RFC006: proposal on unit-testing and property-based testing for TLA+

[konnov]

This is an RFC to discuss unit testing and PBT for TLA+. Once we agreed on that internally, we should get the feedback from a wider audience.

Compiled version in pdf.

To see the code in the RFC, run the following:

git clone https://github.com/informalsystems/apalache -b igor/rfc-unit && cargo install mdbook \
  && cd apalache/docs && mdbook serve

• Tests added for any new code
• Ran make fmt-fix (or had formatting run automatically on all files edited)
• Documentation added for any new functionality
• Entry added to UNRELEASED.md for any new functionality

[vitorenesduarte]

It's great to see this! I'll do another pass later, but here are some initial comments. I really like the idea of apalache-mc example!!

[vitorenesduarte]

Would it make sense to have a way to define generators that are useful and then invoke them here?

[konnov]

Can you elaborate? Do you want to have generators in TypeOK?

[vitorenesduarte]

Could we go with @test instead of @testStateless? Or do we predict that @test could be used in the future for something else?

[konnov]

I don't know. I think this is actually a rare case, when we have a stateless operator. When I was writing this text, it was not even clear to me, why cannot we directly tag succ with @require and @ensure.

[vitorenesduarte]

In the MBT for IBC, we have a single module changing the state: IBC
The remaining modules (ICS02 and ICS03) only contain stateless operators that are then invoked by the IBC one.

I don't know if this is a common idiom, however.

[konnov]

It's reasonable to expect that people would write larger specs like this. So far, I have not seen it often. It may also be a difference between people who come from imperative and functional languages.

[vitorenesduarte]

Why do we need to import Apalache?

[konnov]

We are using Gen, which is defined in Apalache. If you are not using Gen, you would not need it.

[konnov]

I have added a section on testing executions

[vitorenesduarte]

I really like this idea!

I wonder if it would be possible to somehow write the following:

IfExec(trace) ==
   /\ trace[0].action.name = "create_client"
   /\ trace[0].action.id = 1
   /\ trace[0].action.height = 3
   /\ trace[1].action.name = "update_client"
   /\ trace[1].action.id = 1
   /\ trace[1].action.height = 2

ThenExec(trace) ==
   /\ trace[0].outcome = "ok" 
   /\ trace[1].outcome = "invalid_height"

\* @require("IfExec")
\* @ensure("ThenExec")
\* @testExecution(2, "Init", "Next")
\* the execution doesn't have to start at `Init`;
\* instead, the execution can start from any state reachable from `Init` by applying `Next`

I don't think I'm using @require and @ensure correctly (i.e. as in the other examples), but I believe that it conveys the idea.

If something like this was supported, it could probably also be used to generate MBT tests in a much nicer way.

[konnov]

Do you like to refer to the intermediate states in a trace? The idea was the you can talk about the variables of the first state and the last state. Otherwise, we are quickly approaching temporal logic :)

[konnov]

@andrey-kuprianov what is your take on that? How far is it from the tests you need in MBT?

[vitorenesduarte]

Do you like to refer to the intermediate states in a trace?

Yes. My example is bad in that sense. I should have used a trace with more than 2 states.

[konnov]

I think @shonfeder and you are asking about more or less the same thing. I don't like the idea of having trace explicitly. I guess what you are asking for is a temporal property. Instead of giving an explicit index, we could write A /\ []B /\ <>C. This would be the syntax for advanced users :-)

[lemmy]

Related: Trace operator in CommunityModules https://github.com/tlaplus/CommunityModules/blob/4337afb74653cedcc2a24107759bf1613812db34/modules/TLCExt.tla#L42-L56

Also seems related to state- and action-constraints.

[konnov]

Yep. I don't like the idea of exposing the trace explicitly. Once you do that, the users will write arbitrary code involving traces, which makes it much harder to analyze for symbolic techniques.

[konnov]

I am also not sure what to do about the primed and unprimed variables in this test. It would be nice to make it less of a hack.

[lemmy]

Yep. I don't like the idea of exposing the trace explicitly. Once you do that, the users will write arbitrary code involving traces, which makes it much harder to analyze for symbolic techniques.

Power to the People tools. ✊

[shonfeder]

Exciting stuff! Our discussion with @istoilkovska today seems to really confirm the utility of this stuff.

I posed some questions, just to help us consider different angles.

[shonfeder]

Is it impossible to express this effectively without the require and ensure annotations? E.g., is it impossible for this to be expressed as something like?

TestAction_n0 ==
  /\ Require(ConstInit)
  /\ Require(Prepare_n0)
  /\  \E self \in Node:
          n0(self)
  /\ Ensure(Assert_n0)

I ask because, imo, it's generally not great when a parallel system of annotations starts to emerge, and preferable to express things within the language as much as possible. Of course, if it's really essential, then worth pursuing.

If it is essential, we should maybe work out a coherent syntax for the annotations. E.g., the annotations here don't really fit with the type annotations: here we're missing a trailing ; and we use a quoted argument, rather than a colon an unquoted term.

[konnov]

If it is essential, we should maybe work out a coherent syntax for the annotations. E.g., the annotations here don't really fit with the type annotations: here we're missing a trailing ; and we use a quoted argument, rather than a colon an unquoted term.

We have two kinds of syntax for single-argument string annotations: https://apalache.informal.systems/docs/adr/004adr-annotations.html

[konnov]

I ask because, imo, it's generally not great when a parallel system of annotations starts to emerge, and preferable to express things within the language as much as possible. Of course, if it's really essential, then worth pursuing.

I know what you mean. Several times we tried to express a DSL in TLA+ itself, and it happened to be a disaster. I think there are two reasons for that: (1) TLA+ is not an imperative language, (2) formulas have a very flexible structure, so it is tempting to combine things in unexpected ways.

Another reason for having @require and @ensure in annotations is that you can see them like that in contracts for verification tools, e.g., see Dafny, Ivy, VeriFast. So I am just copying what works well :-)

[shonfeder]

I see! Thanks for explaining. This seems well motivated to me.

I'd be in favor of adding a section to the RFC to record the motivation for putting this in annotations instead of as a DSL.

[shonfeder]

again, I think we can probably settle on either having to quote args or not? If ConstInit is an operator name, then it shouldn't be a string, right? Or else, what happens when we want to supply a string to one of these annotations?

[konnov]

True, annotations are another layer. Some languages support contracts right in the language, e.g., Scala has requires as part of the language. Maybe one day TLA+ will have it too, but for the moment annotations would work too.

[shonfeder]

I think this reply may have meant for a different comment? (But I am convinced :))

[shonfeder]

With the invariants in particular, couldn't this just be in the body of the operator as well?

[konnov]

I will add a discussion on that in the document. The problem is that all of these annotations can be written directly in TLA by writing temporal formulas. However, this often leads to confusion. Moreover, people start writing very powerful formulas right away. What we need in a test: (1) How to initialize the system, (2) what to execute, (3) what to check. Decomposing a formula into these three components is surprisingly hard, unless people are following a very rigid syntax, which nobody wants to follow.

[shonfeder]

This is a good reason. Let's do record these motivations, along with #741 (comment) into the RFC>

[shonfeder]

Here I'm wondering why we are not using Gen or aren't putting this constraint in a Prepare prerequisite. Not that those would be better, but it seems to me that we have like 3 different ways of accomplishing the same thing? If that's right, I think it'd be good to clarify which way is the preferred one and why. If not, it might help (at least a noob like me) to provide a paragraph justifying why we need these three different ways of stating constraints.

[konnov]

Gen is a bit of a hack for testing. I just realized that it is not explained in the document at all.

[shonfeder]

I think this should be a link to the file hosted by github, otherwise the link will be broken when this is served from the generated site.

[konnov]

Good point. I will have to update the link, once this PR is merged.

[konnov]

I have pushed more explanations. The discussions section is not finished yet. Also, added a pdf version of the file, so it is easy to read

[konnov]

Added discussions on the issues raised by @shonfeder and I guess also by @vitorenesduarte

[shonfeder]

These sections make the particular feature set and approach very well motivated, IMO. Thanks for adding them!

[konnov]

I was actually surprised how hard it was to express such a simple test in a dedicated operator, instead of creating a test in a separate file.

[konnov]

@andrey-kuprianov do you like to comment on this RFC? My plan was to post it on reddit, to see if TLA+ users would like to see a testing framework like that.

[Isaac-DeFrain]

@konnov you'll probably have better luck emailing the google group, I have not found many TLA+ people on Reddit

[konnov]

@Isaac-DeFrain, yeah, the tla mailing list too. I just want to do it in stages, so we don't get a storm of replies :)

[konnov]

Let's continue the discussion in #817