• Stars
    star
    1,280
  • Rank 36,774 (Top 0.8 %)
  • Language TLA
  • License
    Other
  • Created over 8 years ago
  • Updated about 1 month ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A collection of TLAโบ specifications of varying complexities

TLA+ Examples

Gitpod ready-to-code Validate Specs & Models

This is a repository of TLA+ specifications and models covering applications in a variety of fields. It serves as:

  • a comprehensive example library demonstrating how to specify an algorithm in TLA+
  • a diverse corpus facilitating development & testing of TLA+ language tools
  • a collection of case studies in the application of formal specification in TLA+

All TLA+ specs can be found in the specifications directory. A central manifest of specs with descriptions and accounts of their various models and features can be found in the manifest.json file.

List of Examples

# Name Description Authors TLAPS Proof? TLC Model? Module Dependencies PlusCal? Apalache?
1 2PCwithBTM A modified version of P2TCommit (Gray & Lamport, 2006) Murat Demirbas โœ” FinSet, Int, Seq โœ”
2 802.16 IEEE 802.16 WiMAX Protocols Prasad Narayana, Ruiming Chen, Yao Zhao, Yan Chen, Zhi (Judy) Fu, and Hai Zhou โœ” Int, Seq, FinSet
3 aba-asyn-byz Asynchronous Byzantine agreement (Bracha & Toueg, 1985) Thanh Hai Tran, Igor Konnov, Josef Widder โœ” Nat
4 acp-nb Non-blocking atomic commitment with a reliable broadcast (BabaoฤŸlu & Toueg, 1993) Stephan Merz โœ” default theories
5 acp-nb-wrong Wrong version of the non-blocking atomic commitment with a reliable broadcast (BabaoฤŸlu & Toueg, 1993) Stephan Merz โœ” default theories
6 acp-sb Non-blocking atomic commitment with a simple broadcast (BabaoฤŸlu & Toueg, 1993) Stephan Merz โœ” default theories
7 allocator Specification of a resource allocator Stephan Merz โœ” FinSet
8 async-comm The diversity of asynchronous communication (Chevrou et al., 2016) Florent Chevrou, Aurรฉlie Hurault, Philippe Quรฉinnec โœ” Nat
9 bcastByz Asynchronous reliable broadcast - Figure 7 (Srikanth & Toeug, 1987) Thanh Hai Tran, Igor Konnov, Josef Widder โœ” โœ” Nat, FinSet
10 bcastFolklore Folklore reliable broadcast - Figure 4 (Chandra and Toueg, 1996) Thanh Hai Tran, Igor Konnov, Josef Widder โœ” โœ” Nat
11 bosco One-Step Byzantine asynchronous consensus (Song & Renesse, 2008) Thanh Hai Tran, Igor Konnov, Josef Widder โœ” Nat, FinSet
12 Boulangerie A variant of the bakery algorithm (Yoram & Patkin, 2015) Leslie Lamport, Stephan Merz โœ” โœ” Int โœ”
13 byihive Based on RFC3506 - Requirements and Design for Voucher Trading System (Fujimura & Eastlake) Santhosh Raju โœ” default theories
14 byzpaxos Byzantizing Paxos by Refinement (Lamport, 2011) Leslie Lamport โœ” Int, FinSet
15 c1cs Consensus in one communication step (Brasileiro et al., 2001) Thanh Hai Tran, Igor Konnov, Josef Widder โœ” Int, FinSet
16 Caesar Multi-leader generalized consensus protocol (Arun et al., 2017) Giuliano Losa โœ” FinSet, Seq, Int โœ”
17 CarTalkPuzzle A TLA+ specification of the solution to a nice puzzle. โœ” Int
18 CASPaxos An extension of the single-decree Paxos algorithm to a compare-and-swap type register (Rystsov) Tobias Schottdorf โœ” Int, FinSet
19 cbc_max Condition-based consensus (Mostefaoui et al., 2003) Thanh Hai Tran, Igor Konnov, Josef Widder โœ” Int, FinSet
20 cf1s-folklore One-step consensus with zero-degradation (Dobre & Suri, 2006) Thanh Hai Tran, Igor Konnov, Josef Widder โœ” Nat
21 ChangRoberts Leader election in a ring (Chang & Roberts, 1979) Stephan Merz โœ” Nat, Seq โœ”
22 DataPort Dataport protocal 505.89PT, only PDF files (Biggs & Noriaki, 2016) Geoffrey Biggs, Noriaki Ando Int, Seq
23 detector_chan96 Chandra and Touegโ€™s eventually perfect failure detector Thanh Hai Tran, Igor Konnov, Josef Widder โœ” Int, FinSet
24 DieHard A very elementary example based on a puzzle from a movie โœ” Nat
25 dijkstra-mutex Mutual exclusion algorithm (Dijkstra, 1965) โœ” Int โœ”
26 diskpaxos Disk Paxos (Gafni & Lamport, 2003) Leslie Lamport, Giuliano Losa โœ” Int
27 egalitarian-paxos Leaderless replication protocol based on Paxos (Moraru et al., 2013) Iulian Moraru โœ” Nat, FinSet
28 ewd840 Termination detection in a ring (Dijkstra et al., 1986) Stephan Merz โœ” โœ” Nat
70 ewd998 Shmuel safra's version of termination detection Stephan Merz, Markus Kuppe โœ” Int, FinSet
29 fastpaxos An extension of the classic Paxos algorithm, only PDF files (Lamport, 2006) Leslie Lamport Nat, FinSet
30 fpaxos A variant of Paxos with flexible quorums (Howard et al., 2017) Heidi Howard โœ” Int
31 HLC Hybrid logical clocks and hybrid vector clocks (Demirbas et al., 2014) Murat Demirbas โœ” Int โœ”
32 L1 Data center network L1 switch protocol, only PDF files (Thacker) Tom Rodeheffer FinSet, Nat, Seq
33 lamport_mutex Mutual exclusion (Lamport, 1978) Stephan Merz โœ” โœ” Nat, Seq
34 leaderless Leaderless generalized-consensus algorithms (Losa, 2016) Giuliano Losa โœ” FinSet, Int, Seq โœ”
35 losa_ap The assignment problem, a variant of the allocation problem (Delporte-Gallet, 2018) Giuliano Losa โœ” FinSet, Nat, Seq โœ”
36 losa_rda Applying peculative linearizability to fault-tolerant message-passing algorithms and shared-memory consensus, only PDF files (Losa, 2014) Giuliano Losa FinSet, Nat, Seq
37 m2paxos Multi-leader consensus protocols (Peluso et al., 2016) Giuliano Losa โœ” Int, Seq, FinSet
38 mongo-repl-tla A simplified part of Raft in MongoDB (Ongaro, 2014) Siyuan Zhou โœ” FinSet, Nat, Seq
39 MultiPaxos The abstract specification of Generalized Paxos (Lamport, 2004) Giuliano Losa โœ” Int, FinSet
40 N-Queens The N queens problem Stephan Merz โœ” Nat, Seq โœ”
41 naiad Naiad clock protocol, only PDF files (Murray et al., 2013) Tom Rodeheffer โœ” Int, Seq, FinSet
42 nbacc_ray97 Asynchronous non-blocking atomic commit (Raynal, 1997) Thanh Hai Tran, Igor Konnov, Josef Widder โœ” Nat, FinSet
43 nbacg_guer01 On the hardness of failure-sensitive agreement problems (Guerraoui, 2001) Thanh Hai Tran, Igor Konnov, Josef Widder โœ” Nat, FinSet
44 nfc04 Non-functional properties of component-based software systems (Zschaler, 2010) Steffen Zschaler โœ” Real, Nat
45 Paxos Paxos consensus algorithm (Lamport, 1998) Leslie Lamport โœ” Int, FinSet
46 Prisoners A puzzle that was presented on an American radio program. โœ” Nat, FinSet
47 raft Raft consensus algorithm (Ongaro, 2014) Diego Ongaro โœ” FinSet, Nat, Seq
48 SnapshotIsolation Serializable snapshot isolation (Cahill et al., 2010) Michael J. Cahill, Uwe Rรถhm, Alan D. Fekete โœ” FinSet, Int, Seq
49 spanning Spanning tree broadcast algorithm in Attiya and Welchโ€™s book Thanh Hai Tran, Igor Konnov, Josef Widder โœ” Int
50 SpecifyingSystems Examples to accompany the book Specifying Systems (Lamport, 2002) โœ” all modules
51 Stones The same problem as CarTalkPuzzle โœ” FinSet, Int, Seq
52 sums_even Two proofs for showing that x+x is even, for any natural number x. โœ” โœ” Int
53 SyncConsensus Synchronized round consensus algorithm (Demirbas) Murat Demirbas โœ” FinSet, Int, Seq โœ”
54 Termination Channel-counting algorithm (Kumar, 1985) Giuliano Losa โœ” Integers, FiniteSets, Apalache, Sequences โœ” โœ”
55 Tla-tortoise-hare Robert Floyd's cycle detection algorithm Lorin Hochstein โœ” Nat โœ”
56 tower_of_hanoi The well-known Towers of Hanoi puzzle. Markus Kuppe, Alexander Niederbรผhl โœ” Bit, FinSet, Int, Nat, Seq
57 transaction_commit Consensus on transaction commit (Gray & Lamport, 2006) Leslie Lamport โœ” Int
58 TransitiveClosure The transitive closure of a relation โœ” FinSet, Int, Seq
59 TwoPhase Two-phase handshaking Leslie Lamport, Stephan Merz โœ” Nat
60 VoldemortKV Voldemort distributed key value store Murat Demirbas โœ” FinSet, Int, Seq โœ”
61 Missionaries and Cannibals Missionaries and Cannibals Leslie Lamport โœ” FinSet, Int
62 Misra Reachability Algorithm Misra Reachability Algorithm Leslie Lamport โœ” โœ” Int, Seq, FiniteSets, TLC, TLAPS, NaturalsInduction โœ”
63 Loop Invariance Loop Invariance Leslie Lamport โœ” โœ” Int, Seq, FiniteSets, TLC, TLAPS, SequenceTheorems, NaturalsInduction โœ”
64 Teaching Concurrency Teaching Concurrency Leslie Lamport โœ” โœ” Int, TLAPS โœ”
65 Spanning Tree Spanning Tree Leslie Lamport โœ” Int, FiniteSets, TLC, Randomization
66 Paxos (How to win a Turing Award) Paxos Leslie Lamport โœ” Nat, Int, FiniteSets
67 Tencent-Paxos PaxosStore: high-availability storage made practical in WeChat. Proceedings of the VLDB Endowment(Zheng et al., 2017) Xingchen Yi, Hengfeng Wei โœ” โœ” Int, FiniteSets
68 Blocking Queue BlockingQueue Markus Kuppe โœ” โœ” (LiveEnv) Naturals, Sequences, FiniteSets
69 Paxos Paxos โœ” Int, FiniteSets
71 Echo Algorithm Echo Algorithm Stephan Merz โœ” Naturals, FiniteSets, Relation, TLC โœ”
72 Cigarette Smokers problem Cigarette Smokers problem Mariusz Ryndzionek โœ” Integers, FiniteSets
73 Conway's Game of Life Conway's Game of Life Mariusz Ryndzionek โœ” Integers
74 Sliding puzzles Sliding puzzles Mariusz Ryndzionek โœ” Integers
75 Lock-Free Set PlusCal spec of a lock-Free set used by TLC Markus Kuppe โœ” Sequences, FiniteSets, Integers, TLC โœ”
76 Chameneos Chameneos, a Concurrency Game Mariusz Ryndzionek โœ” Integers
77 ParallelRaft A variant of Raft Xiaosong Gu, Hengfeng Wei, Yu Huang โœ” Integers, FiniteSets, Sequences, Naturals
78 TLC MC PlusCal spec of safety checking as implemented in TLC Markus Kuppe โœ” Integers, FiniteSets, Sequences, TLC โœ”
79 TLA+ Level Checking Level-checking of TLA+ formulas as described in Specifying Systems Leslie Lamport Integers, Sequences
80 CRDT-Bug CRDT algorithm with defect and fixed version Alexander Niederbรผhl โœ” FiniteSets, Naturals, Sequences
81 asyncio-lock Bugs from old versions of Python's asyncio lock Alexander Niederbรผhl โœ” Sequences
82 Single Lane Bridge problem Single Lane Bridge Younes Akhouayri โœ” Naturals, FiniteSets, Sequences
83 Raft (with cluster changes) Raft with cluster changes, and a version with Apalache type annotations but no cluster changes George Pรฎrlea, Darius Foom, Brandon Amos, Huanchen Zhang, Daniel Ricketts โœ” Functions, SequencesExt, FiniteSetsExt, TypedBags โœ”
84 EWD687a Detecting termination in distributed computations by Edsger Dijkstra and Carel Scholten Stephan Merz (PlusCal spec), Leslie Lamport & Markus Kuppe (TLA+ spec) โœ” Integers, Graphs โœ”
85 Huang Termination detection by using distributed snapshots by Shing-Tsaan Huang Markus Kuppe โœ” DyadicRationals
86 Azure Cosmos DB Consistency models provided by Azure Cosmos DB Dharma Shukla, Ailidani Ailijiang, Murat Demirbas, Markus Kuppe โœ” Integers, Sequences, FiniteSets, Functions, SequencesExt โœ”
87 MET for CRDT-Redis Model-check the CRDT designs, then generate test cases to test CRDT implementations Yuqi Zhang โœ” Integers, Sequences, FiniteSets, TLC โœ”
88 Parallel increment Parallel threads incrementing a shared variable. Demonstrates invariants, liveness, fairness and symmetry Chris Jensen โœ” Integers, FiniteSets, TLC
89 The Streamlet consensus algorithm Specification and model-checking of both safety and liveness properties of Streamlet with TLC Giuliano Losa โœ” Sequences, Integers, FiniteSets โœ”
90 Petri Nets Instantiable Petri Nets with liveness properties Eugene Huang โœ” Integers, Sequences, FiniteSets, TLC
91 Knuth Yao & Markov Chains Knuth-Yao algorithm for simulating a sixsided die Ron Pressler, Markus Kuppe โœ” DyadicRationals
92 ewd426 - Token Stabilization Self-stabilizing systems in spite of distributed control Murat Demirbas, Markus Kuppe โœ” Naturals, FiniteSets
93 CRDT Specifying and Verifying CRDT Protocols Ye Ji, Hengfeng Wei โœ” Naturals, FiniteSets
94 Multi-Car Elevator System Directory Andrew Helwer โœ” Integers
95 Snapshot Key-Value Store Directory Andrew Helwer โœ”
96 Nano Blockchain Protocol Directory Andrew Helwer โœ” Naturals, Bags
97 Coffee Can White/Black Bean Problem Directory Andrew Helwer โœ” Naturals
98 The Slush Protocol Directory Andrew Helwer โœ” Naturals, FiniteSets, Sequences โœ”
99 SDP (Software Defined Perimeter) Specifying and Verifying SDP Protocol based Zero Trust Architecture Luming Dong, Zhi Niu โœ” FiniteSets, Sequences, Naturals
100 Simplified Fast Paxos Simplified version of Fast Paxos (Lamport, 2006) Lim Ngian Xin Terry, Gaurav Gandhi โœ” TLC, Naturals, FiniteSets, Integers
101 Learn TLAโบ Proofs Basic PlusCal algorithms and formal proofs of their correctness Andrew Helwer โœ” โœ” Sequences, Naturals, Integers, TLAPS โœ”
102 Lexicographically-Least Circular Substring Booth's 1980 algorithm to find the lexicographically-least circular substring Andrew Helwer โœ” FiniteSets, Integers, Naturals, Sequences โœ”
103 Distributed Checkpoint Coordination Algorithm for coordinating checkpoint/snapshot leases in a Paxos ring Andrew Helwer โœ” FiniteSets, Naturals, Sequences, TLC

License

The repository is under the MIT license. However, we can upload your benchmarks under your license.

Support or Contact

Do you have any questions or comments? Please open an issue or send an email to the TLA+ group.

Contributing

Do you have your own case study or TLA+ specification you'd like to share with the community? Follow these instructions:

  1. Ensure your spec is released under MIT or a similarly-permissive license
  2. Fork this repository and create a new directory under specifications with the name of your spec
  3. Place all TLA+ files in the directory, along with their .cfg model files; you are encouraged to include at least one model that completes execution in less than 10 seconds
  4. Ensure name of each .cfg file matches the .tla file it models, or has its name as a prefix; for example SpecName.tla can have the models SpecName.cfg and SpecNameLiveness.cfg, etc.
  5. Consider including a README.md in the spec directory explaining the significance of the spec with links to any relevant websites or publications, or integrate this info as comments in the spec itself
  6. Add an entry to the below table in this top-level README.md summarizing your spec and its attributes

Adding Spec to Continuous Integration

To combat bitrot, it is important to add your spec and model to the continuous integration system. To do this, you'll have to update the manifest.json file with machine-readable records of your spec files. If this process doesn't work for you, you can alternatively modify the .ciignore file to exclude your spec from validation. Otherwise, follow these directions:

  1. Ensure you have Python 3.11+ installed
  2. Download & extract tree-sitter-tlaplus (zip, tar.gz) to the root of the repository; ensure the extracted folder is named tree-sitter-tlaplus
  3. Open a shell and navigate to the repo root; ensure a C++ compiler is installed and on your path
    • On Windows, this might entail running the below script from the visual studio developer command prompt
  4. It is considered best practice to create & initialize a Python virtual environment to preserve your system package store; run python -m venv . then source ./bin/activate on Linux & macOS or .\Scripts\activate.bat on Windows (run deactivate to exit)
  5. Run pip install -r .github/scripts/requirements.txt
  6. Run python .github/scripts/generate_manifest.py
  7. Locate your spec's entry in the manifest.json file and ensure the following fields are filled out:
    • Spec title: an appropriate title for your specification
    • Spec description: a short description of your specification
    • Spec source: if this spec was first published elsewhere, provide a link to this location
    • Spec authors: a list of people who authored the spec
    • Spec tags:
      • "beginner" if your spec is appropriate for TLA+ newcomers
    • Model runtime: approximate model runtime on an ordinary workstation, in "HH:MM:SS" format
    • Model size:
      • "small" if the model can be executed in less than 10 seconds
      • "medium" if the model can be executed in less than five minutes
      • "large" if the model takes more than five minutes to execute
    • Model mode:
      • "exhaustive search" by default
      • {"simulate": {"traceCount": N}} for a simulation model
      • "generate" for model trace generation
    • Model config:
      • "ignore deadlock" if your model should ignore deadlock
    • Model result:
      • "success" if the model completes successfully
      • "safety failure" if the model violates an invariant
      • "liveness failure" if the model fails to satisfy a liveness property
      • "deadlock failure" if the model encounters deadlock
    • Other fields are auto-generated by the script; if you are adding an entry manually, ensure their values are present and correct (see other entries or the manifest-schema.json file)

Before submitted your changes to run in the CI, you can quickly check your manifest.json for errors and also check it against manifest-schema.json at https://www.jsonschemavalidator.net/.