Erla⁺: Translating TLA⁺ Models into Executable Actor-Based Implementations
Pages 13 - 23
Abstract
Distributed systems are notoriously difficult to design and implement correctly. Although formal methods provide rigorous approaches to verifying the adherence of a program to its specification, there still exists a gap between a formal model and implementation if the model and its implementation are only loosely coupled. Developers usually overcome this gap through manual effort, which may result in the introduction of unexpected bugs. In this paper, we present Erla+, a translator which automatically translates models written in a subset of the PlusCal language to TLA+ for formal reasoning and produces executable Erlang programs in one run. Erla+ additionally provides new PlusCal primitives for actor-style modeling, thus clearly separating the modeled system from its environment. We show the expressivity and strengths of Erla+ by applying it to representative use cases such as a Raft-based key-value store. Our evaluation shows that the implementations generated by Erla+ offer competitive performance against manually written and optimized state-of-the-art libraries.
References
[1]
Heba Alkayed, Horatiu Cirstea, and Stephan Merz. 2020. An Extension of PlusCal for Modeling Distributed Algorithms. In TLA+ Community Event 2020.
[2]
Joe Armstrong. 2010. erlang. Commun. ACM, 53, 9 (2010), 68–75.
[3]
Yves Bertot and Pierre Castéran. 2013. Interactive theorem proving and program development: Coq’Art: the calculus of inductive constructions. Springer Science & Business Media.
[4]
Christian Cachin, Rachid Guerraoui, and Luís Rodrigues. 2011. Introduction to Reliable and Secure Distributed Programming (second edition. ed.). Springer Nature, Berlin, Heidelberg. isbn:3642152600
[5]
Brian F Cooper. 2019. Yahoo! Cloud Serving Benchmark. https://github.com/brianfrankcooper/YCSB (last accessed on 2024-05-15)
[6]
Brian F Cooper, Adam Silberstein, Erwin Tam, Raghu Ramakrishnan, and Russell Sears. 2010. Benchmarking cloud serving systems with YCSB. In Proceedings of the 1st ACM symposium on Cloud computing. 143–154.
[7]
Microsoft Corporation. [n. d.]. tlaplus Repository. https://github.com/tlaplus/tlaplus (last accessed on 2023-05-15)
[8]
Cezara Drăgoi, Thomas A Henzinger, and Damien Zufferey. 2016. PSync: a partially synchronous language for fault-tolerant distributed algorithms. ACM SIGPLAN Notices, 51, 1 (2016), 400–415.
[9]
Emanuele D’Osualdo, Jonathan Kochems, and C H Luke Ong. 2013. Automatic verification of Erlang-style concurrency. In Static Analysis: 20th International Symposium, SAS 2013, Seattle, WA, USA, June 20-22, 2013. Proceedings 20. 454–476.
[10]
Lars-Åke Fredlund and Hans Svensson. 2007. McErlang: a model checker for a distributed functional programming language. In Proceedings of the 12th ACM SIGPLAN international conference on Functional programming. 125–136.
[11]
Amir Ghaffari. 2014. Investigating the scalability limits of distributed Erlang. In Proceedings of the Thirteenth ACM SIGPLAN workshop on Erlang. 43–49.
[12]
Alkis Gotovos, Maria Christakis, and Konstantinos Sagonas. 2011. Test-driven development of concurrent programs using Concuerror. In Proceedings of the 10th ACM SIGPLAN Workshop on Erlang. 51–61.
[13]
Finn Hackett, Shayan Hosseini, Renato Costa, Matthew Do, and Ivan Beschastnikh. 2023. Compiling Distributed System Models with PGo. In Proceedings of the 28th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 2 (ASPLOS 2023). Association for Computing Machinery, New York, NY, USA. 159–175. isbn:9781450399166 https://doi.org/10.1145/3575693.3575695
[14]
Florian Haftmann and Lukas Bulwahn. 2013. Code generation from Isabelle/HOL theories. Part of the Isabelle documentation: http://isabelle. in. tum. de/dist/Isabelle2017/doc/codegen. pdf.
[15]
Chris Hawblitzel, Jon Howell, Manos Kapritsos, Jacob R Lorch, Bryan Parno, Michael L Roberts, Srinath Setty, and Brian Zill. 2015. IronFleet: proving practical distributed systems correct. In Proceedings of the 25th Symposium on Operating Systems Principles. 1–17.
[16]
Fred Hebert. 2013. Learn You Some Erlang for Great Good! A Beginner’s Guide. No Starch Press, USA. isbn:1593274351
[17]
Marian Hristov. 2024. Erla+ Repository. https://github.com/mmhristov/Erlaplus
[18]
Marian Hristov. 2024. Yahoo! Cloud Serving Benchmark for Raft implementations in Erlang. https://github.com/mmhristov/ycsb_raft
[19]
John Högberg. 2021. A few notes on message passing. https://www.erlang.org/blog/message-passing/ (last accessed on 2024-05-15)
[20]
Haukur Kristinsson, Ali Jafari, Ehsan Khamespanah, Brynjar Magnusson, and Marjan Sirjani. 2013. Analysing timed rebeca using mcerlang. In Proceedings of the 2013 workshop on Programming based on actors, agents, and decentralized control. 25–36.
[21]
Markus Alexander Kuppe, Leslie Lamport, and Daniel Ricketts. 2019. The TLA+ toolbox. arXiv preprint arXiv:1912.10633.
[22]
Leslie Lamport. 1994. The Temporal Logic of Actions. ACM Trans. Program. Lang. Syst., 16, 3 (1994), may, 872–923. issn:0164-0925 https://doi.org/10.1145/177492.177726
[23]
Leslie Lamport. 2002. Specifying systems: the TLA+ language and tools for hardware and software engineers.
[24]
Leslie Lamport. 2009. The PlusCal Algorithm Language. In Theoretical Aspects of Computing - ICTAC 2009, Martin Leucker and Carroll Morgan (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg. 36–60. isbn:978-3-642-03466-4
[25]
K Rustan M Leino. 2010. Dafny: An automatic program verifier for functional correctness. In International conference on logic for programming artificial intelligence and reasoning. 348–370.
[26]
Pierre Letouzey. 2008. Extraction in coq: An overview. In Logic and Theory of Algorithms: 4th Conference on Computability in Europe, CiE 2008, Athens, Greece, June 15-20, 2008 Proceedings 4. 359–369.
[27]
Yanhong A. Liu, Scott D. Stoller, and Bo Lin. 2017. From Clarity to Efficiency for Distributed Algorithms. ACM Trans. Program. Lang. Syst., 39, 3 (2017), Article 12, may, 41 pages. issn:0164-0925 https://doi.org/10.1145/2994595
[28]
Haojun Ma, Aman Goel, Jean-Baptiste Jeannin, Manos Kapritsos, Baris Kasikci, and Karem A Sakallah. 2019. I4: incremental inference of inductive invariants for verification of distributed protocols. In Proceedings of the 27th ACM Symposium on Operating Systems Principles. 370–384.
[29]
Gabriela Moreira, Cristiano Vasconcellos, and Janine Kniess. 2022. Fully-Tested Code Generation from TLA+ Specifications. In Proceedings of the 7th Brazilian Symposium on Systematic and Automated Software Testing (SAST ’22). Association for Computing Machinery, New York, NY, USA. 19–28. isbn:9781450397537 https://doi.org/10.1145/3559744.3559747
[30]
Diego Ongaro. 2014. TLA+ specification for the Raft consensus algorithm. https://github.com/ongardie/raft.tla (last accessed on 2024-05-15)
[31]
Diego Ongaro and John Ousterhout. 2014. In search of an understandable consensus algorithm. In 2014 USENIX annual technical conference (USENIX ATC 14). 305–319.
[32]
Oded Padon, Kenneth L McMillan, Aurojit Panda, Mooly Sagiv, and Sharon Shoham. 2016. Ivy: safety verification by interactive generalization. In Proceedings of the 37th ACM SIGPLAN Conference on Programming Language Design and Implementation. 614–630.
[33]
RabbitMQ. 2018. Ra: A Raft Implementation for Erlang and Elixir. https://github.com/rabbitmq/ra (last accessed on 2024-05-15)
[34]
RabbitMQ. 2018. Raft-based Key/Value Store. https://github.com/rabbitmq/ra-kv-store (last accessed on 2024-05-15)
[35]
Rick Reed. 2024. Scaling to Millions of Simultaneous Connections. http://www.erlang-factory.com/upload/presentations/558/efsf2012-whatsapp-scaling.pdf (last accessed on 2024-05-15)
[36]
Arni Hermann Reynisson, Marjan Sirjani, Luca Aceto, Matteo Cimini, Ali Jafari, Anna Ingólfsdóttir, and Steinar Hugi Sigurdarson. 2014. Modelling and simulation of asynchronous real-time systems using Timed Rebeca. Science of Computer Programming, 89 (2014), 41–68.
[37]
Marjan Sirjani, Ali Movaghar, Amin Shali, and Frank S De Boer. 2004. Modeling and verification of reactive systems using Rebeca. Fundamenta Informaticae, 63, 4 (2004), 385–410.
[38]
Hans Svensson and Lars-Åke Fredlund. 2007. Programming distributed erlang applications: pitfalls and recipes. In Proceedings of the 2007 SIGPLAN Workshop on ERLANG Workshop (ERLANG ’07). Association for Computing Machinery, New York, NY, USA. 37–42. isbn:9781595936752 https://doi.org/10.1145/1292520.1292527
[39]
Klaus v. Gleissenthall, Rami Gökhan Kıcı, Alexander Bakst, Deian Stefan, and Ranjit Jhala. 2019. Pretend synchrony: synchronous verification of asynchronous distributed programs. Proceedings of the ACM on Programming Languages, 3, POPL (2019), 1–30.
[40]
VMWare. [n. d.]. RabbitMQ. https://www.rabbitmq.com (last accessed on 2023-05-15)
[41]
Dong Wang, Wensheng Dou, Yu Gao, Chenao Wu, Jun Wei, and Tao Huang. 2023. Model checking guided testing for distributed systems. In Proceedings of the Eighteenth European Conference on Computer Systems. 127–143.
[42]
James R Wilcox, Doug Woos, Pavel Panchekha, Zachary Tatlock, Xi Wang, Michael D Ernst, and Thomas Anderson. 2015. Verdi: a framework for implementing and formally verifying distributed systems. In Proceedings of the 36th ACM SIGPLAN Conference on Programming Language Design and Implementation. 357–368.
[43]
Yuan Yu, Panagiotis Manolios, and Leslie Lamport. 1999. Model checking TLA+ specifications. In Advanced Research Working Conference on Correct Hardware Design and Verification Methods. 54–66.
[44]
Peter Zeller, Annette Bieniusa, and Carla Ferreira. 2020. Teaching Practical Realistic Verification of Distributed Algorithms in Erlang with TLA+. In Proceedings of the 19th ACM SIGPLAN International Workshop on Erlang (Erlang 2020). Association for Computing Machinery, New York, NY, USA. 14–23. isbn:9781450380492 https://doi.org/10.1145/3406085.3409009
Index Terms
- Erla⁺: Translating TLA⁺ Models into Executable Actor-Based Implementations
Recommendations
Translating B to TLA+ for Validation with TLC
ABZ 2014: Proceedings of the 4th International Conference on Abstract State Machines, Alloy, B, TLA, VDM, and Z - Volume 8477The state-based formal methods B and TLA + share the common base of predicate logic, arithmetic and set theory. However, there are still considerable differences, such as the way to specify state transitions, the different approaches to typing, and the ...
An Executable Specification Language for Planning Attacks to Security Protocols
CSFW '00: Proceedings of the 13th IEEE workshop on Computer Security FoundationsWe propose AL_SP, a Declarative Executable Specification Language for Planning Attacks to Security Protocols based on logic programming. In AL_SP, we can give a declarative specification of a protocol with the natural semantics of send and receive ...
Specifying and verifying PLC systems with TLA+: A case study
We report on a method for formally specifying and verifying programmable logic controllers (PLCs) in the specification language TLA^+. The specification framework is generic. It separates the description of the environment from that of the controller ...
Comments
Information & Contributors
Information
Published In
August 2024
107 pages
Copyright © 2024 Copyright is held by the owner/author(s). Publication rights licensed to ACM.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 28 August 2024
Check for updates
Author Tags
Qualifiers
- Research-article
Conference
Erlang '24
Sponsor:
Acceptance Rates
Overall Acceptance Rate 51 of 68 submissions, 75%
Upcoming Conference
ICFP '25
- Sponsor:
- sigplan
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 139Total Downloads
- Downloads (Last 12 months)139
- Downloads (Last 6 weeks)9
Reflects downloads up to 28 Dec 2024
Other Metrics
Citations
View Options
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in