{<<x, y>> \in S \X T :
...}
). Note that this produces a really obscure error
message, or sometimes a silent crash of TLAPS.ENABLED
, \cdot
(action composition),
and many temporal operators are unsupported...
operator, but you can reason about it with
SMT solvers. In general, proof obligations involving arithmetic
can usually only be proved by the SMT backend.
TLC
standard module, and it cannot
use their definitions either.
While the following features are supported, the back-end provers do not provide much automatic proving and require a lot of guidance.
CASE
construct,
strings, tuples, and
records. For records, the provers usually need to be told
explicitly to use a fact of the form r.f = e
even
when they are given the fact r = [f |-> e, ...]
.e
of the
form CHOOSE x : P(x)
,
you will have to explicitly
state P(e)
and prove it (by proving \E x :
P(x)
).The following limitations and problems of TLAPS and its backends are known to us and will hopefully be removed in a future version. We welcome your feedback on problems that you encounter. Why not subscribe to the Google TLA+ group where such issues are discussed?
CHOOSE
expressions. In
particular, the axioms for
determinacy of CHOOSE
stating
tlapm
crashing with a stack
backtrace that starts with
.tlaps
directory.ASSUME
, tlapm
accepts NEW
STATE
, NEW
VARIABLE
, NEW
ACTION
, and NEW
TEMPORAL
declarations but does not handle them
correctly.ASSUME
... PROVE
.