

# SYSTEM SPECIFICATION AND VERIFICATION

## Why Specify?

The purpose of writing a specification is to prevent errors

- Specification is not an end in itself
- Engineers should be able to apply specification techniques as appropriate

- Writing a specification can guide the design process

- Having to describe a design precisely often reveals problems
- Start early!

- As system ideas are being considered
  - Spec will be incomplete and incorrect

- Specifications can provide a clear, concise way of communicating design intent
- Guide to implement and test a system

Writing a spec helps you think clearly. Thinking clearly is hard!

## Specification Preliminaries

### abstraction

- Specification is an abstraction of a system
  - Described as an algorithm or building blueprints
  - Distinction between hardware and software blurred
  - Specifying first helps think about problem before writing the code
- Levels of formalism/verification
  - Back-of-the-envelope
  - Writing prose
  - Formal specification
  - Formal verification

Ricky Butler, NASA, experience/gut-feel: “80% boost by just b-o-t-e, then diminishing returns”

- Smaller/simpler is better
  - Short spec easier to understand
    - e.g. 10 lines rather than 10,000
  - Debugging actual code not as efficient as debugging spec
    - specification process guides development
  - Easier to evaluate future changes
  - Easier to evaluate potential options <- on the fly!

## Specification Preliminaries

### TLA+

- We'll focus on distributed systems
  - communication between collaborative agents using a protocol
- TLA+: Temporal Logic of Actions
  - A TLA+ specification is a formal description
  - Not a programming language---specs aren't executed
  - Specifications can be model checked
    - determine if all possible behaviors of system satisfy desired properties
  - Stylized (mathematical) way of writing abstract definitions
- PlusCal language
  - write spec as algorithm that can be translated into a TLA+ spec (and then checked by TLA+ tools)

## TLA+

Leslie B. Lamport ... is best known for his seminal work in distributed systems and as the initial developer of the document preparation system LaTeX.<sup>[2]</sup> Leslie Lamport was the winner of the 2013 Turing Award<sup>[3]</sup> for imposing clear, well-defined coherence on the seemingly chaotic behavior of distributed computing systems, in which several autonomous computers communicate with each other by passing messages. He devised important algorithms and developed formal modeling and verification protocols that improve the quality of real distributed systems. These contributions have resulted in improved correctness, performance, and reliability of computer systems. [Wikipedia]

- Read
  - Lamport paper: "Use of Formal Methods at Amazon Web Services"
  - Lamport, Specifying Systems Chapter 1-3
- Complete Principles and Specification Track Tutorial sections covering:
  - Open a new spec
    - Add simple 1 bit clock: Init1 and Next1
  - Saving a module causes the toolbox to parse it.
    - See the errors, add declaration for variable b
  - Try the pretty printer
  - Create a new model to check the design
    - Identify Init1 and Next1 and run TLC
    - Replace 0 in def with string and rerun TLC
    - Observe statistics: diameter
  - Add type invariant property
    - On the model overview page and rerun TLC
    - As a definition in the spec.
  - Another language: PlusCal

## Propositional Logic

### Unary operations

| in | Result |     |     |      |
|----|--------|-----|-----|------|
| F  | NOT    | NOP | ONE | ZERO |
| 0  | 1      | 0   | 1   | 0    |
| 1  | 0      | 1   | 1   | 0    |

\*Convenient to use 1 and 0 in place of *True* and *False*

# Propositional Logic

## Unary operations

| in | Result |
|----|--------|
| F  | NOT    |
| 0  | NOP    |
| 1  | ONE    |
|    | ZERO   |

$$\neg F$$

## Binary operations

| Input | Result |
|-------|--------|
| F G   | NOR    |
| 0 0   | 0      |
| 0 1   | 1      |
| 1 0   | 1      |
| 1 1   | 0      |

$$F \vee G$$

$$F \wedge G$$

| Input | Result |
|-------|--------|
| F G   | NXOR   |
| 0 0   | 0      |
| 0 1   | 1      |
| 1 0   | 1      |
| 1 1   | 0      |

$$(F \Rightarrow G) \equiv \neg F \vee G$$

$$F \Rightarrow G$$

EQ

IMP

| Input | Result |
|-------|--------|
| F G   | NXNOR  |
| 0 0   | 1      |
| 0 1   | 0      |
| 1 0   | 0      |
| 1 1   | 1      |

$$F \equiv G$$

$$F = G$$

## Basic Boolean Laws

|                     |                               |                               |
|---------------------|-------------------------------|-------------------------------|
| Commutative Laws    | $x * y = y * x$               | $x + y = y + x$               |
| Associative Laws    | $x * (y * z) = (x * y) * z$   | $x + (y + z) = (x + y) + z$   |
| Distributive Laws   | $x * (y + z) = x * y + x * z$ | $x * (y + z) = x * y + x * z$ |
| Inverse Laws        | $x * \bar{x} = 0$             | $x + \bar{x} = 1$             |
| Identity Laws       | $x * 1 = x$                   | $x + 0 = x$                   |
|                     | $x * x = x$                   | $x + x = x$                   |
|                     | $x * 0 = 0$                   | $x + 1 = 1$                   |
| DeMorgan's Law      | $x * y = \bar{x} \bar{y}$     | $x + y = \bar{x} \bar{y}$     |
| Double Negation Law | $\bar{\bar{x}} = x$           |                               |

\* operator is conjunction/AND  
+ operator is disjunction/OR

## Sets

|             |                  |
|-------------|------------------|
| $\cap$      | Intersection     |
| $\cup$      | Union            |
| $\subseteq$ | Subset           |
| $\setminus$ | Set difference   |
| $\in$       | Is an element of |

$\text{Cardinality}(S)$  the number of elements in set  $S$ , if  $S$  is finite  
 $\text{IsFiniteSet}(S)$  True iff  $S$  is a finite set

## Predicate Logic

|           |                                           |
|-----------|-------------------------------------------|
| $\forall$ | Universal Quantification (for all)        |
| $\exists$ | Existential Quantification (there exists) |

## Formulas and Language

$2*x > x$  is this a formula or a statement of fact?

## TLA+ is untyped

- Lamport:

*For programming languages the benefits [of types] seem to outweigh the costs.  
For writing specifications, I have found the costs outweigh the benefits.*

```
x == 18
x == "leaf"
x == T
x == 3.14
x == <1,2,5>
```

- Every syntactically well formed expression has a meaning
- We will need to add constraints that restrict what values a variable may take

## Ch 2: Specifying a simple clock

**System Behavior:** a sequence of states

- State: assignment of values to variables
- Function from time to state:
  - $[hr = 11] \rightarrow [hr = 12] \rightarrow [hr = 1] \rightarrow [hr = 2] \rightarrow \dots$
  - $F(0)$  is the initial condition

### An Hour Clock Specification

- Define the state:  $hr \in \{1, \dots, 12\}$

$$HCini \triangleq hr \in \{1, \dots, 12\}$$

- Define the next-state relation (action)

$$HCnxt \triangleq hr' = \text{IF } hr \neq 12 \text{ THEN } hr+1 \text{ ELSE } 1$$

### Temporal Operators

- after each future step (*box*)
- ◇ eventually

### First Specification

$$HCini \wedge \square HCnxt$$

## Building a larger system

- Multiple variables and multiple clocks

$$\begin{aligned} & [hr=11, \text{tmp}=23.5] \rightarrow [hr=12, \text{tmp}=23.5] \rightarrow [hr=12, \text{tmp}=23.4] \rightarrow \\ & [hr=12, \text{tmp}=23.3] \rightarrow [hr=1, \text{tmp}=23.5] \rightarrow \dots \end{aligned}$$

- $\square HCnxt$  requires  $hr$  to change every step

- Another example



- Stuttering steps

$$[HCnxt]_{hr} \triangleq HCnxt \vee (hr' = hr)$$

- Revised Specification  
 $HCini \wedge \square [HCnxt]_{hr}$

# TLA Specification

----- MODULE Hour Clock -----

EXTENDS Naturals  
VARIABLE hr

HCini == hr \in (1 .. 12)

HCnxt == HCini \wedge IF hr # 12 THEN hr+1 ELSE 1

HC == HCini \wedge [] [HCnxt] \_hr

THEOREM HC => []HCini

=====

## Ch3: An Asynchronous Interface

- Two-phase handshake protocol



----- MODULE AsynchInterface -----  
EXTENDS Naturals  
CONSTANT Data  
VARIABLES val, rdy, ack  
TypeInvariant == \ val \in Data  
/ rdy \in {0, 1}  
/ ack \in {0, 1}  
-----  
Init == \ val \in Data  
/ rdy \in {0, 1}  
/ ack = rdy  
-----  
Send == \ rdy = ack  
/ val \in Data  
/ rdy' = 1 - rdy  
/ UNCHANGED ack  
-----  
Rcv == \ rdy # ack  
/ ack' = 1 - ack  
/ UNCHANGED <> val, rdy, ack>>  
-----  
Next == Send \ Rcv  
-----  
Spec == Init \ /\ [] [Next]\_<> val, rdy, ack>>  
-----  
THEOREM Spec => [] TypeInvariant  
=====

## Conventions

Send ==  $\wedge \text{rdy} = \text{ack}$   
 $\wedge \text{val}' \in \text{Data}$   
 $\wedge \text{rdy}' = 1 - \text{rdy}$   
 $\wedge \text{UNCHANGED ack}$

Guard first

What conditions must be true for the action to *potentially* occur?

- State using  $\text{current}$  variable values
- Future variable values

Next variable value as relates to current values

Variables that don't change

## Choice

Next == Send  $\vee$  Rcv

If "guards" for Send and Rcv are TRUE,  
either option is acceptable

The definitions of Send and Rcv include guards whose conditions are mutually exclusive:

Send ==  $\wedge \text{rdy} = \text{ack} \dots$   
Rcv ==  $\wedge \text{rdy} \# \text{ack} \dots$

Other examples:

$\wedge \text{val}' \in \text{Data}$

$\wedge \text{rdy} \in \{0, 1\}$  ← note the set notation using {}

HCini == hr  $\in \{1 \dots 12\}$  ← note the set creation using ..

CoinFlip ==  $\bigvee \text{coin}' = \text{"heads"}$   
 $\bigvee \text{coin}' = \text{"tails"}$

## Two-phase handshake spec improvements

Package up functionality as a reusable module: Channel

- Data structure: replace 3 variables ( $rdy$ ,  $val$ , and  $ack$ ) with 1 variable
  - as an ordered triple:  
 $chan = <-1/2, 1, 0 >$
  - or better as a record:  
 $chan = [val:Data, rdy:{0,1}, ack:{0,1}]$
- Characterize sending a specific value

```
Send(d) ==  
  /\ chan.rdy = chan.ack  
  /\ chan' = [val /-> d, rdy /-> 1-chan.rdy, ack /-> chan.ack]  
  
Send(d) ==  
  /\ chan.rdy = chan.ack  
  /\ chan' = [chan EXCEPT !.val=d, !.rdy=1-@]
```

```
Next == (\E d \in Data: Send(d)) \vee Rcv
```

Prev definition  
Send == /\ rdy = ack  
 /\ val \in Data  
 /\ rdy' = 1 - rdy  
 /\ UNCHANGED ack

Prev definition  
Next == Send \vee Rcv

## New two-phase handshake spec

```
----- MODULE Channel -----  
EXTENDS Naturals  
CONSTANT Data  
VARIABLE chan  
  
TypeInvariant == chan \in [val : Data, rdy : {0, 1}, ack : {0, 1}]  
  
Init == /\ TypeInvariant  
      /\ chan.ack = chan.rdy  
  
Send(d) == /\ chan.rdy = chan.ack  
          /\ chan' = [chan EXCEPT !.val = d, !.rdy = 1 - @]  
  
Rcv == /\ chan.rdy # chan.ack  
      /\ chan' = [chan EXCEPT !.ack = 1 - @]  
  
Next == (\E d \in Data : Send(d)) \vee Rcv  
  
Spec == Init \wedge [] [Next]_chan  
-----  
THEOREM Spec => [] TypeInvariant  
=====
```

Two-phase handshake spec

**Name spec parameter that won't change**

**A named reference that can change**

**Definition names don't mandate use**

**MODULE Channel**

**EXTENDS Naturals**

**CONSTANT Data**

**VARIABLE chan**

**Type invariant**

**Init**

**Send(d)**

**Rcv**

**Next**

**Spec**

**Theorem Spec**

**Define new specification**

**Explicitly state what other definitions will be used.**

**By convention, definitions usually in order:**

**Initial State Condition**

**Actions**

**Variable type restrictions**

**Next State definition**

**Complete set of specification requirements**

**Specification Type Correctness**

## Two-phase handshake spec

Restrict variable to reference an element of a set

Record fields and restrictions

Reference to field in record

Reference to current record

Reference to current field value

MODULE Channel -

EXTENDS Naturals  
CONSTANT Data  
VARIABLE chan

TypeInvariant ==  $\langle \text{chan} \setminus \{\text{val} : \text{Data}\}, \text{rdy} : \{0, 1\}, \text{ack} : \{0, 1\} \rangle$

$\text{Init} = \langle \wedge \text{TypeInvariant}$

$\wedge \text{chan.ack} = \text{chan.rdy} \rangle$

$\text{Send(d)} == \wedge \text{chan.rdy} = \text{chan.ack}$

$\wedge \text{chan}' = [\text{chan EXCEPT } !.\text{ack}]$

$!.\text{val} = \text{d}, !.\text{rdy} = 1 - @]$

$\text{Rcv} == \wedge \text{chan.rdy} \# \text{chan.ack}$

$\wedge \text{chan}' = [\text{chan EXCEPT } !.\text{ack} = 1 - @]$

$\text{Next} == \langle \forall \text{d} \setminus \{\text{Data}\}. \text{Send}(\text{d}) \rangle \vee \text{Rcv}$

$\text{Spec} == \text{Init} \wedge \langle [] \text{[Next]} \rangle_{\text{chan}}$

THEOREM Spec ==  $\langle [] \text{TypeInvariant}$

ShortWaitToKeep

variables unchanged

Future value of variable

Some unspecified element of set

## Original Specification

```

----- MODULE AsyncInterface -----
EXTENDS Naturals
CONSTANT Data
VARIABLES val, rd़y, ack

TypeInvariant == /\\ val \in Data
  /\\ rd़y \in {0, 1}
  /\\ ack \in {0, 1}

Init == /\\ val \in Data
  /\\ rd़y \in {0, 1}
  /\\ ack = rd़y

Send == /\\ rd़y = ack
  /\\ val' \in Data
  /\\ rd़y' = 1 - rd़y
  /\\ UNCHANGED ack

Rcv == /\\ rd़y # ack
  /\\ ack' = 1 - ack
  /\\ UNCHANGED <<val, rd़y>>

Next == Send \vee Rcv

Spec == Init \wedge [] [Next]_chan

THEOREM Spec => [] TypeInvariant
=====
```

## New Specification

```

----- MODULE Channel -----
EXTENDS Naturals
CONSTANT Data
VARIABLE chan

TypeInvariant == chan \in [val : Data, rd़y : {0, 1}, ack : {0, 1}]

Init == /\\ TypeInvariant
  /\\ chan.ack = chan.rdy

Send(d) == /\\ chan.rdy = chan.ack
  /\\ chan' = [chan EXCEPT !.val = d, !.rd़y = 1 - @]

Rcv == /\\ chan.rdy # chan.ack
  /\\ chan' = [chan EXCEPT !.ack = 1 - @]

Next == (\\E d \\in Data : Send(d)) \vee Rcv

Spec == Init \wedge [] [Next]_chan

THEOREM Spec => [] TypeInvariant
=====
```



## Ch 4: A FIFO

### New built-in module: Sequences

`Seq(set)`  
 $\langle 3, 2, 7 \rangle$  is an element of  $\text{Seq}(\text{Nat})$

#### Operations:

|                          |                                                                                  |
|--------------------------|----------------------------------------------------------------------------------|
| <code>Head(s)</code>     | $\text{Head}(\langle 1, 2, 3 \rangle) = 1$                                       |
| <code>Tail(s)</code>     | $\text{Tail}(\langle 1, 2, 3 \rangle) = 3$                                       |
| <code>Append(s,e)</code> | $\text{Append}(\langle 1, 2, 3 \rangle, 4) = \langle 1, 2, 3, 4 \rangle$         |
| <code>s o t</code>       | $\langle 1, 2, 4 \rangle o \langle 3, 5 \rangle = \langle 1, 2, 4, 3, 5 \rangle$ |
| <code>Len(s)</code>      | $\text{Len}(\langle 1, 4, 5 \rangle) = 3$                                        |

# Module Instantiation

- Channel
  - Data structure: [val : Data, rdy : {0, 1}, ack : {0, 1}]
  - Operations: Send(d), Rcv

- Instantiation of Channel

*myChan == INSTANCE Channel WITH Data <- Message, chan <- in*

- Operations

*myChan!Send(msg)*

*myChan!Rcv*

```
MODULE Channel
EXTENDS Naturals
CONSTANT Data
VARIABLE chan

TypeInvariant == chan \in [val : Data, rdy : {0, 1}, ack : {0, 1}]

Init == ∧ TypeInvariant
      ∧ chan.ack = chan.rdy

Send(d) == ∧ chan.rdy = chan.ack
          ∧ chan' = [chan EXCEPT !val = d, !rdy = 1 - @]

Rcv == ∧ chan.rdy ≠ chan.ack
      ∧ chan' = [chan EXCEPT !ack = 1 - @]

Next == ∃ d \in Data : Send(d) ∨ Rcv

Spec == Init ∧ !Next_chan

THEOREM Spec => [] TypeInvariant
```



# FIFO Specification

- Definitions for:

- Instantiations of Channel
  - In-Channel
  - Out-Channel
- Type invariant
  - channel invariants
  - message queue invariant
- Initial state
- Actions: send/receive per channel
  - Reuse of channel operations with message queue update operations
- Next action
- Complete specification



*SSend(msg), BufRcv, BufSend, RRcv*

## InnerFIFO Specification

```

EXTENDS Naturals, Sequences
CONSTANT Message
VARIABLES in, out, q

InChan == INSTANCE Channel WITH Data <- Message, chan <- in
OutChan == INSTANCE Channel WITH Data <- Message, chan <- out
=====
Init == / \ InChan!Init
          \ \ OutChan!Init
          \ \ q = <<>>

TypeInvariant == / \ InChan!TypeInvariant
                  \ \ OutChan!TypeInvariant
                  \ \ q \in Seq(Message)
=====

MODULE InnerFIFO
EXTENDS Sequences
VARIABLES Sender, Buffer, Receiver
CONSTANT BufRcv, BufSend, RRecv
=====
Sender --> in
Buffer --> out
Receiver --> RRecv
BufRcv --> BufSend
BufSend --> RRecv
=====

SSend(msg) == / \ InChan!Send(msg)
          \ \ UNCHANGED <<out, q>>
=====

BufRcv == / \ InChan!Rcv
          \ \ q' = Append(q, in.val)
          \ \ UNCHANGED out
=====

Receive message from channel in
and append it to tail of q

BufSend == / \ q # <<>>
          \ \ OutChan!Send(Head(q))
          \ \ q' = Tail(q)
          \ \ UNCHANGED in
=====

Enabled only if q is nonempty
Send Head(q) on channel out
and remove it from q

RRcv == / \ OutChan!Rcv
          \ \ UNCHANGED <<in, q>>
=====

Receive message from channel out

Next == / \ \ E msg \in Message : SSend(msg)
          \ \ BufRcv
          \ \ BufSend
          \ \ RRecv
=====

Spec == Init / \ D[Next]_<<in, out, q>>
=====

THEOREM Spec -> []TypeInvariant
=====
```

## Hiding the Queue

- The queue is an internal variable and should be hidden in the final specification
- Use existential quantifier

```

----- MODULE FIFO -----
CONSTANT Message
VARIABLES in, out
Inner(q) == INSTANCE InnerFIFO WITH q<-q, in<-in, out<-out, Message <-Message
Spec == \EE q : Inner(q)!Spec
=====
```

## A Bounded FIFO

- Disable receiving messages when FIFO is full
  - Add constraint to  $\text{BufRcv}$ :  $\text{Len}(q) < N$
- Create new Module using InnerFIFO

```
----- MODULE BoundedFIFO -----
EXTENDS Naturals, Sequences
VARIABLES in, out
CONSTANT Message, N
ASSUME ( N \in Nat ) /\ (N>0)

Inner(q) == INSTANCE InnerFIFO

Bnext(q) == /\ Inner(q)!Next
           /\ Inner(q)!BufRcv => (Len(q) < N)

Spec == \E q : Inner(q)!Init /\ [] [Bnext(q)]_<<in,out,q>>
=====
```

## Closed-system Specification

- *FIFO* describes the buffer, the sender, and receiver
- May wish to explicitly define system and environment actions separately

$\text{Next} == \text{SysNext} \vee \text{EnvNext}$

$\text{SysNext} == \text{BufRcv} \vee \text{BufSend}$   
 $\text{EnvNext} == \text{\E msg } \text{\in Message : SSend(msg)} \vee \text{RRcv}$

Consider a traffic light.....



## Virtual Traffic Light Project

<http://www.cnn.com/2015/01/14/tech/virtual-traffic-lights-windshield/index.html>

Researchers at Carnegie Mellon University claim they can reduce the commute times of urban workers by 40% by replacing physical traffic lights with virtual traffic lights.



<http://users.ece.cmu.edu/~tonguz/vtl/about.html>

```

----- MODULE traffic_light1 -----
(* This first example considers an intersection where traffic is moving in
2 directions--either North-South (Dir1) or East-West (Dir2)

Variables
  light  a two-tuple with the first value the color of the Dir1 lights and
          the second value the color of the Dir2 lights.
  state  an index into a sequence of safe values (LightSequence)

*)
EXTENDS Naturals

VARIABLE state, light

Dir1Green == <<"green", "red">>
Dir1Yellow == <<"yellow", "red">>
Dir2Green == <<"red", "green">>
Dir2Yellow == <<"red", "yellow">>
Allstop == <<"red", "red">>

LightSequence == <<Dir1Green, Dir1Yellow, Allstop, Dir2Green, Dir2Yellow, AllStop>>
LightSequenceLen == 6

TypeInvariant == /\
  light \in {Dir1Green, Dir1Yellow, Dir2Green, Dir2Yellow, Allstop}
  /\ state \in {1..LightSequenceLen}

Init == /\ light = Dir1Green
      /\ state = 1

Next == LET nextState == IF state # LightSequenceLen THEN state+1 ELSE 1
       IN
         /\ state' = nextState
         /\ light' = LightSequence[nextState]

Spec == Init /\ [] [Next]_<<state, light>>
=====

THEOREM Spec => [] TypeInvariant
=====
```

----- MODULE traffic\_light1 -----

This first example considers an intersection where traffic is moving in 2 directions— either North-South (Dir1) or East-West (Dir2)

Variables light as a two-tuple with the first value the color of the Dir1 lights and the second value the color of the Dir2 lights.

state an index into a sequence of safe values (LightSequence)

To avoid accidents, lights will change only in the order defined in LightSequence

EXTENDS Naturals

VARIABLE state, light

$$\begin{aligned}
\text{Dir1Green} &\triangleq \langle "green", "red" \rangle \\
\text{Dir1Yellow} &\triangleq \langle "yellow", "red" \rangle \\
\text{Dir2Green} &\triangleq \langle "red", "green" \rangle \\
\text{Dir2Yellow} &\triangleq \langle "red", "yellow" \rangle \\
\text{AllStop} &\triangleq \langle "red", "red" \rangle
\end{aligned}$$

$$\text{LightSequence} \triangleq \langle \text{Dir1Green}, \text{Dir1Yellow}, \text{AllStop}, \text{Dir2Green}, \text{Dir2Yellow}, \text{AllStop} \rangle$$

$$\text{LightSequenceLen} \triangleq 6$$

$$\begin{aligned}
\text{TypeInvariant} &\triangleq \wedge \text{light} \in \{\text{Dir1Green}, \text{Dir1Yellow}, \text{Dir2Green}, \text{Dir2Yellow}, \text{AllStop}\} \\
&\wedge \text{state} \in \{1.. \text{LightSequenceLen}\}
\end{aligned}$$

$$\begin{aligned}
\text{Init} &\triangleq \wedge \text{light} = \text{Dir1Green} \\
&\wedge \text{state} = 1
\end{aligned}$$

$$\begin{aligned}
\text{Next} &\triangleq \text{LET } \text{nextState} \triangleq \text{IF } \text{state} \neq \text{LightSequenceLen} \text{ THEN } \text{state} + 1 \text{ ELSE } 1 \\
&\text{IN} \\
&\quad \wedge \text{state}' = \text{nextState} \\
&\quad \wedge \text{light}' = \text{LightSequence}[\text{nextState}]
\end{aligned}$$

$$\begin{aligned}
\text{Spec} &\triangleq \text{Init} \wedge \square [\text{Next} \wedge \text{TypeInvariant}]
\end{aligned}$$

THEOREM Spec  $\Rightarrow$   $\square \text{TypeInvariant}$