
Building a “Simple” Distributed System – Formal Verification - pron
https://jack-vanlightly.com/blog/2019/1/27/building-a-simple-distributed-system-formal-verification
======
ahelwer
If you're interested in learning TLA+, the best resources are:

(1) Specifying Systems by Leslie Lamport
([https://lamport.azurewebsites.net/tla/book.html](https://lamport.azurewebsites.net/tla/book.html))

This is the original TLA+ textbook (I myself learned from it) and is very
thorough, but sometimes fails to differentiate between specs which are model-
checkable and specs which are not. Since model-checking has become recognized
as the main source of value from TLA+, this might frustrate readers who think
"woah, TLA+ can do THAT!?!?" only to be disappointed. I still like it, though.
You can get a free digital copy.

(2) The TLA+ Hyperbook by Leslie Lamport
([https://lamport.azurewebsites.net/tla/hyperbook.html](https://lamport.azurewebsites.net/tla/hyperbook.html))

Unfinished and unlikely to ever be finished (Leslie has stopped working on
it), serves as a good companion book to Specifying Systems. I believe this is
the only resource for learning the formal proofs capability of TLA+, which I
myself have not yet used.

(3) The TLA+ video course by Leslie Lamport
([http://lamport.azurewebsites.net/video/videos.html](http://lamport.azurewebsites.net/video/videos.html))

Very goofy, very fun. When Leslie teaches courses to engineers in person, he
uses these videos. They're effective.

(4) Learn TLA+ by Hillel Wayne
([https://learntla.com/introduction/](https://learntla.com/introduction/))

A free online resource for learning TLA+.

(5) Practical TLA+ by Hillel Wayne
([https://www.apress.com/us/book/9781484238288](https://www.apress.com/us/book/9781484238288))

I own this book, and it is a great introduction to PlusCal (a pseudocode-type
language that transpiles to TLA+) and TLA+ in general. Highly recommend! Along
with the video course, probably the ideal starting point these days.

~~~
Tomte
If you're capable of understanding TLA+ proper, is there much value in
starting with PlusCal, in your opinion?

Is PlusCal more a gentle gateway or properly useful in real-world
applications?

I lean towards starting with Lamport's book over Wayne's, because the latter
seems very PlusCal-centric (and the layout and typography don't appeal to me),
but that may be a mistake.

~~~
hwayne
This is a question I lose sleep over. I keep going back and forth on it.
Here's my current position:

_In my experience_, PlusCal is easier for the average engineer to start with,
because it lets me decouple learning about behaviors, learning temporal logic,
and learning basic predicate logic. It's also my experience that for many
people, it's easier and faster to learn PlusCal and then TLA+ than to start
with TLA+.

But PlusCal adds syntax and has its own quirks and logic. So if you are fine
with TLA+, it's unnecessary overhead and can distract from the core ideas.
Here's a quick test:

    Op(x, y) ==
       /\ x > y
       /\ \E s \in S:
           /\ x' = F(s)
       /\ UNCHANGED y

If that makes sense to you, start with TLA+ proper.
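
To make the test concrete, here is an added example (not from the thread, the linked article, or any of the books above): one mutex written as PlusCal and as the equivalent hand-written TLA+, with a safety invariant that TLC can check. Clients is an assumed constant, and the PlusCal is shown in a comment rather than passed through the translator.

```tla
------------------------------ MODULE Mutex ------------------------------
(* Assumed TLC model: Clients = {c1, c2, c3} (model values). *)
EXTENDS FiniteSets

CONSTANT Clients

(* The algorithm in PlusCal: each client is a process, and the labels
   become the values of the generated pc variable.

   --algorithm Mutex
   variable lock = FALSE;
   process client \in Clients
   begin
     Request: while TRUE do
     Enter:     await lock = FALSE; lock := TRUE;
     Leave:     lock := FALSE;
              end while;
   end process;
   end algorithm;
*)

(* The same behaviours in TLA+ proper; state[c] plays the role of pc. *)
VARIABLES state, lock
vars == <<state, lock>>

TypeOK == /\ state \in [Clients -> {"idle", "waiting", "critical"}]
          /\ lock \in BOOLEAN

Init == /\ state = [c \in Clients |-> "idle"]
        /\ lock = FALSE

Request(c) == /\ state[c] = "idle"
              /\ state' = [state EXCEPT ![c] = "waiting"]
              /\ UNCHANGED lock

\* Guard, primed variables and UNCHANGED: the same shape as Op(x, y) above
Enter(c) == /\ state[c] = "waiting"
            /\ lock = FALSE
            /\ lock' = TRUE
            /\ state' = [state EXCEPT ![c] = "critical"]

Leave(c) == /\ state[c] = "critical"
            /\ lock' = FALSE
            /\ state' = [state EXCEPT ![c] = "idle"]

Next == \E c \in Clients : Request(c) \/ Enter(c) \/ Leave(c)

Spec == Init /\ [][Next]_vars

\* Safety invariant for TLC: never two clients in the critical section at once
MutualExclusion == Cardinality({c \in Clients : state[c] = "critical"}) <= 1
==========================================================================
```

Checking TypeOK and MutualExclusion as invariants of Spec in TLC exercises exactly the action constructs in hwayne's test; if the TLA+ half reads naturally, the PlusCal half is the overhead he describes.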

~~~
pron
I think this is ultimately an empirical question about "the average beginner."
The main issue I have with PlusCal (aside from being more complicated in that
it has complicated constructs like subroutines and a stack) is that it could
confuse people into thinking that specifying (in TLA+/PlusCal) resembles
programming because the PlusCal syntax resembles programming. This can lead to
confusion down the line. This is why I think it's a question of would you
rather be confused now or later? But if someone finds it easier to start with
PlusCal, I see no issue with that.

