TLA+: Lamport's Temporal Logic of Actions specification language
TLA is a linear-time temporal logic introduced by Leslie Lamport in The Temporal Logic of Actions (ACM TOPLAS 16(3), 1994, 872-923). Unlike other temporal logics, both systems and properties are represented as logical formulas, and logical connectives such as implication, conjunction, and existential quantification represent structural relations such as refinement, parallel composition, and hiding.
TLA+ is a language for specifying and verifying concurrent and distributed systems. It is based on a variant of Zermelo-Fraenkel set theory for describing the data structures manipulated by the algorithms to be verified, and on TLA for describing their dynamic behavior. TLA+ has been applied to numerous case studies.
This directory formalizes TLA+ in Isabelle (version 2009-1), as follows:
- The PredicateLogic theory defines classical first-order logic as a basis for an encoding of TLA+. TLA+ is untyped, to the extent that it does not even distinguish between terms and formulas. We therefore declare a single type c that represents the universe of "constants" rather than introducing the traditional types i and o of first-order logic that, for example, underlie Isabelle/ZF.
- The SetTheory theory defines the basic syntax and axiomatization of set theory.
- The FixedPoints theory develops the Knaster-Tarski theorems for least and greatest fixed points in the subset lattice. This development is used for the construction of natural numbers; it also serves as a test for the encoding of TLA+ set theory.
- Functions theory: functions in TLA+ are not defined (e.g., as sets of pairs) but axiomatized, and in fact pairs and tuples are later defined as special functions. Incidentally, this approach helps us to identify functional values and to automate the reasoning about them. This theory considers only unary functions; functions with multiple arguments are defined as functions over products.
- Peano theory: Peano's axioms for natural numbers. We prove the existence of a structure satisfying these axioms and derive the set of natural numbers.
- NatOrderings theory: introduces the order <= over natural numbers. It also defines a < b (for arbitrary values) as a <= b & a # b, and proves many lemmas about these orders. It also defines intervals m .. n for natural numbers m and n.
- The Tuples theory defines tuples and relations in TLA+. Tuples are functions whose domains are intervals of the form 1 .. n, for some natural number n, and relations are sets of tuples. This theory also introduces the notation [x : S, y : T] to denote the set of functions f with domain {x,y} such that f[x] \in S and f[y] \in T. Finally, this theory introduces standard notions for binary relations, such as orderings, equivalence relations and so on.
- CaseExpressions theory: reasoning about CASE expressions in TLA+.
- Strings theory: encoding of characters and strings (written with two single quotes: ''string''). Characters are represented as pairs of hexadecimal numbers; strings are sequences of characters. Records should be written as finite functions, e.g. (''foo'' :> 1) @@ (''bar'' :> TRUE), and sets of records can be written using the notation for sets of finite functions introduced in theory Tuples.
- NatArith theory: addition, subtraction, and multiplication over natural numbers. The subtraction (written --) is defined such that the result is cut off at 0: this is different from the standard difference over integers.
- NatDivision theory: divisibility relation, division and modulus for natural numbers.
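The following is an added executable model (written for this page, not part of the Isabelle/TLA+ development) of the encoding described in the Functions, Tuples, Strings, NatOrderings and NatArith items: finite functions are the only primitive, tuples are functions with domain 1 .. n, records are built with :> and @@, a set of records [x : S, y : T] is a set of finite functions, and -- is cut off at 0. The left-biased meaning of @@ (the left operand wins on common arguments) is assumed from TLC's TLC module.

```python
from itertools import product

class Fn:
    """A finite TLA+ function: an immutable map from its DOMAIN to values."""
    def __init__(self, mapping):
        self._m = dict(mapping)

    @property
    def domain(self):                  # DOMAIN f
        return frozenset(self._m)

    def __getitem__(self, x):          # f[x], defined only for x in DOMAIN f
        return self._m[x]

    def __eq__(self, other):           # equal iff same domain and same values
        return isinstance(other, Fn) and self._m == other._m

    def __hash__(self):
        return hash(frozenset(self._m.items()))

def single(d, e):
    """d :> e : the function with domain {d} that maps d to e."""
    return Fn({d: e})

def merge(f, g):
    """f @@ g : the domain is the union of both domains; on common arguments
    f wins (assumed convention, taken from TLC's TLC module)."""
    return Fn({**g._m, **f._m})

def tuple_fn(*vals):
    """A tuple <<v1, ..., vn>> is the function with domain 1 .. n, i |-> vi."""
    return Fn({i + 1: v for i, v in enumerate(vals)})

def in_record_set(f, **fields):
    """f in [x : S, y : T] iff DOMAIN f = {x, y}, f[x] in S and f[y] in T."""
    return f.domain == frozenset(fields) and all(f[n] in s for n, s in fields.items())

def record_set(**fields):
    """Enumerate [x : S, y : T] by choosing one value per field."""
    names = list(fields)
    return frozenset(Fn(zip(names, vals)) for vals in product(*(fields[n] for n in names)))

def minus(a, b):
    """NatArith's a -- b : subtraction over naturals, cut off at 0."""
    return a - b if a >= b else 0

def less(a, b):
    """NatOrderings' a < b, defined as a <= b & a # b."""
    return a <= b and a != b
```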
The theories are accompanied by two examples:
- Allocator: a case study for the specification and analysis of reactive systems in TLA+. This theory contains some elementary invariant proofs over a specification that uses basic set theory.
- AtomicBakeryG: proof of type correctness and mutual exclusion for the well-known Bakery algorithm for N processes.
Stephan Merz
Last modified: Mon Jun 8 11:15:49 CET 2009