# Learning TLA+ by Examples

Richard Tang

January 21, 2025

# Contents

| 1 | Intr                   | roduction                                           | 3         |
|---|------------------------|-----------------------------------------------------|-----------|
|   | 1.1                    | Catching Problems Early                             | 3         |
|   | 1.2                    | The Generalized Problem                             | 4         |
|   | 1.3                    | $\mathrm{TLA}+\ldots\ldots\ldots\ldots\ldots\ldots$ | 5         |
|   | 1.4                    | Target Audience                                     | 5         |
|   | 1.5                    | Book Layout                                         | 5         |
| 2 | TL                     | A+ Primer                                           | 7         |
|   | 2.1                    | Design Intent                                       | 7         |
|   | 2.2                    | Requirement                                         | 8         |
|   | 2.3                    | Spec                                                | 8         |
|   | 2.4                    | Safety                                              | 9         |
|   | 2.5                    | Liveness                                            | 9         |
|   | 2.6                    | Model Checker                                       | 10        |
|   |                        |                                                     |           |
| Ι | $\mathbf{E}\mathbf{x}$ | camples                                             | <b>12</b> |
| 3 | Blir                   | nking LED                                           | 13        |
|   | 3.1                    | Requirement                                         | 13        |
|   | 3.2                    | Spec                                                | 13        |
|   | 3.3                    | Safety                                              | 15        |
|   | 3.4                    | Liveness                                            | 15        |
|   | 3.5                    | Model Checking                                      | 15        |
|   | 3.6                    | Limitation                                          | 16        |
| 4 | Sim                    | aple Gossip Protocol                                | 17        |
|   | 4.1                    | Requirement                                         | 17        |
|   | 4.0                    |                                                     |           |
|   | 4.2                    | Spec                                                | 18        |
|   | 4.2                    | Spec                                                | 18<br>20  |
|   |                        | -                                                   | _         |
| 5 | 4.3<br>4.4             | Safety                                              | 20        |

Contents 2

| 6                         | Simple Scheduler                                                                                                                                                              | 27                         |
|---------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------|
|                           | 6.1 Requirement                                                                                                                                                               | 27                         |
|                           | 6.2 Spec                                                                                                                                                                      | 27                         |
|                           | 6.3 Safety                                                                                                                                                                    | 29                         |
|                           | 6.4 Liveness                                                                                                                                                                  | 29                         |
|                           | 6.5 Requirement                                                                                                                                                               | 31                         |
|                           | 6.6 Spec                                                                                                                                                                      | 31                         |
| II                        | Examples with PlusCal                                                                                                                                                         | 32                         |
| 7                         | SPSC Lockfree Queue                                                                                                                                                           | 33                         |
|                           | 7.1 Requirement                                                                                                                                                               | 33                         |
|                           | 7.2 Spec                                                                                                                                                                      | 35                         |
|                           | 7.3 Safety                                                                                                                                                                    | 35                         |
|                           | 7.4 Liveness                                                                                                                                                                  |                            |
|                           | 7.5 Configuration                                                                                                                                                             | 36                         |
| 8                         | SPMC Lockless Queue                                                                                                                                                           | 37                         |
|                           |                                                                                                                                                                               |                            |
| II                        | I Language Reference                                                                                                                                                          | 38                         |
| II<br>9                   | I Language Reference  Data Structure                                                                                                                                          | 38<br>39                   |
|                           |                                                                                                                                                                               | 39                         |
|                           | Data Structure                                                                                                                                                                | <b>39</b><br>39            |
| 9                         | Data Structure 9.1 Set                                                                                                                                                        | <b>39</b><br>39            |
| 9<br>10                   | Data Structure           9.1 Set                                                                                                                                              | <b>39</b><br>39<br>39      |
| 9<br>10                   | Data Structure           9.1 Set                                                                                                                                              | 39<br>39<br>39<br>41       |
| 9<br>10                   | Data Structure 9.1 Set                                                                                                                                                        | 39 39 39 41 42             |
| 9<br>10                   | Data Structure  9.1 Set                                                                                                                                                       | 39 39 39 41 42 42 43       |
| 9<br>10<br>11             | Data Structure  9.1 Set                                                                                                                                                       | 39 39 39 41 42 42 43       |
| 9<br>10<br>11             | Data Structure         9.1 Set          9.2 Tuple          Didiom       Fairness and Liveness         11.1 Liveness          11.2 Weak Fairness          11.3 Strong Fairness | 39 39 39 41 42 42 43 44    |
| 9<br>10<br>11<br>12<br>13 | Data Structure  9.1 Set  9.2 Tuple  Didiom  Fairness and Liveness  11.1 Liveness  11.2 Weak Fairness  11.3 Strong Fairness  TLA+ Abstraction Guideline                        | 39 39 39 41 42 42 43 44    |
| 9<br>10<br>11<br>12<br>13 | Data Structure  9.1 Set  9.2 Tuple  1 Idiom  Fairness and Liveness  11.1 Liveness  11.2 Weak Fairness  11.3 Strong Fairness  2 TLA+ Abstraction Guideline  Reference          | 39 39 39 41 42 43 44 46 47 |

## Introduction

## 1.1 Catching Problems Early

Years ago, I worked on a propietary low power processor in an embedded system. The processor ran microcode featuring a custom instruction set. To enter a low power state, a set of (possibly hundreds) instructions were executed. These instructions progressively puts the system in lower power state. For example: turn off IP A, then turn off IP B, then turn off the power island to the IPs. To save cost and power, the low power processor had very limited debuggability support.

An experienced reader may start to notice some redflags.

If the microcode attempts to access the memory interface when the power island has been shut off, processor would hang. Since the power island has been shut off, the physical hardware debug port is also shut off, leaving the developer with *no way* of live debugging related problem. At this point the developer needs to siphon through (possibly hundreds) of instructions to catch invariant violation *manually*.

As one can imagine, maintaining the microcode was very expensive for the team. Fortunately, the propietary low power processor only had a handful of instructions, I created an emulator for this propietary processor to verify the microcode prior to deploying it on target. The emulator models the processor states as a state graph, with executed instruction transitions the state machine to to the next state. At every state all the invariants are evaluated to ensure none have been violated. Examples of invariants included:

- Accessing memory interface after power off leads to a hang
- Accessing certain register in certain chip revision leads to a hang
- Verify IPs are shut off in the allowed order

The verification algorithm was implemented using a depth-first search algorithm, providing 100% microcode coverage before deploy on target.

This was a very enlighting experience. To generalize, there are a class of problem where the solution has high *failure cost*. Solution such as lockless or waitfree data structure, distributed algorithms, OS scheduler are typically hard to reason about correctness because all the possible states existed during execution. These solutions tend to have high failure cost because related issues are difficult to reproduce and hard to debug. Good software engineering practice suggest we need to implement tests, but tests do not cover the entire state graph of the solution space exhaustively.

So, how do we ensure the solution is correct by design?

#### 1.2 The Generalized Problem

Fast forward to now: I stumbled across TLA+, a formalized solution of what I was looking for.

Leslie Lamport invented the TLA+ 1999, but TLA+ didn't appear to have caught on until the 2010's. My personal opinion is TLA+ was invented ahead of its time, and the problem complexity finally caught up in the past decade or so to allow TLA+ to visibly demonstrate its strength.

We are also at a point in the technology curve where vertical scaling is no longer practical, with CPU speed plateau'd in the past decade or so. The industry is exploring horizontal scaling solution, such as hardware vendor focusing adding more CPU cores, or software vendors buying many low end hardware instead of a few high end hardware. This shifts the technology complexity from hardware to software, demanding software solution to maximize concurrent hardware resource utilization.

One slight problem: human are bad at concurrent reasoning.

Humans are fundamentally single-threaded machines. Reasoning things that execute in parallel is possible, but difficult. It is hard to enumerate all possible scenario in one's mind to ensure the design accommodates all the edge cases.

Consider a distributed system. The system is a cluster of independently operating entities and need to somehow collectively offer the correct system behaviour, while any one of the machines may receive instructions out of order, crash, recover, etc.

Consider a single producer multiple consumer lockless queue. The consumers may reserve an index in the queue in certain order, but may release them in different order. What if one reader is really slow, and another reader is super fast and possibly lapse the slow reader?

Consider an OS scheduler with locks. Assume all the processes have the same priority. Can a process starve the other processes by repeatedly acquire and release the lock? How do we ensure scheduling is fair?

The usual *anti-pattern* is to keep bandaiding the design until bugs stop comming. This is never ideal. Per Murphy's law, anything that can go wrong will go wrong, and a hard to reproduce bug will come in at the most inconvinient time. How do we make sure the solution is actually *correct by design*? To solve this problem, we must rely on tools to do the reasoning *for us*.

#### $1.3 \quad TLA +$

TLA+ is a system specification language, with the intent to describe the system with implementation details removed. TLA+ allows designer to describe the system as a sequence of states. The designer can expresses transition condition from one state to another, describe invariants that must hold true in every state and liveness properties that the overall system should converge to. The key innovation of TLA+ is once the system is modeled as a finite state machine, the states can be exhaustively explored (via breath-first-search) to ensure certain properties are held through out the entire state space (either per state or a sequence of states).

## 1.4 Target Audience

The intent for the book is to teach reader how to write TLA+ spec for their design to provide confidence in *design correctness*. The content to this book is appropriate for software designer, hardware designer, system architect, and such.

As for the readers: some computing science knowledge is required. One doesn't need to be expert at a particular language to understand this book; TLA+ is effectively its own language. This book is example driven and will go through designs such as lockless queue, simple task scheduler, consensus algorithm, etc. Reader will likely enjoy a deeper insight if she has some familiarity with these topics.

## 1.5 Book Layout

This book was motivated by the intent to solve problems. The book is designed to be example heavy with many chapter each representing an problem that can

be modelled using TLA+.

Examples are split into two categories: A set of examples written using native TLA+ syntax, and another set of examples written using PlusCal (C-like syntax). I believe they are useful under different use cases. The differences will be highlighted in their respective sections. All examples will follow a similar layout, covering the expected design process (eg. requirement, spec, safety and liveness properties).

Finally, there will be part that language reference portion that that discuss a few topics deserving extra attention. The intent is to be using this section of the book as a *reference*.

## TLA+ Primer

## 2.1 Design Intent

The key insight into TLA+ is modelling a system as a state machine. A blinking LED system can be described using a single variable with two states, LED being on or off. A simple digital clock can be represented by two variables, hour and minute and the number of possible states in a digital clock is 24\*60 = 1440. For example, 10:01 is the next state 10:00 can transition to. Extrapolating further, Asssume an arbitrarily system described by N variables, each variable having K possible values such arbitrary system can have up to  $N^K$  state.

For every specification, designer can specify safety proerty (or invariants) that must be true in every states. For example, in any state of the digital clock hour must be between 0 to 23, or formally described as  $hour \in 0..23$ . Similarly,  $minute \in 0..59$ . More generic invariant examples include: in any state, only one thread has exclusive access to a critical region, all variables in the system are within allowable value, the resource allocation manager never allocates more than available resources, etc.

Designer can also specify liveness property. These are properties that are satisfied by a sequence of state. One liveness property for the digital clock could be when the clock is 10:00, it will eventually become 11:00 (10:00 leads to 11:00). More generic liveness property include: a distributed system eventually converges, the scheduler eventually schedules every tasks in the task queue, the resource allocation manager fairly allocates resources, etc.

TLC checks a TLA+ spec using *breath-first search* algorithm to explore *all* states in the state machine and ensure safety and liveness properties are upheld. TLA+ specifies the system using *propositional logic*.

## 2.2 Requirement

In this example, we will specify a *digital clock*. The digital clock has a few simple requirements:

- Two variables to represent state: hour and minute
- The clock increment one minute at a time
- The clock wraps around at midnight (ie. 23:59 transitions to 00:00)

#### 2.3 Spec

The *Init* state of such system can be described as:

```
Init \stackrel{\triangle}{=} \\ \wedge hour = 0 \\ \wedge minute = 0
```

 $\stackrel{\triangle}{=}$  is the defines equal symbol and  $\wedge$  is the logical and symbol. The above TLA+ syntax can be read as Init state is defined as both hour and minute are both 0.

The spec also always include a *Next* definition, an *action formula* describing how the system transition from one state to another. Action formula contains *primed* variables what happens to the variable in its next state. The *Next* action for the digital clock can be defined as:

```
NextHour \triangleq \\ \land minute = 59 \\ \land hour' = (hour + 1)\%24 \\ \land minute' = 0 \\ NextMinute \triangleq \\ \land minute \neq 59 \\ \land hour' = hour \\ \land minute' = minute + 1 \\ Next \triangleq \\ \lor NextMinute \\ \lor NextHour
```

Here's a breakdown of what the spec does:

- Next can take NextMinute or NextHour
- Next takes NextMinute when minute is not 59, next hour is hour, next minute is minute + 1.

• Next takes NextHour when minute is 59, next hour is (hour + 1) modulus 24, next minute set to 0

Technically it's possible for *Next* to take both *NextMinute* and *NextHour*. This is not possible in this definition as *NextHour* and *NextMinute* are defined in a *mutually exlusively* fashion.

Finally, the spec itself is formally defined as:

```
\begin{array}{l} vars \; \stackrel{\triangle}{=} \; \langle hour, \; minute \rangle \\ Spec \; \stackrel{\triangle}{=} \; \\ \wedge \; Init \\ \wedge \; \Box [Next]_{vars} \end{array}
```

 $\Box[Next]_{vars}$  deserves some special attention:

- vars is defined to be all variables in the spec. Different combination of these variables constitute the states of the system (eg. 23:59 and 00:00 are both states in the system).
- $\square[Next]_{vars}$  is a box-action formula, where Next is an action and vars is a state function.
- — operator asserts the formula is always true for every step in the behaviour.
- And steps in the behaviour is defined as  $[Next]_{vars}$ , where Next describe the action and vars capturing all variables representing the state.

## 2.4 Safety

Safety property describes invariant that must hold true in every state of system. A common invariant is *type safety* checks. In a digital clock, hour can only be in value between 0 to 23, and minute can only be value of 0 to 59:

```
Type\_OK \triangleq \\ \land hour \in 0 ... 23 \\ \land minute \in 0 ... 59
```

#### 2.5 Liveness

Liveness property verifies certain behavioural across a sequence of state. One liveness property can be confirming the clock wraps around correctly at midnight (which involves multiple states):

```
Liveness \triangleq
```

```
\land hour = 23 \land minute = 59 \Rightarrow hour = 0 \land minute = 0
```

→ is the *leads to* operator, suggesting something is eventually true. TLA+ provides a set of formulas that can be used to describe liveness property.

To verify liveness, we need to modify the spec slightly to enable *fairness* to prevent *stuttering*. In plain terms, fairness ensure *something* always happen in every step, allowing the states to transition. Without fairness the spec is allowed to *do nothing* as next step, this means liveness condition may fail because the spec permits the system to do nothing in perpetuity as next state. Fairness will be covered in more detailed in later chapter.

```
Spec \triangleq \\ \wedge Init \\ \wedge \Box [Next]_{vars} \\ \wedge WF_{vars}(Next)
```

 $WF_{vars}(Next)$  is the fairness qualifier.

#### 2.6 Model Checker

The TLA+ spec can be verified using TLC model checker. The TLC model checker runs the spec and verifies all configured safety and liveness properties are satisfied during execution. To run TLC, we need two things:

- clock.tla the spec itself
- clock.cfg the corresponding configuration file

For reference, clock.tla spec is listed below:

```
- MODULE clock
EXTENDS Naturals
VARIABLES hour, minute
vars \triangleq \langle hour, minute \rangle
Type\_OK \triangleq
     \land \ hour \in 0 \ldots 23
     \land minute \in 0...59
Liveness \triangleq
     \land hour = 23 \land minute = 59 \Rightarrow hour = 0 \land minute = 0
Init \triangleq
     \wedge hour = 0
     \land minute = 0
NextMinute \triangleq
     \land \ minute = 59
     \wedge hour' = (hour + 1)\%24
     \wedge minute' = 0
```

```
NextHour \triangleq \\ \land minute \neq 59 \\ \land hour' = hour \\ \land minute' = minute + 1
Next \triangleq \\ \lor NextMinute \\ \lor NextHour
Spec \triangleq \\ \land Init \\ \land \Box[Next]_{vars} \\ \land WF_{vars}(Next)
```

The corresponding clock.cfg is listed below:

```
SPECIFICATION Spec
INVARIANTS Type_OK
PROPERTIES Liveness
```

Now run TLC and one should see something like this:

```
Model checking completed. No error has been found.
...
The depth of the complete state graph search is 1440.
```

# Part I Examples

# Blinking LED

Let's start with a trivial specification of a blinking LED. The intent of this example is to demonstrate the core functionalities of TLA+ specification language.

TODO: briefly talk about tla+ and model checker here.

## 3.1 Requirement

The LED is represented by a boolean variable that can be either 0 or 1.

... that's it.

## 3.2 Spec

The specification language may appear alienating as it is mathematically motivated based on propositional logic. Despite the (possibly) daunting syntax, designer only need to be familiar with a handful of key operators to start realizing value using TLA+. This chapter will attempt to describe the example in exhaustive detail to reduce the learning curve.

The following describe the core portion of the blinking LED spec.

```
VARIABLES b

vars \triangleq \langle b \rangle

Init \triangleq

\wedge b = 0

On \triangleq

\wedge b' = 1

Off \triangleq

\wedge b = 1

\wedge b' = 0
```

```
 \begin{array}{c} Next \stackrel{\triangle}{=} \\ \lor Off \\ \lor On \\ Spec \stackrel{\triangle}{=} \\ \land Init \\ \land \Box [Next]_{vars} \end{array}
```

- $\stackrel{\triangle}{=}$  is the defines equal operator
- $\wedge$  and  $\vee$  are the AND and OR operator. The effect of these operator follow the natural definition in English:
  - -C  $\stackrel{\triangle}{=}$   $A \land B$ : C is true iff A and B are true -C  $\stackrel{\triangle}{=}$   $A \lor B$ : C is true iff A or B is true
- The ' operator represents the next state. b' represent b's next state.
- VARIABLES keyword defines a list of variables for the spec. In this case the spec defines a variable b which can be either 0 or 1
- vars is typically defined as a shorthand to refer to all variables in the spec.

With the above definition, we can revisit the Action definitions: *Init* defines the initial system state, where b is set to 0.

Next requires more elaboration. TLA+ specifies the system as a collection of states with transitions between them. In a simplified sense, the state is described as a collection of ANDs (eg. system is in state C if both A and B are true), the ORs then describe the states the system can possibly be in (eg. system can be in state C OR D). Revisiting the example, the blinking LED has two states:

- $On \triangleq b = 0 \land b' = 1$ : b switches on
- Off  $\stackrel{\triangle}{=} = 1 \wedge b' = 0$ : b switches off

The system's Next state is defined to be one of these states:  $Next \triangleq On \vee Off$ .

 $\Box[Next]_{vars}$  is a **Box-Action Formula**, where Next is an action and vars is a state function. The formula is true iff every successive pair of steps in behaviour is a  $[Next]_{vars}$ . Finally Spec is conjunction between Init and  $\Box[Next]_{vars}$ . Note all TLA+ specification follows very similar template. There are situation we will need to provide fairness description - this will be covered later.

In short: this specification describes a two-state state machine where b toggles between 0 and 1.

Note that b can technically be *anything*. b can be 0, 1, -42, a dinosaur, etc. TLA+ specifies values of b which are valid in the system.

## 3.3 Safety

The spec so far only defines the possible states - but the *power* of TLA+ lies in its *properties* description. Safety properties are invariants that must hold true in *every* state. An invariant in the blinking LED example is:

```
TypeOK \stackrel{\Delta}{=} b \in \{0, 1\}
```

This states the only valid value of b is 0 or 1. If b is ever set to anything else, the spec is invalid.

Some example safety properties include: Only a single thread have exclusive access to critical section, number of concurrent reads cannot exceed data available to be read, etc.

#### 3.4 Liveness

While safety properties describe invariant that must be upheld in every state, *Liveness* describe properties of a sequence of states. In the blinking LED example, a liveness property can be the if b is 0, it eventually becomes 1, and vice versa. This is described below:

```
Liveness \stackrel{\triangle}{=} \\ \land b = 0 \leadsto b = 1 \\ \land b = 1 \leadsto b = 0
```

It is the author's opinion liveness describes the *design essense* behind the spec. The key characteristic of a system is described by its *behaviour* across a series of states. Does a distribute algorithm eventually converge to a working state? Does a resource manager fairly allocate resources in all scenarios? Does a scheduler ensure all tasks are eventually scheduled? These are behaviours that are *cannot* be concluded by looking at a single state, but across a *sequence of state*. Liveness allows designer to express and verify these properties.

## 3.5 Model Checking

Since the blinking LED is trivially specified, the full specification is included below. For subsequent chapters only snippet will be included. Please refer to the accompanied material for full spec source.

— MODULE blinking

```
TODO: install toolchain
TODO: commandline
TODO: using TLC
The following is the content of blinking.tla:
```

```
EXTENDS Naturals
VARIABLES b
vars \stackrel{\triangle}{=} \langle b \rangle
TypeOK \stackrel{\triangle}{=}
```

 $\wedge b \in \{0, 1\}$ 

```
\begin{array}{l} \textit{Liveness} \; \stackrel{\triangle}{=} \\ \; \; \wedge \; b = 0 \leadsto b = 1 \\ \; \wedge \; b = 1 \leadsto b = 0 \\ \textit{Init} \; \stackrel{\triangle}{=} \\ \; \; \wedge \; b = 0 \\ \; \textit{Next} \; \stackrel{\triangle}{=} \\ \; \; \vee \; \wedge \; b = 0 \\ \; \; \wedge \; b' = 1 \\ \; \vee \; \wedge \; b = 1 \\ \; \; \wedge \; b' = 0 \\ \textit{Spec} \; \stackrel{\triangle}{=} \\ \; \; \wedge \; \textit{Init} \\ \; \wedge \; \Box [\textit{Next}]_{\textit{vars}} \\ \; \wedge \; \text{WF}_{\textit{vars}}(\textit{Next}) \end{array}
```

The following is the content of *blinking.cfg*:

```
SPECIFICATION Spec
INVARIANTS TypeOK
PROPERTIES Liveness
```

## 3.6 Limitation

Since TLA+ exhaustively explores all possible state, a linear growth of variables leads to TLC (temporal logic checker) execution time grows *exponentially*. This means the specification must be scoped correctly to limit the state space.

Similarly, if you want to verify concurrent psuedo code implementation in PlusCal, you can likely at most verify 10s of lines of code.

# Simple Gossip Protocol

This section the author's notes on a simple gossip protocol by Andrew Hewler: https://ahelwer.ca/post/2023-11-01-tla-finite-monotonic/

## 4.1 Requirement

In a distributed system, a cluster of nodes collectively provide a serivce. A distributed database may have a collection of 10s to 100s of nodes working together to offer the service in a geo diverse fashion to be immnue to partial outage. The nodes often have requirements to know about each other. In the context of distributed database, a node may need to know the key range another of its peers. The cluster needs a way to communicate this information. One such mechanism is the gossip protocol.

Gossip protocols are used to communicate cluster information in a distributed fashion, (unsurprisingly) in a distributed system. Without gossip protocol, nodes in a cluster learns about its neighbours by contacting a centralized server. This introduces a single failure point in the system. As the name suggest, gossip protocol relies on nodes to gossip with each other. The nodes in the cluster periodically selects a set of neighbors to exchange what it knows about the cluster. The recency information is part of the gossip message itself, allowing the node and the peer its talking to quickly decide who has the latest information on a node, and converge to it. Assume a N node cluster and each interal a node selects k neighbours to gossip with, the total amount of gossip propagation time is described logrithmticly below:

$$propagation\_time = \log_k N * gossip\_interval$$
 (4.1)

With the total number of messages exchanged:

$$messages\_exchanged = \log_k N * k$$
 (4.2)

Now let's look at how a simple gossip protocol can be described by TLA+.

## 4.2 Spec

In gossip protocol, every node needs to remember all its peers current version. This can be represented as a two dimension array:

```
Init \stackrel{\Delta}{=} counter = [n \in Node \mapsto [o \in Node \mapsto 0]]
```

This defines counter a collection of nodes, where each node also contains a collection of nodes initialized to 0. The nodes can bump to a new version:

```
Increment(n) \triangleq counter' = [counter \ \text{Except } ![n][n] = @+1]
```

Notice increment only bumps node's version. This change needs to be gossiped across the cluster:

```
Gossip(n, o) \triangleq \\ LET \ Max(a, b) \triangleq \text{ if } a > b \text{ then } a \text{ else } b \\ IN \ counter' = [\\ counter \ EXCEPT \ ![o] = [\\ nn \in Node \mapsto \\ Max(counter[n][nn], \ counter[o][nn]) \\ ]
```

A few things to unpack here:

- n, o are the two nodes exchanging gossip. o is the node to be updated and n is the neighbor o gossips with.
- LET..IN allows local definition under LET used under IN. In this case Max is a local macro defined to return maximum between a and b.
- counter' (or referred to as counter *prime*) is what the variable will be in the next state. TLA+ doesn't provide a way to update a variable in a collection, so the convention is to assign a new array to the variable.
- $counter\ EXCEPT![o] = [...]$  return counter with counter[o] defined in the bracket.
- where [...] is a collection of nodes with with counter set to the max between the current node and neighbour.

Finally, the actual spec:

```
Next \stackrel{\triangle}{=} \lor \exists n \in Node : Increment(n)
```

```
\vee \exists n, o \in Node : Gossip(n, o)
```

Next supports two possible next steps describe using disjunctions. The first is bumping the version of a random node, the second is select a pair of nodes to gossip. Note the *existential qualifier* on both, which basically states there exists a node n in nodes, or there exists a pair of nodes n, o in nodes, respectively.

There's a minor problem with the definition above. Gossip protocol, like many converging protocols, have a *monotonic increasing* requirement. On failures, the protocol bumps the version, which increases monotonically. Since TLA+ spec models the system as a graph, a monotonic increasing version number means the state graph is *infinitely large*. To put the specification back into finite space, we can normalize the state:

```
GarbageCollect \triangleq \\ \text{LET } SetMin(s) \triangleq \text{CHOOSE } e \in s : \forall \ o \in s : e \leq o\text{IN} \\ \text{LET } Transpose \triangleq SetMin(\{counter[n][o] : n, \ o \in Node\})\text{IN} \\ \wedge counter' = [\\ n \in Node \mapsto [\\ o \in Node \mapsto counter[n][o] - Transpose \\ ]\\ \cap \land \text{UNCHANGED } converge
```

Garbage Collect substracts every version value with set minimum. To limit range of version value, the increment function is now updated to:

```
 Increment(n) \triangleq \\  \land \neg converge \\  \land counter[n][n] < Divergence \\  \land S!Increment(n) \\  \land \text{UNCHANGED} \ converge
```

Finally, the *Next* is updated to the follow:

```
Next \triangleq 
 \lor \exists n \in Node : Increment(n)
 \lor \exists n, o \in Node : Gossip(n, o)
 \lor Converge
 \lor GarbageCollect
```

Note *Garbage Collect* is a now part of possible state transition. We will discuss *Converge* later, as it is related to liveness check. Lastly:

```
Fairness \stackrel{\triangle}{=} \forall n, o \in Node : WF_{vars}(Gossip(n, o))
Spec \stackrel{\triangle}{=} \land Init
```

```
 \land \Box [Next]_{vars} \\ \land Fairness
```

The Fairness definition ensures Gossip runs between every pair of nodes gossip.

## 4.3 Safety

In every state, counter[n][o] next must be larger than counter[n][o] current:

#### 4.4 Liveness

For liveness we want to check the version value across all nodes eventually converge. *Next* is updated to set Converge to true, which triggers the liveness condition and ensure all pair of nodes eventually have the same information.

```
\begin{array}{ll} Convergence & \triangleq \forall \ n, \ o \in Node : counter[n] = counter[o] \\ Liveness & \triangleq converge \leadsto S! \ Convergence \\ Converge & \triangleq \\ & \land \ converge' = \texttt{TRUE} \\ & \land \ \texttt{UNCHANGED} \ \ counter \end{array}
```

## Raft Consensus Protocol

Raft consensus protocol is a consensus algorithm that allows a cluster of independent nodes to work collectly to offer a service. One application of the raft consensus protocol is for database replication protocol. Assume replication factor of 3 and hard drive failure rate of 0.81% per year, the possibility of the total failure where the entire replication group goes down is  $1-0.0081^3=99.9999\%$  uptime [3].

This section will provide a brief description of the protocol, enough to enable discussion of the TLA+ protocol. For a full description of the Raft protocol, please refer to the sentinal paper [4].

The Raft protocol implements a few key tenent principles:

- A Raft cluster have N nodes, the cluster work collective as a system to offer some service
- Each node can be in one of three possible states: Follower, Candidate, Leader
- During normal operations, a cluster of N nodes have a single leader and N-1 followers.
- The leader handles all the client interactions. Requests sent to followers will be redirected to the leader.
- The leader regularly sends heartbeat to the follower, indicate its alive.
- The leader forwards all client requests to all of the followers. Once the majority nodes have processed the request, the request is now considered committed to the system.
- Once a request is *committed*, the protocol gaurantees the *system* will persist (possibly correct and re-replicate) all records across the cluster under *all* circumstance, including:

- One or more server lost packet due to unfavourable network condition
- One or more server crashed and recovered
- A subset of the server were partitioned off for some period of time
- ... etc
- If a follower cannot detect heartbeat from the leader, it will transition to become a candidate, vote for itself, and campaign for leader.
- A candidate collect the majority of the vote becomes the leader
- A newly elected leader will send a heartbeat to other nodes (irrespective to their state, leader, follower or candidate).

There are a lot of details omitted here, such as:

- How a node determine if it should vote for candidate
- How a node knows it's leadership status expired
- How a newly elected leader syncs its logs with the follower
- ... and more

Note all N nodes in the cluster operate *independently* following the above hueristics. Hopefully this highlights the complexity around verifying the the correctness of the protocol.

## 5.1 Spec

The Raft protocol inventor open sourced a full TLA+ spec for the protocol [5]. Since the focus of the book is learning TLA+, we will implement only a portion of the spec, namely the leader election. As usual, let's look at the init definition:

```
InitHistoryVars \triangleq \land elections = \{\} \\ \land allLogs = \{\} \\ \land voterLog = [i \in Server \mapsto [j \in \{\} \mapsto \langle \rangle]] \\ InitServerVars \triangleq \land currentTerm = [i \in Server \mapsto 1] \\ \land state = [i \in Server \mapsto Follower] \\ \land votedFor = [i \in Server \mapsto Nil] \\ InitCandidateVars \triangleq \land votesResponded = [i \in Server \mapsto \{\}] \\ \land votesGranted = [i \in Server \mapsto \{\}] \\ \land votesGranted = [i \in Server \mapsto \{\}] \\ \text{The values nextIndex}[i][i] \text{ and matchIndex}[i][i] \text{ are never read, since the leader does not send itself messages. It's still easier to include these in the functions.} \\ InitLeaderVars \triangleq \land nextIndex = [i \in Server \mapsto [j \in Server \mapsto 1]] \\ \land matchIndex = [i \in Server \mapsto [j \in Server \mapsto 0]]
```

- Servers are defined as a set in this protocol, so *function mapping* are used to represent various server state information
- log is set to a function mapping for all the servers, and each server is initialized as an ordered tuple
- commitIndex is initialized to empty ordered tuple for every server
- nextIndex and matchIndex are initialized to a function mapping of function mapping of integers, to represent every server keeps a counter for all other servers.
- voteResponded and voteGranted are represented as a set for every server
- currentTerm, state, and votedFor are represented as a mapping function for every server.
- message is defined to be an empty set, but each key in the set has an associated count value (similar to C++ standard map with value tracking the key count).

The following is the state transition definition:

```
Next \triangleq \land \lor \exists i \in Server : Restart(i) \\ \lor \exists i \in Server : Timeout(i) \\ \lor \exists i, j \in Server : RequestVote(i, j) \\ \lor \exists i \in Server : RequestVote(i, j) \\ \lor \exists i \in Server : BecomeLeader(i) \\ \lor \exists i \in Server, v \in Value : ClientRequest(i, v) \\ \lor \exists i \in Server : AdvanceCommitIndex(i) \\ \lor \exists i, j \in Server : AppendEntries(i, j) \\ \lor \exists m \in DOMAIN \ messages : Receive(m) \\ \lor \exists m \in DOMAIN \ messages : DuplicateMessage(m) \\ \lor \exists m \in DOMAIN \ messages : DropMessage(m)
```

The spec uses there exists qualifier to pick a server to perform an action. The possible actions are concatenated with  $\lor$  to indicate any of them can take. Some of these actions are state specific (eg. RequestVote or BecomeLeader).

The state check are applied within the macro definition itself (eg. RequestVote checks server is in Candidate state). Let's take a closer look at RequestVote:

```
— Module raft —
 Helper for Send and Reply. Given a message m and bag of messages, return a
 new bag of messages with one more m in it.
WithMessage(m, msgs) \stackrel{\Delta}{=}
    If m \in \text{domain } msgs \text{ then}
        [msqs \ EXCEPT \ ![m] = msqs[m] + 1]
     ELSE
        msqs @@ (m:>1)
 Add a message to the bag of messages.
Send(m) \stackrel{\triangle}{=} messages' = WithMessage(m, messages)
RequestVote(i, j) \triangleq
    \land state[i] = Candidate
    \land j \notin votesResponded[i]
    \land Send([mtype]
                                \mapsto RequestVoteRequest,
                                \mapsto currentTerm[i],
              mlastLogTerm \mapsto LastTerm(log[i]),
              mlastLogIndex \mapsto Len(log[i]),
              msource
                                \mapsto i,
              mdest
                                \mapsto j
    ∧ UNCHANGED ⟨serverVars, candidateVars, leaderVars, logVars⟩
```

- i and j are reciever and sender, respectively
- Send request only if receiver is a candidate
- Send request only if j isn't part of i's votesResponded set
- A message is defined as a function with a collection of keys and values.
- Send calls WithMessage
- With Message increments the count (value) if the message (key) already exists
- WithMessage insert the message (key) with count of 1 (value)
  - @@ combines two functions
  - -m:>1 creates a function with message and a count of 1

In short, the *RequestVote* function inserts a message into a ddictionary and track the number of times it has been inserted. Let's take a look at how the message is processed:

```
WithoutMessage(m, msgs) \stackrel{\Delta}{=}
   If m \in \text{domain } msgs \text{ then}
        If msgs[m] \leq 1 then [i \in DOMAIN \ msgs \setminus \{m\} \mapsto msgs[i]]
         ELSE [msgs \ EXCEPT \ ![m] = msgs[m] - 1]
     ELSE
        msgs
Reply(response, request) \stackrel{\Delta}{=}
    messages' = WithoutMessage(request, WithMessage(response, messages))
HandleRequestVoteRequest(i, j, m) \triangleq
   LET logOk \stackrel{\triangle}{=} \lor m.mlastLogTerm > LastTerm(log[i])
                      \lor \land m.mlastLogTerm = LastTerm(log[i])
                         \land m.mlastLogIndex \ge Len(log[i])
         grant \stackrel{\triangle}{=} \land m.mterm = currentTerm[i]
                      \land logOk
                      \land votedFor[i] \in \{Nil, j\}
          \land m.mterm < currentTerm[i]
          \land \lor grant \land votedFor' = [votedFor \ EXCEPT \ ![i] = j]
             \vee \neg grant \wedge \text{UNCHANGED } votedFor
          \land Reply([mtype]
                                      \mapsto RequestVoteResponse,
                                      \mapsto currentTerm[i],
                     mterm
                     mvoteGranted \mapsto grant,
                      mlog is used just for the 'elections' history variable for
                      the proof. It would not exist in a real implementation.
                     mlog
                                     \mapsto loq[i],
                     msource
                                     \mapsto i,
                     mdest
                                     \mapsto j],
                     m
          ∧ UNCHANGED ⟨state, currentTerm, candidateVars, leaderVars, logVars⟩
UpdateTerm(i, j, m) \triangleq
    \land m.mterm > currentTerm[i]
                          = [currentTerm EXCEPT ![i] = m.mterm]
    \land currentTerm'
                                           EXCEPT ![i] = Follower]
    \wedge state'
                          = [state]
                                           EXCEPT ![i] = Nil
    \land votedFor'
                          = [votedFor]
        messages is unchanged so m can be processed further.
    \land UNCHANGED \langle messages, candidate Vars, leader Vars, log Vars <math>\rangle
Receive(m) \triangleq
   Let i \triangleq m.mdest
         j \triangleq m.msource
          Any RPC with a newer term causes the recipient to advance
          its term first. Responses with stale terms are ignored.
          \vee UpdateTerm(i, j, m)
          \lor \land m.mtype = RequestVoteRequest
             \land HandleRequestVoteRequest(i, j, m)
```

```
 \lor \land m.mtype = Request Vote Response \\ \land \lor Drop Stale Response(i, j, m) \\ \lor Handle Request Vote Response(i, j, m) \\ \lor \land m.mtype = Append Entries Request \\ \land Handle Append Entries Request(i, j, m) \\ \lor \land m.mtype = Append Entries Response \\ \land \lor Drop Stale Response(i, j, m) \\ \lor Handle Append Entries Response(i, j, m) \\ \lor Handle Append Entries Response(i, j, m) \\ \hline \qquad MODULE \ raft \\ \hline
```

- Next randomly picks a message received. This simulates network reordering effect
- Per Raft protocol definition: *UpdateTerm* checks if *message* has higher term. If so, the current server transitions back to *Follower* with grantVote cleared.
- HandleRequestVoteRequest defines two local variables:
  - logOk represents requester log's recency per protocol spec
  - grant represents if vote is granted per protocol spec. Note it's possible
- Reply adds the replay to messages and removes the request
- In WithoutMessage, return a new function if message count is one:
  - $msgs \setminus \{m\}$  is all msgs excluding m
  - For all i in this reduced msgs functions, set value to key i as msgs[i]. This effectively copies the entire msgs excluding key m

If receiver is stale (eg. lower term), it will **not** grant the vote. This wasn't explicitly stated in the protocol spec. At the same time, the receiver should eventually call *UpdateTerm* to get updated term.

# Simple Scheduler

## 6.1 Requirement

In this section we will define a spec for a simple task scheduler. The task sechdeuler has the following requirements:

- Supporting N execution context (ie. CPUs)
- Supporting T number of tasks
- Tasks have identical priority and are scheduled coopertively
- System has a single global lock
- Any task can attempt to acquire the lock, Any task attempting to acquire the lock are gauranteed to be scheduled.
- If multiple tasks attempt to grab the lock, the tasks will be scheduled in lock request order.

## 6.2 Spec

We will model scheduler using the following variables:

```
 \begin{array}{l} Init \ \stackrel{\triangle}{=} \\ \  \  \, \land \  cpus = [i \in 0 \ldots N-1 \mapsto ``"] \\ \  \  \, \land \  ready\_q = S2T(Tasks) \\ \  \  \, \land \  blocked\_q = \langle \rangle \\ \  \  \, \land \  lock\_owner = \  ``" \end{array}
```

A few things to note:

- The system has N executing context, represented as number of CPUs. When a task is running, cpus[k] is set to taskName. When CPU is idle, cpus[k] is set to an empty string.
- $ready\_q$  and  $blocked\_q$  are initialized as  $ordered\ tuple$ , due to the cooperative scheduling requirement.
- S2T is a macro that converts a set into a ordered tuple. This is to accommodate the fact it appears I cannot define tuple in .cfg file.
- Finally, the single system lock is represented as *lock\_owner*.

A task can be in three possible state: Ready, Blocked and Running. The *Next* box-action fomula will define a Ready and Running action, and the implementation will include related lock contention handling.

```
- Module scheduler -
MoveToReady(k) \triangleq
     \land cpus[k] \neq ""
     \land lock\_owner \neq cpus[k]
     \land ready\_q' = Append(ready\_q, cpus[k])
     \wedge cpus' = [cpus \ EXCEPT \ ![k] = ""]
     \land UNCHANGED \langle lock\_owner, blocked\_q \rangle
Lock(k) \triangleq
       lock is empty
       \lor \land cpus[k] \neq ````
           \land lock\_owner = ""
           \wedge lock\_owner' = cpus[k]
           \land UNCHANGED \langle ready\_q, cpus, blocked\_q \rangle
        someone else has the lock
          \land cpus[k] \neq ```
           \land \ lock\_owner \neq ""
           \land lock\_owner \neq cpus[k] cannot double lock
           \land blocked\_q' = Append(blocked\_q, cpus[k])
           \land cpus' = [cpus \ \text{except} \ ![k] = ""]
           \land UNCHANGED \langle ready\_q, lock\_owner \rangle
Unlock(k) \triangleq
     \land \ cpus[k] \neq ""
     \land lock\_owner = cpus[k]
     \land \mathit{lock\_owner'} = ````
     \land cpus' = [cpus \ \text{EXCEPT} \ ![k] = ""]
     \wedge ready\_q' = ready\_q \circ blocked\_q \circ \langle cpus[k] \rangle
     \land blocked\_q' = \langle \rangle
Running \triangleq
    \exists k \in \text{DOMAIN } cpus:
         \land cpus[k] \neq "
```

```
 \land \lor MoveToReady(k) 
 \lor Lock(k) 
 \lor Unlock(k)
```

## 6.3 Safety

#### 6.4 Liveness

I believe this is the most important part of cooperative scheduler design. While the scheduler can't *force* a task to relinquish a lock (the scheduler doesn't dictate when the task is *done*), the scheduler can ensure scheduling fairness by scheduling the next lock requester intsead of the task that just relinquished the lock.

```
Liveness \triangleq \\ \forall \ t \in Tasks: \\ \text{LET} \\ b \triangleq \{x \in \text{DOMAIN } blocked\_q: blocked\_q[x] = t\} \\ \text{IN} \\ \land b \neq \{\} \leadsto b = \{\}
```

The formula defines set b to be either an empty set or a set of one task. Assume a set of  $\{"p0", "p1", "p2\}$ . Possible value of b include:  $\{\}, \{"p0"\}, \{"p1"\}$  and  $\{"p2"\}$ . The fomula then states an non empty set of b leads to an empty set of b. In other words:

If a task ever becomes blocked, it will eventually become unblocked.

However, when we actually run the model checker, we will find the liveness property is *violated*. The failure scenario is basically one task holding onto the lock in one CPU, while the scheduler repeatedly schedule/deschedule a separate task in another CPU. While this is perfectly allowed, the model checker detects a possible path for the the system to trap in a local state and fail the liveness property.

Perhaps not surprisingly, if you construct similar liveness property to verify a task is *eventually* always scheduled, it will also fail. The model checker will provide a counter case where a task is never scheduled because another task is repeatedly acquire/release the global lock.

We need *Strong Fairness* to solve this problem:

```
\begin{array}{l} L \triangleq \\ \forall \, t \in \mathit{Tasks}: \\ \forall \, n \in 0 \ldots (N-1): \\ \mathrm{WF}_{\mathit{vars}}(\mathit{HoldingLock}(t) \wedge \mathit{Unlock}(n)) \\ \mathit{Spec} \triangleq \\ \wedge \mathit{Init} \\ \wedge \square[\mathit{Next}]_{\mathit{vars}} \\ \wedge \mathrm{WF}_{\mathit{vars}}(\mathit{Next}) \\ \wedge L \end{array}
```

Fairness ensures that we are never stuck in a repeated state.

## 6.5 Requirement

## 6.6 Spec

```
 \begin{array}{l} \mathit{Init} \; \stackrel{\triangle}{=} \\ \; \wedge \; \mathit{lastHash} = \mathit{NoHash} \\ \; \wedge \; \mathit{distributedLedger} = [n \in \mathit{Node} \mapsto [h \in \mathit{Hash} \mapsto \mathit{NoBlock}]] \\ \; \wedge \; \mathit{received} = [n \in \mathit{Node} \mapsto \{\}] \end{array}
```

- Every node is a ledger in this system, initialized to NoBlock
- Every node's received set is initialized to nothing

# Part II Examples with PlusCal

# SPSC Lockfree Queue

Single producer single consumer (SPSC) Lockfree queue is a standard data exchange queue between a producer and a consumer. The SPSC lockfree queue promises data can exchange between producer and consumer in a lockfree fashion, suggesting all condition both producer and consumer can make progress.

Contrast to standard shared queues, a SPSC waitfree queue doesn't require the use of a lock (eg. mutex). The queue can be logically represented fairly simply as:

```
template <typename T, ssize_t N>
class cQueue<T> {
    ssize_t rptr = 0;
    ssize_t wptr = 0;
    std::array<T, N> buffer;
    /* TODO: API definition below... */
};
```

A real implementation need to account for memory ordering effects specific to the architecture. For example, ARM has weak memory ordering model where read/write may appear out of order between CPUs. In this chapter we will only assume *logical* execution where each command is issued sequentially (even perceived across CPUs) to focus the discussion on TLA+.

## 7.1 Requirement

As mentioned in earlier section, a SPSC queue is represented by an array, a pair of read write pointer. The implementation is (hopefully) descriptively trivial:

- Two executing context, reader and writer
- Writer advances wtpr after writes
- Reader advances rtpr after reads

- If rtpr equals wptr, queue is empty
- If (wtpr + 1) % N equals rptr, queue is full

A possible implementation may look like below (not accounting for memory ordering effects):

```
template <typename T, ssize_t N>
class cQueue {
    ssize_t rptr = 0;
    ssize_t wptr = 0;
    std::array<T, N> buffer;
public:
    bool read (T &v) {
         /* queue empty check */
         if (rptr == wptr) {
             return false;
         /* data get */
         v = buffer[rptr];
         /* rtpr update */
        rptr = (rptr + 1) \% N;
        return true;
    }
    bool write (const T &v) {
        /* queue full check */
if ((wptr + 1) % N == rptr) {
             return false;
         /* data write */
         buffer[wptr] = v;
         /* wptr update */
        wptr = (wptr + 1) \% N;
        return true;
    }
```

Since reader and writer execute in different context, the instructions in read and write can interleave in *any* way imaginable:

- queue empty check can happen before or after queue full check
- data write happens immediately before data read
- ... so on and so forth

The key observations is that buffer [wtpr] is reserved by the producer. buffer [wtpr] is either unused or being written to. In either case the reader is not allowed to access it. Symmetric reasoning applies to rptr. This provides the *safety* to the design - but how do we verify this?

This is where TLA+ can help us formally verify the design.

## **7.2** Spec

TLA+ specification can be writen using its native formal specification language, or a C-like syntax called PlusCal (which transpiles down to itse native form). In this example, I chose to implement the specification using PlusCal, since the content to be verified is psuedo implementation. While it is possible specify SPSC in native TLA+, it is the author's opinion that it is more error prone in this case, each line is effective an individual state needs to be modeled.

The following is a snippet of the specification written in PlusCal, hopefully intuitive to read:

```
procedure reader(i)
variable
begin
r\_chk\_empty:
                    if rptr = wptr then
r\_early\_ret:
                       return;
                    end if;
r\_read\_buf:
                    assert buffer[rptr] \neq 0;
                    buffer[rptr] := 0;
r_cs:
                    rptr := (rptr + 1)\%N;
r\_upd\_rtpr:
                    return;
end procedure;
procedure writer(i)begin
w\_chk\_full:
                    if (wptr + 1)\%N = rptr then
w_early_ret:
                      return;
                    end if;
                    assert buffer[wptr] = 0;
w\_write\_buf:
w\_cs:
                    buffer[wptr] := wptr + 1000;
w\_upd\_wptr:
                    wptr := (wptr + 1)\%N;
                    return;
end procedure;
```

Note each command starts with a *label*, such as r\_chk\_empty. All the actions associated with the label is assumed executed atomically. This is reflected in the generated TLA+ code:

```
r\_chk\_empty(self) \triangleq \land pc[self] = \text{"r\_chk\_empty"} \\ \land \text{IF } rptr = wptr \\ \text{THEN } \land pc' = [pc \text{ EXCEPT } ! [self] = \text{"r\_early\_ret"}] \\ \text{ELSE } \land pc' = [pc \text{ EXCEPT } ! [self] = \text{"r\_read\_buf"}] \\ \land \text{UNCHANGED } \langle rptr, wptr, buffer, stack, i\_, i \rangle
```

## 7.3 Safety

As mentioned before, safety properties need to hold true in every single state. Some safety requirement we can enforce, for example:

Reader and writer cannot access the same index at the same time:

$$\sim ((pc[100] = "w_cs") \land (pc[101] = "r_cs") \land rptr = wptr)$$
 (7.1)

All unused index should be set to 0:

$$\forall kk \in unused : buffer[kk] = 0 \tag{7.2}$$

At any given moment, buffer[wtpr] may be unused or written. buffer[rptr] may be unused or read:

```
\lor Cardinality(to\_be\_read) + 1 = Cardinality(reading)

\lor Cardinality(to\_be\_read) = Cardinality(reading) + 1

\lor Cardinality(to\_be\_read) = Cardinality(reading)
```

#### 7.4 Liveness

```
All indicies are eventually used:
```

```
Liveness \triangleq
\forall k \in 0 ... N - 1 :
\Diamond(buffer[k] \neq 0)
Unused index 0 becomes used, used index 0 becomes unused.
Liveness2 \triangleq
\land (buffer[0] = 0) \leadsto buffer[0] = 1000
\land (buffer[0] = 1000) \leadsto buffer[0] = 0
```

## 7.5 Configuration

# SPMC Lockless Queue

# Part III Language Reference

## **Data Structure**

Like other languages, TLA+ provides its data structure. I assume the readers are already familiar with common data structure, and this chapter will only focus on the TLA+ language semantics.

#### 9.1 Set

This is the most common data structure used in TLA+ spec. The following is a few examples on how a set can be used:

```
\begin{array}{l} a \stackrel{\triangle}{=} \{0,1,2\} \\ b \stackrel{\triangle}{=} \{2,3,4\} \\ c \stackrel{\triangle}{=} a \cup b \\ d \stackrel{\triangle}{=} a \cap b \\ e \stackrel{\triangle}{=} \exists x \in c : x > 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x > 5 \\ g \stackrel{\triangle}{=} \forall x \in c : x < 3 \\ h \stackrel{\triangle}{=} \forall x \in c : x < 5 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel{\triangle}{=} \exists x \in c : x < 3 \\ f \stackrel
```

## 9.2 Tuple

```
\begin{array}{lll} A & \stackrel{\triangle}{=} & \langle 0,\, 1,\, 2 \rangle \\ B & \stackrel{\triangle}{=} & \langle 2,\, 3,\, 4 \rangle \\ C & \stackrel{\triangle}{=} & A \circ B & \text{tuple: } 0,\, 1,\, 2,\, 2,\, 3,\, 4 \\ D & \stackrel{\triangle}{=} & Len(C) & 6 \\ E & \stackrel{\triangle}{=} & \forall\, x \in 1 \ldots Len(C) : C[x] \neq 10 & \text{TRUE - every C[x] is not } 10 \\ F & \stackrel{\triangle}{=} & \exists\, x \in 1 \ldots Len(C) : C[x] = 2 & \text{TRUE - there exists a C[x] that is } 2 \end{array}
```

 $G \ \stackrel{\Delta}{=} \ \big\{x \in 1 \ .. \ Len(\,C) : C[x] = 2 \big\} \quad \{3,\,4\}$  - when index is 3 or 4,  $\mathrm{C[x]} = 2$ 

# Idiom

Choose a x in set S such that for every Y in S x is smaller than y. Finding minimum in set:

$$Min(S) \triangleq \text{CHOOSE } x \in S : \forall y \in S : x \leq y$$

messages is an unordered map with untyped key and integer value:

## Fairness and Liveness

For rigorous definition and proof, please refer to (TODO: citations). This chapter focus on the application aspect of liveness and fairness and define an elevator spec that goes up and down.



#### 11.1 Liveness

Consider the following elevator Spec:

```
- MODULE elevator -
EXTENDS Integers
VARIABLES a
vars \triangleq \langle a \rangle
TOP
BOTTOM \triangleq 1
Init \triangleq
      \wedge a = BOTTOM
      \land \ a \neq \mathit{TOP}
      \wedge a' = a + 1
Down \triangleq
      \land a \neq BOTTOM
      \wedge a' = a - 1
Spec \triangleq
   \wedge Init
   \wedge \Box [Up \vee Down]_a
```

The building has a set of floors and the elevator can go either up or down. The elevator keeps going up until it's the top floor, or keep going down until it's the bottom floor. TLC will pass the Spec as is.

Let's introduce a liveness property. The elevator should always at least go to the second floor:

```
Liveness \stackrel{\triangle}{=} \\ \land a = 1 \leadsto a = 2
```

Running the *Spec* against TLC will report a violation:

```
Error: Temporal properties were violated.
Error: The following behavior constitutes a counter-example:
State 1: <Initial predicate>
a = 1
State 2: Stuttering
```

Since the *Spec* permits *suttering*, the state machine is allowed to perpetually stay on 1F and *never* go to 2F. This can be fixed by introduce fairness description.

#### 11.2 Weak Fairness

Weak fairness is defined as:

$$\Diamond \Box (ENABLED\langle A \rangle_v) \Rightarrow \Box \Diamond \langle A \rangle_v \tag{11.1}$$

 $ENABLED\langle A \rangle$  represents conditions required for action A. The above translates to: if conditions required for action A to occur is eventually always true, then action A will always eventually happen.

Without weak fairness defined, the elevator may *stutter* at floor 1 and never go to floor 2. Weak fairness states that if the conditions of an action is *eventually always* true (ie. elevator decides to stay on 1F but but *can* go up), the elevator *always eventually* go up.

```
Spec \triangleq \\ \land Init \\ \land \Box [Down \lor Up]_a \\ \land \operatorname{WF}_a(Down) \\ \land \operatorname{WF}_a(Up)
```

Running the spec against TLC passes again. What if we want to verify the elevator eventually always goes to the top, not just to 2F? Let's modify the Liveness property again:

 $Liveness \triangleq$ 

```
\land a = BOTTOM \leadsto a = TOP
```

TLC now reports the following violation:

```
Error: Temporal properties were violated.
Error: The following behavior constitutes a counter-example:
State 1: <Initial predicate>
a = 1
State 2: <Up line 10, col 5 to line 11, col 17 of module elevator>
a = 2
Back to state 1: <Down line 13, col 5 to line 14, col 17 of module elevator>
```

TLC identified a case where the elevator is perpetually stuck going between 1F and 2F, but never go to 3F. Weak fairness is no longer enough, because the the elevator is not stuck on 2F repeatedly, but stuck going between 1F and 2F. This is where we need strong fairness.

#### 11.3 Strong Fairness

Strong fairness is defined as:

$$\Box \Diamond (ENABLED\langle A \rangle_v) \Rightarrow \Box \Diamond \langle A \rangle_v \tag{11.2}$$

The difference between weak and strong fairness is the *eventually always* vs. always eventually.

In weak fairness, once the state machine is stuck in a state forever, the state machine always transition to a possible next state permitted by the spec (eg. if the elevator is stuck on 1F but can go to 2F, it will). With strong fairness, the elevator doesn't need to be stuck on 2F to go to 3F. If the elevator always eventually makes it to 2F, it eventually always go to 3F.

Intuitively we are tempted to enable strong fairness like so:

```
Spec \triangleq \\ \land Init \\ \land \Box [Up \lor Down]_a \\ \land WF_a(Down) \\ \land SF_a(UP)
```

However, TLC still reports the same violation. What's going on?

If we take a closer look at the enabling condition for Up, it only requires current floor to be not the top floor. When the elevator is stuck in a loop going Up and Down between 1F and 2F indefinitely, strong fairness for Up is already satisfied. What we really want is strong fairness on Up for every floor, instead

of any floor except top floor. So if elevator makes to 2F once, it will always eventaully go to 3F. If elevator makes to 3F once, it will always eventaully go to 4F, etc. The following is the change required:

```
 \begin{array}{l} Spec \ \stackrel{\triangle}{=} \\ \wedge \ Init \\ \wedge \ \square [\ Up \lor Down]_a \\ \wedge \ WF_a(Down) \\ \wedge \ \forall \ f \in BOTTOM \ .. \ TOP-1 : \\ \wedge \ WF_a(\ Up \land f = a) \end{array}
```

Once again with this change TLC will pass.

TLA+ Abstraction Guideline

Reference

# **Bibliography**

- [1] Srikumar Subramanian https://sriku.org/posts/fairness-in-tlaplus/, 2015
- [2] Richard M. Murray, Nok Wongpiromsarn  $Linear\ Temporal\ Logic,\ Lecture\ 3,\ 2012$
- $[3] \ https://www.backblaze.com/blog/cloud-storage-durability/$
- [4] https://raft.github.io/raft.pdf
- $[5] \ https://github.com/ongardie/raft.tla$

## Nano

TODO: add this to reference https://content.nano.org/whitepaper/Nano\_Whitepaper\_en.pdf

#### 14.1 Requirement

### 14.2 Spec

```
 \begin{array}{l} \mathit{Init} \; \stackrel{\triangle}{=} \\ \; \wedge \; \mathit{lastHash} = \mathit{NoHash} \\ \; \wedge \; \mathit{distributedLedger} = [n \in \mathit{Node} \mapsto [h \in \mathit{Hash} \mapsto \mathit{NoBlock}]] \\ \; \wedge \; \mathit{received} = [n \in \mathit{Node} \mapsto \{\}] \\ \end{array}
```

- Every node is a ledger in this system, initialized to NoBlock
- Every node's received set is initialized to empty set

```
Next \triangleq 

\lor \exists \ account \in PrivateKey : CreateGenesisBlock(account)

\lor \exists \ node \in Node : CreateBlock(node)

\lor \exists \ node \in Node : ProcessBlock(node)
```

PrivateKey represents the identity of the account, create the genesis block for every account. Let us look at how a genesis block is created:

```
\begin{aligned} & \textit{HashOf}(block) \triangleq \\ & \text{if } \exists \, hash \in \textit{Hash} : hashFunction[hash] = block \\ & \text{THEN CHOOSE} \, \, hash \in \textit{Hash} : hashFunction[hash] = block \\ & \text{ELSE CHOOSE} \, \, hash \in \textit{Hash} : hashFunction[hash] = N!\, NoBlock \\ & \textit{CalculateHashImpl}(block, \, oldLastHash, \, newLastHash) \triangleq \\ & \text{LET} \, \, hash \triangleq \, HashOf(block) \text{IN} \end{aligned}
```

```
\land \ newLastHash = hash
  \land hashFunction' = [hashFunction \ EXCEPT \ ! [hash] = block]
CreateGenesisBlock(privateKey) \stackrel{\Delta}{=}
   LET
        publicKey \triangleq KeyPair[privateKey]
        genesisBlock \triangleq
            [type \mapsto "genesis",
             account \mapsto publicKey,
            balance \mapsto GenesisBalance
   IN
    \land \neg GenesisBlockExists
    \land CalculateHash(genesisBlock, lastHash, lastHash')
    \land distributedLedger' =
        Let signedGenesisBlock \triangleq
             [block \mapsto genesisBlock,
             signature \mapsto SignHash(lastHash', privateKey)
        [n \in Node \mapsto
           [distributedLedger[n]] EXCEPT
               ![lastHash'] = signedGenesisBlock]]
    \land UNCHANGED received
```

Every account maintains its own chain of blocks. The first block in the account chain is the genesis block. The genesis block contains the type, account name, and genesis balance. The genesis block is then hashed and signed.

TODO: add this to reference https://content.nano.org/whitepaper/Nano\_Whitepaper\_en.pdf