In order to find subtle bugs in a s

In order to find subtle bugs in a system
design, it is necessary to have a precise
description of that design. There are
at least two major benefits to writing a
precise design: the author is forced to
think more clearly, helping eliminate
“plausible hand waving,” and tools
can be applied to check for errors in
the design, even while it is being writ-
ten. In contrast, conventional design
documents consist of prose, static dia-
grams, and perhaps pseudo-code in
an ad hoc untestable language. Such
descriptions are far from precise; they
are often ambiguous or missing criti-
cal aspects (such as partial failure or
the granularity of concurrency). At the
other end of the spectrum, the final
executable code is unambiguous but
contains an overwhelming amount of
detail. We had to be able to capture the
essence of a design in a few hundred
lines of precise description. As our
designs are unavoidably complex, we
needed a highly expressive language,
far above the level of code, but with
precise semantics. That expressiv-
ity must cover real-world concurrency
and fault tolerance. And, as we wish
to build services quickly, we wanted a
language that is simple to learn and
apply, avoiding esoteric concepts. We
also very much wanted an existing eco-
system of tools. We were thus looking
for an off-the-shelf method with high
return on investment.
We found what we were looking for
in TLA+, 11 a formal specification lan-
guage based on simple discrete math,
or basic set theory and predicates,
with which all engineers are familiar.
A TLA+ specification describes the set
of all possible legal behaviors, or ex-
ecution traces, of a system. We found
it helpful that the same language is
used to describe both the desired cor-
rectness properties of the system (the
“what”) and the design of the system
(the “how”). In TLA+, correctness
properties and system designs are
just steps on a ladder of abstraction,
with correctness properties occupy-
ing higher levels, systems designs and
algorithms in the middle, and execut-
able code and hardware at the lower
levels. TLA+ is intended to make it as
easy as possible to show a system de-
sign correctly implements the desired
correctness properties, through either
conventional mathematical reasoning
or tools like the TLC model checker 9
that take a TLA+ specification and
exhaustively checks the desired cor-
rectness properties across all possible
execution traces. The ladder of ab-
straction also helps designers manage
the complexity of real-world systems;
designers may choose to describe
the system at several “middle” levels
of abstraction, with each lower level
serving a different purpose (such as to
understand the consequences of fin-
A P R I L 2 0 1 5 | VO L. 58 | N O. 4 | C OM M U N IC AT ION S OF T HE ACM
67contributed articles
er-grain concurrency or more detailed
behavior of a communication medi-
um). The designer can then verify that
each level is correct with respect to a
higher level. The freedom to choose
and adjust levels of abstraction makes
TLA+ extremely flexible.
At first, the syntax and idioms of
TLA+ are somewhat unfamiliar to
programmers. Fortunately, TLA+ is
accompanied by a second language
called PlusCal that is closer to a C-style
programming language but much
more expressive, as it uses TLA+ for
expressions and values. PlusCal is
intended to be a direct replacement
for pseudo-code. Several engineers at
Amazon have found they are more pro-
ductive using PlusCal than they are us-
ing TLA+. However, in other cases, the
additional flexibility of plain TLA+ has
been very useful. For many designs the
choice is a matter of taste, as PlusCal is
automatically translated to TLA+ with a
single key press. PlusCal users do have
to be familiar with TLA+ in order to
write rich expressions and because it is
often helpful to read the TLA+ transla-
tion to understand the precise seman-
tics of a piece of code. Moreover, tools
(such as the TLC model checker) workIn order to find subtle bugs in a system
design, it is necessary to have a precise
description of that design. There are
at least two major benefits to writing a
precise design: the author is forced to
think more clearly, helping eliminate
“plausible hand waving,” and tools
can be applied to check for errors in
the design, even while it is being writ-
ten. In contrast, conventional design
documents consist of prose, static dia-
grams, and perhaps pseudo-code in
an ad hoc untestable language. Such
descriptions are far from precise; they
are often ambiguous or missing criti-
cal aspects (such as partial failure or
the granularity of concurrency). At the
other end of the spectrum, the final
executable code is unambiguous but
contains an overwhelming amount of
detail. We had to be able to capture the
essence of a design in a few hundred
lines of precise description. As our
designs are unavoidably complex, we
needed a highly expressive language,
far above the level of code, but with
precise semantics. That expressiv-
ity must cover real-world concurrency
and fault tolerance. And, as we wish
to build services quickly, we wanted a
language that is simple to learn and
apply, avoiding esoteric concepts. We
also very much wanted an existing eco-
system of tools. We were thus looking
for an off-the-shelf method with high
return on investment.
We found what we were looking for
in TLA+, 11 a formal specification lan-
guage based on simple discrete math,
or basic set theory and predicates,
with which all engineers are familiar.
A TLA+ specification describes the set
of all possible legal behaviors, or ex-
ecution traces, of a system. We found
it helpful that the same language is
used to describe both the desired cor-
rectness properties of the system (the
“what”) and the design of the system
(the “how”). In TLA+, correctness
properties and system designs are
just steps on a ladder of abstraction,
with correctness properties occupy-
ing higher levels, systems designs and
algorithms in the middle, and execut-
able code and hardware at the lower
levels. TLA+ is intended to make it as
easy as possible to show a system de-
sign correctly implements the desired
correctness properties, through either
conventional mathematical reasoning
or tools like the TLC model checker 9
that take a TLA+ specification and
exhaustively checks the desired cor-
rectness properties across all possible
execution traces. The ladder of ab-
straction also helps designers manage
the complexity of real-world systems;
designers may choose to describe
the system at several “middle” levels
of abstraction, with each lower level
serving a different purpose (such as to
understand the consequences of fin-
A P R I L 2 0 1 5 | VO L. 58 | N O. 4 | C OM M U N IC AT ION S OF T HE ACM
67contributed articles
er-grain concurrency or more detailed
behavior of a communication medi-
um). The designer can then verify that
each level is correct with respect to a
higher level. The freedom to choose
and adjust levels of abstraction makes
TLA+ extremely flexible.
At first, the syntax and idioms of
TLA+ are somewhat unfamiliar to
programmers. Fortunately, TLA+ is
accompanied by a second language
called PlusCal that is closer to a C-style
programming language but much
more expressive, as it uses TLA+ for
expressions and values. PlusCal is
intended to be a direct replacement
for pseudo-code. Several engineers at
Amazon have found they are more pro-
ductive using PlusCal than they are us-
ing TLA+. However, in other cases, the
additional flexibility of plain TLA+ has
been very useful. For many designs the
choice is a matter of taste, as PlusCal is
automatically translated to TLA+ with a
single key press. PlusCal users do have
to be familiar with TLA+ in order to
write rich expressions and because it is
often helpful to read the TLA+ transla-
tion to understand the precise seman-
tics of a piece of code. Moreover, tools
(such as the TLC model checker) work