Abstract

• We formalize the notion of assignments and assignment strategies.
• We present an SMT encoding from which assignment strategies are extracted.
• We define a sound decomposition of a TLA+ formula into symbolic transitions.
• We implement the above as part of the APALACHE model checker.
• We present experimental results using several state-of-the-art TLA+ specifications.

In TLA+, a system specification is written as a logical formula that restricts the system behavior. As a logic, TLA+ does not have assignments and other imperative statements that model checkers use to compute the successor states of a system state. Model checkers compute successors either explicitly, by evaluating program statements, or symbolically, by translating program statements to an SMT formula and checking its satisfiability. To efficiently enumerate the successors, TLA+'s model checker TLC introduces side effects: for instance, an equality x' = e is interpreted as an assignment of e to the yet unbound variable x. Inspired by TLC, we introduce an automatic technique for discovering expressions in formulas such as x' = e and x' ∈ {e1, …, ek} that can be provably used as assignments. In contrast to TLC, our technique does not explicitly evaluate expressions; it reduces the problem of finding assignments to the satisfiability of an SMT formula. Hence, we give a way to slice a formula into symbolic transitions, which can be used as input to a symbolic model checker. Our prototype implementation successfully extracts symbolic transitions from a few benchmarks.
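As an added illustration of the two ideas in the abstract (not code from the paper or from APALACHE, whose method encodes the problem in SMT), the Python sketch below slices a toy next-state formula into symbolic transitions and then, per transition, tries to pick one assignment candidate x' = e or x' ∈ S for each variable such that the right-hand sides can be ordered without a cyclic dependency, the way TLC needs x' bound before an expression reading x' is evaluated. The formula, the variables x and y, the `reads` annotations and the class names are constructed for this example; the acyclicity rule and the rule of keeping assignment-free disjunctions unexpanded are simplifications chosen here, not the paper's definitions of assignment strategy or of its decomposition.

```python
# Added illustration (not APALACHE's SMT-based method): slice a next-state formula into
# symbolic transitions and pick assignment candidates per transition.
from dataclasses import dataclass
from itertools import product
from typing import FrozenSet, List, Optional

@dataclass(frozen=True)
class Expr:            # uninterpreted expression; `reads` = primed variables it mentions
    text: str
    reads: FrozenSet[str] = frozenset()

@dataclass(frozen=True)
class Asg:             # assignment candidate: x' = e (op "=") or x' \in S (op "\\in")
    var: str
    op: str
    rhs: Expr

@dataclass(frozen=True)
class And:
    args: tuple

@dataclass(frozen=True)
class Or:
    args: tuple

def show(f) -> str:
    if isinstance(f, Expr):
        return f.text
    if isinstance(f, Asg):
        return f"{f.var}' {f.op} {f.rhs.text}"
    op = " /\\ " if isinstance(f, And) else " \\/ "
    return "(" + op.join(show(a) for a in f.args) + ")"

def reads(f) -> FrozenSet[str]:            # primed variables read anywhere inside f
    if isinstance(f, Expr):
        return f.reads
    if isinstance(f, Asg):
        return f.rhs.reads
    return frozenset().union(*(reads(a) for a in f.args))

def assigns(f) -> FrozenSet[str]:          # variables with a candidate x' = e / x' \in S in f
    if isinstance(f, (And, Or)):
        return frozenset().union(*(assigns(a) for a in f.args))
    return frozenset({f.var}) if isinstance(f, Asg) else frozenset()

def slice_transitions(f) -> List[tuple]:
    """Symbolic transitions of f as tuples of conjuncts; a disjunction is split only
    if some branch contains a candidate, otherwise it is kept as one constraint."""
    if isinstance(f, (Expr, Asg)):
        return [(f,)]
    if isinstance(f, And):
        return [sum(combo, ()) for combo in product(*(slice_transitions(a) for a in f.args))]
    if not assigns(f):                      # assignment-free Or: keep as one opaque constraint
        return [(Expr(show(f), reads(f)),)]
    return [t for a in f.args for t in slice_transitions(a)]

def order_assignments(chosen: dict) -> Optional[List[str]]:
    """Order variables so each rhs reads only primed vars assigned earlier; None if cyclic."""
    done, order, remaining = set(), [], set(chosen)
    while remaining:
        ready = sorted(v for v in remaining if chosen[v].rhs.reads <= done)
        if not ready:
            return None
        order.append(ready[0]); done.add(ready[0]); remaining.remove(ready[0])
    return order

def choose_assignments(transition: tuple, variables: List[str]):
    """One candidate per variable (rhs must not read that variable) admitting an
    acyclic order; returns ({var: candidate}, order) or None if no strategy exists."""
    cands = {v: [a for a in transition if isinstance(a, Asg) and a.var == v and v not in a.rhs.reads]
             for v in variables}
    if any(not c for c in cands.values()):  # some variable is never assigned in this transition
        return None
    for combo in product(*(cands[v] for v in variables)):
        chosen = dict(zip(variables, combo))
        order = order_assignments(chosen)
        if order is not None:
            return chosen, order
    return None

def analyze(formula, variables: List[str]) -> List[tuple]:
    """Per symbolic transition: (text, order in which assignments execute, or None)."""
    out = []
    for t in slice_transitions(formula):
        found = choose_assignments(t, variables)
        out.append((show(And(t)), None if found is None else found[1]))
    return out

# Constructed toy next-state relation over x and y (not from any real specification):
#   \/ x' = x + 1 /\ y' \in {TRUE, FALSE}
#   \/ y' = ~y /\ x' = IF y' THEN 0 ELSE x                (x' reads y')
#   \/ x < 10 /\ (x' = 0 \/ x' = 1) /\ y' = x' > 0 /\ (x > 0 \/ y)
Next = Or((
    And((Asg("x", "=", Expr("x + 1")), Asg("y", "\\in", Expr("{TRUE, FALSE}")))),
    And((Asg("y", "=", Expr("~y")), Asg("x", "=", Expr("IF y' THEN 0 ELSE x", frozenset({"y"}))))),
    And((Expr("x < 10"), Or((Asg("x", "=", Expr("0")), Asg("x", "=", Expr("1")))),
         Asg("y", "=", Expr("x' > 0", frozenset({"x"}))), Or((Expr("x > 0"), Expr("y"))))),
))
# Constructed counter-example: x' and y' read each other, so no acyclic order exists.
Cyclic = And((Asg("x", "=", Expr("y' + 1", frozenset({"y"}))), Asg("y", "=", Expr("x' - 1", frozenset({"x"})))))
```

Running `analyze(Next, ["x", "y"])` yields four transitions: the inner disjunction `x' = 0 \/ x' = 1` is expanded because both branches assign x', whereas `x > 0 \/ y` is left as a single constraint. The second transition must execute `y' = ~y` before `x' = IF y' THEN 0 ELSE x`, and `Cyclic` is reported as having no assignment strategy. The brute-force search over candidate combinations is what the paper replaces with an SMT query, which is what makes the approach scale beyond toy formulas.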
