TLA+ model checking made symbolic

Konnov, Igor; Kukovec, Jure; Tran, Thanh-Hai

doi:10.1145/3360549

Cited by 37 publications

(21 citation statements)

References 76 publications

(74 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Back-ends Konnov et al built a symbolic model checker for TLA + , the results of which are encouraging [3]. We wish to integrate this model checker into the Toolbox as a new back-end.…”

Section: Future Workmentioning

confidence: 99%

“…To alleviate this problem, a TLC feature of the next Toolbox release will issue a warning if a translation has become stale. 3 As seen in figure 2, a spec editor provides templates for PlusCal expressions. The goal of templates is not to speed up typing -specs are usually short -but to guide novice users by putting the syntactical and semantic documentation of PlusCal expressions at their fingertips.…”

Section: Pluscalmentioning

confidence: 99%

See 1 more Smart Citation

The TLA+ Toolbox

Kuppe

Lamport

Ricketts

2019

Electron. Proc. Theor. Comput. Sci.

View full text Add to dashboard Cite

We discuss the workflows supported by the TLA + Toolbox to write and verify specifications. We focus on features that are useful in industry because its users are primarily engineers. Two features are novel in the scope of formal IDEs: CloudTLC connects the Toolbox with cloud computing to scale up model checking. A Profiler helps to debug inefficient expressions and to pinpoint the source of state space explosion. For those who wish to contribute to the Toolbox or learn from its flaws, we present its technical architecture.

show abstract

“…Back-ends Konnov et al built a symbolic model checker for TLA + , the results of which are encouraging [3]. We wish to integrate this model checker into the Toolbox as a new back-end.…”

Section: Future Workmentioning

confidence: 99%

Section: Pluscalmentioning

confidence: 99%

The TLA+ Toolbox

Kuppe

Lamport

Ricketts

2019

Electron. Proc. Theor. Comput. Sci.

View full text Add to dashboard Cite

show abstract

“…CADP is oriented at concurrent value-passing systems, and can perform explicit-state model checking of temporal properties specified in a variant of the modal 𝜇-calculus, with support for compositional verification [65]. TLA+ [64] supports checking assertion violations and verifying linear temporal properties through explicit-state model checking [106], theorem proving [23], and symbolic model checking [58]. Disel [94] aims at modular verification, i.e., verifying individual components and exploiting these proofs when verifying a larger system.…”

Section: Related Workmentioning

confidence: 99%

Verification of Distributed Systems via Sequential Emulation

Stefano

Nicola

Inverso

2022

ACM Trans. Softw. Eng. Methodol.

View full text Add to dashboard Cite

Sequential emulation is a semantics-based technique to automatically reduce property checking of distributed systems to the analysis of sequential programs. An automated procedure takes as input a formal specification of a distributed system, a property of interest, and the structural operational semantics of the specification language and generates a sequential program whose execution traces emulate the possible evolutions of the considered system. The problem as to whether the property of interest holds for the system can then be expressed either as a reachability or as a termination query on the program. This allows to immediately adapt mature verification techniques developed for general-purpose languages to domain-specific languages, and to effortlessly integrate new techniques as soon as they become available. We test our approach on a selection of concurrent systems originated from different contexts from population protocols to models of flocking behaviour. By combining a comprehensive range of program verification techniques, from traditional symbolic execution to modern inductive-based methods such as property-directed reachability, we are able to draw consistent and correct verification verdicts for the considered systems.

show abstract

“…We first use TLA + [30] to specify the failure detector with both encoding techniques for the message buffer, and the abstraction in Section 7. Then, we use the model checker TLC in the TLA + Toolbox version 1.7.1 [48,38] and the model checker APALACHE version 0.15.0 [25,42] to verify instances with fixed bounds ∆ and Φ, and the GST T 0 = 1. This approach helps us to search constraints in inductive invariants in case of fixed parameters.…”

Section: Reduce Liveness Properties To Safety Propertiesmentioning

confidence: 99%

A case study on parametric verification of failure detectors

Tran¹,

Konnov²,

Widder³

2021

Preprint

Self Cite

View full text Add to dashboard Cite

Partial synchrony is a model of computation in many distributed algorithms and modern blockchains. These algorithms are typically parameterized in the number of participants, and their correctness requires the existence of bounds on message delays and on the relative speed of processes after reaching Global Stabilization Time (GST). These characteristics make partially synchronous algorithms parameterized in the number of processes, and parametric in time bounds, which render automated verification of partially synchronous algorithms challenging. In this paper, we present a case study on formal verification of both safety and liveness of the Chandra and Toueg failure detector that is based on partial synchrony. To this end, we first introduce and formalize the class of symmetric point-to-point algorithms that contains the failure detector. Second, we show that these symmetric point-to-point algorithms have a cutoff, and the cutoff results hold in three models of computation: synchrony, asynchrony, and partial synchrony. As a result, one can verify them by model checking small instances, but the verification problem stays parametric in time. Next, we specify the failure detector and the partial synchrony assumptions in three frameworks: TLA + , IVy, and counter automata. Importantly, we tune our modeling to use the strength of each method: (1) We are using counters to encode message buffers with counter automata, (2) we are using first-order relations to encode message buffers in IVy, and (3) we are using both approaches in TLA + . By running the tools for TLA + (TLC and APALACHE) and counter automata (FAST), we demonstrate safety for fixed time bounds. This helped us to find the inductive invariants for fixed parameters, which we used as a starting point for the proofs with IVy. By running IVy, we prove safety for arbitrary time bounds. Moreover, we show how to verify liveness of the failure detector by reducing the verification problem to safety verification. Thus, both properties are verified by developing inductive invariants with IVy. We conjecture that correctness of other partially synchronous algorithms may be proven by following the presented methodology.

show abstract

TLA+ model checking made symbolic

Cited by 37 publications

References 76 publications

The TLA+ Toolbox

The TLA+ Toolbox

Verification of Distributed Systems via Sequential Emulation

A case study on parametric verification of failure detectors

Contact Info

Product

Resources

About