> there have been a number of formal specification tools that have been developed in recent years which use programming-language-like notation, such as FizzBee, P, PlusCal, and Quint. I think these notations are more approachable for programmers than the more set-theoretic notation of TLA+.
This statement may make it seem like the design of those other languages is a later development than TLA+, while the opposite is the case. Programming-language-like specification languages have existed continuously since the 70s and 80s (VDM, Estelle, SMV, Spin/Promela - they were about as well known to practising programmers then as the newer ones are today), as well as model-checkable programming languages similar to P (Esterel). The new incarnations are very similar to those from more than four decades ago.
TLA+ was the newer development, designed as a reaction to the old programming-like approach, which, Leslie Lamport felt, wasn't simple and succinct enough, didn't allow for specification at arbitrary levels of detail, and didn't allow for easy manipulation and substitution (e.g. that `x = 2` might mean something different from `x + 3 = 5` is not just added complexity, but makes it hard to describe the relationship between specifications of the same system at different levels of detail).
Lamport decided to ditch the older style in favour of one based almost solely on simple mathematics (there were some earlier attempts, but they were still more programming-like than TLA+). He didn't expect that mathematics at the level taught in an introductory, first-semester university course would be so unapproachable to programmers.
Lamport didn't design TLA+ for model checking or for practising developers to use. He did it purely for publishing papers in which researchers could express their proofs as mathematics (his new TLA+) instead of free-form text.
TLA+ was specifically designed for practitioners (https://lamport.azurewebsites.net/tla/book.html), although he did use earlier incarnations of TLA to analyse his own concurrent and distributed algorithms.
His paper explaining TLA [1] says:
> We are motivated not by an abstract ideal of elegance, but by the practical problem of reasoning about real algorithms. Rigorous reasoning is the only way to avoid subtle errors in concurrent algorithms, and we want to make reasoning as simple as possible by making the underlying formalism simple.
The introduction to the book says:
> TLA provides a mathematical foundation for describing systems. To write specifications, we need a complete language built atop that foundation. I initially thought that this language should be some sort of abstract programming language whose semantics would be based on TLA. I didn’t know what kind of programming language constructs would be best, so I decided to start writing specifications directly in TLA. I intended to introduce programming constructs as I needed them. To my surprise, I discovered that I didn’t need them. What I needed was a robust language for writing mathematics.
> Although mathematicians have developed the science of writing formulas, they haven’t turned that science into an engineering discipline. ... The specification of a real system can be dozens or even hundreds of pages long. Mathematicians know how to write 20-line formulas, not 20-page formulas. So, I had to introduce notations for writing long formulas. What I took from programming languages were ideas for modularizing large specifications.
And the Getting Started portion says:
> A system specification consists of a lot of ordinary mathematics glued together with a tiny bit of temporal logic. That’s why most TLA+ constructs are for expressing ordinary mathematics. To write specifications, you have to be familiar with this ordinary math. Unfortunately, the computer science departments in many universities apparently believe that fluency in C++ is more important than a sound education in elementary mathematics. So, some readers may be unfamiliar with the math needed to write specifications. Fortunately, this math is quite simple. If exposure to C++ hasn’t destroyed your ability to think logically, you should have no trouble filling any gaps in your mathematics education.
He recognises the tradeoffs of abandoning the programming style, but it was done to make the language simple and practitioner-friendly (and it is a much simpler language than Python, let alone any other specification language, all while preserving maximal expressive power). You can have an opinion on whether this is a good tradeoff or not, but it was made intentionally, and with the purpose of helping practitioners.
[1]: https://lamport.azurewebsites.net/pubs/lamport-actions.pdf
Wetware programmers may have found the mathematics unapproachable, but what about the LLMs?
As a counterpoint, Dijkstra [0] makes a distinction between what he calls “postulational” and “operational” (more like what TFA is describing) formal methods. (Sidenote: I think people nowadays would use “denotational” instead of “postulational” (e.g. denotational vs. operational semantics), but Dijkstra wrote this in the 1980s)
Instead of thinking of a program as a set of potential execution traces, he advocated thinking of programs as formulas (e.g. pre/postconditions) that can be used to construct proofs without having to simulate any executions. His idea with weakest preconditions was to derive code from the desired logical properties, not to prove that a priori written code satisfies those properties, reckoning that his way would be less work and result in more elegant programs.
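As a rough illustration of the substitution idea (my own sketch, not Dijkstra's notation; the names `wp_assign`, `expr`, and `post` are hypothetical): for a single assignment, the weakest precondition is obtained by substituting the assigned expression into the postcondition, with no execution involved.

```python
# Hedged sketch of the weakest-precondition rule for one assignment
# x := expr(x): wp(x := e, Q) is Q with e substituted for x.
# The names here (wp_assign, expr, post) are mine, for illustration only.

def wp_assign(expr, post):
    """Return the weakest precondition of `x := expr(x)` w.r.t. `post`."""
    return lambda x: post(expr(x))  # pure substitution -- no traces simulated

post = lambda x: x > 3                   # desired postcondition: x > 3
pre = wp_assign(lambda x: x + 1, post)   # wp(x := x+1, x > 3), i.e. x > 2
```

Starting from `post` and calculating `pre` backwards is the direction Dijkstra advocated: the code is derived from the properties, not checked against them afterwards.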
I am just an amateur, but it seems like formal methods as a whole are often conflated with model checking and other operational formal methods.
[0] https://www.cs.utexas.edu/~EWD/transcriptions/EWD10xx/EWD101...
While there is a proof assistant for checking TLA+ proofs and a couple of model checkers for subsets of TLA+, TLA+ itself is no more and no less than a formal language for expressing mathematical formulas that describe dynamical systems.
There is no notion of code, program, or execution in TLA+ any more than the formula y(t) = y0 + v0t - 0.5gt^2 has the notion of a ball, a vacuum, or of Earth. When the author talks about "sets of behaviours" (really, classes of behaviours, but that's getting too technical) it is precisely in the same sense that the formula `x > 3` denotes the set of all integers > 3 in a logic over the integers.
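The point about denotation can be made concrete with a minimal Python sketch (mine, restricted to a finite slice of the integers purely for illustration):

```python
# A formula can be read as a predicate; its denotation is the set of
# assignments that satisfy it. Nothing is executed or simulated -- the
# "meaning" of `x > 3` simply *is* this set (here cut to a finite range).

def phi(x):
    return x > 3  # the formula `x > 3`

denotation = {x for x in range(-10, 11) if phi(x)}
# denotation == {4, 5, 6, 7, 8, 9, 10}
```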
What's interesting about TLA+ (or, really, about TLA, the temporal logic at the core of TLA+) is how change over time is represented. Rather than with an explicit time variable, TLA intrinsically represents the evolution of the values of variables over time in a way that makes abstraction-refinement relations (the relation between more and less detailed descriptions of a dynamical system) particularly easy to express.
Dijkstra's pre/post conditions can be expressed in TLA+ just as anything that could be stated precisely could be expressed in any sufficiently rich mathematical language.
We can choose to interpret some TLA+ formulas as "programs" just as we can choose to interpret some formulas as describing the motion of a baseball in a vacuum, but TLA+ allows us to express things that are more abstract than programs, which can be very useful (e.g. no program can express the Quicksort algorithm in its full generality, as that algorithm is too abstract to be a program, but it is nevertheless very useful to show that a particular program is a particular implementation of that algorithm).
P.S.
A model checker doesn't imply anything about the kind of formal specification used. It is a program that checks whether all assignments of free variables in a formula are satisfying assignments, or "models", for the formula (a model is a satisfying assignment of the free variables in a formula, i.e. an assignment that makes the formula true).
It is distinct from an automated proof finder in that it doesn't (necessarily) find a deductive proof in the relevant logic that the formula is always true, but rather operates in the semantic universe of the logic.
For example, the proposition `A ⇒ A` is true for any A in a simple boolean logic. We can determine that either via a deductive proof, which consists of a sequence of applications of the deductive rules of the logic, or by examining the relevant truth table; the latter method would be a form of model checking.
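Sketched in Python (a toy of my own): checking `A ⇒ A` by enumerating every row of the truth table is a miniature form of model checking, whereas a deductive proof would instead apply the logic's inference rules.

```python
from itertools import product

# Toy "model checker" for propositional formulas over named variables:
# enumerate every assignment (every row of the truth table) and check
# that the formula holds in each one. This works in the semantic
# universe of the logic; no deductive proof is constructed.

def model_check(formula, variables):
    return all(formula(dict(zip(variables, values)))
               for values in product([False, True], repeat=len(variables)))

implies = lambda p, q: (not p) or q

# A => A holds in every model:
valid = model_check(lambda env: implies(env["A"], env["A"]), ["A"])

# A => B does not (countermodel: A = True, B = False):
invalid = model_check(lambda env: implies(env["A"], env["B"]), ["A", "B"])
```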
Neither the use of deductive proofs nor of model checking implies anything about the nature of the logic. They are just two different ways of determining the truth of a proposition.
> A model checker doesn't imply anything about the kind of the formal specification used.
That is true; I was just contrasting the way TFA explained specifications as being definitions of groups of acceptable execution traces (perhaps checked using a model checker) with Dijkstra’s approach of characterizing the acceptable behavior without simulating any executions.
Both are of course valid approaches to demonstrate the correctness of a specification.
> I was just contrasting the way TFA explained specifications as being definitions of groups of acceptable execution traces (perhaps checked using a model checker) with Dijkstra’s approach of characterizing the acceptable behavior without simulating any executions.
I think that's a misunderstanding, as TLA+ doesn't require simulating anything (even the model checker doesn't work like that; it can check a formula that corresponds to an uncountable infinity of behaviours, each of them infinite, in a second [1]), and Dijkstra's approach is separate from the logical semantics.
It is true that a TLA formula denotes a set (really, a class) of something called "behaviours" (which could be interpreted as execution traces when a formula is interpreted to describe a program) just as the statement x > 3 denotes the set of all integers greater than 3 (in a logic over the integers), but in neither case is enumerating or "simulating" anything required, either in principle or in practice. It's just simple logical semantics, and Dijkstra's approach is easily expressed in a logic with such simple semantics.
In fact, TLA serves as a generalisation of Dijkstra's approach, as that approach falls short when dealing with concurrency. While in sequential programs it is easy to specify invariants as pre/post conditions, it is hard to do so in concurrent/distributed programs.
[1]: You can ask the TLC model checker to simulate behaviours if you want (it can be useful sometimes), but checking mode, not simulation mode, is the default. Obviously, in simulation mode TLC doesn't work as a model checker. Technically speaking, every TLA formula denotes an uncountable infinity of behaviours of infinite length, where between any two states in a behaviour there is an infinite number of steps (it is in this regard that TLA differs from other temporal logics like LTL), and each state in every behaviour is an assignment to an infinite number of variables (in fact, that uncountable infinity is so large that it doesn't even correspond to a set in the set-theoretic sense but to something called a class). The large infinities are what make TLA so suitable for expressing abstraction, refinement, and interactions between components.
This may sound strange, but it's actually how most simple logics work. When I said before that `x > 3` in a logic over the integers denotes the set of integers greater than 3, I wasn't entirely precise. What it really denotes is: "x is in the set of integers greater than three and any other imaginable variable could be any integer".
> TLA+ doesn't require simulating anything
I was referring to the way the Python REPL examples, tree diagrams, and sections on execution histories were used to explain things in the article, not to TLA+. I was contrasting how the author explained specifications versus how someone like Dijkstra would, not saying anything about TLA+. I don’t know enough about TLA+ to say anything interesting, but I appreciate your explanations of its approach!
You can read more about the Temporal Logic of Actions in my post here: https://pron.github.io/posts/tlaplus_part3
>His idea with weakest preconditions was to derive code from the desired logical properties, not to prove that a priori written code satisfies those properties, reckoning that his way would be less work and result in more elegant programs.
I love the idea. Are you aware of any such spec-based code generators in widespread use today?
The most developed one I know of is Atelier B [0], which uses the B-Method and has a C code generator. I believe this was the tool used to develop several driverless train control systems in the Paris Metro and other subways.
There is a free version but unfortunately it is not open source.
[0] https://www.atelierb.eu/en/
There are definitely some good patterns in here, but it needs worked examples.
I was hoping for a TLA+ example, but it never got there.
Hillel Wayne's "Practical TLA+" book and the TLA+ examples repository (https://github.com/tlaplus/Examples) both contain excellent worked examples ranging from simple algorithms to complex distributed systems.