Proofs and Proof Certification in the TLA Proof System

Authors

  • Stephan Merz
  • David Pichardie
  • Tjark Weber

Abstract

TLA+ is a specification language originally designed for specifying concurrent and distributed systems and their properties. It is based on Zermelo-Fraenkel set theory for modeling data structures and on the linear-time temporal logic TLA for specifying system executions and their properties. The TLA+ proof system (tlaps) has been designed as an interactive proof assistant for deductively verifying TLA+ specifications. Designed to be independent of any particular theorem prover, it is based on a hierarchical proof language. A proof manager interprets this language and generates proof obligations corresponding to leaf proofs, which can be discharged by different back-end provers. The current release, restricted to non-temporal reasoning, includes Isabelle/TLA+, an encoding of the set theory underlying TLA+ as an object logic in the proof assistant Isabelle, the tableau prover Zenon, and a back-end for SMT solvers. This article will first give an overview of the overall design of tlaps and its proof language and then focus on proof certification in tlaps. Since the use of different back-end provers raises legitimate concerns about the soundness of the integration, we expect back-end provers to produce proofs that can be checked by Isabelle/TLA+, our most trusted back-end, and this is currently implemented for the Zenon back-end. I will review our experiences with proof certification, and to what extent it has contributed to avoiding soundness bugs, and will indicate future work that we intend to carry out in order to improve our confidence in the soundness of tlaps.

1 The TLA+ proof language

TLA+ [4] is a specification language originally designed for specifying concurrent and distributed systems and their properties. It is based on Zermelo-Fraenkel set theory for modeling data structures and on the linear-time temporal logic TLA for specifying system executions and their properties.

The TLA+ proof system tlaps [2, 3] has been designed as an interactive proof assistant for deductively verifying TLA+ specifications. Designed to be independent of any particular theorem prover, it is based on a hierarchical proof language. As a simple example of the TLA+ proof language, let us consider the proof of Cantor's theorem. Given the definitions

  Range(f) ≜ {f[x] : x ∈ domain f}
  Surj(f, S) ≜ S ⊆ Range(f)

of the range of a function¹ and the notion of a function f being surjective for set S, Cantor's theorem can be stated as

  theorem Cantor ≜ ∀S : ¬∃f ∈ [S → subset S] : Surj(f, subset S)

where subset S denotes the powerset (the set of all subsets) of S. A hierarchical proof of that theorem appears in Figure 1. Proof steps carry labels of the form 〈d〉n, where d is the depth of the step (which is also indicated by indentation in the presentation of the proof), and n is a freely chosen name—in the example, steps at any given level are just numbered. There are many different ways to write any given proof; in fact, Cantor's theorem could simply be proved by one of the automatic proof back-ends available in tlaps.

¹ The application of function f to argument x is written as f[x] in TLA+. The TLA+ expression [S → T] denotes the set of functions whose domain is S and such that f[x] ∈ T for all x ∈ S.

David Pichardie, Tjark Weber (eds.); PxTP 2012, pp. 16–20

  theorem Cantor ≜ ∀S : ¬∃f ∈ [S → subset S] : Surj(f, subset S)
  proof
    〈1〉1. assume new S, ∃f ∈ [S → subset S] : Surj(f, subset S)
          prove false
      〈2〉1. pick f ∈ [S → subset S] : Surj(f, subset S)
        obvious
      〈2〉2. ¬Surj(f, subset S)
        〈3〉1. define D ≜ {x ∈ S : x ∉ f[x]}
        〈3〉2. D ∈ subset S
          obvious
        〈3〉3. D ∉ Range(f)
          by def Range
        〈3〉4. qed
          by 〈3〉2, 〈3〉3 def Surj
      〈2〉3. qed
        by 〈2〉2
    〈1〉2. qed
      by 〈1〉1

  Figure 1: A hierarchical proof of Cantor's theorem in TLA+.
The user chooses how to decompose a proof, starting a new level of proof that ends with a qed step establishing the assertion of the enclosing level. Assertions appearing at the leaves of the proof tree are considered trivial enough to be passed to the automatic provers of tlaps. Step 〈1〉1 reformulates Cantor's theorem as a sequent (TLA+ sequents are written as assume . . . prove . . . ) that assumes given some set S for which there exists a surjective function from S to subset S, in order to prove a contradiction. Step 〈1〉2 deduces the assertion of the theorem from that sequent. (In general, proofs of qed steps are written before the proofs of the steps that precede it.) The level-2 proof starts by picking some such surjective function f and then shows that it cannot in fact be surjective—hence 〈2〉3 deduces a contradiction. The main argument of the proof appears in the level-3 step, which defines the diagonal set D ⊆ S, which by definition cannot be in the range of f.

The proof of Cantor's theorem shows some of the main features of the TLA+ proof language. Hierarchical structure is the key to managing complexity. All proof obligations that appear in a proof are independent of one another and can be elaborated and verified in any order. In general, facts and definitions to be used to establish leaf proof steps must be cited explicitly in order to keep the search space for the automatic proof back-ends manageable. In our experience, the proof language scales well to large proofs. tlaps is integrated into
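To show the same proof-language features (assume/prove sequents, pick, a local define, qed steps, and explicit citation of facts and definitions) on a second theorem, here is an added example that is not from the paper or from the tlaps distribution: a TLAPS module, in ASCII syntax, proving that the composition of two surjections is a surjection. The module name, the lemma name and the proof decomposition are my own; the definitions of Range and Surj are the paper's, transcribed to ASCII. As in Figure 1, the locally defined operator h is expanded automatically in the steps that follow its define step, while the module-level definitions Range and Surj must be cited with def.

```tla
---- MODULE SurjCompose ----
\* Definitions from the paper, in ASCII syntax.
Range(f)   == {f[x] : x \in DOMAIN f}
Surj(f, S) == S \subseteq Range(f)

\* Hypothetical lemma (not from the paper): surjections compose.
LEMMA SurjCompose ==
  ASSUME NEW S, NEW T, NEW U,
         NEW f \in [S -> T], Surj(f, T),
         NEW g \in [T -> U], Surj(g, U)
  PROVE  Surj([x \in S |-> g[f[x]]], U)
\* A local definition: expanded automatically in the steps below.
<1> DEFINE h == [x \in S |-> g[f[x]]]
\* Every u in U is hit by h; this sequent is later used as a universal fact.
<1>1. ASSUME NEW u \in U PROVE u \in Range(h)
  \* U \subseteq Range(g) and DOMAIN g = T, so u has a preimage t under g.
  <2>1. PICK t \in T : g[t] = u  BY DEF Surj, Range
  \* T \subseteq Range(f) and DOMAIN f = S, so t has a preimage s under f.
  <2>2. PICK s \in S : f[s] = t  BY DEF Surj, Range
  <2>3. h[s] = u  BY <2>1, <2>2
  \* s \in DOMAIN h, so h[s] is an element of Range(h).
  <2>4. QED  BY <2>3 DEF Range
<1>2. QED  BY <1>1 DEF Surj
====
```

Each leaf step (the `BY` and `PICK` lines) becomes one proof obligation that the proof manager hands to the back-end provers independently; omitting `DEF Range` from <2>4, for instance, leaves Range opaque to the back-end and that single obligation fails while the others are unaffected.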




Publication date: 2012