-
-
Notifications
You must be signed in to change notification settings - Fork 187
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SANY incorrectly allows an empty tuple of identifiers in quantifier bounds #888
Comments
Why is this nonsensical? |
Quantifier bounds allow two types of things:
The purpose is to introduce at least one bound identifier into scope; an empty tuple does not do that. I also don't know what kind of set could even produce empty tuples to quantify over and destructure. Maybe ---- MODULE Test ----
ASSUME \A <<>> \in {<<>>} : TRUE
==== produces:
I guess it's possible this is a valid sentence in the language, it's hard to say. Might be a Leslie question, or fall under "silly expressions". |
This comment was marked as outdated.
This comment was marked as outdated.
I just used |
Couldn't one argue that the following should then also be rejected? \A <<i>> \in {1} \X {2} : TRUE or \A <<a,b,c,d>> \in {}: TRUE |
I would say no, because those examples cross the line to runtime/evaluation/semantic errors instead of parse errors. The set from which the elements are drawn can be an arbitrarily complicated expression which is intractable to statically analyze, especially at the syntax/parser level. Whereas if we focus on the syntactic purpose of the quantifier bound - to introduce additional named variables into scope - it could make sense to disallow the empty tuple. Also your second example would just be true by vacuous truth. |
Exactly, and the same can be argued for |
Okay so your vote is in favor of this being a TLC bug and not a SANY bug? |
I suggest to bring this up at one of the monthly community calls. |
Also, how does TLAPS handle it? |
Let me know if I missed something, but... I think the empty-tuple destructuring binder actually does make sense, with semantics (\A <<>> \in set: P) <=> P This is based on a simple "desugaring" rule. Ignoring problems with name-capture and abusing syntax: \A <<a, ...rest...>> \in set:
P(a, ...rest...) is the same as \A a \in {Head(x) : x \in set}:
\A <<...rest...>> \in {Tail(x) : x \in set /\ Head(x) = a}:
P(a, ...rest...) The desugaring rule should still hold even when \A <<a>> \in set: P(a)
<=>
\A a \in {Head(x) : x \in set}: \A <<>> \in {Tail(x) : x \in set /\ Head(x) = a}: P(a)
<=>
\A a \in {Head(x) : x \in set}: P(a) EDIT: looking at it again, I don't think the desugaring rule I proposed is quite right. But I think it's close, and I believe we should be able to assign some meaning to |
I would define pattern matching a tuple as I've tried evaluating some of these expressions in TLC. It accepts My SANY installation is about a year old though. P.S. I just realized the additional variable is not necessary, one could use |
Yes, this feels right. :) Indeed, Lamport's tech report The Operators of TLA+ (unfortunately offline at the moment) spells out essentially that same rule by example. He gives this example on page 6:
So, I would infer that a 0-element tuple is just one that introduces no binders:
|
It looks like TLAPS does not support tuple-binding syntax with any number of arguments. |
Per discussion with Lamport in the google group thread and then later in the March community call, this is being defined as a SANY bug. |
This passes both syntactic & semantic checks:
This seems inherently nonsensical and should be disallowed at the syntax level.
Discovered during work on #882.
The text was updated successfully, but these errors were encountered: