Abstract
TLA+ is a language for the formal specification of all kinds of computer systems. System designers use it to specify concurrent, distributed, and fault-tolerant protocols, which are traditionally presented in pseudo-code. TLA+ is extremely concise yet expressive: its language primitives include Booleans, integers, functions, tuples, records, sequences, and sets thereof, all of which can also be nested. This is probably why the only model checker for TLA+ (called TLC) relies on explicit enumeration of values and states.
In this paper, we present APALACHE, the first symbolic model checker for TLA+. Like TLC, it assumes that all specification parameters are fixed and all states are finite structures. Unlike TLC, APALACHE translates the underlying transition relation into quantifier-free SMT constraints, which allows us to exploit the power of SMT solvers. Designing this translation is the central challenge that we address in this paper. Our experiments show that APALACHE outperforms TLC on examples with large state spaces.
Index Terms
- TLA+ model checking made symbolic