Remove subexpressions from examples?

[ahelwer]

Lamport thinks anonymous subexpressions were a mistake and should be removed from the language. Given that these specs are "example" TLA+ specs, it perhaps makes sense to keep them from being examples of things you should not use. There are a few specs in this repo which use anonymous subexpressions:

Examples/specifications/Paxos/MCPaxos.tla

Lines 53 to 61 in aaf4954

	(***************************************************************************)
	(* TLC only tells you if an invariant is violated, not what part is *)
	(* violated. To help locate an error, it's useful to give TLC the *)
	(* conjuncts of an invariant as separate invariants to check. *)
	(***************************************************************************)
	Inv1 == Inv!1
	Inv2 == Inv!2
	Inv3 == Inv!3
	Inv4 == Inv!4

Examples/specifications/Paxos/MCVoting.tla

Lines 41 to 45 in aaf4954

	MCInv == /\ AllSafeAtZero!:
	/\ ChoosableThm!:
	/\ OneValuePerBallot => OneVote
	/\ VotesSafeImpliesConsistency!:
	/\ ShowsSafety!:

This one uses labels, thus is not anonymous, although for the same purpose of addressing specific conjuncts in a conjunction list:

Examples/specifications/ewd840/EWD840_proof.tla

Lines 72 to 75 in aaf4954

	<1>2. ~ Inv!P2 BY tcolor = "white" DEF Inv
	<1>3. ~ Inv!P1 BY <1>1 DEF Inv
	<1>. QED
	<2>1. Inv!P0 BY Inv, <1>2, <1>3 DEF Inv

The byzpaxos specs use many conjunction list subaddresses, nested even!

Examples/specifications/byzpaxos/BPConProof.tla

Lines 586 to 588 in aaf4954

	<1>2. \A self : leader(self) <=> NextDef!2!2!(self)
	BY DEF leader, Phase1a, Phase1c
	<1>3. \A self : facceptor(self) <=> NextDef!2!3!(self)

Examples/specifications/byzpaxos/PConProof.tla

Lines 432 to 435 in aaf4954

	PROVE acceptor(self) <=> TLANext!1!(self)
	BY <1>2, BallotAssump DEF acceptor, ProcSet, Phase1b, Phase2b
	<1>3. ASSUME NEW self \in Ballot
	PROVE leader(self) <=> TLANext!2!(self)

Examples/specifications/byzpaxos/VoteProof.tla

Line 353 in aaf4954

PROVE SafeLemma!2

[muenchnerkindl]

Thank you, this is an issue that the Specification Language Committee should discuss. It would probably help if you could explain if you believe subexpression references to be just hard to read or if they significantly complicate the code, in particular of parsers.

Incidentally, I don't think that Leslie's opinion on the issue is as clear-cut as you state: he designed the syntax for naming subexpressions and, except for the one occurrence in EWD840_proof, he wrote all the examples that you list, so I am assuming that he found those names useful at least while writing those proofs.

[muenchnerkindl]

Oh, I think I read too much into your proposal. If you'd just like to remove subexpression references from the collection of examples, that could certainly be done at the expense of additional operator definitions. But for as long as these references are part of TLA+ syntax, why should we do that? Leave them in and let readers decide if they think that references are useful or hamper readability?

[ahelwer]

It would probably help if you could explain if you believe subexpression references to be just hard to read or if they significantly complicate the code, in particular of parsers.

They certainly complicate parser code; a significant chunk of the tla2sany.semantic.Generator.java class deals with resolving them. It should be noted that TLC also does not really fully support them.

I don't really mind them one way or the other, but if I had to pick a current language feature that should be cut that would be it. They are always the last thing I ever implement in a parser or AST translation, because they are simultaneously very complicated and almost never used.

If we want to keep the subexpressions in the examples until they are removed from the language (if that indeed happens) then that is fine. This one at least would be replaced by implementing feature #803 in TLC:

Examples/specifications/Paxos/MCPaxos.tla

Lines 53 to 61 in aaf4954

	(***************************************************************************)
	(* TLC only tells you if an invariant is violated, not what part is *)
	(* violated. To help locate an error, it's useful to give TLC the *)
	(* conjuncts of an invariant as separate invariants to check. *)
	(***************************************************************************)
	Inv1 == Inv!1
	Inv2 == Inv!2
	Inv3 == Inv!3
	Inv4 == Inv!4