-
|
Is there any way to create and validate inductive proofs with Quint? I'm still new to TLA+, but I've heard that there's a way to make inductive proofs in it. I've also written basic proofs in Coq and Lean, and I really like the idea of being able to prove safety invariants in my protocols. Does Quint have anything along the lines of proofs instead of just model checking? Also, is there a way to know if a model checker has indeed checked every possible combination and essentially represents a proof of correctness? |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 1 reply
-
|
In model checking, we have the concept of inductive invariants, which has a similar basis as inductive proofs, but you don't need to construct an inductive proof yourself - the model checker verifies it for you. I like this section on the Apalache manual explaining inductive invariants. So, for TLA+, you can use model checkers to verify inductive invariants. If you need inductive proofs, then you'd have to use TLAPM (which is a proof assistant just like Coq and Lean). Quint should also support inductive invariants. Right now it is kinda flaky, but this is on our list of priorities for the next few months. The issue #1430 tracks work on it but also describes how one could do it currently. Now for the last questions:
Not really. You can transpile Quint to TLA+ and use proofs there, that's the closest you can get. Quint is not really targeted for people who can write proofs, so I don't see we adding that in the future. There are already pretty great proof languages, and you can't escape mathematics when doing proofs 😅.
Yes. If the model checker finishes executing (that is, |
Beta Was this translation helpful? Give feedback.
-
|
Perfect, thanks! It took me a little looking around before I understood inductive invariants, but now I get it. The idea is to validate that the inductive invariant holds:
If you can verify that, you only have to run the model checker one level deep and you can validate that the property hold for an infinite sequence of steps.
Yeah, that's a great point. I suppose what I'm looking for is something like a bounded model checker and easy state machine syntax for Lean, but I think that's asking for a lot. 😁 |
Beta Was this translation helpful? Give feedback.
In model checking, we have the concept of inductive invariants, which has a similar basis as inductive proofs, but you don't need to construct an inductive proof yourself - the model checker verifies it for you. I like this section on the Apalache manual explaining inductive invariants.
So, for TLA+, you can use model checkers to verify inductive invariants. If you need inductive proofs, then you'd have to use TLAPM (which is a proof assistant just like Coq and Lean).
Quint should also support inductive invariants. Right now it is kinda flaky, but this is on our list of priorities for the next few months. The issue #1430 tracks work on it but also describes how one could do it currently.
N…