The Operators of TLA+

SRC Technical Note 1997 - 006a April 12, 1997 Corrected June 8, 1997

Leslie Lamport

d i g i t a l

Systems Research Center 130 Lytton Avenue Palo Alto, California 94301 http://www.research.digital.com/SRC/

12 April 1997 Minor correction: 8 June 1997

This document is an introduction to the syntax and semantics of the operators of TLA+. It assumes that you are familiar with ordinary mathematics (sets and functions) and are at least acquainted with TLA. It should enable you to understand the expressions that appear in TLA+ speciﬁcations.

This is a preliminary document; suggestions are welcome.

L Contents

1 The Constant Operators 2 1.1Untypes...... 2 1.2Logic...... 5 1.2.1 Propositional Logic ...... 5 1.2.2 PredicateLogic...... 5 1.2.3 The CHOOSE Operator...... 6 1.2.4 TypelessLogic...... 7 1.3MiscellaneousOperators...... 7 1.3.1 Constructs Stolen from Programming Languages ..... 7 1.3.2 The let Construct...... 8 1.3.3 JunctionLists...... 8 1.4Sets...... 9 1.4.1 InfixandPrefixOperators...... 9 1.4.2 SetConstructors...... 9 1.5Functions...... 10 1.5.1 FunctionsandtheirDomains...... 10 1.5.2 The EXCEPT Construct...... 11 1.5.3 RecursiveFunctionDefinitions...... 12 1.5.4 FunctionsVersusOperators...... 13 1.6 Tuples and Functions of Multiple Arguments ...... 13 1.7StringsandNumbers...... 14 1.8Records...... 15

2 Action Operators 15

3 Temporal Operators 17

Index 19

1 The operators of TLA+ can be classiﬁed as constant operators, action operators, and temporal operators. For convenience, all these operators are listed in Figures 1–4 on the next page through page 4. They are described in three separate sections. The ASCII versions of typeset special characters are shown in Figure 5 on page 5. In the absence of a reasonable alternative, TLA+ uses the TEX command name for a symbol. (Sometimes there is more than one ASCII version for the same symbol; the different versions are synonymous.)

1 The Constant Operators

All the constant operators of TLA+ are listed in Figure 1 on page 3 and Figure 2 on

p p x h h i

page 4. In these ﬁgures, and i are formulas, is a bound variable, and are

d i sequences of characters, the c i are characters, the are digits, and all other letters are terms. The operators are explained below, in more or less the order in which they appear in the figures. (The “miscellaneous operators” are defined earlier so they can be used in defining other operators.)

The ﬁgures show the simple forms of the operators. Some operators have more

y p x y p general forms. For example, you can write x , : instead of : : . ∃ ∃ ∃ The more general forms are described with the individual operators.

1.1 Untypes

TLA+ is based on ZFC (Zermelo-Fraenkel set theory with the axiom of choice). This is an untyped formalism. In an untyped formalism, every syntactically well- formed expression, no matter how silly, has a meaning—for example, the expression 3 √“abc”. If the expression is silly, its meaning is probably unspeciﬁed. ∈ All we can tell about the expression 3 √“abc” is that it is a Boolean, so it equals ∈ either TRUE or FALSE.

Mathematicians write silly expressions all the time. For example the expression x 1/0 is a silly expression. But if you substitute 0 for x in the formula ( 0)

6= ⇒ x (x (1/ ) 1), you get the valid formula (0 0) (0 (1/0) 1) that ∗ = 6= ⇒ ∗ = contains the silly expression 1/0. A correct formula can contain silly expressions. However, the validity of a correct formula cannot depend on the meaning of a silly expression.

2 Logic TRUE FALSE

∧∨¬⇒≡

p x p x S p x S p x : : : :

∀ ∃ ∀ ∈ ∃ ∈

p x p CHOOSE x : [Equals some satisfying ] Sets / [set difference]

=6=∈∈∪∩⊆\

e e e i 1,..., n [Set consisting of elements ]

{ }

S p x S p x : [Set of elements in satisfying ]

{ ∈ }

x S e x S e : [Set of elements such that in ]

{ ∈ } S

SUBSET S [Set of subsets of ] S UNION S [Union of all elements of ]

Functions e

f [ ] [Function application] f

DOMAIN f [Domain of function ]

S e f f x e x S [x ] [Function such that [ ] for ]

∈ 7→ = ∈

T f f x T x S [S ] [Set of functions with [ ] for ]

→ ∈ ∈

e e f f f e e [f EXCEPT ![ 1] 2] [Function equal to except [ 1] 2]

= =

e S f f f e S [f EXCEPT ![ ] ] [Set of functions equal to except [ ] ] { ∈ } b b ∈ Records

b b

h h e

e . [The -component of record ]

h e h e h e

i i n [ 1 1,..., n ] [The record whose component is ]

7→ 7→

h S h S h S

i i n

[ 1 : 1,..., n : ] [Set of all records with component in ]

h e r r r h e [r EXCEPT !. ] [Record equal to except . ]

= =

h S r r r h S [r EXCEPT !. ] [Set of records equal to except . ] { ∈ } ∈ Tuples b b

th b b

i i e e [ ] [The component of tuple ]

e e n i e i 1,..., n [The -tuple whose component is ]

h i th

S S n i S i 1 ... n [The set of all -tuples with component in ] × ×

Strings and Numbers n

“c1 ...cn ” [A literal string of characters]

STRING [The set of all strings]

d d d d d d

n n m 1 ... n 1 ... . 1 ... [Numbers] +

Figure 1: Simple forms of the constant operators of TLA+.

Miscellaneous

e e e p e

if p then 1 else 2 [Equals 1 if true, else 2]

p e 2 2 p e e p

i i n case 1 1 ... n [Equals if true]

1 → 1 →

x e x e e e n let 1 1 ... n in [Equals in the context of the deﬁnitions]

= =

p p p p p p n 1 [the conjunction 1 ... n ] 1 [the disjunction 1 ... ] ∧ ∧ ∨ ∨

∧ ... ∨ ...

p p n ∧ n ∨

Figure 2: Simple forms of the constant operators of TLA+ (continued). p

p 0 [ true in ﬁnal state of step]

A A e e

[ ]e [ ( 0 )]

∨ =

A A e e

e [ ( 0 )]

h i ∧ 6= A

ENABLED A [An step is possible]

e e UNCHANGED e [ ]

0 = B A [Composition of actions] ·

Figure 3: The action operators of TLA+.

F F

2 [ is always true]

F F

3 [ is eventually true]

A A

WF e ( ) [Weak fairness for action ]

A A

SFe ( ) [Strong fairness for action ]

; G F G

F [ leads to ]

G F G F + [ guarantees ]

−F F x : [Temporal existential quantiﬁcation (hiding).]

∃ F x : [Temporal universal quantiﬁcation.] ∀ Figure 4: The temporal operators of TLA+.

4 /\ \E \equiv ∧ \/ ∃ \A ≡ <=> ∨ ∀ ≡ => \in CHOOSE CHOOSE ⇒ ∈ # / \notin SUBSET SUBSET 6= ∈ /= ˜ UNION UNION 6= ¬ << < < DOMAIN DOMAIN h >> > > EXCEPT EXCEPT i -> \leq STRING STRING → ≤ |-> \geq case CASE 7→ ≥ “ " 1 == other OTHER =

” " 2 [] if IF \cdot \o then THEN · ◦ let LET in IN else ELSE \cap \X \subseteq ∩ × ⊆ \cup [ {| ] |} ∪ { } Figure 5: ASCII versions of typeset special characters.

1.2 Logic 1.2.1 Propositional Logic

In TLA+, we use the ordinary operators of propositional logic. Negation is denoted by (˜ in ASCII), implication by (=>), and logical equivalence by (\equiv

¬ ⇒ ≡

B A B B A or <=>), where A equals ( ) ( ). ≡ ⇒ ∧ ⇒ Among the propositional-logic operators, has highest precedence, and ¬ ∧ ∨ have next lower precedence, then comes ,and has lowest precedence. Because

≡ ⇒

B C and have equal precedence, an expression like A is illegal; parentheses ∧ ∨ ∨ ∧ must be used to disambiguate it.

1.2.2 Predicate Logic We also use the ordinary universal quantifier (\A) and existential quantifier ∀ ∃ (\E) of predicate logic. Bounded quantifiers are defined in terms of unbounded ones in the usual way:

S p x x S p x : :( )

∀ ∈ =∀1 ∈ ⇒

S p x x S p x : :( )

∃ ∈ =∃ ∈ ∧ S In these expressions, the bound variable x may not occur in the expression .

TLA+ uses the customary abbreviations for multiple quantiﬁcation:

x x p x x p n 1,..., n : and 1,..., : . For example ∀ ∃

y z P x y z P x , , : : : : ∀ =∀ ∀ ∀

The general form of bounded universal quantiﬁcation is

q S q S p n 1 1,..., n :

∀ ∈ ∈

q x x x x

m m where each i is either a list 1, ..., of variables or a tuple 1,..., h i

of variables. (See Section 1.6 for a discussion of tuples.) None of these bound S

variables may appear in any of the i . Existential quantiﬁcation is similar. For example,

y S z w T p x , , , :

∃h i∈ ∈ =

y z w x y S z T w T p x , , , : ( , ) ( ) ( )

∃ h i∈ ∧ ∈ ∧ ∈ ∧

y z w S T where neither x , , , nor may appear in or . An expression begun by or , is terminated by the end of the statement or ∀ ∃ expression that contains it. The containing expression may be ended by some form of right parenthesis, by indentation rules (see Section 1.3.3), or by the end of a statement containing the expression.

1.2.3 The CHOOSE Operator

The CHOOSE operator is known to logicians as Hilbert’s ε [4]. If there is an x such

x p x

that p holds, then CHOOSE : equals some such . If there is more than one x

such x , it is not speciﬁed which one is chosen. If there is no such , then the value p of CHOOSE x : is unspeciﬁed.

The most common use for the CHOOSE operator is to “name” a uniquely spec-

eal iﬁed value. For example, one possible deﬁnition of the operator / on the set R of real numbers is:

s v v Real v s r r / CHOOSE : ( ) ( )

= ∈ ∧ ∗ =

v v r If r is a nonzero real number, then there is no real such that 0 . Therefore, ∗ = r /0 has a completely unspeciﬁed value. We don’t know what a real number times

a string equals, so we cannot say whether or not there is a real number v such that

r r v “abc” equals . Hence, we don’t know what the value of /“abc”is. ∗

The CHOOSE operator is often used in the following idiom, which deﬁnes

nS S notA to be some arbitrary element not in .

nS x x S notA CHOOSE : / = ∈ 6

The CHOOSE operator cannot be used to introduce nondeterminism. If q is

x q x p equivalent to p ,thenCHOOSE : equals CHOOSE : . Hence, CHOOSE “chooses the same value every time.” A CHOOSE expression, like a quantiﬁer expression, is ended by the end of the expression or statement that contains it.

1.2.4 Typeless Logic Because TLA is completely untyped, an expression like 3 “abc”islegal.We + ∧ can therefore ask whether it equals “abc” 3, and whether (3 “abc”) (3 ∧ ∧ ∨¬ ∧ “abc”) equals TRUE? There are two reasonable ways to deﬁne the semantics of the Boolean operators which give two sets of answers to such questions.

In the weak semantics, one knows nothing about the meaning of an expression

b a b like a if and are not both Booleans. With this semantics, 3 “abc” need ∧ ∧ not be a Boolean, and there is no reason to expect it to equal “abc” 3. We can ∧

reason about logical operators only when applied to Booleans.

b a b In the strong semantics, a is a Boolean regardless of what and are, and

∧

b b a logical operators obey most of the usual laws. In particular, a equals

∧ ∧ b

for any a and . The easiest way to deﬁne the strong semantics is to assume an

e e e e

operator 9 such that 9(e ) is a Boolean for every ,and9( ) equals if is a b Boolean. We then deﬁne the logical operators so that, for example, a equals

∧

b a b 9(a ) 9( ),forall and . ∧ The strong semantics is more convenient to use when writing proofs, because we can apply the laws of logic without having first to prove that the arguments of Boolean operators are Booleans. However, when writing specifications, we should assume only the weak semantics. The meaning of a specification should never depend on the value obtained by applying a Boolean operator to a nonBoolean.

1.3 Miscellaneous Operators 1.3.1 Constructs Stolen from Programming Languages

The expression

e e

if p then 1 else 2

p e equals e 1 if is true, otherwise it equals 2.Thecase expression is deﬁned by

p e 2 2p e n case 1 1 ... n

→ → =

x p x e p x e n CHOOSE $ : ( 1 ($ 1)) ... ( n ($ ))

⇒ = ∧ ∧ ⇒ =

p p

In the case expression, n can be other, which is an abbreviation for ( 1 ...

¬ ∨ ∨ p

n 1). −

7 Like a quantiﬁer expression, an else clause or the ﬁnal arm of a case expression is terminated by the end of the statement or expression that contains it. This rule means that if one case expression appears within another, then the inner case

encompasses as much of the expression as possible. For example

a p e 2 p e 2 p e case p 1 case 2 2 3 3 4 4 → + → → →

is parsed as

a p e 2 p e 2 p e case p 1 (case 2 2 3 3 4 4)

→ + → → →

p p if none of the i are other expressions. If 3 is other, then the only possible

parsing is

a p e 2 e 2 p e case p 1 (case 2 2 other 3) 4 4 → + → → → It is good practise to enclose an inner case in parentheses to avoid ambiguity. (Per- haps this practise should be required by the language syntax, but at the moment it isn’t.)

1.3.2 The let Construct The let construct allows one to make and use local deﬁnitions within an expression. For example

a c let x

= 1 ∗

n a b c n F ( ) ( )ˆ

= + +

F F F x in x (1) (2) (2 ) ∗ + + +

equals

c a b c a b c a b c a c ( a ) ( )ˆ1 ( )ˆ2 ( )ˆ(2 ( ))

∗ ∗ + + + + + + + + + ∗ F The identiﬁers x and must not have a meaning in the context where the let expression appears.

1.3.3 Junction Lists

TLA+ uses the notation for conjunctions and disjunctions explained in [2]. A list of formulas preﬁxed by or denotes the conjunction or disjunction of the formulas, ∧ ∨

and indentation is used to eliminate parentheses. For example: B ∧∨A ∨ ∨C

∧∨D F ∨E ∧ ∨G 8

B C D E F G equals ((A ) ) ( ( ) ). The following are the precise rules ∨ ∨ ∧ ∨ ∧ ∨ for parsing a bulleted list of conjuncts or disjuncts, where general parentheses pairs are (), ,[],and . {} hi The or tokens must line up. • ∧ ∨ Each conjunct or disjunct is terminated by either the end of the entire ex- • pression or else the ﬁrst token, not appearing inside general parentheses, that appears at the same vertical position or to the left of its or . (In the ASCII ∧ ∨ representation, the position of a symbol is that of its ﬁrst character.)

1.4 Sets 1.4.1 Infix and Prefix Operators TLA uses the conventional infix operators for sets: (\in), / (\notin), + ∈ ∈ (\cap), (\cup), and (\subseteq). The operator denotes set differ-

∩ ∪ ⊆ \

B A B ence; A is the set of elements in that are not in . \ The operators and (# or /=) should be used for equality and inequality of = 6= nonBoolean values. Although can be used for equality of Boolean values, we = prefer to use in that case. (The precedence rules encourage this use.) ≡

In TLA+, SUBSET is the powerset operator, so SUBSET S is the set of all sub-

S T S T S sets of S . Thus, SUBSET is equivalent to . We write UNION

∈ ⊆ S

(instead of the more conventional S ) for the union of all the elements of .For

T S T S S example, UNION S , equals ,andUNION (SUBSET ) equals ,forany

{ } S∪ T sets S and .TheUNION and SUBSET operators can be confusing. Until you get used to them, you may want to write comments describing typical elements of each set in each subexpression in which they appear in your speciﬁcations. The operators , , , SUBSET ,andUNION all have equal precedence, which ∩ ∪ \ is higher than the precedence shared by , , ,and . That precedence is in = 6= ∈ ⊆ turn lower than the precedence of (the highest-precedence Boolean operator). ¬ TLA+ adopts the principle that eliminating ambiguity is more important than sav- ing keystrokes. Therefore, operators are given equal precedence if there is any reasonable doubt about their relative precedence.

1.4.2 Set Constructors

Finite sets can be enumerated explicitly with an expression of the form

e e e i 1,..., n , which denotes the set whose elements are the . For example, { } 1, 2, 1, 3, 2, 3 is the set consisting of the three elements 1, 2, and 3. The empty { } set is written . {}

TLA+ provides two set-constructing operators that are often confused. The

S p ﬁrst is the subset constructor x : , which denotes the set of all elements of

{ ∈ }

p x Nat x Nat S satisfying . For example, : 3 equals 0, 1, 2, 3 ,where is

{ ∈ ≤ } { }

x S the set of natural numbers. The second is the set-of-all constructor e : ,

{ ∈ }

x S

which denotes the set of expressions of the form e ,forall in . For example,

n Nat x S p 2 n : is the set of even natural numbers. In the expressions :

{ ∗ ∈ } { ∈ }

x S x S and e : , the bound variable may not occur in . { ∈ }

The subset constructor also has the form

x x S p

1,..., n : {h i∈ }

which is deﬁned to equal

x S x x x x x p n : 1,..., n : ( 1,..., )

{ ∈ ∃ =h i ∧ }

x S

where the i are variables that may not appear in . The set-of-all constructor has

the general form

e q S q S n : 1 1,..., n

{ ∈ ∈ }

q S q

i i where the i and are the same as for bounded quantiﬁers—each is either a

list or a tuple of variables, and none of these bound variables may appear in any of S

the i . For example,

x S y T e x S y T e : , UNION : : { ∈ ∈ } = {{ ∈ } ∈ } In set theory, logical inconsistencies (such as Russell’s paradox) are avoided by restricting the kinds of collections that are sets. These restrictions are built into the TLA+ operators, which make it impossible to build sets that are “too big”. For example, the collection of all ﬁnite sets is not a set. However, the set of all ﬁnite sets of natural numbers is a set, and can be written using the TLA+ operators.

1.5 Functions 1.5.1 Functions and their Domains In conventional mathematics, a function is a set of ordered pairs satisfying certain properties. In TLA+, we do not specify any particular set-theoretic representation

of functions. We simply assume that there is a certain kind of set called a function e

that has a domain. Function application is denoted by square brackets, so f [ ]is

e f e e

the value obtained by applying f to . The expression [ ] is meaningful even if f

is not in the domain of f ,orif is not a function; but we have no way of specifying

e f e what the meaning of f [ ] is unless is a function and is in its domain.

f f

The expression DOMAIN f equals the domain of ,if is a function. The

T S expression [ S ] denotes the set of all functions with domain and range a

→

f S T S subset of T . In other words, is in [ ] iff it is a function with domain

→

x T x S such that f [ ] for all . ∈ ∈

The TLA+ notation for a “lambda expression” is the function constructor

S e f S [x ], which equals the function whose domain is the set , such that

∈ 7→

x e x S i Nat i f [ ] equals for each in . For example, [ 1] deﬁnes the succes-

∈ 7→ + f

sor function on the set Nat of natural numbers. An expression denotes a function

x f f x x iff f equals [ DOMAIN [ ]], where is a variable that does not occur in ∈ 7→ f .

1.5.2 The EXCEPT Construct

f e e f Functions If f is a function, then [ EXCEPT ![ 1] 2] equals the function

f e e that is the same as f except with [ 1] 2. Formally, =

1 b

e e x f x e e [f EXCEPT ![ 1] 2] [ DOMAIN if 1 then 2

= b= ∈ 7→ = x

else f [ ]]

f e e

where x is a variable that does not occur in the expressions , 1,or 2. Think

e e f of [ f EXCEPT ![ 1] 2] as the function obtained from by the assignment

e e f [ 1]: 2.

f e

The character @ appearing in the expression e 2 stands for [ 1]. For example,

f Fcn [ Fcn EXCEPT ![3] @ 5] is the function that is the same as except that

= ∗

Fcn f f [3] equals [3] 5. Think of @ as an abbreviation for the “old value” of ∗ applied to e 1. b

b The EXCEPT notation is generalized in two ways. First, we let

f e e e f

[ EXCEPT ![ 1]...[ n ] ] be the function obtained from by the as-

f e e e e f e e n signment [ 1]...[ n ]: ,where@in denotes [ 1]...[ ]. Formally,

f e e e

[ EXCEPT ![ 1]...[ n ] ] equals

f e e e e

[ EXCEPT ![ 1] [@ EXCEPT ![ 2] [@ ... EXCEPT ![ n ] ]...]

= = =

f e e

Next, we let [ EXCEPT ![...] 1, ... , ![...] n ] be an abbreviation for

= =

f e e

[...[ EXCEPT ![...] 1] EXCEPT ... ![...] n ]...] = =

Think of [f EXCEPT ![2][7] @ 1, ![3][5] @ 2] as the array obtained from = + = +

f by performing the two assignments

f f f f [2][7] : [2][7] 1 [3][5] : [3][5] 2 = + ; = +

11 Sets of Functions It is also convenient to have a notation for sets of functions

that differ from f only in their value on some element in their domain. We let

e S [ f EXCEPT ![ ] ] { ∈ }

be the set of all functions

e x [ f EXCEPT ![ ] ]

S x f S with x (assuming does not appear in the expression or ). This set is ∈ written in ASCII as { f EXCEPT ![e] \in S } | |

There is a similar @ convention to the one described above. For example, Fcn [ Fcn EXCEPT ![3] @,@ 1] is the set consisting of the functions and { ∈{ + }}

[ Fcn EXCEPT ![3] @ 1].

= +

e e We generalize the [f EXCEPT ![ 1] 2] construct in the same ways we

{ ∈ }

e e generalized the construct [f EXCEPT ![ 1] 2] above. For example,

a b S c T [ f EXCEPT ![ ][ ] , ![ ] ] { ∈ ∈ }

is the set of all functions

a b s c t [ f EXCEPT ![ ][ ] , ![ ] ]

= =

S t T with s and . There is also one additional abbreviation: we can write

∈ ∈ e “ e ” instead of “ ”. For example,

= ∈{ }

a S b g [f EXCEPT ![ ][7] , ![ ] ] { ∈ = }

is the set

a s b g s S [f EXCEPT ![ ][7] , ![ ] ]: { = = ∈ } 1.5.3 Recursive Function Deﬁnitions

TLA+ does not allow recursive definitions of operators. However, using CHOOSE, it is easy to write recursive function definitions. For example, the classic recursive definition of the factorial function on the set of natural numbers can be written as

act f f n Nat n F CHOOSE : [ if 0 then 1

= = ∈ 7→ =

f n else n [ 1] ] ∗ − TLA+ provides the following abbreviation for this deﬁnition:

act n Nat n F [ : ] if 0 then 1

= =

Fact n else n [ 1] ∗ − 12

x S e In general, f [ : ] is an abbreviation for =

f f x S e f CHOOSE : [ ]

= = ∈ 7→ S The bound variable x may not appear in . Although TLA+ does not allow recursive operator deﬁnitions, recursive func-

tion deﬁnitions can often be used to deﬁne operators. For example, the following

dinality S Cardinality S deﬁnes the operator Car so that if is a ﬁnite set, then ( ) is

the number of elements in S .

1 1

dinality S F T S Car ( ) let [ : SUBSET ] = =

if T ={}

then 0

T t t T else 1 F [ CHOOSE : ]

+ \{ ∈ } S in F [ ]

1.5.4 Functions Versus Operators dinality

It is important to understand the distinction between an operator like Car

act f f f x

and a function like F .If is a function, then and [ ] are both expressions.

x f Hence, both 1 f [ ]and1 are syntactically legal expressions. (What they + + mean will depend on the deﬁnition of .) If O is an operator that takes a single

e e O

argument, then O ( ) is an expression, for any expression .However, by itself

e O is not an expression. One can write 1 O ( ),but1 is nonsense—it is not + + a syntactically valid expression. Writing “1 O ” makes as little sense as writing +

“1 (”or“C ”. + ++ Since functions are expressions, they are often more convenient to use than

operators. However, a function has a domain, which is a set, and it is possible to

x x f

specify the value of f [ ] only for in its domain. One cannot deﬁne a function

S Cardinality S S such that f [ ] equals ( ) for every ﬁnite set . The domain of such a function would have to be the collection of all ﬁnite sets, and that collection is not aset. The most common use of functions is as the values of variables. In a program

written in a conventional programming language, one often declares a variable x x to be an array variable indexed by some set S . In a TLA+ speciﬁcation, one lets

be a variable whose value is always a function with domain S .

1.6 Tuples and Functions of Multiple Arguments

e e n

In TLA , 1,..., n denotes an ordered -tuple. TLA provides the usual

+ h i +

S S n

Cartesian product notation, where 1 ... n is the set of all -tuples × × 13

e e e S

i i 1,..., n with each in . Unlike conventional mathematics, TLA deﬁnes

h i +

n e e n i the -tuple 1,..., n to be the function with domain 1,..., that maps to

h i { }

e e i e i i

i . Thus, if is a tuple with at least components, then [ ] is its th component,

for any positive integer i . In particular, the zero-tuple is the unique function with empty domain. hi

A function of multiple arguments is a function whose domain is a Cartesian

f e e f e e n product. We can write [ 1,..., n ] as an abbreviation for [ 1,..., ]. The h i

general form of an explicit function constructor is

q S q S e n [ 1 1,..., n ]

∈ ∈ 7→

q S q

i i where the i and are the same as for bounded quantiﬁers—each is either a

list or a tuple of variables, and none of these bound variables may appear in any of S

the i . For example,

y S z T e [ x , , ] h i∈ ∈ 7→ is equivalent to

1 1 1

S T x w y w z w [w let [1][1] [1][2] [2] ∈ × 7→ = = =

in e ]

S T e if w does not occur in , ,or . The EXCEPT construct and recursive function deﬁnitions extend in the obvi- ous way to functions of multiple arguments. For example, the general form of a function deﬁnition is

f q S q S e n [ 1 : 1,..., n : ]

q S i where the i and are as before.

1.7 Strings and Numbers A string is written “...”, as in “abc”. Formally, the string “abc” is a 3-tuple, so it equals “abc”[1], “abc”[2], “abc”[3] . The elements of this 3-tuple (the three h i letters making up the string “abc”) are unspeciﬁed. Of course, “ ” equals .The hi set of all strings is written STRING.

A sequence of digits is a number. Formally, the sequence 376 of digits de-

al Numeral Naturals

notes Numer (“376”),where must be a deﬁned operator. The

al Numeral

module deﬁnes Numer so that (“376”) equals the number 376. (More al

precisely, Numer (“376”) equals the value that represents the number 376 in the als

particular representation of the natural numbers deﬁned by the Natur module.) al Since 376 is equivalent to writing Numer (“376”), it is an error to write 376 in

14 al

a module where Numer is not deﬁned—which usually means in a module that als

does not extend or instance Natur or some other module that deﬁnes numbers.

als Nat The Natur module also deﬁnes the set of natural numbers, and the following inﬁx operators:

(substraction) (times) ˆ (exponentiation) < >

+− ∗ ≤ ≥ cimal

Decimal numbers are deﬁned in terms of the De operator. For example,

cimal Reals

3.14159 is an abbreviation for De (“3”, “14159”).The module deﬁnes cimal De appropriately.

1.8 Records

TLA+ provides notation for records, which are like the records of conven- r

tional programming languages. The xyz component of a record is written

r xyz h e h e r n . . The expression [ 1 1,..., n ] is the record with compo-

7→ 7→

h h r h e i n

i i nents 1, ..., n such that . equals ,for 1,..., . The expression

h S h S r h h

n n

[ 1 : 1,..., n : ]isthesetofallrecords with components 1, ...,

r h S i n i such that . i is an element of the set ,for 1,..., . In other words, =

h S h S n [ 1 : 1,..., n : ]

h e h e e S e S

n n n [ 1 1,..., n ]: 1 1,..., { 7→ 7→ ∈ ∈ }

In both of these notations, n has to be at least one; [ ] is not a legal expression.

In TLA+, a record is a function whose domain is a ﬁnite set of strings, and

xyz r xyz r . is an abbreviation for [“xyz”]. Taking !. to be an abbreviation for

![“xyz”], the EXCEPT notation applies to records as well as functions. For ex-

h e r r r h ample [ r EXCEPT !. [ ] @ 1] is the record that is the same as , except .

= +

h r h e r h e is the function that is the same as r . except . [ ] equals . [ ] 1.

r foo Because records are functions, one can alwaysb write r [“foo”] instead of .b and can use function constructors for expressingb records. This can be quite useful at times.

2 Action Operators

The action operators of TLA+ come from TLA. They are listed in Figure 3 on page 4. Except for “ ”, these operators are all described in [3]. · TLA has two classes of variables: rigid variables and ﬂexible variables. Rigid variables are called constants in TLA+. They are the variables of ordinary predicate logic. The bound variables introduced by the constant operators of Section 1 are rigid variables. Flexible variables are called simply variables in TLA+.

15 An action is a Boolean formula that may contain primed and unprimed ﬂexible variables. In an action, an unprimed instance of a variable denotes its value in

“the current state”, and a primed instance denotes its value in “the next state”. For x action reasoning, x and 0 can be considered to be completely unrelated variables. The action operators of TLA+ can be deﬁned in terms of primed variables as follows. (These deﬁnitions are applied from the inside out, replacing the arguments

of an operator by their deﬁnitions and then replacing the operator by its deﬁnition.)

p x x

p 0 Equals with every ﬂexible variable replaced by its primed version 0.

A A e e

[ ]e Equals ( ).

∨ 0 =

A A e e

e Equals ( ).

h i ∧ 0 6=

A x x A

ENABLED Let 1, ..., n be the ﬂexible variables that occur primed in ,let

x x A A

1, ..., n be new rigid variables that do not occur in ,andlet be

A x x

the formula obtained from by replacing each occurrence of by i ,for

i n A x x A

1,... .ThenENABLED equals 1,..., n : . For exampleb b= c ∃ b

x y z x y x x y z ENABLED (x 0 0 ) b, :c b

∗ = ∗ =∃ ∗ = ∗

e e UNCHANGED e Equals .

0 = bb b b

B A B A Equals the composition of the actions and . Intuitively, it is the action

A B x x

that ﬁrst does then . More formally, let 1, ..., n be all the ﬂexible

A B x x

variables that occur primed in or unprimed in ,let 1, ..., n be new

B A A x rigid variables that do not occur in A or ,let equal with each

x B B x x A B

i i replaced by i ,and equal with each replaced by .Then

b c ·

x x A B

equals 1,..., n : . For example, b ∃ ∧

b e b

x y w

b c b e z 0 0 0

y x z

x 0 ∧ − ∗ ∈ 1 w

∧ + − = y / y

z > 0 7 · ∧ ∈  =

y z ∧ + x >

∧ 0 +

x y w

 z 0 0 0

y x z

x ∧ − ∗ ∈

x y z y w

w , , , : ∧ + − = / y

∃ z > 7 ∧ ∧ ∈ 

y z ∧ + x 0 >b b ∧ + b b b b  b b  b (The TLA+ convention of using bulleted lists of conjunctsb andb disjuncts is explained in Section 1.3.)

16 3 Temporal Operators

A temporal formula is one that is true or false of a behavior, which is an inﬁnite sequence of states. The TLA operators for writing temporal formulas are listed in

Figure 4 on page 4. The temporal quantiﬁers have the same generalizations as the

x x F unbounded predicate-logic quantiﬁers—for example, 1,..., n : . ∃ The temporal operators of TLA are all described in [3] except for + ,which + −F is introduced in [1]. (This operator is used only for assumption/guarantee speciﬁ-

cations.) They are deﬁned in terms of 2,and as follows.

∃

F 2 F 3 Equals .

¬ ¬

A 23 A 23 A

e e WF e ( ) Equals ( ENABLED ) ( ).

¬ h i ∨ h i

A 32 A 23 A

e e SFe ( ) Equals ( ENABLED ) ( ).

¬ h i ∨ h i

; G 2 F 3G F Equals ( ).

⇒

F x F x : Equals : .

∀ ¬∃ ¬

G G F F + This formula asserts that remains true at least one step longer than

−F

F H does. (And G remains true forever if does.) A formula is true for

the ﬁrst k steps of a behavior iff there is some way to continue those steps

to a complete behavior for which H is true. This leads to the following G formal deﬁnition of F + .

−F

x x

Let x be the tuple 1,..., n of all ﬂexible variables that occur free

h i

F G n x x

in or ;letxbe an -tuple of ﬂexible variables 1,..., n distinct

h i

G F G

from any variables appearing (bound or free) in F or ;let and be

F G x

the formulas obtainedb from and by substitutingb the variablesc i for

x b

the corresponding variables i ,andlet be a ﬂexible variableb distinctb

x F G

x + i from the i and .Then is deﬁned to equal

−F b

b b 2 b

: ( TRUE) [ FALSE]b

∀ ∧ = b ∧ 0 =

x x F 2 b

1,..., n : ( (x x))

∧ ∃ ∧ ⇒ =

x x G 2 b b 1,..., n : (x x) [ (x0 x0)] ,x,x ⇒ ∃ ∧ = ∧ ⇒ = h i b c b b b b c b b b References

[1] Mart´ın Abadi and Leslie Lamport. Conjoining speciﬁcations. ACM Transac- tions on Programming Languages and Systems, 17(3):507–534, May 1995.

17 [2] Leslie Lamport. How to write a long formula. Formal Aspects of Computing, 6:580–584, 1994. First appeared as Research Report 119, Digital Equipment Corporation, Systems Research Center.

[3] Leslie Lamport. The temporal logic of actions. ACM Transactions on Pro- gramming Languages and Systems, 16(3):872–923, May 1994.

[4]A.C.Leisenring. Mathematical Logic and Hilbert’s ε-Symbol. Gordon and Breach, New York, 1969.

Index

e e . (period), 15 [ f EXCEPT ![ 1] 2], 11

e e 0 (prime), 16 [ f EXCEPT ![ 1] 2],12

{ 1 ∈ }

x S e (action composition), 16 f [ : ] ,12

· =

h e h e n @, 11, 12 [ 1 1,..., n ], 15

7→ 7→

h S h S n “...”, 14 [ 1 : 1,..., n : ], 15 ,13 × ,15 action operators, 15–16 ∗ ,15 + bound variable, 5, 10 ,15 − ˆ,15 Cartesian product, 13 <,15 case,7 ,15 ≤ CHOOSE,6 >,15 conjunctions, list of, 8 ,15 ≥ constant operators, 2–15 ,9

\ cimal ,9 De ,15 = ,9 decimal number, 15 6=

;,17 disjunctions, list of, 8 ,8 DOMAIN,11 ∧ ,8 ∨ ,5 empty set, 9 ⇒,5 ENABLED,16 ¬ EXCEPT, 11, 12, 15 2,17

3,17 function, 10–13 ,5,6 ∀ of multiple arguments, 14 ,17 ∀ tuple as, 14 ,5,6 ∃ versus operator, 13 ,17

∃ A

[ ]e ,16 Hilbert’s ε,6 A

e ,16

h i e e if,7 1,..., n ,13 h i + ,17 implication, 5

−F e e inconsistency, avoiding, 10 1,..., n ,9

{ }

S p x : ,10 indentation used to eliminate

{ ∈ }

x S e : ,10 parentheses, 8

{ ∈ } T [S ], 11

→ lambda expression, 11

S e [ x ], 11 ∈ 7→

19 let,8 list of conjunctions or disjunctions, 8 logic operators, 5–7

Nat ,15 als Natur module, 15 negation, 5 nondeterminism not introduced by CHOOSE,7 number, 14–15 operator versus function, 13 parentheses, eliminated by indentation, 8 primed variable, 16 record operators, 15 recursive deﬁnition of function, 12–13 set operators, 9–10 SF, 17 silly expression, 2 string, 14 SUBSET,9 temporal operators, 17 tuples, 13 types, 2

UNCHANGED,16 UNION,9 untyped, 2 variable primed, 16

WF, 17