The TLA+ Toolbox

  title={The TLA+ Toolbox},
  author={Markus Alexander Kuppe and Leslie Lamport and Daniel Ricketts},
We discuss the workflows supported by the TLA+ Toolbox to write and verify specifications. We focus on features that are useful in industry because its users are primarily engineers. Two features are novel in the scope of formal IDEs: CloudTLC connects the Toolbox with cloud computing to scale up model checking. A Profiler helps to debug inefficient expressions and to pinpoint the source of state space explosion. For those who wish to contribute to the Toolbox or learn from its flaws, we… 

Figures from this paper

Specification and Verification with the TLA+ Trifecta: TLC, Apalache, and TLAPS

Using an algorithm due to Safra for distributed termination detection as a running example, a work is suggested that supports multiple types of analysis and that can be adapted to the desired degree of confidence.

SpecEdit: Projectional Editing for TLA+ Specifications

Through SpecEdit, TLA+ gains the specification editor that was missing without compromising compatibility with the existing tools, and illustrates the benefits of the approach using the specification of the Elasticsearch cluster coordination module.

Understanding Inconsistency in Azure Cosmos DB with TLA+

A formal specification of the Cosmos DB database was written that was Significantly smaller and conceptually simpler than any other speci⬂cation of Cosmos DB, while representing a wider range of valid user-observable behaviors than existing more detailed speci fications.

Specification and Verification of the Zab Protocol with TLA+

This paper model the Zab protocol with TLA+ and verify three properties abstracted from the specification by the model checker TLC, including two liveness properties and one safety property, which can prove that the design of the protocol conforms to the original requirements.

Planning for Software System Recovery by Knowing Design Limitations of Cloud-native Patterns

The result suggests that important quality decisions derived from formal models of the patterns help application designers prepare for unacceptable system quality degradation by knowing when a third-party implementation of the architectural patterns fails to maintain its guarantees.

Formal verification and validation of run-to-completion style state charts using Event-B

This paper introduces a notion of refinement into a ‘run to completion’ state chart modelling notation and leverages Event-B’s tool support for theorem proving to verify liveness and shows how critical invariant properties can be verified by proof despite the reactive nature of the system.

Formal Specification and Verification of Drone System using TLA+: A Case Study

  • Madhusmita DasBiju R. MohanR. R. Guddeti
  • Computer Science
    2022 IEEE/ACIS 23rd International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing (SNPD)
  • 2022
The safety of this Safety-Critical System (SCS) is analyzed by looking into the potential failure using Fault Tree Analysis (FTA) and building a TLA+ Specification and Verification for this drone system.

Towards an Automatic Proof of Lamport’s Paxos

This is the first demonstration of an automatically-inferred inductive invariant for Lamport’s original Paxos specification, and it is noted that these structural features are not specific to Paxos and that IC3PO can serve as an automatic general-purpose protocol verification tool.

Formal Verification of SDN-Based Firewalls by Using TLA+

It is shown that the firewall rule behavior of switches can be formalized using TLA+, and this is verified with the TLC model checker that uses TLA+ as the model description language to ensure that the same firewall rules are maintained even if the topology changes.

Invariants in Distributed Algorithms ∗

It is shown that even with state-machine based specifications, distributed algorithms can be expressed at a higher level, by using high-level queries over message history variables, capturing important invariants explicitly, and it is further shown that higher-level control flows can be supported allowing any grain of atomicity in the specification.

TLA + Proofs

This work uses Peterson’s mutual exclusion algorithm as a simple example to describe the features of TLAPS and shows how it and the Toolbox help users to manage large, complex proofs.

Model Checking TLA+ Specifications

TLC is a new model checker for debugging a TLA+ specification by checking invariance properties of a finite-state model of the specification.

A TLA+ Proof System

An extension to the TLA+ specification language with constructs for writing proofs and a proof environment, called the Proof Manager (PM), to checks those proofs, to support the incremental development and checking of hierarchically structured proofs.

TLA+ model checking made symbolic

This paper presents APALACHE -- a first symbolic model checker for TLA+.

Specifying Systems: The TLA+ Language and Tools for Hardware and Software Engineers [Book Review]

This book will teach you how to write specifications of computer systems, using the language TLA+, which is a simple variant of Pnueli's original logic.

The temporal logic of programs

  • A. Pnueli
  • Computer Science
    18th Annual Symposium on Foundations of Computer Science (sfcs 1977)
  • 1977
A unified approach to program verification is suggested, which applies to both sequential and parallel programs. The main proof method suggested is that of temporal reasoning in which the time

The PlusCal Algorithm Language

PlusCal is an algorithm language that can be used right now to replace pseudo-code, for both sequential and concurrent algorithms, based on the TLA + specification language, and a PlusCal algorithm is automatically translated to a T LA + specification that is checked with the TLC model checker and reasoned about formally.

Should your specification language be typed

It may be possible to have the best of both worlds by adding typing annotations to an untyped specification language, and to serve as the basis for a specification language without types.

How Amazon web services uses formal methods

Engineers use TLA+ to prevent serious but subtle bugs from reaching production and find ways to reduce the number of bugs in the final product.

Using TLC to Check Inductive Invariance

This paper proves that a formula I is an invariant of the spec, which means that I is true on all reachable states of theSpec, by finding a formula Inv that satisfies these conditions.