
TLA+ model checking made symbolic

Published: 10 October 2019

Abstract

TLA+ is a language for the formal specification of all kinds of computer systems. System designers use it to specify concurrent, distributed, and fault-tolerant protocols, which are traditionally presented in pseudo-code. TLA+ is extremely concise yet expressive: the language primitives include Booleans, integers, functions, tuples, records, sequences, and sets thereof, which can also be nested. This is probably why the only model checker for TLA+ (called TLC) relies on explicit enumeration of values and states.

In this paper, we present APALACHE, the first symbolic model checker for TLA+. Like TLC, it assumes that all specification parameters are fixed and all states are finite structures. Unlike TLC, APALACHE translates the underlying transition relation into quantifier-free SMT constraints, which allows us to exploit the power of SMT solvers. Designing this translation is the central challenge that we address in this paper. Our experiments show that APALACHE outperforms TLC on examples with large state spaces.
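The contrast the abstract draws, explicit enumeration of states versus a symbolic encoding of the transition relation, can be seen on a toy specification. The following is an added example, not code from APALACHE or from the paper: it takes a constructed two-process lock spec (`Acquire`/`Release` actions, invariant "both processes are never in the critical section at once"), checks it by TLC-style breadth-first enumeration, and separately unrolls `Init /\ Next^k /\ ~Inv` into quantifier-free SMT-LIB constraints over per-step integer copies of the state variables. The encoding scheme (one integer constant per variable per step, one disjunct per action) is an illustrative assumption, not the paper's translation; the `z3` Python bindings are optional and the symbolic check reports `None` when they are absent. A `check_lock=False` switch models a buggy `Acquire` that ignores the lock, so both checkers can be seen finding the violation.

```python
"""Added example (not APALACHE's code): a constructed TLA+-style spec
checked by explicit-state enumeration and by a bounded symbolic
unrolling into quantifier-free SMT-LIB."""
from collections import deque

IDLE, CS = 0, 1          # program-counter values for each process
PROCS = (1, 2)           # fixed parameter, as TLC and APALACHE both assume

# ---- Explicit-state checking (what TLC does) ----------------------------
def init_states():
    """Init == pc = [p \\in PROCS |-> "idle"] /\\ lock = 0"""
    return [((IDLE, IDLE), 0)]

def next_states(state, check_lock=True):
    """Next == \\E p \\in PROCS : Acquire(p) \\/ Release(p).
    check_lock=False models a buggy Acquire that ignores the lock."""
    pcs, lock = state
    out = []
    for i, _ in enumerate(PROCS):
        if pcs[i] == IDLE and (lock == 0 or not check_lock):   # Acquire(p)
            new = list(pcs)
            new[i] = CS
            out.append((tuple(new), 1))
        if pcs[i] == CS:                                        # Release(p)
            new = list(pcs)
            new[i] = IDLE
            out.append((tuple(new), 0))
    return out

def mutex_holds(state):
    """Inv == ~(pc[1] = "cs" /\\ pc[2] = "cs")"""
    pcs, _ = state
    return not all(pc == CS for pc in pcs)

def explicit_check(check_lock=True):
    """BFS over reachable states; returns (invariant_ok, states_explored)."""
    seen = set(init_states())
    queue = deque(init_states())
    while queue:
        s = queue.popleft()
        if not mutex_holds(s):
            return False, len(seen)
        for t in next_states(s, check_lock):
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return True, len(seen)

# ---- Symbolic bounded checking (SMT-LIB unrolling) ----------------------
def _disj(parts):
    """SMT-LIB 'or' needs two or more arguments; pass a lone disjunct through."""
    return parts[0] if len(parts) == 1 else f"(or {' '.join(parts)})"

def smt_unrolling(k, check_lock=True):
    """Encode Init /\\ Next^k /\\ (~Inv at some step <= k) as quantifier-free
    SMT-LIB over integer state copies pc1_i, pc2_i, lock_i (constructed
    encoding). 'unsat' from a solver means Inv holds on all executions of
    length <= k; 'sat' means the model is a counterexample trace."""
    def v(name, i):
        return f"{name}_{i}"
    lines = ["(set-logic QF_LIA)"]
    for i in range(k + 1):
        for name in ("pc1", "pc2", "lock"):
            lines.append(f"(declare-const {v(name, i)} Int)")
    lines.append(f"(assert (and (= pc1_0 {IDLE}) (= pc2_0 {IDLE}) (= lock_0 0)))")
    for i in range(k):
        acts = []
        for me, other in (("pc1", "pc2"), ("pc2", "pc1")):
            guard = f"(= {v(me, i)} {IDLE})"
            if check_lock:
                guard = f"(and {guard} (= {v('lock', i)} 0))"
            # Acquire(me): guard on step i, primed values on step i+1, other unchanged
            acts.append(f"(and {guard} (= {v(me, i + 1)} {CS}) (= {v('lock', i + 1)} 1) "
                        f"(= {v(other, i + 1)} {v(other, i)}))")
            # Release(me)
            acts.append(f"(and (= {v(me, i)} {CS}) (= {v(me, i + 1)} {IDLE}) "
                        f"(= {v('lock', i + 1)} 0) (= {v(other, i + 1)} {v(other, i)}))")
        lines.append(f"(assert {_disj(acts)})")
    bad = [f"(and (= {v('pc1', i)} {CS}) (= {v('pc2', i)} {CS}))" for i in range(k + 1)]
    lines.append(f"(assert {_disj(bad)})")
    lines.append("(check-sat)")
    return "\n".join(lines)

def symbolic_check(k, check_lock=True):
    """Feed the unrolling to z3 if its Python bindings are installed.
    Returns True (Inv holds up to k), False (counterexample), or None."""
    try:
        import z3
    except ImportError:
        return None
    solver = z3.Solver()
    solver.from_string(smt_unrolling(k, check_lock))
    return solver.check() == z3.unsat

if __name__ == "__main__":
    print("explicit, correct spec:", explicit_check())
    print("explicit, buggy spec:  ", explicit_check(check_lock=False))
    print("symbolic k=3, correct: ", symbolic_check(3))
    print("symbolic k=3, buggy:   ", symbolic_check(3, check_lock=False))
```

The explicit checker's cost grows with the number of reachable states, while the symbolic unrolling's size grows with the bound `k` and the number of variables and actions, independent of how many concrete states those constraints describe; that is the trade-off the abstract refers to when it says APALACHE outperforms TLC on large state spaces.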
