Model Checking TLA+ Specifications
Authors
Abstract
TLA+ is a specification language for concurrent and reactive systems that combines the temporal logic TLA with full first-order logic and ZF set theory. TLC is a new model checker for debugging a TLA+ specification by checking invariance properties of a finite-state model of the specification. It accepts a subclass of TLA+ specifications that should include most descriptions of real system designs. It has been used by engineers to find errors in the cache coherence protocol for a new Compaq multiprocessor. We describe TLA+ specifications and their TLC models, how TLC works, and our experience using it.
Similar references
Validation of formal specifications
TLA (the Temporal Logic of Actions) is a linear temporal logic for specifying and reasoning about reactive systems. The purpose of this paper is to develop an animator and a model checker, both based on a subset of TLA, and illustrates how we can combine these tools to validate TLA specifications.
Translating B to TLA+ for Validation with TLC
The state-based formal methods B and TLA+ share the common base of predicate logic, arithmetic and set theory. However, there are still considerable differences, such as the way to specify state transitions, the different approaches to typing, and the available tool support. In this paper, we present a translation from B to TLA+ to validate B specifications using the model checker TLC. The transl...
The Investigation of TLC Model Checker Properties
This paper presents the investigation and comparison of the properties of the TLC model checking method (TLA Checker). Two different approaches to using the method are considered. The first traverses the transition system states by breadth-first search (BFS), and the second by depth-first search (DFS). The Kripke structure has been chosen as the transition system model. A case...
High-Level Specifications: Lessons from Industry
We explain the rationale behind the design of the TLA+ specification language, and we describe our experience using it and the TLC model checker in industrial applications—including the verification of multiprocessor memory designs at Intel. Based on this experience, we challenge some conventional wisdom about high-level specifications.
Verifying and Constructing Abstract TLA Specifications: Application to the Verification of C programs
One approach to verify the correctness of a system is to prove that it implements an executable (specification) model whose correctness is more obvious. Here, we define a kind of automata whose state is the product of values of multiple variables that we name State Transition System (STS). We define the semantics of TLA+ (specification language of the Temporal Logic of Actions) constructs using...