Home > Store

Specifying Systems: The TLA+ Language and Tools for Hardware and Software Engineers

Register your product to gain access to bonus material or receive a coupon.

Specifying Systems: The TLA+ Language and Tools for Hardware and Software Engineers

Book

  • Your Price: $35.99
  • List Price: $44.99
  • Usually ships in 24 hours.

Description

  • Copyright 2003
  • Dimensions: 7-3/8" x 9-1/4"
  • Pages: 384
  • Edition: 1st
  • Book
  • ISBN-10: 0-321-14306-X
  • ISBN-13: 978-0-321-14306-8

This book is the distillation of over 25 years of work by one of the world's most renowned computer scientists. A specification is a written description of what a system is supposed to do, plus a way of checking to make sure that it works. Specifying a system helps us understand it. It's a good idea to understand a system before building it, so it's a good idea to write a specification of a system before implementing it. The most effective tool to describe a specification is the Temporal Logic of Actions, or TLA, because it provides a mathematical, i.e. precise, foundation for describing systems. TLA+ is the language the author developed to write the mathematical specifications. TLA+ is available freely on the web. It can be used for both software and hardware. In fact, Intel is using TLA+ with great success in the design of a new chip. The book is divided into four parts. The first part contains all that most programmers and engineers need to know about writing specifications. The second part contains more advanced material for more sophisticated readers. The third and fourth parts comprise a reference manual for TLA+ - both the language itself as well as its tools.

Sample Content

Online Sample Chapter

Using TLA+ to Write Specifications for an Asynchronous Interface

Downloadable Sample Chapter

Click below for Sample Chapter(s) related to this title:
Sample Chapter 3

Table of Contents



List of Figures and Tables.


Acknowledgments.


Introduction.

I. Getting Started.

1. A Little Simple Math.

Propositional Logic.

Sets.

Predicate Logic.

Formulas and Language.

2. Specifying a Simple Clock.

Behaviors.

An Hour Clock.

A Closer Look at the Specification.

The Specification in TLA+.

An Alternative Specification.

3. An Asynchronous Interface.

The First Specification.

Another Specification.

Types: A Reminder.

Definitions.

Comments.

4. A FIFO.

The Inner Specification.

Instantiation Examined.

Instantiation Is Substitution.

Parametrized Instantiation.

Implicit Substitutions.

Instantiation Without Renaming.

Hiding the Queue.

A Bounded FIFO.

What We're Specifying.

5. A Caching Memory.

The Memory Interface.

Functions.

A Linearizable Memory.

Tuples as Functions.

Recursive Function Definitions.

A Write-Through Cache.

Invariance.

Proving Implementation.

6. Some More Math.

Sets.

Silly Expressions.

Recursion Revisited.

Functions versus Operators.

Using Functions.

Choose.

7. Writing a Specification: Some Advice.

Why Specify.

What to Specify.

The Grain of Atomicity.

The Data Structures.

Writing the Specification.

Some Further Hints.

When and How to Specify.

II: More Advanced Topics.

8. Liveness and Fairness.

Temporal Formulas.

Temporal Tautologies.

Temporal Proof Rules.

Weak Fairness.

The Memory Specification.

The Liveness Requirement.

Another Way to Write It.

A Generalization.

Strong Fairness.

The Write-Through Cache.

Quantification.

Temporal Logic Examined.

A Review.

Machine Closure.

Machine Closure and Possibility.

Refinement Mappings and Fairness.

The Unimportance of Liveness.

Temporal Logic Considered Confusing.

9. Real Time.

The Hour Clock Revisited.

Real-Time Specifications in General.

A Real-Time Caching Memory.

Zeno Specifications.

Hybrid System Specifications.

Remarks on Real Time.

10. Composing Specifications.

Composing Two Specifications.

Composing Many Specifications.

The FIFO.

Composition with Shared State.

Explicit State Changes.

Composition with Joint Actions.

A Brief Review.

A Taxonomy of Composition.

Interleaving Reconsidered.

Joint Actions Reconsidered.

Liveness and Hiding.

Liveness and Machine Closure.

Hiding.

Open-System Specifications.

Interface Refinement.

A Binary Hour Clock.

Refining a Channel.

Interface Refinement in General.

Open-System Specifications.

Should You Compose?.

11. Advanced Examples.

Specifying Data Structures.

Local Definitions.

Graphs.

Solving Differential Equations.

BNF Grammars.

Other Memory Specifications.

The Interface.

The Correctness Condition.

A Serial Memory.

A Sequentially Consistent Memory.

The Memory Specifications Considered.

III: The Tools.

12. The Syntactic Analyzer.
13. The TLATEX Typesetter.

Introduction.

Comment Shading.

How It Typesets the Specification.

How It Typesets Comments.

Adjusting the Output Format.

Output Files.

Trouble-Shooting.

Using LATEX Commands.

14. The TLC Model Checker.

Introduction to TLC.

What TLC Can Cope With.

TLC Values.

How TLC Evaluates Expressions.

Assignment and Replacement.

Evaluating Temporal Formulas.

Overriding Modules.

How TLC Computes States.

How TLC Checks Properties.

Model-Checking Mode.

Simulation Mode.

Views and Fingerprints.

Taking Advantage of Symmetry.

Limitations of Liveness Checking.

The TLC Module.

How to Use TLC.

Running TLC.

Debugging a Specification.

Hints on Using TLC Effectively.

What TLC Doesn't Do.

The Fine Print.

The Grammar of the Configuration File.

Comparable TLC Values.

IV: The TLA+ Language.

Mini-Manual 268-273.
15. The Syntax of TLA+.

The Simple Grammar.

The Complete Grammar.

Precedence and Associativity.

Alignment.

Comments.

Temporal Formulas.

Two Anomalies.

The Lexemes of TLA+.

16. The Operators of TLA+.

Constant Operators.

Boolean Operators.

The Choose Operator.

Interpretations of Boolean Operators.

Conditional Constructs.

The Let/In Construct.

The Operators of Set Theory.

Functions.

Records.

Tuples.

Strings.

Numbers.

. Nonconstant Operators.

Basic Constant Expressions.

The Meaning of a State Function.

Action Operators.

Temporal Operators.

17. The Meaning of a Module.

Operators and Expressions.

The Order and Arity of an Operator.

¿¿ Expressions.

Simplifying Operator Application.

Expressions.

Levels.

Contexts.

The Meaning of a ¿¿ Expression.

The Meaning of a Module.

Extends.

Declarations.

Operator Definitions.

Function Definitions.

Instantiation.

Theorems and Assumptions.

Submodules.

Correctness of a Module.

Finding Modules.

The Semantics of Instantiation.

18. The Standard Modules.

Module Sequences.

Module FiniteSets.

Module Bags.

The Numbers Modules.

Index. 032114306XT07022002

Preface

This book will teach you how to write specifications of computer systems, using the language TLA+. It's rather long, but most people will read only Part I, which comprises the first 83 pages. That part contains all that most engineers need to know about writing specifications; it assumes only the basic background in computing and knowledge of mathematics expected of an undergraduate studying engineering or computer science. Part II contains more advanced material for more sophisticated readers. The remainder of the book is a reference manual--Part III for the TLA+ tools and Part IV for the language itself.

The TLA World Wide Web page contains material to accompany the book, including the TLA+ tools, exercises, references to the literature, and a list of corrections. There is a link to the TLA Web page on http://lamport.org.

What Is a Specification?

Writing is nature's way of letting you know how sloppy your thinking is.
-Guindon

A specification is a written description of what a system is supposed to do. Specifying a system helps us understand it. It's a good idea to understand a system before building it, so it's a good idea to write a specification of a system before implementing it.

This book is about specifying the behavioral properties of a system--also called its functional or logical properties. These are the properties that specify what the system is supposed to do. There are other important kinds of properties that we don't consider, including performance properties. Worst-case performance can often be expressed as a behavioral property--for example, Chapter 9 explains how to specify that a system must react within a certain length of time. However, specifying average performance is beyond the scope of the methods described here.

Our basic tool for writing specifications is mathematics. Mathematics is nature's way of letting you know how sloppy your writing is. It's hard to be precise in an imprecise language like English or Chinese. In engineering, imprecision can lead to errors. To avoid errors, science and engineering have adopted mathematics as their language.

The mathematics we use is more formal than the math you've grown up with. Formal mathematics is nature's way of letting you know how sloppy your mathematics is. The mathematics written by most mathematicians and scientists is not really precise. It's precise in the small, but imprecise in the large. Each equation is a precise assertion, but you have to read the accompanying words to understand how the equations relate to one another and exactly what the theorems mean. Logicians have developed ways of eliminating those words and making the mathematics completely formal, and hence completely precise.

Most mathematicians and scientists think that formal mathematics, without words, is long and tiresome. They're wrong. Ordinary mathematics can be expressed compactly in a precise, completely formal language. It takes only about two dozen lines to define the solution to an arbitrary differential equation in the Differential Equations module of Chapter 11. But few specifications need such sophisticated mathematics. Most require only simple application of a few standard mathematical concepts.

Why TLA+?

We specify a system by describing its allowed behaviors--what it may do in the course of an execution. In 1977, Amir Pnueli introduced the use of temporal logic for describing system behaviors. In principle, a system could be described by a single temporal logic formula. In practice, it couldn't. Pnueli's temporal logic was ideal for describing some properties of systems, but awkward for others. So, it was usually combined with a more traditional way of describing systems.

In the late 1980s, I invented TLA, the Temporal Logic of Actions--a simple variant of Pnueli's original logic. TLA makes it practical to describe a system by a single formula. Most of a TLA specification consists of ordinary, nontemporal mathematics. Temporal logic plays a significant role only in describing those properties that it's good at describing. TLA also provides a nice way to formalize the style of reasoning about systems that has proved to be most effective in practice--a style known as assertional reasoning. However, this book is about specification; it says almost nothing about proofs.

Temporal logic assumes an underlying logic for expressing ordinary mathematics. There are many ways to formalize ordinary math. Most computer scientists prefer one that resembles their favorite programming language. I chose instead the one that most mathematicians prefer--the one logicians call first-order logic and set theory.

TLA provides a mathematical foundation for describing systems. To write specifications, we need a complete language built atop that foundation. I initially thought that this language should be some sort of abstract programming language whose semantics would be based on TLA. I didn't know what kind of programming language constructs would be best, so I decided to start writing specifications directly in TLA. I intended to introduce programming constructs as I needed them. To my surprise, I discovered that I didn't need them. What I needed was a robust language for writing mathematics.

Although mathematicians have developed the science of writing formulas, they haven't turned that science into an engineering discipline. They have developed notations for mathematics in the small, but not for mathematics in the large. The specification of a real system can be dozens or even hundreds of pages long. Mathematicians know how to write 20-line formulas, not 20-page formulas. So, I had to introduce notations for writing long formulas. What I took from programming languages were ideas for modularizing large specifications.

The language I came up with is called TLA+. I refined TLA+ in the course of writing specifications of disparate systems. But it has changed little in the last few years. I have found TLA+ to be quite good for specifying a wide class of systems--from program interfaces (APIs) to distributed systems. It can be used to write a precise, formal description of almost any sort of discrete system. It's especially well suited to describing asynchronous systems--that is, systems with components that do not operate in strict lock-step.

About This Book

Part I, consisting of Chapters 1 through 7, is the core of the book and is meant to be read from beginning to end. It explains how to specify the class of properties known as safety properties. These properties, which can be specified with almost no temporal logic, are all that most engineers need to know about. After reading Part I, you can read as much of Part II as you like. Each of its chapters is independent of the others. Temporal logic comes to the fore in Chapter 8, where it is used to specify the additional class of properties known as liveness properties. Chapter 9 describes how to specify real-time properties, and Chapter 10 describes how to write specifications as compositions. Chapter 11 contains more advanced examples.

The three chapters in Part III serve as the reference manual for three TLA+ tools: the Syntactic Analyzer, the TLATEX typesetting program, and the TLC model checker. If you want to use TLA+, then you probably want to use these tools. They are available from the TLA Web page. TLC is the most sophisticated of them. The examples on the Web can get you started using it, but you'll have to read Chapter 14 to learn to use TLC effectively.

Part IV is a reference manual for the TLA+ language. Part I provides a good enough working knowledge of the language for most purposes. You need look at Part IV only if you have questions about the fine points of the syntax and semantics. Chapter 15 gives the syntax of TLA+. Chapter 16 describes the precise meanings and the general forms of all the built-in operators of TLA+; Chapter 17 describes the precise meaning of all the higher-level TLA+ constructs such as definitions. Together, these two chapters specify the semantics of the language. Chapter 18 describes the standard modules--except for module RealTime, described in Chapter 9, and module TLC, described in Chapter 14. You might want to look at this chapter if you're curious about how standard elementary mathematics can be formalized in TLA+.

Part IV does have something you may want to refer to often: a mini-manual that compactly presents lots of useful information. Pages 268-273 list all TLA+ operators, all user-definable symbols, the precedence of all operators, all operators defined in the standard modules, and the ASCII representation of symbols.



032114306XP05082002

Index

Click below to download the Index file related to this title:
Index

Updates

Submit Errata

More Information

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020