Abstract
Since 2011, engineers at Amazon have been using TLA+ to help solve difficult design problems in critical systems. This paper describes the reasons why we chose TLA+ instead of other methods, and areas in which we would welcome further progress.
Keywords
- Model Checker
- Temporal Logic
- Proof System
- Linear Temporal Logic
- Safety Property
© 2014 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Newcombe, C. (2014). Why Amazon Chose TLA+. In: Ait Ameur, Y., Schewe, K.-D. (eds.) Abstract State Machines, Alloy, B, TLA, VDM, and Z. ABZ 2014. Lecture Notes in Computer Science, vol. 8477. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-43652-3_3
DOI: https://doi.org/10.1007/978-3-662-43652-3_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-43651-6
Online ISBN: 978-3-662-43652-3
eBook Packages: Computer Science (R0)