
TLA+: design, model, document, and verify concurrent systems - lolptdr
https://lamport.azurewebsites.net/tla/tla.html
======
gralx
I've been learning TLA+ for the past two months, hoping I could use it as a
formal language for software design generally and not just for concurrent
systems. I'm enamored with the idea of using math formalisms to describe a
state machine.

But now that I've gone through Lamport's (very charming) video tutorials at
OP's link and studied some of the specifications at

[https://github.com/tlaplus/Examples/tree/master/specificatio...](https://github.com/tlaplus/Examples/tree/master/specifications)

I'm less sure now that I can. I'll keep plugging away, but if anyone here has
any suggestions or offers any alternatives, I'm all ears.

~~~
pron
I think TLA+ is a great fit for what you want to do. What problems are you
facing?

BTW, while state machines are certainly the recommended approach for TLA+
specifications (and for very good reasons), there are others, which _may_ be
useful in some cases. For example, here I have a rule-based specification of
Tic-Tac-Toe:
[https://pron.github.io/files/TicTacToe.pdf](https://pron.github.io/files/TicTacToe.pdf)
Instead of describing a state machine, the specification is a _conjunction_ of
state machines in a style known as "behavioral programming".

Also, you may benefit from looking at the TLA+ subreddit
([https://old.reddit.com/r/tlaplus/](https://old.reddit.com/r/tlaplus/)) for
various posts on TLA+ and formal methods in general, and maybe get some ideas.

~~~
gralx
> I think TLA+ is a great fit for what you want to do.

I'm very happy to hear that.

> What problems are you facing?

Generally, the problem of formally specifying a program in set theory and
first-order logic syntax before choosing implementation details, such as the
language to program it in.

I have to give more thought to how I would describing specific problems. I've
started with a program I want to write that I've already modelled informally.
I'll edit this post later to explain it.

~~~
pron
First, just to be precise, system dynamics are specified in TLA+ with TLA,
which is a linear-time temporal logic (albeit one that seeks to minimize
temporal reasoning); set theory is used "only" for the data part.

Second, the whole point of a high-level specification is that it is not
dependent on a programming language, and allows you to choose the level of
detail that suits you. One of the things that set TLA+ apart is that it allows
for very convenient refinements, i.e. you can specify the same system multiple
times, at different levels of detail, and show that a more detailed
specification indeed implements a more abstract one.

Perhaps looking at examples (which you can find on the subreddit I linked and
in the sidebar) will give you a better feel for how TLA+ is used for precisely
the goal you have in mind. The Practical TLA+ book[1] (which uses PlusCal)
also has good examples.

[1]:
[https://www.apress.com/gp/book/9781484238288](https://www.apress.com/gp/book/9781484238288)

~~~
gralx
Fantastic, pron - thanks for the helpful replies.

I had a look at Practical TLA+ a few weeks back, but because its first example
also specifies a concurrent system, and because most of it is written in
PlusCal syntax, not in TLA+, I decided to put it off. I'll give it another
look on your recommendation. I'll also check out the subreddit you linked to.

The idea of starting with a general high-level specification before adding
detail makes a lot of sense.

As for specific problems, I have in mind a program that should be simple to
specify. At its heart, it tests whether each numeric value in an input tuple X
lies between values at the same index in tuples A and B, so that if

    
    
        ∀x ∈ X : a_i ∈ A ≤ x_i ≤ b_i ∈ B
    

then the program outputs "true", and otherwise the program outputs "false".
Because both outputs are allowed,

    
    
        True ≜  ∧ ∀x ∈ X : ∧ x_i ≥ a_i ∈ A
                           ∧ x_i ≤ b_i ∈ B
                ∧ Output′ = true
    
        False ≜ ∧ ∃x ∈ X : ∨ x_i < a_i ∈ A
                           ∨ x_i > b_i ∈ B
                ∧ Output′ = false
    

covers all states. Some of my syntax is not TLA+, as you can see, so that's
the specific problem I'm up against right now.

~~~
hwayne
Yo, author of PT here. I'd say that given your use case, the book _probably_
won't be that useful to you. Among other things, I intentionally avoided
teaching refinements. You'd probably be happier starting with either
_Specifying Systems_[1] or the _Hyperbook_[2], particularly the latter's proof
track.

If you still have access to a copy of PT, I'd recommend reading chapter 7
(specifying and implementing algorithms) to see if that helps at all. The code
is in PlusCal, but the general approach transfers to pure TLA+.

[1]:
[https://lamport.azurewebsites.net/tla/book.html](https://lamport.azurewebsites.net/tla/book.html)
[2]:
[https://lamport.azurewebsites.net/tla/hyperbook.html](https://lamport.azurewebsites.net/tla/hyperbook.html)

EDIT: in terms of writing it as TLA+, you probably want something like

    
    
        EXTENDS Sequences
        IndicesBetween(X, A, B) ==
          \A i \in 1..Len(X):
            /\ A[i] <= X[i]
            /\ B[i] >= X[i]
    

Assuming `Len(X) <= Min(Len(A), Len(B))`.

~~~
gralx
Thanks, Hillel! The TLA+ formulation looks good. I was so happy to get your
advice that I bought a copy of Practical TlA+ from Apress. Even if it doesn't
help with this particular project, I'm sure it will be useful down the line.

Specifying Systems has been my go-to reference alongside Lamport's video
tutorial. Thanks for suggesting Chapter 7 of the Hyperbook - I never thought
to look there.

EDIT: I misread: Chapter 7 refers to the chapter in Practical TLA+, not to the
Hyperbook's proof track.

------
yingw787
Raymond Hettinger just have a talk at PyCon an hour ago about formal reasoning
and solvers. There’s a lot of polish in the talk, with a whole ReadTheDocs
site with runnable Python code with solvers written from scratch. The slides
aren’t out yet publicly or privately, but I would highly recommend going
through the examples when the PyCon committee releases the information. The
way he puts it makes it much less intimidating than I thought it would be.

Also Raymond is a very nice guy :D

~~~
camel_Snake
PyCon usually uploads talks within a day or two of their presentation. There
should be a PyCon 2019 YouTube channel already.

~~~
manaskarekar
PyCon 2019
[https://www.youtube.com/channel/UCxs2IIVXaEHHA4BtTiWZ2mQ](https://www.youtube.com/channel/UCxs2IIVXaEHHA4BtTiWZ2mQ)

------
billfruit
One thing that bothered me while trying to learn the TLA+ is the two different
but equivalent forms or syntax for writing it: a mathematical
formula/expression form and code/program form. This topic is difficult as it,
and having to deal with not one but two equivalent forms of saying one thing
is perhaps a bit hard on a learner. I wish if there was a tutorial of TLA+
that ditched the whole mathematical formula notation, and taught only the code
form.

~~~
pron
They're equivalent in the sense that PlusCal, the pseudo-code-like language
compiles to TLA+, the mathematical notation. The book Practical TLA+ teaches
pretty much only PlusCal. Eventually, though, to get the full power, even
those who start with PlusCal will need to learn at least some TLA+.

------
bayareanative
Interesting. I've worked concurrent systems in VHDL and Verilog (but not
SystemVerilog) stacks, and those using C, C++, Haskell, OCaml, Ruby, Go,
Erlang and Rust.

I wonder if this approach could formally verify systems like seL4.

Here's an approach to verifying concurrent systems using coq:

[https://www.sciencedirect.com/science/article/pii/S157106610...](https://www.sciencedirect.com/science/article/pii/S1571066108000765)

~~~
pron
The main difference between Coq and TLA+ is that Coq is a research tool,
intended and designed for use by researchers, while TLA+ is intended as an
industry tool, and designed for use by engineers. They are essentially
equivalent in their power when it comes to specifying and verifying software
(although Coq is more suitable for proving general mathematics), but Coq is
used almost exclusively by researchers. The learning curve is very different
(one could get productive to the point they specify real nontrivial systems
after learning TLA+ within a few days or a couple of weeks, while with Coq
this takes many months), and TLA+ has much more automation.

------
hcnews
This keeps getting re-shared periodically on HN. I wonder what's HN policy
around re-sharing same/similar content.

~~~
Tomte
If it did not get "attention" (which I interpret as 10+ karma, but that's my
interpretation), it may be resubmitted.

If the last "attention" is older than a year, resubmitting is also okay.

The first part is in the FAQ, the second part has been said by the mods
multiple times.

