Proving the Correctness of Distributed Algorithms using TLA

Proving the Correctness of DistributedAlgorithms using TLAKhushboo Kanjani, khush@cs.tamu.edu, Texas A & M University11 May 2007AbstractThis work is a summary of the Temporal Logic of Actions(TLA)proposed by Leslie Lamport as a language for specifying and verifyingconcurrent systems. Dijkstra’s self-stabilizing mutual exclusionalgorithm is discussed to demonstrate the use of TLA.1 IntroductionFormal methods are mathematically-based techniques for the specification,development and verification of software and hardware systems. Formal verificationis the act of proving the correctness of algorithms with respect to aproperty, using formal methods of mathematics. There are two approachesto formal verification as defined in [1]:• Model Checking: This is a technique that relies on building a finitemodel of a system and checking that a desired property holds in thatmodel.The check is performed as an exhaustive state space search thatis guaranteed to terminate since the model is finite.• Theorem Proving: Theorem proving is the process of finding aproof of a property from the axioms of the system. It is a techniquein which the behavior of the system and its desired properties are expressedas formulas in some mathematical logic. The temporal logic ofactions(TLA) is one such logic aiming at proving correctness of multiprocessprograms.1

Khushboo KanjaniThe properties which define the correctness of a program are often describedin temporal logic. The following is a brief overview of the kinds of logic:1.1 Logic• Binary Logic has two boolean values True and False.• Propositional Logic adds the following operators to the binary logic.conjunction(and) ∧disjunction(or) ∨negation(not) ¬implication(implies) →equivalence ≡.• First-Order(Predicate) Logic extends propositional logic with twoquantifiers:∃ existential quantification(there exists)∀ universal quantification (for all)• Temporal Logic quantifies in terms of time and has the following twooperators:♦ - now or sometime in future□ - now and foreverTime is viewed as a sequence of states in temporal logic.The Temporal Logic of Actions(TLA) is a combination of two logics : logicof actions and the standard temporal logic. In TLA, the program and itsproperties are written in the same language. The behavior of the programis written as a temporal formula σ. To prove that the program satisfies aproperty P, it is sufficient to prove that σ => P.1.2 Related WorkThe other formal methods based on temporal logic are Unity Logic [4], thelogic of Manna, Pnueli [11] and Process Algebra by Hoare [2], Milner[9].Unity logic is based on assertions of the form {p}s{q}, which denotes thatthe execution of statement s in any state satisfying predicate p results in astate satisfying predicate q. Properties of a program are expressed in termsof the basic operators unless, invariant, ensures and → (leads-to).CPSC 689-608 Spring 2007 Report Draft

Khushboo KanjaniThe language of temporal logic defined by Manna, Pnueli [11] is built froma state language used to construct state formulas, and a set of logical andtemporal operators. By applying the logical and temporal operators to thestate formulas, they construct general temporal formulas.Process algebra provides a tool for the high-level description of interactions,communications, and synchronizations between a collection of independentprocesses. Some examples of this are Hoare’s Communicating SequentialProcesses(CSP)[2] and Milner’s Calculus of Communicating Systems(CCS)[9].2 DefinitionsThis section defines all the definitions used in the logic. The semantic meaningof every object T in the logic in denoted by [[T]]. The semantic meaningof state functions, predicates, actions etc. are stated in Figure 1 from [6] inthe appendix.1. Values, Variables and States: A set Val of all possible values ofvariables is assumed. It includes sets like the set Nat of natural numbers.The booleans true and false do not belong to this set Val. Theset Var is an infinite set of all variable names. A state is a mappingfrom the set Var to the set Val. A state s assigns a value s[x] to avariable x. St is the collection of all possible states.2. State Functions: A non boolean expression built from variables andconstants. For example: z=x+y+3.3. State Predicate: It is a boolean expression built from variables andconstant symbols. For example x + y = 1 and x, y ∈ Nat4. Actions: An action represents an atomic operation in a concurrentprogram. It is a relation between unprimed variables(referring to oldstate) and primed variables(referring to the new state after the actionis executed). For example : y’=x+y+1. s[[A]]t is true if executing theA operation in state s produces state t.CPSC 689-608 Spring 2007 Report Draft

Khushboo Kanjani5. Validity: The formal definition of validity of an action A, denoted as|= A is:|= A ≡ ∀s, t ∈ St : s[[A]]t6. Rigid Variables: A variable whose value does not change in the executionof the program is termed as a rigid variable.7. Enabled Predicate: For any action A, Enabled A is defined as follows:s[[EnabledA]] ≡ ∃t ∈ St : s[[A]]t8. Unchanged Action: An action Unchanged f , for a state function f isdefined as a step in which the value of f does not change. Formally :Unchanged f ≡ f ′ = f3 TLAIn TLA, specification of the system and the desired properties are stated byTLA formulas. A TLA formula is true or false on a behavior, which is asequence of states, where a state is an assignment of values to variables.3.1 SpecificationA specification is a formal description of the desired behavior of a program.The approach to define it can be divided into two steps:• State the variables that define the system’s state.• State the granularity of the steps that change those variables’ values.CPSC 689-608 Spring 2007 Report Draft

Khushboo KanjaniP1: while true doif x 1 = x n thenx 1 := (x 1 + 1)mod(n + 1)endendP i (i ≠ 1) :while true doifx i ≠ x i−1 thenx i := x i−1endendAlgorithm 1: Dijkstra self-stabilizing algorithm for MEExample: Here we give a TLA specification of the famous Dijkstra’s selfstabilizingalgorithm for mutual exclusion in a ring described in Algorithm1. The notations used here are explained in Figure 1. Equation 1 describesthe initial condition of the variables. Equation 2 states that ∀i ∈ [0, N]i ≠ 1if the value of x i is not equal to that of its left neighbor, it is assigned thatvalue when process P i is activated. For P 1 , equation 3 states that the valueof x 1 is incremented if its value is equal to x n . In equation 4, w definesthe state function of all the variables in the program. These TLA formulasC 1 , C 2 , ....C n describe the behavior of the processes P 1 , P 2 , ....P n respectively.All possible executions of the program satisfy the temporal formula definedin equation 6.Init φ ≡ ∀i ∈ n, 0 ≤ x i ≤ n (1)∀i ∈ [0, N]i ≠ 1, C i ≡ (x i ≠ x i−1 ) ∧ (x ′ i = x i−1 ) ∧ Unchanged < AllBut(x i ) >(2)C 1 ≡ (x 1 = x n ) ∧ (x ′ 1 = (x 1 + 1)mod(n + 1)) ∧ Unchanged < AllBut(x 1 ) >(3)w =< x 1 , x 2 , ........., x n > (4)C ≡ C 1 ∨ C 2 ∨ ........ ∨ C n (5)φ ≡ Init φ ∧ □[C] w (6)CPSC 689-608 Spring 2007 Report Draft

Khushboo Kanjani3.2 Safety PropertiesSafety properties assert that something bad never happens. For example,for the problem of mutual exclusion, the safety property is that at mostone processor is in the critical section. For the self-stabilizing Algorithm1, mutual exclusion will be guaranteed if only one processor is allowed tochange its value. In other words, only one of C 1 , C 2 , ....C n is enabled. Safetyproperties are usually described as invariance properties with TLA formulasof the form □ P where P is predicate. These invariance properties are provedwith rule INV1 of Figure 1.3.3 Fairness PropertiesWeak fairness asserts that eventually the action is either executed or becomeimpossible to execute- maybe only briefly. Strong fairness rules out thatlast condition. It means that either the action is eventually executed, or itsexecution is eventually always impossible. For an action A and state functionf, weak fairness (WF) and strong fairness(SF) are expressed as follows:W F f (A) = (□♦〈A〉 f ) ∨ (□♦¬Enabled〈A〉 f ) (7)SF f (A) = (□♦〈A〉 f ) ∨ (♦□¬Enabled〈A〉 f ) (8)For the algorithm 1, starting with a random initial configuration, the programeventually reaches a safe configuration where only one processor changes itsvalue. The program guarantees W F 〈C〉 w .4 Verification of the Byzantine Generals algorithmIn [8], the one-traitor ”oral-message” solution to the Byzantine Generalsproblem is verified using TLA. The specification is divided into three levelsand a hierarchical proof is presented. The high-level specification defines theproblem statement. The mid-level specification captures the ”oral-message”solution to the problem that works in the presence of at most of one traitor.The underlying communication is ignored. The low-level specification modelsthe way values are transmitted over communication channels. All these threelevel specifications are long. So cannot be included here.CPSC 689-608 Spring 2007 Report Draft

Khushboo Kanjani5 DevelopmentsTLA+[7] provides a language for specifying TLA specifications. It can beused for a wide class of systems - from program interfaces(API) to distributedsystems. It is an extension to TLA and it contains operators for definingand manipulating data structures and syntactic structures for handling largespecifications. The syntax for expressions in TLA+ aims to capture some ofthe richness of ordinary mathematical notation. But a precise specificationin TLA+ gets very long and complicated. TLA+ is good for software andhardware engineers and of little use to researchers concentrating on designof algorithms.6 CommentsTLA is good as a formal method for verifying systems but I feel that it isnot good for proving the correctness of distributed algorithms. The designerof the algorithm has an intuition of why the algorithm is correct. TLA onlygives a language to specify the behavior of the program. If the behavior isspecified correctly, the safety and liveness proofs are direct conclusions byapplying the TLA rules. Capturing the complete behavior of the algorithmcan get long and complicated. I believe informal proofs give a better insightof the correctness of the algorithm.Some points to be noted about TLA :• Booleans are distinct from values of any variable and so state predicatesare different from state functions.• The variables in TLA have no types. Type-correctness is a provableproperty and not a syntactic requirement for specifying programs inTLA.• A specification of a multiprocess program can be decomposed as conjunctionof its processes.• The rules stated in Figure 2 as described in [6] form a complete proofsystem for reasoning programs in TLA.• There is no distinction between a program and a property in TLA.CPSC 689-608 Spring 2007 Report Draft

Khushboo KanjaniReferences[1] E.M. Clarke and J.M. Wing. Formal methods: State of the art andfuture directions. ACM Computing Surveys, 1996.[2] C.A.R. Hoare. Communicating Sequential Processes. Prentice-Hall International,London,1985.[3] Rajeev Joshi, Leslie Lamport, John Matthews, Serdar Tasiran, MarkTuttle, and Yuan Yu. Checking cache-cohorence protocols with tla+.Formal Methods in System Design, 2003.[4] Chandy K.M. and Misra. Parallel Program Design. Addison-Wesley,1988.[5] Leslie Lamport. Proving the correctness of multiprocess programs. IEEETransactions on Software Engineering, 1977.[6] Leslie Lamport. The temporal logic of actions. ACM Transactions onProgramming Languages and Systems, pages 1–52, 1993.[7] Leslie Lamport. Specifying Systems:The TLA+ Language and Tools forHardware and Software Engineers. Addison-Wesley, 2003.[8] Leslie Lamport and Stephan Merz. Specifying and verifying faulttolerantsystems. International Symposium on Formal Techniques inReal and Fault Tolerant Systems, 1994.[9] Robin Milner. A complete inference system for a class of regular behaviors.Journal of Computer and System Sciences, 28:439–466, 1984.[10] Joao Luis Sobrinho. An algebraic theory of dynamic network routing.ACM Transcations on Networking, 2004.[11] Manna Z. and Pnuelli A. The temporal logic and reactive and concurrentsystems. Springer-Verlag, New York, 1991.CPSC 689-608 Spring 2007 Report Draft

Khushboo KanjaniFigure 1: Syntax of TLACPSC 689-608 Spring 2007 Report Draft

Figure 2: Proof Rules of TLACPSC 689-608 Spring 2007 Report DraftKhushboo Kanjani

Khushboo KanjaniFigure 3: Quantification in TLACPSC 689-608 Spring 2007 Report Draft