
TLA+ - ahelwer
https://en.wikipedia.org/wiki/TLA%2B
======
mad44
Here is my experience getting started with TLA+ and using it in my distributed
systems class.

[http://muratbuffalo.blogspot.com/2014/08/using-tla-for-
teach...](http://muratbuffalo.blogspot.com/2014/08/using-tla-for-teaching-
distributed.html)

[http://muratbuffalo.blogspot.com/2015/01/my-experience-
with-...](http://muratbuffalo.blogspot.com/2015/01/my-experience-with-using-
tla-in.html)

------
ted_dunning
Intel has had good results with formal methods. This is pretty important to
all of the rest of us.

Here are some slightly dated references to slides on the topic:

[http://www.cl.cam.ac.uk/~jrh13/slides/nasa-14apr10/slides.pd...](http://www.cl.cam.ac.uk/~jrh13/slides/nasa-14apr10/slides.pdf)

[http://www.cl.cam.ac.uk/~jrh13/slides/kieburtz-05dec03/slide...](http://www.cl.cam.ac.uk/~jrh13/slides/kieburtz-05dec03/slides.pdf)

~~~
nickpsecurity
Intel's work is great. The hardware industry in general is light-years ahead
of software industry on applied formal methods. The reason is straightforward:
bad circuits can't be fixed with an update. That recall made Intel and others
look at the balance sheet a second time with nice results. :)

And thanks for the links!

------
anonymousDan
Amazon have used it to verify algorithms in several of the core distributed
systems they run apparently. There was an article in the Communications of the
ACM recently about it, can't remember the reference offhand.

~~~
ahelwer
"How Amazon Web Services Uses Formal Methods"
[http://cacm.acm.org/magazines/2015/4/184701-how-amazon-
web-s...](http://cacm.acm.org/magazines/2015/4/184701-how-amazon-web-services-
uses-formal-methods/fulltext)

------
alvatar
I remember this from a Leslie Lamport talk posted also on HN a few months ago.
Is anyone using this for specifications, prototyping or anything in between in
real life?

~~~
mulligan
At Machine Zone, we've been using formal methods to specify and verify systems
we have in development. This is something we've only been doing in the last
6-9 months though.

~~~
ahelwer
Fascinating! I'd love to read a blog post or white paper on this.

It does seem like online gaming companies are at the forefront of distributed
systems implementation. See League of Legends' use of conflict-free replicated
data types, for example: [http://highscalability.com/blog/2014/10/13/how-
league-of-leg...](http://highscalability.com/blog/2014/10/13/how-league-of-
legends-scaled-chat-to-70-million-players-it-t.html)

------
fizixer
I saw the TLA+ talk [1] recently and was surprised there was no discussion of
code-generation.

Once you've spent a significant effort in writing and verifying a formal spec
for a program, there should be an automated mapping between it and the
implementation, or at least a template of such implementation.

[1]:
[https://www.youtube.com/watch?v=-4Yp3j_jk8Q](https://www.youtube.com/watch?v=-4Yp3j_jk8Q)

~~~
ahelwer
There is a difference between formal specification and formal verification.
Formal specification is what we have with TLA+: you create a high-level
description of your system, to which you apply software tools to check the
design. It's like blueprints for software.

Formal verification deals with proving that the actual code you write
implements a formal specification. This is a much, much harder problem.
Usually, it involves cajoling a theorem prover by adding lots of annotations
to your code. There's been some impressive work with the Ironclad project from
MSR[1] which brought this down to ~5 lines of annotation per single line of
implementation code - within striking distance of unit testing! Still,
probably a decade or more away from widespread use.

Formal verification isn't quite what you meant, though. You were talking about
code generation. For general systems specified by TLA+, this isn't going to be
useful unless you write in a very idiomatic way; in which case TLA+ is just a
very high-level programming language. However, code generation _is_
implemented in some specification languages that deal with very specific areas
of system design. I'm thinking primarily of the P language[2], which is used
to specify & check state machines and includes code generation capabilities
for C++ and C#.

[1] [https://www.usenix.org/conference/osdi14/technical-
sessions/...](https://www.usenix.org/conference/osdi14/technical-
sessions/presentation/hawblitzel)

[2]
[http://research.microsoft.com/apps/pubs/default.aspx?id=1771...](http://research.microsoft.com/apps/pubs/default.aspx?id=177118)
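To make the "blueprints for software" point concrete, here is a small added example of the kind of high-level description ahelwer is describing: a TLA+ specification of a lock shared by a set of processes, with invariants that the TLC model checker can check against every reachable state. This is not code from the thread, from TLA+'s own distribution, or from any of the projects mentioned above; the module name, the constant `Procs`, and the variable names are assumptions made for the illustration.

```tla
---- MODULE SimpleLock ----
\* Added example, not part of the original discussion. Models a lock shared
\* by the processes in Procs (an assumed constant, e.g. {1, 2, 3}) and states
\* the design properties TLC should check. Nothing here is implementation
\* code; it is a description of the design at the level of states and steps.
EXTENDS Naturals, FiniteSets

CONSTANT Procs                \* set of process identifiers (assumption)

VARIABLES owner,              \* set holding the current lock owner, {} if free
          pc                  \* per-process program counter

vars == <<owner, pc>>

\* Initially the lock is free and every process is idle.
Init == /\ owner = {}
        /\ pc = [p \in Procs |-> "idle"]

\* A process may take the lock only while it is free. Dropping the
\* "owner = {}" conjunct is the classic design bug: TLC then reports a
\* counterexample trace in which two processes reach "critical" together.
Acquire(p) == /\ pc[p] = "idle"
              /\ owner = {}
              /\ owner' = {p}
              /\ pc' = [pc EXCEPT ![p] = "critical"]

\* Only the owner can release the lock.
Release(p) == /\ pc[p] = "critical"
              /\ owner = {p}
              /\ owner' = {}
              /\ pc' = [pc EXCEPT ![p] = "idle"]

Next == \E p \in Procs : Acquire(p) \/ Release(p)

Spec == Init /\ [][Next]_vars

\* Type invariant: owner is empty or a single process, pc is well formed.
TypeOK == /\ owner \in SUBSET Procs
          /\ Cardinality(owner) <= 1
          /\ pc \in [Procs -> {"idle", "critical"}]

\* Safety property: at most one process is in its critical section.
MutualExclusion == \A p, q \in Procs :
                     (pc[p] = "critical" /\ pc[q] = "critical") => p = q

\* Consistency between the two variables: a process is in "critical"
\* exactly when it owns the lock.
Consistent == \A p \in Procs : (pc[p] = "critical") <=> (owner = {p})
====
```

To check it with TLC, pair the module with a model file (`SimpleLock.cfg`, an assumed name) that names the behaviour and the invariants to check, i.e. the lines `SPECIFICATION Spec`, `INVARIANTS TypeOK MutualExclusion Consistent`, and a concrete assignment such as `CONSTANT Procs = {1, 2, 3}`. TLC then explores every reachable state of the design and either reports that all three invariants hold or prints the shortest sequence of steps that violates one, which is the "check the design" step in the comment above; nothing about how the lock would be implemented in code is verified, which is exactly the specification-versus-verification distinction being drawn.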

