# The TLA+ Toolbox

@article{Kuppe2019TheTT, title={The TLA+ Toolbox}, author={Markus Alexander Kuppe and Leslie Lamport and Daniel Ricketts}, journal={ArXiv}, year={2019}, volume={abs/1912.10633}, pages={50-62} }

We discuss the workflows supported by the TLA+ Toolbox to write and verify specifications. We focus on features that are useful in industry because its users are primarily engineers. Two features are novel in the scope of formal IDEs: CloudTLC connects the Toolbox with cloud computing to scale up model checking. A Profiler helps to debug inefficient expressions and to pinpoint the source of state space explosion. For those who wish to contribute to the Toolbox or learn from its flaws, we…

## 23 Citations

### Specification and Verification with the TLA+ Trifecta: TLC, Apalache, and TLAPS

- Computer ScienceISoLA
- 2022

Using an algorithm due to Safra for distributed termination detection as a running example, a work is suggested that supports multiple types of analysis and that can be adapted to the desired degree of conﬁdence.

### SpecEdit: Projectional Editing for TLA+ Specifications

- Computer Science2020 IEEE Workshop on Formal Requirements (FORMREQ)
- 2020

Through SpecEdit, TLA+ gains the specification editor that was missing without compromising compatibility with the existing tools, and illustrates the benefits of the approach using the specification of the Elasticsearch cluster coordination module.

### Understanding Inconsistency in Azure Cosmos DB with TLA+

- Computer Science, PhysicsArXiv
- 2022

A formal speciﬁcation of the Cosmos DB database was written that was Significantly smaller and conceptually simpler than any other speci⬂cation of Cosmos DB, while representing a wider range of valid user-observable behaviors than existing more detailed speci ﬁcations.

### Specification and Verification of the Zab Protocol with TLA+

- Computer ScienceJournal of Computer Science and Technology
- 2020

This paper model the Zab protocol with TLA+ and verify three properties abstracted from the specification by the model checker TLC, including two liveness properties and one safety property, which can prove that the design of the protocol conforms to the original requirements.

### Planning for Software System Recovery by Knowing Design Limitations of Cloud-native Patterns

- Computer ScienceCLOSER
- 2022

The result suggests that important quality decisions derived from formal models of the patterns help application designers prepare for unacceptable system quality degradation by knowing when a third-party implementation of the architectural patterns fails to maintain its guarantees.

### Formal verification and validation of run-to-completion style state charts using Event-B

- Computer ScienceInnovations in Systems and Software Engineering
- 2022

This paper introduces a notion of refinement into a ‘run to completion’ state chart modelling notation and leverages Event-B’s tool support for theorem proving to verify liveness and shows how critical invariant properties can be verified by proof despite the reactive nature of the system.

### Formal Specification and Verification of Drone System using TLA+: A Case Study

- Computer Science2022 IEEE/ACIS 23rd International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing (SNPD)
- 2022

The safety of this Safety-Critical System (SCS) is analyzed by looking into the potential failure using Fault Tree Analysis (FTA) and building a TLA+ Specification and Verification for this drone system.

### Towards an Automatic Proof of Lamport’s Paxos

- Computer Science2021 Formal Methods in Computer Aided Design (FMCAD)
- 2021

This is the first demonstration of an automatically-inferred inductive invariant for Lamport’s original Paxos specification, and it is noted that these structural features are not specific to Paxos and that IC3PO can serve as an automatic general-purpose protocol verification tool.

### Formal Verification of SDN-Based Firewalls by Using TLA+

- Computer ScienceIEEE Access
- 2020

It is shown that the firewall rule behavior of switches can be formalized using TLA+, and this is verified with the TLC model checker that uses TLA+ as the model description language to ensure that the same firewall rules are maintained even if the topology changes.

### Invariants in Distributed Algorithms ∗

- Computer Science
- 2018

It is shown that even with state-machine based specifications, distributed algorithms can be expressed at a higher level, by using high-level queries over message history variables, capturing important invariants explicitly, and it is further shown that higher-level control flows can be supported allowing any grain of atomicity in the specification.

## 23 References

### TLA + Proofs

- Computer ScienceFM
- 2012

This work uses Peterson’s mutual exclusion algorithm as a simple example to describe the features of TLAPS and shows how it and the Toolbox help users to manage large, complex proofs.

### Model Checking TLA+ Specifications

- Computer ScienceCHARME
- 1999

TLC is a new model checker for debugging a TLA+ specification by checking invariance properties of a finite-state model of the specification.

### A TLA+ Proof System

- Computer ScienceLPAR Workshops
- 2008

An extension to the TLA+ specification language with constructs for writing proofs and a proof environment, called the Proof Manager (PM), to checks those proofs, to support the incremental development and checking of hierarchically structured proofs.

### TLA+ model checking made symbolic

- Computer ScienceProc. ACM Program. Lang.
- 2019

This paper presents APALACHE -- a first symbolic model checker for TLA+.

### Specifying Systems: The TLA+ Language and Tools for Hardware and Software Engineers [Book Review]

- Computer ScienceComputer
- 2002

This book will teach you how to write specifications of computer systems, using the language TLA+, which is a simple variant of Pnueli's original logic.

### The temporal logic of programs

- Computer Science18th Annual Symposium on Foundations of Computer Science (sfcs 1977)
- 1977

A unified approach to program verification is suggested, which applies to both sequential and parallel programs. The main proof method suggested is that of temporal reasoning in which the time…

### The PlusCal Algorithm Language

- Computer ScienceICTAC
- 2009

PlusCal is an algorithm language that can be used right now to replace pseudo-code, for both sequential and concurrent algorithms, based on the TLA + specification language, and a PlusCal algorithm is automatically translated to a T LA + specification that is checked with the TLC model checker and reasoned about formally.

### Should your specification language be typed

- Computer ScienceTOPL
- 1999

It may be possible to have the best of both worlds by adding typing annotations to an untyped specification language, and to serve as the basis for a specification language without types.

### How Amazon web services uses formal methods

- BusinessCommun. ACM
- 2015

Engineers use TLA+ to prevent serious but subtle bugs from reaching production and find ways to reduce the number of bugs in the final product.

### Using TLC to Check Inductive Invariance

- Computer Science, Mathematics
- 2018

This paper proves that a formula I is an invariant of the spec, which means that I is true on all reachable states of theSpec, by finding a formula Inv that satisfies these conditions.