Extracting symbolic transitions from TLA+ specifications

Kukovec, Jure; Tran, Thanh-Hai; Konnov, Igor

doi:10.1016/j.scico.2019.102361

Cited by 3 publications

(5 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Importantly, we designed the technique with soundness in mind. Detailed proofs can be found in the report [16]. We believe that our results can be used as a first preprocessing step when developing a symbolic model checker or a type checker for TLA + .…”

Section: Discussionmentioning

confidence: 89%

Extracting Symbolic Transitions from TLA$$^{+}$$+ Specifications

Kukovec

Tran²,

Konnov³

2018

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

In TLA + , a system specification is written as a logical formula that restricts the system behavior. As a logic, TLA + does not have assignments and other imperative statements that are used by model checkers to compute the successor states of a system state. Model checkers compute successors either explicitly-by evaluating program statementsor symbolically-by translating program statements to an SMT formula and checking its satisfiability. To efficiently enumerate the successors, TLA's model checker TLC introduces side effects. For instance, an equality x = e is interpreted as an assignment of e to the yet unbound variable x. Inspired by TLC, we introduce an automatic technique for discovering expressions in TLA + formulas such as x = e and x ∈ {e1,. .. , e k } that can be provably used as assignments. In contrast to TLC, our technique does not explicitly evaluate expressions, but it reduces the problem of finding assignments to the satisfiability of an SMT formula. Hence, we give a way to slice a TLA + formula in symbolic transitions, which can be used as an input to a symbolic model checker. Our prototype implementation successfully extracts symbolic transitions from a few TLA + benchmarks.

show abstract

Section: Discussionmentioning

confidence: 89%

Extracting Symbolic Transitions from TLA$$^{+}$$+ Specifications

Kukovec

Tran²,

Konnov³

2018

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…Recently, we introduced a symbolic technique for finding such assignments without evaluating the TLA + formula [Kukovec et al 2018]. Additionally, we proposed a technique for decomposing a TLA + formula into a disjunction of formulas T 1 , .…”

Section: Assignments and Symbolic Transitionsmentioning

confidence: 99%

“…• Assignment x ′ S: Following TLC, under the conditions given by [Kukovec et al 2018], we treat an expression x ′ ∈ S as an assignment of a value from the set S to the variable x ′ . Note that an expression x ′ = e is a special case of this rule, which can be written as x ′ ∈ {e}.…”

Section: Kera+: the Kernel Language Of Tla+ Expressionsmentioning

confidence: 99%

“…This is also a requirement of TLC. (3) Following our previous work [Kukovec et al 2018], we assume that for each variable x, there is a set of expressions x ′ = e and x ′ ∈ S that can be be treated as assignments to x ′ . As a consequence, the specification can be decomposed into a set of symbolic transitions.…”

mentioning

confidence: 99%

“…First, the call sites of userdefined operators are replaced with their bodies, which produces a flat specification. Second, the technique by [Kukovec et al 2018] finds symbolic transitions in the specification. Third, basic type inference labels expressions with types.…”

mentioning

confidence: 99%

See 2 more Smart Citations

TLA+ model checking made symbolic

Konnov

Kukovec²,

Tran³

2019

Proc. ACM Program. Lang.

Self Cite

View full text Add to dashboard Cite

TLA + is a language for formal specification of all kinds of computer systems. System designers use this language to specify concurrent, distributed, and fault-tolerant protocols, which are traditionally presented in pseudo-code. TLA + is extremely concise yet expressive: The language primitives include Booleans, integers, functions, tuples, records, sequences, and sets thereof, which can be also nested. This is probably why the only model checker for TLA + (called TLC) relies on explicit enumeration of values and states. In this paper, we present APALACHE Ð a first symbolic model checker for TLA +. Like TLC, it assumes that all specification parameters are fixed and all states are finite structures. Unlike TLC, APALACHE translates the underlying transition relation into quantifier-free SMT constraints, which allows us to exploit the power of SMT solvers. Designing this translation is the central challenge that we address in this paper. Our experiments show that APALACHE outperforms TLC on examples with large state spaces. CCS Concepts: • Theory of computation → Logic and verification; • Software and its engineering → Model checking; Specification languages.

show abstract

Symbolic Model Checking for TLA+ Made Faster

Otoni

Konnov²,

Kukovec³

et al. 2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

The need to provide formal guarantees about the behaviour of the algorithms underpinning modern distributed systems became evident in recent years. This interest made apparent the complexities involved in applying verification techniques in a distributed setting, with significant effort being made in both academia and industry to aid in this endeavour. Many formalisms have been proposed to tackle the difficulties faced by practitioners, with one that has seen widespread use in industry being TLA$$^+$$ + , adopted, for instance, by Amazon Web Services. TLA$$^+$$ + provides engineers with a way of specifying both systems and desired properties, and is supported by a number of verification tools. Despite their extensive use, such tools suffer considerably from lack of scalability. To solve this, we propose a novel encoding of TLA$$^+$$ + into SMT constraints to improve symbolic model checking efficiency. Our insight is the need to provide the SMT solver with structural information about the TLA$$^+$$ + specification encoded, i.e., how data structures and their component elements interact, which we do by relying on the SMT theory of arrays. We implemented our approach by modifying the SMT-based model checker Apalache and evaluated it against comparable tools. Our results show that our approach outperforms existing ones on a number of benchmarks, with an order of magnitude improvement in checking time.

show abstract

Extracting symbolic transitions from TLA+ specifications

Cited by 3 publications

References 14 publications

Extracting Symbolic Transitions from TLA$$^{+}$$+ Specifications

Extracting Symbolic Transitions from TLA$$^{+}$$+ Specifications

TLA+ model checking made symbolic

Symbolic Model Checking for TLA+ Made Faster

Contact Info

Product

Resources

About