Abstract

Since 2011, engineers at Amazon have been using TLA +  to help solve difficult design problems in critical systems. This paper describes the reasons why we chose TLA +  instead of other methods, and areas in which we would welcome further progress.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Abrial, J.-R.: Formal methods in industry: achievements, problems, future. In: 28th Intl. Conf. Software Engineering (ICSE), Shanghai, China, pp. 761–768. ACM (2006)Google Scholar
  2. 2.
    Abrial, J.-R.: Modeling in Event-B. Cambridge University Press (2010)Google Scholar
  3. 3.
    Abrial, J.-R., et al.: Rodin: an open toolset for modelling and reasoning in Event-B. STTT 12(6), 447–466 (2010)CrossRefGoogle Scholar
  4. 4.
    Alloy online tutorial: How to think about an alloy model: 3 levels, http://alloy.mit.edu/alloy/tutorials/online/sidenote-levels-of-understanding.html
  5. 5.
    Event-B wiki: Industrial projects, http://wiki.event-b.org/index.php/Industrial_Projects
  6. 6.
    Barr, J.: Amazon S3 – the first trillion objects. Amazon Web Services Blog (June 2012), http://aws.typepad.com/aws/2012/06/amazon-s3-the-first-trillion-objects.html
  7. 7.
    Barr, J.: Amazon S3 – two trillion objects, 1.1 million requests per second. Amazon Web Services Blog (March 2013), http://aws.typepad.com/aws/2013/04/amazon-s3-two-trillion-objects-11-million-requests-second.html
  8. 8.
    Batson, B., Lamport, L.: High-level specifications: Lessons from industry. In: de Boer, F.S., Bonsangue, M.M., Graf, S., de Roever, W.-P. (eds.) FMCO 2002. LNCS, vol. 2852, pp. 242–261. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  9. 9.
    Bolosky, W.J., Douceur, J.R., Howell, J.: The Farsite project: a retrospective. Operating Systems Reviews 41(2), 17–26 (2007)CrossRefGoogle Scholar
  10. 10.
    Cohen, E., Moskal, M., Schulte, W., Tobies, S.: Local verification of global invariants in concurrent programs. In: Touili, T., Cook, B., Jackson, P. (eds.) CAV 2010. LNCS, vol. 6174, pp. 480–494. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  11. 11.
    Douceur, J., et al.: Memoir: Formal specs and correctness proof (2011), http://research.microsoft.com/pubs/144962/memoir-proof.pdf
  12. 12.
    Hall, A.: Seven myths of formal methods. IEEE Software 7(5), 11–19 (1990)CrossRefGoogle Scholar
  13. 13.
    Holzmann, G.: Design and Validation of Computer Protocols. Prentice Hall, New Jersey (1991)Google Scholar
  14. 14.
    Jackson, D.: Personal communication (2014)Google Scholar
  15. 15.
    Jackson, D.: Software Abstractions, revised edition. MIT Press (2012), http://www.softwareabstractions.org/
  16. 16.
    Lamport, L.: Comment on the history of the TLC model checker, http://research.microsoft.com/en-us/um/people/lamport/pubs/pubs.html#yuanyu-model-checking
  17. 17.
  18. 18.
  19. 19.
    Lamport, L.: The Temporal Logic of Actions. ACM Trans. Prog. Lang. Syst. 16(3), 872–923 (1994)CrossRefGoogle Scholar
  20. 20.
    Lamport, L.: Specifying Systems. Addison-Wesley (2002), http://research.microsoft.com/en-us/um/people/lamport/tla/book-02-08-08.pdf
  21. 21.
    Lamport, L.: Fast Paxos. Distributed Computing 19(2), 79–103 (2006)CrossRefMATHMathSciNetGoogle Scholar
  22. 22.
    Lamport, L.: Byzantizing Paxos by refinement. In: Peleg, D. (ed.) DISC 2011. LNCS, vol. 6950, pp. 211–224. Springer, Heidelberg (2011)Google Scholar
  23. 23.
    Lamport, L.: How to write a 21st century proof. Fixed Point Theory and Applications (2012)Google Scholar
  24. 24.
    Lamport, L., Merz, S.: Specifying and verifying fault-tolerant systems. In: Langmaack, H., de Roever, W.-P., Vytopil, J. (eds.) FTRTFT 1994 and ProCoS 1994. LNCS, vol. 863, pp. 41–76. Springer, Heidelberg (1994)CrossRefGoogle Scholar
  25. 25.
    Lamport, L., Sharma, M., Tuttle, M., Yu, Y.: The wildfire challenge problem (2001), http://research.microsoft.com/en-us/um/people/lamport/pubs/wildfire-challenge.pdf
  26. 26.
    Lamport, L., Tuttle, M., Yu, Y.: The wildfire verification challenge problem [example of a specification from industry], http://research.microsoft.com/en-us/um/people/lamport/tla/wildfire-challenge.html
  27. 27.
    Leinenbach, D., Santen, T.: Verifying the Microsoft Hyper-V Hypervisor with VCC. In: Cavalcanti, A., Dams, D.R. (eds.) FM 2009. LNCS, vol. 5850, pp. 806–809. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  28. 28.
    Lu, T., Merz, S., Weidenbach, C.: Towards verification of the Pastry protocol using TLA + . In: Bruni, R., Dingel, J. (eds.) FORTE 2011 and FMOODS 2011. LNCS, vol. 6722, pp. 244–258. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  29. 29.
    Newcombe, C.: Debugging designs. Presented at the 14th Intl. Wsh. High-Performance Transaction Systems (2011), http://hpts.ws/papers/2011/sessions_2011/Debugging.pdf and associated specifications: http://hpts.ws/papers/2011/sessions_2011/amazonbundle.tar.gz
  30. 30.
    Owre, S., et al.: Combining specification, proof checking, and model checking. In: Alur, R., Henzinger, T.A. (eds.) CAV 1996. LNCS, vol. 1102, pp. 411–414. Springer, Heidelberg (1996)CrossRefGoogle Scholar
  31. 31.
  32. 32.
    Zave, P.: Using lightweight modeling to understand Chord. Comp. Comm. Reviews 42(2), 49–57 (2012)CrossRefGoogle Scholar
  33. 33.
    Zave, P.: A practical comparison of Alloy and Spin. Formal Aspects of Computing (to appear, 2014), http://www2.research.att.com/~pamela/compare.pdf

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  • Chris Newcombe
    • 1
  1. 1.Amazon, Inc.USA

Personalised recommendations