Article

Why Amazon Chose TLA+

Author:

Chris NewcombeAuthors Info & Claims

ABZ 2014: Proceedings of the 4th International Conference on Abstract State Machines, Alloy, B, TLA, VDM, and Z - Volume 8477

Pages 25 - 39

https://doi.org/10.1007/978-3-662-43652-3_3

Published: 02 June 2014 Publication History

Abstract

Since 2011, engineers at Amazon have been using TLA⁺ to help solve difficult design problems in critical systems. This paper describes the reasons why we chose TLA⁺ instead of other methods, and areas in which we would welcome further progress.

References

[1]

Abrial, J.-R.: Formal methods in industry: achievements, problems, future. In: 28th Intl. Conf. Software Engineering ICSE, Shanghai, China, pp. 761---768. ACM 2006

Digital Library

[2]

Abrial, J.-R.: Modeling in Event-B. Cambridge University Press 2010

[3]

Abrial, J.-R., et al.: Rodin: an open toolset for modelling and reasoning in Event-B. STTT 126, 447---466 2010

Digital Library

[4]

Alloy online tutorial: How to think about an alloy model: 3 levels, http://alloy.mit.edu/alloy/tutorials/online/sidenote-levels-of-understanding.html

[5]

Event-B wiki: Industrial projects, http://wiki.event-b.org/index.php/Industrial_Projects

[6]

Barr, J.: Amazon S3 --- the first trillion objects. Amazon Web Services Blog June 2012, http://aws.typepad.com/aws/2012/06/amazon-s3-the-first-trillion-objects.html

[7]

Barr, J.: Amazon S3 --- two trillion objects, 1.1 million requests per second. Amazon Web Services Blog March 2013, http://aws.typepad.com/aws/2013/04/amazon-s3-two-trillion-objects-11-million-requests-second.html

[8]

Batson, B., Lamport, L.: High-level specifications: Lessons from industry. In: de Boer, F.S., Bonsangue, M.M., Graf, S., de Roever, W.-P. eds. FMCO 2002. LNCS, vol. 2852, pp. 242---261. Springer, Heidelberg 2003

[9]

Bolosky, W.J., Douceur, J.R., Howell, J.: The Farsite project: a retrospective. Operating Systems Reviews 412, 17---26 2007

Digital Library

[10]

Cohen, E., Moskal, M., Schulte, W., Tobies, S.: Local verification of global invariants in concurrent programs. In: Touili, T., Cook, B., Jackson, P. eds. CAV 2010. LNCS, vol. 6174, pp. 480---494. Springer, Heidelberg 2010

Digital Library

[11]

Douceur, J., et al.: Memoir: Formal specs and correctness proof 2011, http://research.microsoft.com/pubs/144962/memoir-proof.pdf

[12]

Hall, A.: Seven myths of formal methods. IEEE Software 75, 11---19 1990

Digital Library

[13]

Holzmann, G.: Design and Validation of Computer Protocols. Prentice Hall, New Jersey 1991

Digital Library

[14]

Jackson, D.: Personal communication 2014

[15]

Jackson, D.: Software Abstractions, revised edition. MIT Press 2012, http://www.softwareabstractions.org/

Digital Library

[16]

Lamport, L.: Comment on the history of the TLC model checker, http://research.microsoft.com/en-us/um/people/lamport/pubs/pubs.html#yuanyu-model-checking

[17]

Lamport, L.: Summary of TLA+, http://research.microsoft.com/en-us/um/people/lamport/tla/summary.pdf

[18]

Lamport, L.: The TLA+ Hyperbook, http://research.microsoft.com/en-us/um/people/lamport/tla/hyperbook.html

[19]

Lamport, L.: The Temporal Logic of Actions. ACM Trans. Prog. Lang. Syst. 163, 872---923 1994

Digital Library

[20]

Lamport, L.: Specifying Systems. Addison-Wesley 2002, http://research.microsoft.com/en-us/um/people/lamport/tla/book-02-08-08.pdf

[21]

Lamport, L.: Fast Paxos. Distributed Computing 192, 79---103 2006

Digital Library

[22]

Lamport, L.: Byzantizing Paxos by refinement. In: Peleg, D. ed. DISC 2011. LNCS, vol. 6950, pp. 211---224. Springer, Heidelberg 2011

Digital Library

[23]

Lamport, L.: How to write a 21st century proof. Fixed Point Theory and Applications 2012

[24]

Lamport, L., Merz, S.: Specifying and verifying fault-tolerant systems. In: Langmaack, H., de Roever, W.-P., Vytopil, J. eds. FTRTFT 1994 and ProCoS 1994. LNCS, vol. 863, pp. 41---76. Springer, Heidelberg 1994

Digital Library

[25]

Lamport, L., Sharma, M., Tuttle, M., Yu, Y.: The wildfire challenge problem 2001, http://research.microsoft.com/en-us/um/people/lamport/pubs/wildfire-challenge.pdf

[26]

Lamport, L., Tuttle, M., Yu, Y.: The wildfire verification challenge problem {example of a specification from industry}, http://research.microsoft.com/en-us/um/people/lamport/tla/wildfire-challenge.html

[27]

Leinenbach, D., Santen, T.: Verifying the Microsoft Hyper-V Hypervisor with VCC. In: Cavalcanti, A., Dams, D.R. eds. FM 2009. LNCS, vol. 5850, pp. 806---809. Springer, Heidelberg 2009

Digital Library

[28]

Lu, T., Merz, S., Weidenbach, C.: Towards verification of the Pastry protocol using TLA+. In: Bruni, R., Dingel, J. eds. FORTE 2011 and FMOODS 2011. LNCS, vol. 6722, pp. 244---258. Springer, Heidelberg 2011

Digital Library

[29]

Newcombe, C.: Debugging designs. Presented at the 14th Intl. Wsh. High-Performance Transaction Systems 2011, http://hpts.ws/papers/2011/sessions_2011/Debugging.pdf and associated specifications: http://hpts.ws/papers/2011/sessions_2011/amazonbundle.tar.gz

[30]

Owre, S., et al.: Combining specification, proof checking, and model checking. In: Alur, R., Henzinger, T.A. eds. CAV 1996. LNCS, vol. 1102, pp. 411---414. Springer, Heidelberg 1996

Digital Library

[31]

Schwartz, B.: The paradox of choice, http://www.ted.com/talks/barry_schwartz_on_the_paradox_of_choice.html

[32]

Zave, P.: Using lightweight modeling to understand Chord. Comp. Comm. Reviews 422, 49---57 2012

Digital Library

[33]

Zave, P.: A practical comparison of Alloy and Spin. Formal Aspects of Computing to appear, 2014, http://www2.research.att.com/~pamela/compare.pdf

Cited By

Dürschmid TRoychoudhury APaiva AAbreu RStorey M(2024)Towards Automatic Inference of Behavioral Component Models for ROS-Based Robotics SystemsProceedings of the 2024 IEEE/ACM 46th International Conference on Software Engineering: Companion Proceedings10.1145/3639478.3639808(247-251)Online publication date: 14-Apr-2024
https://dl.acm.org/doi/10.1145/3639478.3639808
Dürschmid TTimperley CGarlan DLe Goues CRoychoudhury APaiva AAbreu RStorey M(2024)ROSInfer: Statically Inferring Behavioral Component Models for ROS-based Robotics SystemsProceedings of the IEEE/ACM 46th International Conference on Software Engineering10.1145/3597503.3639206(1-13)Online publication date: 20-May-2024
https://dl.acm.org/doi/10.1145/3597503.3639206
Bögli RLerena LTsigkanos CKehrer T(2024)A Systematic Literature Review on a Decade of Industrial TLA+ PracticeIntegrated Formal Methods10.1007/978-3-031-76554-4_2(24-34)Online publication date: 11-Nov-2024
https://dl.acm.org/doi/10.1007/978-3-031-76554-4_2
Show More Cited By

Recommendations

Model Checking TLA+ Specifications
CHARME '99: Proceedings of the 10th IFIP WG 10.5 Advanced Research Working Conference on Correct Hardware Design and Verification Methods

TLA+ is a specification language for concurrent and reactive systems that combines the temporal logic TLA with full first-order logic and ZF set theory. TLC is a new model checker for debugging a TLA+ specification by checking invariance properties of a ...
Specifying and verifying PLC systems with TLA+: A case study

We report on a method for formally specifying and verifying programmable logic controllers (PLCs) in the specification language TLA^+. The specification framework is generic. It separates the description of the environment from that of the controller ...
Practical TLA+: Planning Driven Development

Comments

Information & Contributors

Information

Published In

cover image Guide Proceedings

ABZ 2014: Proceedings of the 4th International Conference on Abstract State Machines, Alloy, B, TLA, VDM, and Z - Volume 8477

June 2014

333 pages

ISBN:9783662436516

Editors:
Yamine Ait Ameur
INP-ENSEEIHT/IRIT, Toulouse Cedex 7, France
,
Klaus-Dieter Schewe
Software Competence Center Hagenberg, Hagenberg, Austria

Publisher

Springer-Verlag

Berlin, Heidelberg

Publication History

Published: 02 June 2014

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

13
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 03 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Dürschmid TRoychoudhury APaiva AAbreu RStorey M(2024)Towards Automatic Inference of Behavioral Component Models for ROS-Based Robotics SystemsProceedings of the 2024 IEEE/ACM 46th International Conference on Software Engineering: Companion Proceedings10.1145/3639478.3639808(247-251)Online publication date: 14-Apr-2024
https://dl.acm.org/doi/10.1145/3639478.3639808
Dürschmid TTimperley CGarlan DLe Goues CRoychoudhury APaiva AAbreu RStorey M(2024)ROSInfer: Statically Inferring Behavioral Component Models for ROS-based Robotics SystemsProceedings of the IEEE/ACM 46th International Conference on Software Engineering10.1145/3597503.3639206(1-13)Online publication date: 20-May-2024
https://dl.acm.org/doi/10.1145/3597503.3639206
Bögli RLerena LTsigkanos CKehrer T(2024)A Systematic Literature Review on a Decade of Industrial TLA+ PracticeIntegrated Formal Methods10.1007/978-3-031-76554-4_2(24-34)Online publication date: 11-Nov-2024
https://dl.acm.org/doi/10.1007/978-3-031-76554-4_2
Pick LDesai AGupta A(2023)Psym: Efficient Symbolic Exploration of Distributed SystemsProceedings of the ACM on Programming Languages10.1145/35912477:PLDI(660-685)Online publication date: 6-Jun-2023
https://dl.acm.org/doi/10.1145/3591247
Kuppe M(2022)The TLA DebuggerSoftware Engineering and Formal Methods. SEFM 2022 Collocated Workshops10.1007/978-3-031-26236-4_15(174-180)Online publication date: 26-Sep-2022
https://dl.acm.org/doi/10.1007/978-3-031-26236-4_15
Rubio RRiesco A(2022)Theorem Proving for Maude Specifications Using LeanFormal Methods and Software Engineering10.1007/978-3-031-17244-1_16(263-280)Online publication date: 24-Oct-2022
https://dl.acm.org/doi/10.1007/978-3-031-17244-1_16
Stankaitis PIliasov AKobayashi TAït-Ameur YIshikawa FRomanovsky A(2020)Formal Distributed Protocol Development for Reservation of Railway SectionsRigorous State-Based Methods10.1007/978-3-030-48077-6_14(203-219)Online publication date: 27-May-2020
https://dl.acm.org/doi/10.1007/978-3-030-48077-6_14
de Oliveira DCucinotta Tde Oliveira R(2019)Modeling the behavior of threads in the PREEMPT_RT Linux kernel using automataACM SIGBED Review10.1145/3373400.337341016:3(63-68)Online publication date: 25-Nov-2019
https://dl.acm.org/doi/10.1145/3373400.3373410
Konnov IKukovec JTran T(2019)TLA+ model checking made symbolicProceedings of the ACM on Programming Languages10.1145/33605493:OOPSLA(1-30)Online publication date: 10-Oct-2019
https://dl.acm.org/doi/10.1145/3360549
Selvaraj YAhrendt WFabian M(2019)Verification of Decision Making Software in an Autonomous Vehicle: An Industrial Case StudyFormal Methods for Industrial Critical Systems10.1007/978-3-030-27008-7_9(143-159)Online publication date: 30-Aug-2019
https://dl.acm.org/doi/10.1007/978-3-030-27008-7_9
Show More Cited By

View Options

View options

Media

Figures

Other

Tables

View Table of Contents