A program can branch from START to either LEFT or RIGHT branch. How can I check that there is an execution path for LEFT branch and the other execution path for RIGHT branch?
------------------------------ MODULE WFBranch ------------------------------
VARIABLE state
START == "start"
LEFT == "left"
RIGHT == "right"
Init == state = START
Next ==
\/ /\ state = START
/\ \/ state' = LEFT
\/ state' = RIGHT
\/ /\ state \in {LEFT, RIGHT}
/\ state' = START
Spec ==
/\ Init
/\ [][Next]_<<state>>
/\ WF_<<state>>(Next) \* Avoid stuttering at start
(*
This passes, but it does not ensure that there exist different paths covering both
branches - e.g. state might never be LEFT.
*)
CheckEventualStates == \/ (state = START) ~> (state = RIGHT)
\/ (state = START) ~> (state = LEFT)
=============================================================================
In the completely general case, there's no way to check that for every state, at least one behavior eventually reaches it. This is because TLA+ is based off linear temporal logic, which doesn't have a means of expressing a property that holds between multiple different behaviors.
Depending on the specific case, there's sometimes subsitutes you can make. For example, we could write
Then you could check there are two branches with