
Leslie Lamport: Video course on TLA+ - kelvich
http://lamport.azurewebsites.net/video/intro.html
======
ahelwer
Great to see this here! I act as a TA for Dr. Lamport's TLA+ courses at
Microsoft, and can answer any questions y'all have.

TLA+ in one sentence: it is a language used to write specifications, same as
you might write a spec in English/your chosen informal language, except here
you write your spec in basic mathematics; benefits of a formal specification
language include freedom from ambiguity, model-checking, and even
machine-checked proofs of correctness.

This language is a joy to use and I've found it really affects the way I think
about system design.

~~~
djb_hackernews
I haven't watched the videos yet but I have been keeping my eye on TLA+ ever
since seeing the whitepaper from Amazon and how they use TLA+ to spec out
their distributed systems. As someone that works on distributed systems that
could use some formality I _think_ TLA+ could help, however, I have a hard
time really understanding it.

Do you know of any straightforward non-trivial examples? Something a little
more complex than "hello world" and something that isn't abstract?

~~~
hwayne
I wrote an essay[0] about a non-trivial example I did at my company. We had to
work with several finicky APIs and the TLA+ spec caught several critical bugs
with it. Plus, it's purely a business logic system, so it's pretty concrete.

If you're interested in learning more, I also wrote a beginner's guide[1] to
the language, which contains concrete examples and exercises.

[0] [https://medium.com/espark-engineering-blog/formal-methods-in-practice-8f20d72bce4f#.u3grkd2i3](https://medium.com/espark-engineering-blog/formal-methods-in-practice-8f20d72bce4f#.u3grkd2i3)

[1] [https://learntla.com/introduction/](https://learntla.com/introduction/)

~~~
chillitom
Following your introduction now, it is a great quick-start tutorial, thanks
for creating it.

------
algorithmsRcool
Introduction @2:49

"What kind of clown am I claiming that I know what can make you think better?
... This is not the time to be modest. I have done seminal research in the
theory of distributed and concurrent systems for which I won the turning
award. You can stop the video now and look me up on the web. <long pause>..."

~~~
rhizome
Hmm, on the face of it that doesn't answer the question.

~~~
noblethrasher
The claim is that what he is about to say is worth your _attention_.

Achievement of the highest professional accolade for the very stuff that he
plans to discuss is literally _prima facie_ evidence in support of that claim.

~~~
macintux
The transcription ("turning award" instead of "Turing award") makes it easier
to miss the key point.

------
setheron
I viewed this originally when he posted them on the newsgroup. I thought they
were very well done, funny and enjoyable. I still haven't applied TLA+ to
something at work; however, I enjoyed learning it nevertheless.

------
mooneater
Ok I would love to know more about how the RTOS code was shrunk by 10x using
TLA+ (at 8:28)

~~~
pron
Well, that book costs $99:
[http://www.springer.com/us/book/9781441997357](http://www.springer.com/us/book/9781441997357)

But there's been more recent work done in TLA+ on another realtime OS, where
the mechanical proof system, TLAPS, was used to prove some aspects of the
kernel correct, and you can read about it for free here:
[https://members.loria.fr/SMerz/papers/abz2016-pharos.html](https://members.loria.fr/SMerz/papers/abz2016-pharos.html)

------
sdbbp
In my experience, writing a formal specification _once_ in TLA+ has shaped my
mindset around architecture, implementation, and verification of distributed
systems for the last 19 years. It's easier to provide feedback on most
informal architecture specifications. It is easier to implement to a
specification so as to have a higher confidence of compliance. It is easier to
consider the state space of an architecture (distributed system) when in a
testing/verification role.

------
neves
I'm about to start a new system that will have a state machine. The videos are
really good to help to think about the problem. This guy didn't get a Turing
Prize for nothing:-)

I won't even try to use TLA+ in my business context. Just will search for a
good Java library. Maybe these videos will help me to recognize a good one?

BTW, do any of my HN fellows have a good Java state machine open source
library to recommend?

~~~
whitenoice
You could use akka[1] library to build a state machine, actor model is great
for building state machines [2]. I have built one in the past using akka.
Library is pretty robust and well maintained.

[1] [http://akka.io](http://akka.io)

[2] [http://erlang.org/documentation/doc/4.8.2/doc/design_principles/fsm.html](http://erlang.org/documentation/doc/4.8.2/doc/design_principles/fsm.html)

[3] [http://doc.akka.io/docs/akka/current/java/fsm.html](http://doc.akka.io/docs/akka/current/java/fsm.html)

~~~
neves
It looks nice, but overkill for my application. For now I have no need for
distributed systems, probably some concurrency in the near future.

------
colanderman
While TLA+ itself is great, I suspect for many here that PlusCal (a "veneer"
on top of TLA+) is more immediately useful. I didn't fully grasp either
language until I understood PlusCal for what it is: a simple procedural
language with two nondeterministic constructs, which can be used for
describing concurrent state machines. Nothing more, nothing less.

(To understand PlusCal, you first need to understand the basics of TLA+, but
you don't need to understand the action system 100% in-depth.)

The idea behind PlusCal is to write your algorithm in it, leaving out the
"unimportant" bits, and using the nondeterministic operators in place of any
value that is not in your algorithm's control. The model checker, TLC, can
then run all possible traces of your algorithm to search for conditions under
which it may deadlock or violate some assertion you have made.
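
Added example (not part of the thread, and not PlusCal or TLC itself): a small Python explorer that does what the comment above describes, enumerating every interleaving and every nondeterministic choice of a two-process check-then-debit algorithm and returning the shortest trace that breaks the invariant `balance >= 0` or deadlocks. The withdrawal scenario, label names and sample values are constructed for illustration.

```python
from collections import deque

AMOUNTS, START_BALANCE = (1, 2, 3), 3   # constructed sample values
PROCS = (0, 1)                          # two concurrent withdrawal handlers

def step(state, p, pc, balance=None, amt=None):
    bal, pcs, amts = state              # copy of state with process p moved to label pc
    pcs = pcs[:p] + (pc,) + pcs[p + 1:]
    if amt is not None:
        amts = amts[:p] + (amt,) + amts[p + 1:]
    return (bal if balance is None else balance, pcs, amts)

def successors(state, atomic):
    """Yield (label, next_state) for every atomic step enabled in state."""
    bal, pcs, amts = state
    for p in PROCS:
        if pcs[p] == "pick":        # nondeterministic value, like `with a \in AMOUNTS`
            for a in AMOUNTS:
                yield f"p{p} picks {a}", step(state, p, "check", amt=a)
        elif pcs[p] == "check":
            if bal < amts[p]:
                yield f"p{p} rejected", step(state, p, "done")
            elif atomic:            # check and debit under one label
                yield f"p{p} check+debit", step(state, p, "done", balance=bal - amts[p])
            else:                   # check and debit are separate steps
                yield f"p{p} check ok", step(state, p, "debit")
        elif pcs[p] == "debit":
            yield f"p{p} debits {amts[p]}", step(state, p, "done", balance=bal - amts[p])

def check(atomic):
    """Breadth-first search of all reachable states; shortest bad trace or None."""
    init = (START_BALANCE, ("pick",) * len(PROCS), (0,) * len(PROCS))
    parent = {init: None}
    queue = deque([init])
    while queue:
        s = queue.popleft()
        succ = list(successors(s, atomic))
        deadlocked = not succ and any(pc != "done" for pc in s[1])
        if s[0] < 0 or deadlocked:
            trace = []
            while parent[s]:        # walk back to the initial state
                s, label = parent[s]
                trace.append(label)
            return trace[::-1]
        for label, t in succ:
            if t not in parent:
                parent[t] = (s, label)
                queue.append(t)
    return None
```

`check(atomic=False)` returns a six-step trace in which both checks pass before either debit runs; `check(atomic=True)` returns `None` because no reachable state violates the invariant.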

------
Aclassifier
I watched this very interesting and amusing series of videos and learned a lot
from them. I was shown practical in-use and the motivation for mathematical
syntax. I know Promela and CSPm some so I was curious to see more than a
trivial example of some C lines becoming a TLA+ spec. I missed real-life
examples of down-to-earth usage. The "Formal Development of a Network-Centric
RTOS" book shows not only TLA+ but also why in their situation TLA+ was more
suitable than other methodologies. Still, on TLA+ I miss the forest for the
trees. I probably need more time with Lamport. I hope he's able to do a
follow-up. (Or am I unfair here?)

------
gizmodo59
Just finished the first video. Very nicely done. The website is nicely done
too, not obtrusive and makes the learner focus on the video. +1

------
rebootthesystem
In many ways this is what APL was originally about. Ken Iverson used it to
describe the operation of early IBM computers while at IBM.

~~~
qznc
"A Formal Description of System/360"

Readable (kind of) here:
[https://www.yumpu.com/en/document/view/40763566/a-formal-description-of-system-360](https://www.yumpu.com/en/document/view/40763566/a-formal-description-of-system-360)

~~~
rebootthesystem
Nice find!

------
baby
> TLA+ (pronounced as tee ell a plus, /ˈtiː ɛl eɪ plʌs/) is a formal
> specification language developed by Leslie Lamport. It is used to design,
> model, document, and verify concurrent systems. TLA+ has been described as
> exhaustively-testable pseudocode[4] and blueprints for software systems.[5]

from wikipedia

------
nchuhoai
Possibly a side question:

What do people think of the format? I have off and on been thinking about a
format where the video is the main highlight, but is supported, like this one,
with links and other media to make it a more engaging experience. Are there
other use cases that you think this would be conducive for?

------
shaunxcode
These are great so far! I wish you had posted about it once they were all
available though as I was fully prepared to binge watch.

------
Ambrosia
Relevant: [http://sam.js.org](http://sam.js.org)

------
Avshalom
So how amenable is tla+ to automatic translation to an existing programming
language?

~~~
hwayne
IMO not very. It's easy in TLA+ to write things like "randomly select some
bijective function from the power set of N to [0, 1]", which can be really
handy for speccing but isn't exactly programming-friendly. I personally think
of this as a good thing, actually. TLA+ can be simpler and more expressive
than it would be if it had to also be translatable.

So you can't guarantee your implementation matches your spec. All the more
reason to write unit tests!

~~~
pron
That is not such a big problem. Many operators in TLA+ -- like division -- are
defined in terms of CHOOSE, but that doesn't stop TLC from implementing them
efficiently. It's very easy to supply efficient implementations for various
built in constructs, and tell you that you shouldn't use CHOOSE in your own
definitions that you want to be automatically translated. So the data and data
operations aren't the big problem; the control state is a bigger problem: It
is hard to translate TLA+ constructs to programming language idioms like
subroutines, loops and threads.

------
devdoomari
the video says it's 'video#1'... so where's the link to video#2, #3, ... ???

*edit: sorry I see the link after the end of video#1...

