Abstract
TLA+ is a language for formal specification of all kinds of computer systems. System designers use this language to specify concurrent, distributed, and fault-tolerant protocols, which are traditionally presented in pseudo-code. TLA+ is extremely concise yet expressive: the language primitives include Booleans, integers, functions, tuples, records, sequences, and sets thereof, which can also be nested. This is probably why the only model checker for TLA+ (called TLC) relies on explicit enumeration of values and states.
In this paper, we present APALACHE, the first symbolic model checker for TLA+. Like TLC, it assumes that all specification parameters are fixed and all states are finite structures. Unlike TLC, APALACHE translates the underlying transition relation into quantifier-free SMT constraints, which allows us to exploit the power of SMT solvers. Designing this translation is the central challenge that we address in this paper. Our experiments show that APALACHE outperforms TLC on examples with large state spaces.
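As an added illustration of the approach the abstract describes (this example is constructed here and is not the paper's or APALACHE's own encoding), below is a one-variable toy TLA+ specification together with a hand-written SMT-LIB unrolling of its transition relation over four steps, posed the way a bounded symbolic check would pose it: one copy of each state variable per step, Init on the first copy, Next between consecutive copies, and the negated invariant as a disjunction over all copies. The specification, the bound of four steps and the invariant are all made up for the example; APALACHE's real translation must also encode sets, functions, records and sequences, which the abstract names as the central challenge and which this integer-only sketch leaves out.

```smtlib
; Constructed toy specification (not from the paper):
;   VARIABLE x
;   Init == x = 0
;   Next == x < 5 /\ x' = x + 1
;   Inv  == x <= 3
; Bounded question: can Inv be violated within 4 steps from Init?
(set-logic QF_LIA)

; One integer constant per step: x0 is the initial state, xi the state after i steps.
(declare-const x0 Int)
(declare-const x1 Int)
(declare-const x2 Int)
(declare-const x3 Int)
(declare-const x4 Int)

; Init, with the unprimed variable x replaced by its step-0 copy
(assert (= x0 0))

; Next unrolled four times: the primed variable x' becomes the next step's copy,
; so every constraint is quantifier-free linear integer arithmetic
(assert (and (< x0 5) (= x1 (+ x0 1))))
(assert (and (< x1 5) (= x2 (+ x1 1))))
(assert (and (< x2 5) (= x3 (+ x2 1))))
(assert (and (< x3 5) (= x4 (+ x3 1))))

; Negated invariant at any step; a satisfying assignment is a counterexample trace
(assert (or (> x0 3) (> x1 3) (> x2 3) (> x3 3) (> x4 3)))

(check-sat)   ; sat: the only model is x0=0, x1=1, x2=2, x3=3, x4=4, violating Inv at step 4
(get-model)
```

Feeding this file to any SMT-LIB 2 solver yields `sat` and the trace 0, 1, 2, 3, 4; dropping the x4 declaration, the fourth Next copy and the `(> x4 3)` disjunct turns the same query into `unsat`, meaning no violation is reachable in three steps. TLC would answer the same question by enumerating the five reachable states one by one; the symbolic encoding instead hands the whole bounded search to the solver, which is the advantage the abstract claims for large state spaces.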
TLA+ model checking made symbolic