TLA+ Model Checking Made Symbolic

International audienceTLA + is a language for formal specification of all kinds of computer systems. System designers use this language to specify concurrent, distributed, and fault-tolerant protocols, which are traditionally presented in pseudo-code. TLA + is extremely concise yet expressive: The language primitives include Booleans, integers, functions, tuples, records, sequences, and sets thereof, which can be also nested. This is probably why the only model checker for TLA + (called TLC) relies on explicit enumeration of values and states. In this paper, we present APALACHE-a first symbolic model checker for TLA +. Like TLC, it assumes that all specification parameters are fixed and all states are finite structures. Unlike TLC, APALACHE translates the underlying transition relation into quantifier-free SMT constraints, which allows us to exploit the power of SMT solvers. Designing this translation is the central challenge that we address in this paper. Our experiments show that APALACHE outperforms TLC on examples with large state spaces

On the uniform one-dimensional fragment over ordered models

The uniform one-dimensional fragment U1 is a recently introduced extension of the two-variable fragment FO2. The logic U1 enables the use of relation symbols of all arities and thereby extends the scope of applications of FO2. In this thesis we show that the satisfiability and finite satisfiability problems of U1 over linearly ordered models are NExpTime-complete. The corresponding problems for FO2 are likewise NExpTime-complete, so the transition from FO2 to U1 in the ordered realm causes no increase in complexity. To contrast our results, we also establish that U1 with an unrestricted use of two built-in linear orders is undecidable