

# Apalache: symbolic model checker for TLA<sup>+</sup>

[TLA+ tutorial at DISC 2021](#)

Igor Konnov <[igor@informal.systems](mailto:igor@informal.systems)>

# Material for this talk

[ [github.com/informalsystems/tla-apalache-workshop](https://github.com/informalsystems/tla-apalache-workshop) ]



*specs,  
commands,  
longer talk*



Apalache Documentation

## Apalache Manual

Authors: Igor Konnov, Jure Kukovec, Andrey Kuprianov, Shon Feder

Contact: {igor, andrey, shon} at informal.systems, jkukovec at forsyte.at

Apalache is a symbolic model checker for [TLA+](#). (*Still looking for a better tool name.*) Our checker is a recent alternative to [TLC](#). Whereas TLC enumerates the states produced by behaviors of a TLA+ specification, Apalache translates the verification problem to a set constraints. These constraints are solved by an [SMT solver](#), for instance, by Microsoft's Apalache operates on formulas (i.e., *symbolically*), not by enumerating states one by one *enumeration*).

Apalache is working under the following assumptions:

1. As in TLC, all specification parameters are fixed and finite, i.e., the system state is with integers, finite sets, and functions of finite domains and co-domains.
2. As in TLC, all data structures evaluated during an execution are finite, e.g., a system specification cannot operate on the set of all integers.
3. Only finite executions of bounded length are analyzed.

The screenshot shows a terminal window with the following content:

```
igor@pumpkin:~/dev/informal/tla-apalache-workshop/examples/clock-sync
15:55:02 igor@pumpkin ...tla-apalache-workshop/examples/clock-sync 2.7.
1 3.8.6 2.7.17 main ✘ ★
$
```

The terminal title is "igor@pumpkin:~/dev/informal/tla-apalache-workshop/examples/clock-sync". The status bar at the bottom of the terminal window displays the date and time (15:55:02), the user (igor), the host (pumpkin), the path (...tla-apalache-workshop/examples/clock-sync), the version (2.7), and the build number (1). The status bar also shows the current branch (main) and build status (★).

[apalache.informal.systems/docs/](http://apalache.informal.systems/docs/)

# **Example:**

# **clock synchronization**



# Clock sync. problem



# Property: bounded clock skew

$$|AC(p) - AC(q)| \leq \epsilon \quad \text{for } p, q \in Proc$$

---

**Algorithm 20** A clock synchronization algorithm for  $n$  processors:

---

code for processor  $p_i$ ,  $0 \leq i \leq n - 1$ .initially  $diff[i] = 0$ 

1: at first computation step:

2: send  $HC$  (current hardware clock value) to all other processors3: upon receiving message  $T$  from some  $p_j$ :4:  $diff[j] := T + d - u/2 - HC$ 

5: if a message has been received from every other processor then

6:  $adj := \frac{1}{n} \sum_{k=0}^{n-1} diff[k]$ 

---



# **How to turn 6 lines of pseudo-code**

**+ 9 pages of math text**

# **into 170 lines of TLA+**

# Incremental spec writing



# Version 1: introduce clocks (1)

```
MODULE ClockSync1
  * Incremental TLA+ specification of the clock synchronization algorithm from:
  *
  * Hagit Attiya, Jennifer Welch. Distributed Computing. Wiley Interscience, 2004,
  * p. 147, Algorithm 20.
  *
  * Assumptions: timestamps are natural numbers, not reals.
  *
  * Version 1: Setting up the clocks
```

```
EXTENDS Integers
```

VARIABLES  
the reference clock, inaccessible to the processes

```
@type: Int;  
time,  
hardware clock of a process  
@type: Str → Int;  
hc,  
clock adjustment of a process  
@type: Str → Int;  
adj
```

```
***** DEFINITIONS *****
```

we fix the set to contain two processes  
 $Proc \triangleq \{\text{``p1''}, \text{``p2''}\}$

the adjusted clock of process  $i$   
 $AC(i) \triangleq hc[i] + adj[i]$

```
***** INITIALIZATION *****
```

Initialization  
 $Init \triangleq$   
 $\wedge time \in Nat$   
 $\wedge hc \in [Proc \rightarrow Nat]$   
 $\wedge adj = [p \in Proc \mapsto 0]$

```
***** ACTIONS *****
```

let the time flow  
 $AdvanceClocks(delta) \triangleq$   
 $\wedge delta > 0$   
 $\wedge time' = time + delta$   
 $\wedge hc' = [p \in Proc \mapsto hc[p] + delta]$   
 $\wedge \text{UNCHANGED } adj$

all actions together

EXTENDS *Integers*

VARIABLES

the reference clock, inaccessible to the processes

```
@type: Int;
```

*time*,

hardware clock of a process

```
@type: Str → Int;
```

*hc*,

clock adjustment of a process

```
@type: Str → Int;
```

*adj*

# Version 1: introduce clocks (2)

```
MODULE ClockSync1
  * Incremental TLA+ specification of the clock synchronization algorithm from:
  *
  * Hagit Attiya, Jennifer Welch. Distributed Computing. Wiley Interscience, 2004,
  * p. 147, Algorithm 20.
  *
  * Assumptions: timestamps are natural numbers, not reals.
  *
  * Version 1: Setting up the clocks
```

EXTENDS *Integers*

VARIABLES

- the reference clock, inaccessible to the processes  
@type: *Int*;
- time*,
- hardware clock of a process  
@type: *Str* → *Int*;
- hc*,
- clock adjustment of a process  
@type: *Str* → *Int*;
- adj*

\*\*\*\*\* DEFINITIONS \*\*\*\*\*

we fix the set to contain two processes  
 $Proc \triangleq \{\text{``p1''}, \text{``p2''}\}$

the adjusted clock of process  $i$   
 $AC(i) \triangleq hc[i] + adj[i]$

\*\*\*\*\* INITIALIZATION \*\*\*\*\*

Initialization  
 $Init \triangleq$

- $\wedge time \in Nat$
- $\wedge hc \in [Proc \rightarrow Nat]$
- $\wedge adj = [p \in Proc \mapsto 0]$

\*\*\*\*\* ACTIONS \*\*\*\*\*

let the time flow  
 $AdvanceClocks(delta) \triangleq$

- $\wedge delta > 0$
- $\wedge time' = time + delta$
- $\wedge hc' = [p \in Proc \mapsto hc[p] + delta]$
- $\wedge \text{UNCHANGED } adj$

all actions together

\*\*\*\*\* DEFINITIONS \*\*\*\*\*

we fix the set to contain two processes

$$Proc \triangleq \{\text{``p1''}, \text{``p2''}\}$$

the adjusted clock of process  $i$

$$AC(i) \triangleq hc[i] + adj[i]$$

\*\*\*\*\* INITIALIZATION \*\*\*\*\*

Initialization

$$\begin{aligned} Init \triangleq \\ \wedge time \in Nat \\ \wedge hc \in [Proc \rightarrow Nat] \\ \wedge adj = [p \in Proc \mapsto 0] \end{aligned}$$

Bounded data  
structures!

# Version 1: introduce clocks (3)

```
MODULE ClockSync1
  * Incremental TLA+ specification of the clock synchronization algorithm from:
  *
  * Hagit Attiya, Jennifer Welch. Distributed Computing. Wiley Interscience, 2004,
  * p. 147, Algorithm 20.
  *
  * Assumptions: timestamps are natural numbers, not reals.
  *
  * Version 1: Setting up the clocks
```

EXTENDS *Integers*

VARIABLES

```
the reference clock, inaccessible to the processes
@type: Int;
time,
hardware clock of a process
@type: Str → Int;
hc,
clock adjustment of a process
@type: Str → Int;
adj
```

\*\*\*\*\* DEFINITIONS \*\*\*\*\*

we fix the set to contain two processes  
 $Proc \triangleq \{\text{"p1"}, \text{"p2"}\}$

the adjusted clock of process  $i$   
 $AC(i) \triangleq hc[i] + adj[i]$

\*\*\*\*\* INITIALIZATION \*\*\*\*\*

Initialization

 $Init \triangleq$ 

- $\wedge time \in Nat$
- $\wedge hc \in [Proc \rightarrow Nat]$
- $\wedge adj = [p \in Proc \mapsto 0]$

\*\*\*\*\* ACTIONS \*\*\*\*\*

let the time flow  
 $AdvanceClocks(delta) \triangleq$ 

- $\wedge delta > 0$
- $\wedge time' = time + delta$
- $\wedge hc' = [p \in Proc \mapsto hc[p] + delta]$
- $\wedge \text{UNCHANGED } adj$

all actions together

\*\*\*\*\* ACTIONS \*\*\*\*\*

let the time flow

$$AdvanceClocks(delta) \triangleq$$

$$\wedge delta > 0$$

$$\wedge time' = time + delta$$

$$\wedge hc' = [p \in Proc \mapsto hc[p] + delta]$$

$$\wedge \text{UNCHANGED } adj$$

all actions together

$$Next \triangleq$$

$$\exists delta \in Int :$$

$$AdvanceClocks(delta)$$

# Run apalache

A screenshot of a terminal window titled "igor@pumpkin:~/devl/informal/tla-apalache-workshop/examples/clock-sync". The window has a light beige background and a dark grey header bar. The title bar shows the path: "...tla-apalache-workshop/examples/clock-sync". The status bar at the bottom of the window displays the time "17:58:22", the user "igor@pumpkin", the repository name "...tla-apalache-workshop/examples/clock-sync", and the branch "2.7.". Below the status bar, there is a navigation bar with colored arrows and icons: a red arrow with the number "1", a green icon, a yellow arrow with the text "3.8.6 2.7.17", a blue arrow pointing up labeled "main", a red star icon, and a yellow star icon. The main body of the terminal is empty, showing only a single dollar sign (\$) prompt.

# **bounded model checking explained**

# Symbolic execution

| Frame 0                            | Frame 1                                                          | Frame 2                                                          | ... | Frame 10                                                                     |
|------------------------------------|------------------------------------------------------------------|------------------------------------------------------------------|-----|------------------------------------------------------------------------------|
| $time_0 = 0$                       | $time_1 = time_0 + \delta_1$                                     | $time_2 = time_1 + \delta_2$                                     |     | $time_{10} = time_9 + \delta_{10}$                                           |
| $hc[1]_0 = c_1$<br>$hc[2]_0 = c_2$ | $hc[1]_1 = hc[1]_0 + \delta_1$<br>$hc[2]_1 = hc[2]_0 + \delta_1$ | $hc[1]_2 = hc[1]_1 + \delta_2$<br>$hc[2]_2 = hc[2]_1 + \delta_2$ |     | $hc[1]_{10} = hc[1]_9 + \delta_{10}$<br>$hc[2]_{10} = hc[2]_9 + \delta_{10}$ |
| $adj[1]_0 = 0$<br>$adj[2]_0 = 0$   | $adj_1 = adj_0$                                                  | $adj_2 = adj_1$                                                  |     | $adj_{10} = adj_9$                                                           |

A *frame* represents multiple concrete states (symbolically)

# Bounded model checking (0 steps)

$time_0 = 0$

$\wedge$

$hc[1]_0 = c_1$

$\wedge$

$hc[2]_0 = c_2$

$\wedge$

$adj[1]_0 = 0$

$\wedge$

$adj[2]_0 = 0$

**Apalache: satisfiable?**

**Z3: Yes, here is a model**

**Apalache: one more step**

# Bounded model checking (1 step)

$$time_0 = 0$$

$\wedge$

$$hc[1]_0 = c_1$$

$\wedge$

$$hc[2]_0 = c_2$$

$\wedge$

$$adj[1]_0 = 0$$

$\wedge$

$$adj[2]_0 = 0$$

$$time_1 = time_0 + \delta_1$$

$\wedge$

$$hc[1]_1 = hc[1]_0 + \delta_1$$

$\wedge$

$$hc[2]_1 = hc[2]_0 + \delta_1$$

$\wedge$

$$adj_1 = adj_0$$

**Apalache: satisfiable?**

**Z3: Yes, here is a model**

**Apalache: one more step**

# Bounded model checking (2 steps)

$$time_0 = 0$$

$\wedge$

$$hc[1]_0 = c_1$$

$\wedge$

$$hc[2]_0 = c_2$$

$\wedge$

$$adj[1]_0 = 0$$

$\wedge$

$$adj[2]_0 = 0$$

$$time_1 = time_0 + \delta_1$$

$\wedge$

$$hc[1]_1 = hc[1]_0 + \delta_1$$

$\wedge$

$$hc[2]_1 = hc[2]_0 + \delta_1$$

$\wedge$

$$adj_1 = adj_0$$

$$time_2 = time_1 + \delta_2$$

$\wedge$

$$hc[1]_2 = hc[1]_1 + \delta_2$$

$\wedge$

$$hc[2]_2 = hc[2]_1 + \delta_2$$

$\wedge$

$$adj_2 = adj_1$$

**A: SAT?**

**Z3: yes**

**A: go on**

# Symbolic exploration

By default, Apalache:

- finds enabled actions, e.g., *AdvanceClocks*
- adds non-deterministic choice of one enabled action
- extends the symbolic execution by one more step
- until the bound is reached, e.g., 10 steps



one action



two actions

# Symbolic vs. concrete executions

$$time_0 = 0$$

$\wedge$

$$hc[1]_0 = c_1$$

$\wedge$

$$hc[2]_0 = c_2$$

$\wedge$

$$adj[1]_0 = 0$$

$\wedge$

$$adj[2]_0 = 0$$

$$time_1 = time_0 + \delta_1$$

$\wedge$

$$time_2 = time_1 + \delta_2$$

$\wedge$

infinitely many solutions:  
infinite number of states and  
executions!

$$adj_1 = adj_0$$

$$adj_2 = adj_1$$

# Checking an invariant (candidate)

the adjusted clock of process  $i$

$$AC(i) \triangleq hc[i] + adj[i]$$

---

$$NaiveSkewInv \triangleq$$

$$\forall p, q \in Proc :$$

$$AC(p) = AC(q)$$

$$\begin{aligned} time_0 &= 0 \\ \wedge \\ hc[1]_0 &= c_1 \\ \wedge \quad \wedge \quad &hc[p]_0 + adj[p]_0 \neq hc[q]_0 + adj[q]_0 \\ hc[2]_0 &= c_2 \\ \wedge \\ adj[1]_0 &= 0 \\ \wedge \\ adj[2]_0 &= 0 \end{aligned}$$

**Apalache: SAT?**

**Z3: yes**

**A: error!**



● ● ●

igor@pumpkin:~/devl/informal/tla-apalache-workshop/examples/clock-sync

✖✖1

```
> Your types are great! I@15:59:54.017
> All expressions are typed I@15:59:54.018
PASS #13: BoundedChecker I@15:59:54.064
Step 0: picking a transition out of 1 transition(s) I@15:59:54.539
Step 1: picking a transition out of 1 transition(s) I@15:59:54.591
Step 2: picking a transition out of 1 transition(s) I@15:59:54.622
Step 3: picking a transition out of 1 transition(s) I@15:59:54.653
Step 4: picking a transition out of 1 transition(s) I@15:59:54.687
Step 5: picking a transition out of 1 transition(s) I@15:59:54.715
Step 6: picking a transition out of 1 transition(s) I@15:59:54.750
Step 7: picking a transition out of 1 transition(s) I@15:59:54.782
Step 8: picking a transition out of 1 transition(s) I@15:59:54.824
Step 9: picking a transition out of 1 transition(s) I@15:59:54.856
Step 10: picking a transition out of 1 transition(s) I@15:59:54.884
The outcome is: NoError I@15:59:54.904
PASS #14: Terminal I@15:59:54.908
Checker reports no error up to computation length 10 I@15:59:54.911
It took me 0 days 0 hours 0 min 3 sec ↵ I@15:59:54.914
Total time: 3.813 sec I@15:59:54.916
EXITCODE: 0K
```

21:51:39 ➤ igor@pumpkin ➤ ...tla-apalache-workshop/examples/clock-sync ➤ 2.7.  
1 ➤ 3.8.6 2.7.17 ➤ ↴ main ✘ \* ★ ➤ 6s

# Writing basic tests

---

MODULE *MC\_ClockSync1*

VARIABLES

the reference clock, inaccessible to the processes  
 $\text{@type: } \text{Int;}$   
*time*,  
 hardware clock of a process  
 $\text{@type: } \text{Str} \rightarrow \text{Int;}$   
*hc*,  
 clock adjustment of a process  
 $\text{@type: } \text{Str} \rightarrow \text{Int;}$   
*adj*

INSTANCE *ClockSync1*

test that the clocks are non-decreasing

$\text{Test1\_Init} \triangleq$   
 $\wedge \text{time} \in \text{Nat}$   
 $\wedge \text{hc} \in [\text{Proc} \rightarrow \text{Nat}]$   
 $\wedge \text{adj} \in [\text{Proc} \rightarrow \text{Int}]$

$\text{Test1\_Next} \triangleq$   
 $\exists \text{delta} \in \text{Int} :$   
 $\text{AdvanceClocks}(\text{delta})$

$\text{Test1\_Inv} \triangleq$   
 $\wedge \text{time}' \geq \text{time}$   
 $\wedge \forall p \in \text{Proc} : \text{hc}'[p] \geq \text{hc}[p]$

---

INSTANCE *ClockSync1*

test that the clocks are non-decreasing

$\text{Test1\_Init} \triangleq$   
 $\wedge \text{time} \in \text{Nat}$   
 $\wedge \text{hc} \in [\text{Proc} \rightarrow \text{Nat}]$   
 $\wedge \text{adj} \in [\text{Proc} \rightarrow \text{Int}]$

$\text{Test1\_Next} \triangleq$   
 $\exists \text{delta} \in \text{Int} :$   
 $\text{AdvanceClocks}(\text{delta})$

$\text{Test1\_Inv} \triangleq$   
 $\wedge \text{time}' \geq \text{time}$   
 $\wedge \forall p \in \text{Proc} : \text{hc}'[p] \geq \text{hc}[p]$

# **version 2: sending messages**

# States

```
CONSTANTS
    minimum message delay
        @type: Int;
    t_min,
    maximum message delay
        @type: Int;
    t_max

ASSUME ( $t_{\text{min}} \geq 0 \wedge t_{\text{max}} \geq t_{\text{min}}$ )

VARIABLES
    the reference clock, inaccessible to the processes
        @type: Int;
    time,
    hardware clock of a process
        @type: Str → Int;
    hc,
    clock adjustment of a process
        @type: Str → Int;
    adj,
    messages sent by the processes
        @type: Set([src : Str, ts : Int]);
    msgs,
    the control state of a process
        @type: Str → Str;
    state

***** DEFINITIONS *****
we fix the set to contain two processes
Proc  $\triangleq$  {"p1", "p2"}

control states
State  $\triangleq$  {"init", "sent", "done"}
```

## CONSTANTS

minimum message delay

@type: *Int*;

$t_{\text{min}}$ ,

maximum message delay

@type: *Int*;

$t_{\text{max}}$

ASSUME ( $t_{\text{min}} \geq 0 \wedge t_{\text{max}} \geq t_{\text{min}}$ )

## VARIABLES

messages sent by the processes

@type: *Set*([src : Str, ts : Int]);

$msgs$ ,

the control state of a process

@type: Str → Str;

$state$

# Action SendMsg

$$AC(i) \triangleq hc[i] + adj[i]$$

\*\*\*\*\* INITIALIZATION \*\*\*\*\*

Initialization

$$\begin{aligned} Init &\triangleq \\ &\wedge time \in Nat \\ &\wedge hc \in [Proc \rightarrow Nat] \\ &\wedge adj = [p \in Proc \mapsto 0] \\ &\wedge state = [p \in Proc \mapsto "init"] \\ &\wedge msgs = \{\} \end{aligned}$$

\*\*\*\*\* ACTIONS \*\*\*\*\*

send the value of the hardware clock

$$\begin{aligned} SendMsg(p) &\triangleq \\ &\wedge state[p] = "init" \\ &\wedge msgs' = msgs \cup \{[src \mapsto p, ts \mapsto hc[p]]\} \\ &\wedge state' = [state \text{ EXCEPT } ![p] = "sent"] \\ &\wedge \text{UNCHANGED } \langle time, hc, adj \rangle \end{aligned}$$

let the time flow

$$\begin{aligned} AdvanceClocks(delta) &\triangleq \\ &\wedge delta > 0 \\ &\wedge time' = time + delta \\ &\wedge hc' = [p \in Proc \mapsto hc[p] + delta] \\ &\wedge \text{UNCHANGED } \langle adj, msgs, state \rangle \end{aligned}$$

all actions together

$$\begin{aligned} Next &\triangleq \\ &\vee \exists delta \in Int : \\ &\quad AdvanceClocks(delta) \\ &\vee \exists p \in Proc : \\ &\quad SendMsg(p) \end{aligned}$$

send the value of the hardware clock

$$\begin{aligned} SendMsg(p) &\triangleq \\ &\wedge state[p] = "init" \\ &\wedge msgs' = msgs \cup \{[src \mapsto p, ts \mapsto hc[p]]\} \\ &\wedge state' = [state \text{ EXCEPT } ![p] = "sent"] \\ &\wedge \text{UNCHANGED } \langle time, hc, adj \rangle \end{aligned}$$

all actions together

$$\begin{aligned} Next &\triangleq \\ &\vee \exists delta \in Int : \\ &\quad AdvanceClocks(delta) \\ &\vee \exists p \in Proc : \\ &\quad SendMsg(p) \end{aligned}$$

# Testing 2.1



# Testing 2.2

```

igor@pumpkin:~/dev/informal/tla-apalache-workshop/examples/clock-sync
PASS #12: PostTypeCheckerSnowcat
> Running Snowcat .::.
> Your types are great!
> All expressions are typed
PASS #13: BoundedChecker
State 0: Checking 1 state invariants
Step 0: picking a transition out of 1 transition(s)
State 1: Checking 1 state invariants
Step 1: picking a transition out of 1 transition(s)
State 2: Checking 1 state invariants
Step 2: picking a transition out of 1 transition(s)
Step 3: Transition #0 is disabled
Found a deadlock. Check the counterexample in: counterexample0.tla, MC0.out, cou
nterexample0.json E@09:23:26.214
The outcome is: Deadlock
Checker has found an error
It took me 0 days 0 hours 0 min 5 sec
Total time: 5.169 sec
EXITCODE: ERROR (12)

11:23:27 ➔ x igor@pumpkin ➔ ...tla-apalache-workshop/examples/clock-sync ➔
2.7.1 ➔ 3.8.6 2.7.17 ➔ ↴ main ✘ * ★ ➔ 7s ➔
$
```

test that messages are sent

$$Test2\_Inv \triangleq$$

$$\forall p \in Proc :$$

$$state[p] = \text{"sent"} \equiv$$

$$\exists m \in msgs :$$

$$m.src = p$$

$$Test2\_Init \triangleq$$

$$\wedge TypeInit$$

$$\wedge Test2\_Inv$$

$$Test2\_Next \triangleq$$

$$\exists p \in Proc :$$

$$SendMsg(p)$$

# **version 3: receiving messages**

# Receive messages

```

MODULE ClockSync3
  * Incremental TLA+ specification of the clock synchronization algorithm from:
  *
  * Hagit Attiya, Jennifer Welch. Distributed Computing. Wiley Interscience, 2004,
  * p. 147, Algorithm 20.
  *
  * Assumptions: timestamps are natural numbers, not reals.
  *
  * Version 3: Receiving messages
  * Version 2: Sending messages
  * Version 1: Setting up the clocks
EXTENDS Integers
CONSTANTS
  minimum message delay
    @type: Int;
  t_min,
  maximum message delay
    @type: Int;
  t_max
ASSUME (t_min ≥ 0 ∧ t_max ≥ t_min)
VARIABLES
  the reference clock, inaccessible to the processes
    @type: Int;
  time,
  hardware clock of a process
    @type: Str → Int;
  hc,
  clock adjustment of a process
    @type: Str → Int;
  adj,
  messages sent by the processes
    @type: Set([src : Str, ts : Int]);
  msgs,
  messages received by the processes
    @type: Str → Set([src : Str, ts : Int]);
  rcvd,
  the control state of a process
    @type: Str → Str;
  state
***** DEFINITIONS *****
we fix the set to contain two processes
Proc ≡ {"p1", "p2"}

```

```

control states
State ≡ {"init", "sent", "sync"}
the adjusted clock of process i
AC(i) ≡ hc[i] + adj[i]
***** INITIALIZATION *****
Initialization
Init ≡
  ∧ time ∈ Nat
  ∧ hc ∈ [Proc → Nat]
  ∧ adj = [p ∈ Proc ↦ 0]
  ∧ state = [p ∈ Proc ↦ "init"]
  ∧ msgs = {}
  ∧ rcvd = [p ∈ Proc ↦ {}]

***** ACTIONS *****
send the value of the hardware clock
SendMsg(p) ≡
  ∧ state[p] = "init"
  ∧ msgs' = msgs ∪ {[src ↦ p, ts ↦ hc[p]]}
  ∧ state' = [state EXCEPT !(p) = "sent"]
  ∧ UNCHANGED ⟨time, hc, adj, rcvd⟩

receive a message sent by another process
ReceiveMsg(p) ≡
  ∧ ∃ m ∈ msgs :
    ∧ m ≠ rcvd[p]
    the message cannot be received earlier than after t_min
    ∧ hc[m.src] ≥ m.ts + t_min
    ∧ rcvd' = [rcvd EXCEPT !(p) = rcvd[p] ∪ {m}]
    ∧ UNCHANGED ⟨time, hc, msgs, adj, state⟩

let the time flow
AdvanceClocks(delta) ≡
  ∧ delta > 0
  clocks can be advanced only if there is no pending message
  ∧ ∀ m ∈ msgs :
    hc[m.src] + delta > t_max ⇒
      ∵ p ∈ Proc :
        m ∈ rcvd[m.src]
  clocks are advanced uniformly
  ∧ time' = time + delta
  ∧ hc' = [p ∈ Proc ↦ hc[p] + delta]
  ∧ UNCHANGED ⟨adj, msgs, state, rcvd⟩

```

messages received by the processes  
@type:  $\text{Str} \rightarrow \text{Set}([\text{src} : \text{Str}, \text{ts} : \text{Int}])$ ;  
 $rcvd$ ,

$ReceiveMsg(p) \triangleq$   
 $\wedge \exists m \in msgs :$   
 $\wedge m \notin rcvd[p]$   
the message cannot be received earlier than after  $t\_min$   
 $\wedge hc[m.\text{src}] \geq m.\text{ts} + t\_min$   
 $\wedge rcvd' = [rcvd \text{ EXCEPT } !(p) = rcvd[p] \cup \{m\}]$   
 $\wedge \text{UNCHANGED } \langle \text{time}, \text{hc}, \text{msgs}, \text{adj}, \text{state} \rangle$

$AdvanceClocks(\delta) \triangleq$   
 $\wedge \delta > 0$   
clocks can be advanced only if there is no pending message  
 $\wedge \forall m \in msgs :$   
 $hc[m.\text{src}] + \delta > t\_max \Rightarrow$   
 $\forall p \in \text{Proc} :$   
 $m \in rcvd[m.\text{src}]$

clocks are advanced uniformly  
 $\wedge \text{time}' = \text{time} + \delta$   
 $\wedge hc' = [p \in \text{Proc} \mapsto hc[p] + \delta]$   
 $\wedge \text{UNCHANGED } \langle \text{adj}, \text{msgs}, \text{state}, \text{rcvd} \rangle$

# Testing 3.1

```

igor@pumpkin:~/devl/informal/tla-apalache-workshop/examples/clock-sync
> Running analyzers...
> Introduced expression grades
> Introduced 2 formula hints
PASS #12: PostTypeCheckerSnowcat
> Running Snowcat .::.
> Your types are great!
> All expressions are typed
PASS #13: BoundedChecker
State 0: Checking 1 state invariants
Step 0: picking a transition out of 1 transition(s)
State 1: Checking 1 state invariants
Step 1: picking a transition out of 1 transition(s)
The outcome is: NoError
PASS #14: Terminal
Checker reports no error up to computation length 1
It took me 0 days 0 hours 0 min 4 sec
Total time: 4.827 sec
EXITCODE: OK

11:24:18 igor@pumpkin ...tla-apalache-workshop/examples/clock-sync 2.7.
1 3.8.6 2.7.17 main ✘ * ★ 6s
$ 

```

test that messages are received within  $[t_{\text{min}}, t_{\text{max}}]$

$$Test3\_Inv \triangleq$$

$\wedge \forall m \in msgs :$

no messages from the future

$$m.ts \leq hc[m.src]$$

$\wedge \forall p \in Proc :$

$$\forall m \in rcvd[p] :$$

the message is received no earlier than after  $t_{\text{min}}$

$$hc[m.src] \geq m.ts + t_{\text{min}}$$

$\wedge \forall m \in msgs :$

the message is received no later than before  $t_{\text{max}}$

$$m.ts \geq hc[m.src] + t_{\text{max}} \Rightarrow$$

$\forall p \in Proc :$

$$m \in rcvd[p]$$

$$Test3\_Init \triangleq$$

$$\wedge TypeInit$$

$$\wedge Test3\_Inv$$

$$Test3\_Next \triangleq$$

$$\vee \exists \delta \in Int :$$

$$AdvanceClocks(\delta)$$

$$\vee \exists p \in Proc :$$

$$ReceiveMsg(p)$$

# **version 4: adjusting clocks**

# Adjust clocks

```

Initialization
Init  $\triangleq$ 
   $\wedge time \in Nat$ 
   $\wedge hc \in [Proc \rightarrow Nat]$ 
   $\wedge adj = [p \in Proc \mapsto 0]$ 
   $\wedge diff = [(p, q) \in Proc \times Proc \mapsto 0]$ 
   $\wedge state = [p \in Proc \mapsto "init"]$ 
   $\wedge msgs = \{\}$ 
   $\wedge rcvd = [p \in Proc \mapsto \{\}]$ 

***** ACTIONS *****
send the value of the hardware clock
SendMsg(p)  $\triangleq$ 
   $\wedge state[p] = "init"$ 
   $\wedge msgs' = msgs \cup \{[src \mapsto p, ts \mapsto hc[p]]\}$ 
   $\wedge state' = [state \text{ EXCEPT } ![p] = "sent"]$ 
   $\wedge \text{UNCHANGED } \langle time, hc, adj, diff, rcvd \rangle$ 

If the process has received a message from all processes,
then adjust the clock. Otherwise, accumulate the difference.
@type: (Str, <Str, Str>)  $\rightarrow$  Int,
Set([src : Str, ts : Int])  $\Rightarrow$  Bool;
AdjustClock(p, newDiff, newRcvd)  $\triangleq$ 
  LET fromAll  $\triangleq \{m.src : m \in newRcvd\} = ProcIN$ 
  IF fromAll
    THEN
      Assuming that Proc = {"p1", "p2"}.
      See ClockSync5 for the general case.
       $\wedge adj' = [adj \text{ EXCEPT } ![p] = (newDiff[p, "p1"] + newDiff[p, "p2"]) \div 2]$ 
       $\wedge state' = [state \text{ EXCEPT } ![p] = "sync"]$ 
    ELSE
      UNCHANGED ⟨adj, state⟩
    Adjust the clock if the message has been received from all processes.
    ReceiveMsg(p)  $\triangleq$ 
       $\wedge state[p] = "sent"$ 
       $\wedge \exists m \in msgs :$ 
         $\wedge m \notin rcvd[p]$ 
        the message cannot be received earlier than after t_min
         $\wedge hc[m.src] \geq m.ts + t\_min$ 
        accumulate the difference and adjust the clock if possible
         $\wedge \text{LET } delta \triangleq m.ts - hc[p] + (t\_min + t\_max) \div 2 \text{ IN}$ 
         $\text{LET } newDiff \triangleq [diff \text{ EXCEPT } ![p, m.src] = delta] \text{ IN}$ 
         $\text{LET } newRcvd \triangleq rcvd[p] \cup \{m\} \text{ IN}$ 
         $\wedge \text{AdjustClock}(p, newDiff, newRcvd)$ 
         $\wedge rcvd' = [rcvd \text{ EXCEPT } ![p] = newRcvd]$ 
         $\wedge diff' = newDiff$ 
       $\wedge \text{UNCHANGED } \langle time, hc, msgs \rangle$ 
    let the time flow
    AdvanceClocks(delta)  $\triangleq$ 
       $\wedge delta > 0$ 
      clocks can be advanced only if there is no pending message
       $\wedge \forall m \in msgs :$ 
         $hc[m.src] + delta > t\_max \Rightarrow$ 
           $\forall p \in Proc :$ 
             $m \in rcvd[m.src]$ 
          clocks are advanced uniformly
         $\wedge time' = time + delta$ 
         $\wedge hc' = [p \in Proc \mapsto hc[p] + delta]$ 
         $\wedge \text{UNCHANGED } \langle adj, diff, msgs, state, rcvd \rangle$ 
    all actions together
    Next  $\triangleq$ 
       $\vee \exists delta \in Int :$ 
        AdvanceClocks(delta)
       $\vee \exists p \in Proc :$ 
         $\vee SendMsg(p)$ 
         $\vee ReceiveMsg(p)$ 

```

If the process has received a message from all processes, then adjust the clock. Otherwise, accumulate the difference.

@type: (Str, <Str, Str>)  $\rightarrow$  Int,

$Set([src : Str, ts : Int]) \Rightarrow Bool;$

$AdjustClock(p, newDiff, newRcvd) \triangleq$

LET  $fromAll \triangleq \{m.src : m \in newRcvd\} = ProcIN$

IF  $fromAll$

THEN

Assuming that  $Proc = \{"p1", "p2"\}$ .

See *ClockSync5* for the general case.

$\wedge adj' = [adj \text{ EXCEPT } ![p] = (newDiff[p, "p1"] + newDiff[p, "p2"]) \div 2]$

$\wedge state' = [state \text{ EXCEPT } ![p] = "sync"]$

ELSE

UNCHANGED ⟨adj, state⟩

Adjust the clock if the message has been received from all processes.

$ReceiveMsg(p) \triangleq$

$\wedge state[p] = "sent"$

$\wedge \exists m \in msgs :$

$\wedge m \notin rcvd[p]$

the message cannot be received earlier than after  $t\_min$

$\wedge hc[m.src] \geq m.ts + t\_min$

accumulate the difference and adjust the clock if possible

$\wedge \text{LET } delta \triangleq m.ts - hc[p] + (t\_min + t\_max) \div 2 \text{ IN}$

$\text{LET } newDiff \triangleq [diff \text{ EXCEPT } ![p, m.src] = delta] \text{ IN}$

$\text{LET } newRcvd \triangleq rcvd[p] \cup \{m\} \text{ IN}$

$\wedge \text{AdjustClock}(p, newDiff, newRcvd)$

$\wedge rcvd' = [rcvd \text{ EXCEPT } ![p] = newRcvd]$

$\wedge diff' = newDiff$

UNCHANGED ⟨time, hc, msgs⟩

# Specifying bounded clock skew

Theorem 6.15 from AW04:

Algorithm achieves  $u * (1 - 1/n)$ -synchronization for n processors.

$SkewInv \triangleq$

LET  $allSync \triangleq$

$\forall p \in Proc : state[p] = \text{"sync"}$

IN

LET  $boundedSkew \triangleq$

LET  $bound \triangleq (t_{\max} - t_{\min}) * (NProc - 1)$

IN

$\forall p, q \in Proc :$

LET  $df \triangleq AC(p) - AC(q)$

IN

$- bound \leq df * NProc \wedge df * NProc \leq bound$

IN

$allSync \Rightarrow boundedSkew$

# Check SkewInv



```
igor@pumpkin:~/dev/informal/tla-apalache-workshop/examples/clock-sync ✘#1
Checker options: filename=MC_Clock4.tla, init=, next=, inv=ClockSkewInv I@15:39:22.451
Tuning: I@15:39:23.047
PASS #0: SanyParser I@15:39:23.050
File does not exist: /opt/apalache/src/tla/var/apalache/MC_Clock4.tla while looking in these directories: /opt/apalache/src/tla/, jar:file:/opt/apalache/mod-distribution/target/apalache-pkg-0.16.3-SNAPSHOT-full.jar!/tla2sany/StandardModules/
Error by TLA+ parser: *** Abort messages: 1

Unknown location

Cannot find source file for module /var/apalache/MC_Clock4.tla.

E@15:39:23.125
It took me 0 days 0 hours 0 min 0 sec I@15:39:23.129
Total time: 0.841 sec I@15:39:23.132
EXITCODE: ERROR (255)

17:39:24 ➤ x ➤ igor@pumpkin ➤ ...tla-apalache-workshop/examples/clock-sync ➤
2.7.1 ➤ 3.8.6 2.7.17 ➤ ↴ main x • ★ ➤
```

# Analyzing the counterexample

```
(* Transition 2 to State8 *)
state8 =
adj = "p1" :> -42 と "p2" :> -2
  ∧ diff
  = ((<<"p1", "p1">> :> -3 と <<"p2", "p1">> :> -1) と <<"p1", "p2">> :> -81)
    と <<"p2", "p2">> :> -3
  ∧ hc = "p1" :> 167 と "p2" :> 165
  ∧ msgs = { [src ↠ "p1", ts ↠ 34], [src ↠ "p2", ts ↠ 32] }
  ∧ rcvd
    = "p1" :> { [src ↠ "p1", ts ↠ 34], [src ↠ "p2", ts ↠ 32] }
      と "p2" :> { [src ↠ "p1", ts ↠ 34], [src ↠ "p2", ts ↠ 32] }
  ∧ state = "p1" :> "sync" と "p2" :> "sync"
  ∧ time = 133
```

Adjusting own clocks!

# Check the pseudo-code

---

**Algorithm 20** A clock synchronization algorithm for  $n$  processors:

code for processor  $p_i$ ,  $0 \leq i \leq n - 1$ .

---

initially  $diff[i] = 0$

- 1: at first computation step:
  - 2: send  $HC$  (current hardware clock value) to all other processors
  
  - 3: upon receiving message  $T$  from some  $p_j$ :
  - 4:  $diff[j] := T + d - u/2 - HC$
  - 5: if a message has been received from every other processor then
  - 6:  $adj := \frac{1}{n} \sum_{k=0}^{n-1} diff[k]$
- 



# Fix in ClockSync5



A screenshot of a terminal window titled "igor@pumpkin:~/dev/informal/tla-apalache-workshop/examples/clock-sync". The window shows a command-line interface with several colored arrows and symbols:

- An orange arrow points from the timestamp "18:08:04" to the user "igor@pumpkin".
- A blue arrow points from the user "igor@pumpkin" to the path "...tla-apalache-workshop/examples/clock-sync".
- A red arrow points from the path "...tla-apalache-workshop/examples/clock-sync" to the version "2.7.". A small red diamond icon is positioned before the version number.
- A yellow arrow points from the number "1" to the version "3.8.6".
- A brown arrow points from the version "3.8.6" to the date "2.7.17".
- A purple arrow points from the date "2.7.17" to the branch "main".
- A black arrow points from the branch "main" to the status indicators "x", "\*", and "★".

The command "\$ apala" is partially visible at the bottom of the terminal window.

**what about  $t_{min}$  and  $t_{max}$ ?**

# Parameterized time bounds

ASSUME( $t_{min} < t_{max}$ )

use  $-cinit = ConstInit$  to check for all  $t\_min$  and  $t\_max$   
 $ConstInit \triangleq$   
     $\wedge t\_min \in Nat$   
     $\wedge t\_max \in Nat$

Fix by increasing the bounds:



```
apalache check -cinit=ConstInit\  
--inv=SkewInv MC_ClockSync6.tla
```

LET  $bound \triangleq$   
     $(t\_max - t\_min) * (NProc - 1)$   
     $+ NProc * NProc$



error due to integer rounding!

# Next steps

# Does it work?

- Parameterize by the set of processes: ClockSync6p 
- Check 4 unit tests 
- Check for 2 and 3 processes 
- Check for arbitrary  $t_{min}$  and  $t_{max}$  (with ConstInit) 



- Check an inductive invariant 

# Inductive invariants

Find a predicate  $IndInv$  over states:

1.  $Init \Rightarrow IndInv$
2.  $IndInv \wedge Next \Rightarrow IndInv'$
3.  $IndInv \Rightarrow SkewInv$



Shallow queries of length 0 and 1 in Apalache!

[need one more session]

# github.com/informalsystems/apalache ↵

Search or jump to... / Pull requests Issues Marketplace Explore

informalsystems / apalache

Pinned issues

- Feature FTC: type checker Snowcat #350 opened on Dec 6, 2020 by konnov
- Feature FII1: infrastructure improvements 1 #351 opened on Dec 6, 2020 by konnov
- Feature FAF: Stabilizing the assignment finder #353 opened on Dec 6, 2020 by konnov

Filters is:issue is:open

158 Open 232 Closed

[BUG] Configuration pass should produce an error when a CONSTANT is not initialized Alpha Centauri

#669 opened 12 hours ago by konnov April iteration

[FEATURE] Experiment with ExprCache to see if it is a translation bottleneck FSMT enhancement

#666 opened 2 days ago by konnov April iteration

[FEATURE] Remove FailPredT FSMT enhancement refactoring

#665 opened 3 days ago by konnov April iteration

[FEATURE] Introduce a version of ? for a type FTC-Snowcat enhancement refactoring

ZULIP

# apalache | 12 A symbolic model checker for TLA+ -- https://github.com/informalsystems/apalache

All messages Private messages Mentions Starred messages Recent topics

STREAMS # apalache

- !Questions
- Apalache commandline e...
- Loading additional TLA m...
- Type annotations
- Checking two invariants?
- more topics

core team disco general introductions Add streams

apalache !Questions

Igor Konnov One more question: does apalache ever write to stderr? From what I can tell, it doesn't.

Igor Konnov not really. All messages go through the logger

Vitor Enes Is it possible to parse a TLA module using parse without doing type inference?

Igor Konnov yes. The command parse does not do type inference or at least it should. If it runs type inference, this is a bug

apalache !Questions

Message #apalache > !Questions

chat in zulip  
informal systems

**Our mission is to bring verifiability to distributed systems and organizations.**

**Our vision** is an open-source ecosystem of cooperatively owned and governed distributed organizations running on reliable distributed systems.



# | Formal Verification Tools

We build formal verification tools that we leverage in our protocol design, engineering, and security audits



## Apalache

Symbolic model checker for TLA+ – formally verify TLA+ specifications for real-world distributed systems protocols



## Model Based Testing

A methodology and tool used to auto-generate tests for real implementations from an underlying TLA+ model.

# | Blockchain Infrastructure

We are core developers of the Tendermint and IBC projects, with a focus on software implementations in Rust.



## tendermint-rs

Tendermint is a Byzantine Fault Tolerant state machine replication engine for applications written in Rust.



## ibc-rs

Inter-Blockchain Communication (IBC) is a protocol for secure, packet-based communication between distinct blockchains.



## Hermes

Hermes is an open-source Rust implementation of a relayer for IBC, released under the `ibc-relayer-cli` crate.