# Towards formal proof of the TaskProcessing specification

This notebook documents the thought process and attempts made to derive a proof for the **TaskProcessing** specification.

The goal is to write this proof formally in **TLA+** and verify it using **TLAPS**. However, achieving such a proof may require extensive trial and error.

This notebook aims to record this iterative process.

In particular, some steps—such as finding inductive invariants—may require using **TLC** with specific models (or configurations). Keeping a record of these models is essential. It allows for:
- Maintaining a history of the work,
- Re-running verifications, and
- Continuing the work later.

## Proving invariants

Apart from the type invariant, the specification declares three invariants: *AllocConsistent*, *AllocStateConsistent* and *ExclusiveAssignment*. The recommanded approach for proving invariants is to find an inductive invariant that implies these invariants. Before seeking for the inductive invariant we first convince ourselves that non of these three invariants are inductive by presenting a counterexample for each of them.

**Remark:** The type invariant (TypeInv) is likely inductive but not imply any of the invariants of interest. It must be conjuct with additional expressions to be turned into a useful inductive invariant.

### Checking invariants on induction

Here we use TLC to check whether any of the three invariants is inductive.

#### ExclusiveAssignment

In [4]:
---- MODULE ExclusiveAssignmentIndInv ----
EXTENDS TaskProcessing

Inv == TypeInv /\ ExclusiveAssignment

ISpec == Inv /\ [][Next]_vars
====

In [5]:
%tlc:ExclusiveAssignmentIndInv -deadlock
CONSTANTS
    AgentId = {a, b}
    TaskId = {t}

SPECIFICATION
    ISpec

INVARIANT
    Inv

TLC2 Version 2.17 of 02 February 2022 (rev: 3c7caa5)
Running breadth-first search Model-Checking with fp 63 and seed 6965937538770037433 with 12 workers on 12 cores with 6238MB heap and 64MB offheap memory [pid: 278188] (Linux 6.6.87.2-microsoft-standard-WSL2 amd64, Ubuntu 21.0.9 x86_64, MSBDiskFPSet, DiskStateQueue).
Parsing file /tmp/tmp3jqdzc6y/ExclusiveAssignmentIndInv.tla
Parsing file /tmp/TaskProcessing.tla
Parsing file /tmp/TaskStates.tla
Parsing file /tmp/FiniteSets.tla
Parsing file /tmp/Naturals.tla
Parsing file /tmp/Sequences.tla
Semantic processing of module Naturals
Semantic processing of module Sequences
Semantic processing of module FiniteSets
Semantic processing of module TaskStates
Semantic processing of module TaskProcessing
Semantic processing of module ExclusiveAssignmentIndInv
Starting... (2025-11-25 17:45:18)
Computing initial states...
Computed 2 initial states...
Computed 4 initial states...
Computed 8 initial states...
Finished computing initial states: 15 disti

Failed command was: 'java -XX:+UseParallelGC -Dtlc2.TLC.ide=tlaplus_jupyter -cp /home/qdelamea/tools/tlaplus_jupyter/tlaplus_jupyter/vendor/tla2tools.jar:/home/qdelamea/projects/ArmoniK.Spec/specs tlc2.TLC -workers 12 -config run.cfg -deadlock ExclusiveAssignmentIndInv.tla'

#### AllocStateConsistent

In [None]:
---- MODULE AllocStateConsistentIndInv ----
EXTENDS TaskProcessing

Inv == TypeInv /\ AllocStateConsistent

ISpec == Inv /\ [][Next]_vars
====

In [None]:
%tlc:AllocStateConsistentIndInv -deadlock
CONSTANTS
    AgentId = {a, b}
    TaskId = {t}

SPECIFICATION
    ISpec

INVARIANT
    Inv

TLC2 Version 2.17 of 02 February 2022 (rev: 3c7caa5)
Running breadth-first search Model-Checking with fp 52 and seed 260930302292062275 with 12 workers on 12 cores with 6238MB heap and 64MB offheap memory [pid: 249540] (Linux 6.6.87.2-microsoft-standard-WSL2 amd64, Ubuntu 21.0.9 x86_64, MSBDiskFPSet, DiskStateQueue).
Parsing file /tmp/tmp4yyimz83/AllocStateConsistentIndInv.tla
Parsing file /tmp/TaskProcessing.tla
Parsing file /tmp/TaskStates.tla
Parsing file /tmp/FiniteSets.tla
Parsing file /tmp/Naturals.tla
Parsing file /tmp/Sequences.tla
Semantic processing of module Naturals
Semantic processing of module Sequences
Semantic processing of module FiniteSets
Semantic processing of module TaskStates
Semantic processing of module TaskProcessing
Semantic processing of module AllocStateConsistentIndInv
Starting... (2025-11-25 17:20:11)
Computing initial states...
Computed 2 initial states...
Computed 4 initial states...
Finished computing initial states: 7 distinct states generated at 2025-

Failed command was: 'java -XX:+UseParallelGC -Dtlc2.TLC.ide=tlaplus_jupyter -cp /home/qdelamea/tools/tlaplus_jupyter/tlaplus_jupyter/vendor/tla2tools.jar:/home/qdelamea/projects/ArmoniK.Spec/specs tlc2.TLC -workers 12 -config run.cfg -deadlock AllocStateConsistentIndInv.tla'

#### AllocConsistent

In [6]:
---- MODULE AllocConsistentIndInv ----
EXTENDS TaskProcessing

Inv == TypeInv /\ AllocConsistent

ISpec == Inv /\ [][Next]_vars
====

In [7]:
%tlc:AllocConsistentIndInv -deadlock
CONSTANTS
    AgentId = {a, b, c}
    TaskId = {t, u, v}

SPECIFICATION
    ISpec

INVARIANT
    Inv

TLC2 Version 2.17 of 02 February 2022 (rev: 3c7caa5)
Running breadth-first search Model-Checking with fp 75 and seed 4215500323593355637 with 12 workers on 12 cores with 6238MB heap and 64MB offheap memory [pid: 278570] (Linux 6.6.87.2-microsoft-standard-WSL2 amd64, Ubuntu 21.0.9 x86_64, MSBDiskFPSet, DiskStateQueue).
Parsing file /tmp/tmp0ug3vt_0/AllocConsistentIndInv.tla
Parsing file /tmp/TaskProcessing.tla
Parsing file /tmp/TaskStates.tla
Parsing file /tmp/FiniteSets.tla
Parsing file /tmp/Naturals.tla
Parsing file /tmp/Sequences.tla
Semantic processing of module Naturals
Semantic processing of module Sequences
Semantic processing of module FiniteSets
Semantic processing of module TaskStates
Semantic processing of module TaskProcessing
Semantic processing of module AllocConsistentIndInv
Starting... (2025-11-25 17:45:48)
Computing initial states...
Computed 2 initial states...
Computed 4 initial states...
Computed 8 initial states...
Computed 16 initial states...
Computed 32 initial s

#### Conclusion

The previous verifications demonstrate that *AllocStateConsistent* and *ExclusiveAssignment* are not inductive invariants. However, *AllocConsistent* conjucted with *TypeInv* seems to be an inductive invariant. This last observation is ultimately not surprising, since *AllocConsistent" results directly from the type invariant. This invariant can therefore be removed from the specification.

### Looking for a useful invariant

Here, we attempt to find an inductive invariant that implies both *AllocStateConsistent* and *ExclusiveAssignment*. Conjoining the two invariants appears promising, as the counterexamples identified earlier would be ruled out due to the additional constraints introduced by the second invariant. Therefore, we propose using the conjunction of the two invariants as our candidate.

In [11]:
---- MODULE IndInv1 ----
EXTENDS TaskProcessing

Inv == TypeInv /\ AllocStateConsistent /\ ExclusiveAssignment

ISpec == Inv /\ [][Next]_vars
====

In [15]:
%tlc:IndInv1 -deadlock
CONSTANTS
    AgentId = {a, b, c}
    TaskId = {t, u, v, w, x}

SPECIFICATION
    ISpec

INVARIANT
    Inv

TLC2 Version 2.17 of 02 February 2022 (rev: 3c7caa5)
Running breadth-first search Model-Checking with fp 2 and seed -2772008903836201340 with 12 workers on 12 cores with 6238MB heap and 64MB offheap memory [pid: 287591] (Linux 6.6.87.2-microsoft-standard-WSL2 amd64, Ubuntu 21.0.9 x86_64, MSBDiskFPSet, DiskStateQueue).
Parsing file /tmp/tmpk6w87f3r/IndInv1.tla
Parsing file /tmp/TaskProcessing.tla
Parsing file /tmp/TaskStates.tla
Parsing file /tmp/FiniteSets.tla
Parsing file /tmp/Naturals.tla
Parsing file /tmp/Sequences.tla
Semantic processing of module Naturals
Semantic processing of module Sequences
Semantic processing of module FiniteSets
Semantic processing of module TaskStates
Semantic processing of module TaskProcessing
Semantic processing of module IndInv1
Starting... (2025-11-25 17:53:18)
Computing initial states...
Computed 2 initial states...
Computed 4 initial states...
Computed 8 initial states...
Computed 16 initial states...
Computed 32 initial states...
Computed 64 initial

TLC found no counter-example which may indicate that this invariant is an inductive invariant. So we continue working with it to gain more confidence. Next step we need to verify that this invariant is true in the initial state.

In [16]:
---- MODULE IndInv1Init ----
EXTENDS IndInv1

InitSpec == Init /\ [][UNCHANGED vars]_vars
====

In [18]:
%tlc:IndInv1Init -deadlock
CONSTANTS
    AgentId = {a, b}
    TaskId = {t, u}

SPECIFICATION
    InitSpec

INVARIANT
    Inv

TLC2 Version 2.17 of 02 February 2022 (rev: 3c7caa5)
Running breadth-first search Model-Checking with fp 27 and seed 9025357209010229339 with 12 workers on 12 cores with 6238MB heap and 64MB offheap memory [pid: 323034] (Linux 6.6.87.2-microsoft-standard-WSL2 amd64, Ubuntu 21.0.9 x86_64, MSBDiskFPSet, DiskStateQueue).
Parsing file /tmp/tmp92kzm4x8/IndInv1Init.tla
Parsing file /tmp/tmp92kzm4x8/IndInv1.tla
Parsing file /tmp/TaskProcessing.tla
Parsing file /tmp/TaskStates.tla
Parsing file /tmp/FiniteSets.tla
Parsing file /tmp/Naturals.tla
Parsing file /tmp/Sequences.tla
Semantic processing of module Naturals
Semantic processing of module Sequences
Semantic processing of module FiniteSets
Semantic processing of module TaskStates
Semantic processing of module TaskProcessing
Semantic processing of module IndInv1
Semantic processing of module IndInv1Init
Starting... (2025-11-25 22:28:40)
Computing initial states...
Finished computing initial states: 1 distinct state generated at 2025-11-25 22

The last step would be to check if this invariant implies the two others but as it is the conjunction of them this step is not required. What comes next is to write a formal proof using TLAPS.

## Conclusion

The previous candidate was proven to be an inductive invariant using TLAPS. This result was used to demonstrate the other properties of the specification. The proofs can be found in the [TaskProcessing_proof](../specs/TaskProcessing_proof.tla) module.

## References

* [Proving Safet Properties](https://lamport.azurewebsites.net/tla/proving-safety.pdf) by Leslie Lamport
* [Using TLC to Check Inductive Invariants](https://lamport.azurewebsites.net/tla/inductive-invariant.pdf) by Leslie Lamport