible]
                                                    instance TLA.hasFiniteWindowNot {σ : Type u} (p : pred σ) (n : Nat) [HasFiniteWindow p n] :
                                                    HasFiniteWindow [tlafml|¬p] n
                                                    Equations
                                                    def TLA.finiteWindowImplies {σ : Type u} (p q : pred σ) (n m : Nat) (hp : FiniteWindow p n) (hq : FiniteWindow q m) :
                                                    FiniteWindow [tlafml|pq] (max n m)

                                                    Finite-window certificate for an implication.

                                                    Equations
                                                    Instances For
                                                      @[implicit_reducible]
                                                      instance TLA.hasFiniteWindowImplies {σ : Type u} (p q : pred σ) (n m : Nat) [HasFiniteWindow p n] [HasFiniteWindow q m] :
                                                      HasFiniteWindow [tlafml|pq] (max n m)
                                                      Equations
                                                      def TLA.finiteWindowLater {σ : Type u} (p : pred σ) (n : Nat) (hp : FiniteWindow p n) :
                                                      FiniteWindow [tlafml|p] (n + 1)

                                                      Finite-window certificate for the modality.

                                                      Equations
                                                      Instances For
                                                        @[implicit_reducible]
                                                        instance TLA.hasFiniteWindowLater {σ : Type u} (p : pred σ) (n : Nat) [HasFiniteWindow p n] :
                                                        HasFiniteWindow [tlafml|p] (n + 1)
                                                        Equations
                                                        def TLA.finiteWindowBinder {σ : Type u} {α : Sort v} (op : (αProp)Prop) (op_congr : ∀ {p q : αProp}, (∀ (x : α), p x q x) → (op p op q)) (p : αpred σ) (n : Nat) (hp : (x : α) → FiniteWindow (p x) n) :
                                                        FiniteWindow (fun (e : exec σ) => op fun (x : α) => p x e) n

                                                        Finite-window certificate for a quantifier binder.

                                                        Equations
                                                        Instances For
                                                          def TLA.finiteWindowForall {σ : Type u} {α : Sort v} (p : αpred σ) (n : Nat) (hp : (x : α) → FiniteWindow (p x) n) :
                                                          FiniteWindow [tlafml|∀ x, (p x)] n

                                                          Finite-window certificate for a universal quantifier.

                                                          Equations
                                                          Instances For
                                                            def TLA.finiteWindowExists {σ : Type u} {α : Sort v} (p : αpred σ) (n : Nat) (hp : (x : α) → FiniteWindow (p x) n) :
                                                            FiniteWindow [tlafml|∃ x, (p x)] n

                                                            Finite-window certificate for an existential quantifier.

                                                            Equations
                                                            Instances For
                                                              @[implicit_reducible]
                                                              instance TLA.hasFiniteWindowForall {σ : Type u} {α : Sort v} (p : αpred σ) (n : Nat) [hp : (x : α) → HasFiniteWindow (p x) n] :
                                                              HasFiniteWindow [tlafml|∀ x, (p x)] n
                                                              Equations
                                                              @[implicit_reducible]
                                                              instance TLA.hasFiniteWindowExists {σ : Type u} {α : Sort v} (p : αpred σ) (n : Nat) [hp : (x : α) → HasFiniteWindow (p x) n] :
                                                              HasFiniteWindow [tlafml|∃ x, (p x)] n
                                                              Equations

                                                              tlaFiniteWindow reduces a finite-window TLA sequent to an ordinary Lean goal over finitely many states.

                                                              The tactic uses HasFiniteWindow instances for every predicate in the sequent. It supports local formulas built from state predicates, action predicates, pure predicates, Boolean connectives, implication, negation, and . It deliberately does not peel genuinely temporal structure such as ; use sequent/modal rules first to expose a finite local obligation.

                                                              Equations
                                                              Instances For