行为时序逻辑 TLA
(The Temporal Logic of Actions)
与模型检测TLC、AVISPA
(Automated Validation of Internet Security
Protocols and Applications)
传统的程序验证技术（program verification techniques），例如Hoare型的方法，
一般都使用两类不同语言：一类用于编写程序，一类用于验证所写程序的性质.
程序逻辑用一种单一语言表达程序与属性。程序 II 满足属性 P 当且仅当 II=>P 是这一
逻辑的合法公式。Pratt 的动态逻辑[Pra76]是一种著名的程序逻辑。

行为时序逻辑TLA是一种组合了时序逻辑temporal logic与行为逻辑logic of actions来对
并发系统进行描述与验证的逻辑
以下来自fm99.pdf - TLA+ Verification of Cache-Coherence Protocols
TLA+ is a formal specification language based on (untyped) ZF set theory, first-order
logic, and TLA (the Temporal Logic of Actions). TLA is a version of temporal logic
developed for describing and reasoning about concurrent and reactive systems [7]. TLA+
includes modules and ways of combining them to form larger specifications. An introduction
to TLA+ appears in [4], further details can be found on the World Wide Web [5].
Although TLA+ permits a wide variety of specification styles, the specifications
discussed here all have the form Init ^ Next ^ Liveness, where: Init is the initial-state
predicate—a formula describing all legal initial states. Next is the next-state relation, which
specifies all possible steps (pairs of successive states) in a behavior of the system. It is a
disjunction of actions that describe the different system operations. An action is a
mathematical formula in which unprimed variables refer to the first state of a step and primed
variables refer to its second state. For example, (x’ = x +1) ^(y’ = y) is an action describing
steps in which the variable x is incremented by 1 and the variable y is unchanged. Liveness is
a temporal formula that specifies the liveness (progress) properties of the system as the
conjunction of fairness conditions on actions.
Such a specification can be viewed as describing a state machine. However, unlike
specifications in methods based on abstract machines or programming languages, a TLA+
specification consists of a single mathematical formula. Moreover, the state predicates and
actions in TLA+ specifications are arbitrary formulas written in a high-level language with the
full power of set theory and predicate logic, making TLA+ very expressive.
A state predicate I is an invariant of a specification S iff S impliesI , the formula
asserting that I is always true. When S equals Init ^ Next this is proved by finding a formula
Inv, called an invariant of Next, that satisfies Init ) Inv, Inv ^ Next ) Inv0, and Inv ) I , where
Inv0 is the formula obtained from Inv by priming all variables. A particularly simple form of
invariant is one that expresses type correctness, asserting that each variable is an element of
some set (its “type”).
To prove that a specification S1 implements another specification S2,
we must express the variables of S2 as functions of the variables of S1 and
prove S1 ) S2, where S2 is formula S2 with its variables replaced by the
2The
formulaNext should actually be [Next]v , where v is the tuple of all variables;
we drop the subscript for simplicity. We also ignore the hiding of internal variables,
expressed with temporal existential quantification.

以下来自fm99.pdf - TLA+ Verification of Cache-Coherence Protocols






行为时序逻辑TLA的语法:
TLA公式由通常的数学运算（例如=,+，-，  ）、状态变量集合V，常量集合Con，加
上三个运算构成: 原本Prime (’), 必然always (),与存在量词existential quantifier ().
对每个状态变量x  V, 称x'为(x的)原本变量，令Var=V  {x'|x V}
按通常的方式从Var,Log,Con及数学运算定义函数f,谓词p及时态公式
包含原本变量的谓词p称为行为，如x’=x+1; 对于行为p,写为[p]
例1：TLA公式
xy:（x=0y=0） □[x’=x+1  y’=y+2x+1]  □(y=x )
2
该式子可读为: 如果 x 与 y 初始化为 0，并且每一上单独步骤中 x 自增 1，y 为 2x+1,那
么 y 总是等于 x 的平方。
行为 x’=x+1∧y’=y+2x+1 表示一个多重赋值。但是，不象赋值语句，这种行为能代数地
操作。如，这一行为等价于 y’-y=x’+x∧y’-y=3x-x’+2。

例2：计算：y=0+1+2+3+…+n+…=n(n-1)/2 (n0)
根据递推式：y0=0, yn+1=yn+(n+1)可写出C语言(迭代)程序
描述该计算的TLA公式：
yn:（y=0n=0） □[y’=y+n+1  n’=n+1]  □(y=n(n+1)/2)

例3：TLA公式：
[x’=x+1]
表达了: x’=x+1必然最终要被执行, 即x=x+1的公平性：
fair: x=x+1
作业：写出计算：y=1+3+…+（2n+1）…=n2 (n0)的TLA公式
行为时序逻辑TLA的语义:
设Val为(变量可取)值的集合, St为状态的集合
状态变量,状态函数与状态谓词
对每个变量xV,定义[[x]]为映射:
St -> Val
设s St,则[[x]](s)为变量x在状态s下的值; 可将[[x]](s)写为: s[[x]]
类似地可归纳定义[[f]]与[[p]]；将[[x]], [[f]]与[[p]]分别称为状态变量,状态函数与状态谓词
例：
[[2x-y]]  2[[x]]-[[y]]
[[n: (x-n2)=2]](s)  n: [[x]](s)-n2=2
称状态谓词p是有效的并记为 |= p，如果p在一切状态下都成立，定义：
[[|= p]]为sSt: [[p]](s)，
可具体定义St为：sSt iff s是变量集合V的一个（Val下的）指派， 即映射：
s: V -> Val
这样，显然有：
[[x]](s) s[[x]] = s(x) (注意：为定义，=为相等)
行为, 状态转移：
称一个带有原本变量与非原本变量的谓词为行为，如x’=x+1; 对于行为A,写为[A]，设A
中有m个非原本变量, 有n个原本变量,St-m= St  …St (m-1次), St-n= St  …St (n-1次)
语义[[A]]被定义为映射：
St-m  St-n  {true, false}
其中，p的非原本变量在St-m取值，原本变量在St-n取值
示例: [[y’-x> 1]](s,t)  [[y]](t)-[[x]](s) > 1
从状态s到t的转移写为 s -> t. 定义行为A可从状态s转移到t iff [[A]](s,t)=true, 称为
A-转移.
对于行为A, 定义谓词 Enable(A), Enable(A)语义被定义为:
[[Enable(A)]](s)  t: [[A]](s,t)
注意1: 对于行为A，也将[[A]](s,t)记为s[[A]]t
注意2: 对于（不含原本变量的）状态谓词p，例如x=y+1，也可被视为一个(没有原本变量的)
行为，即：对任何t，[[p]](s,t)  [[p]](s)  s[[p]]t
注意3: 对于（不含非原本变量的）状态谓词p，例如x’=y’+1，也可被视为一个(没有非原本
变量的)行为，即：对任何t，[[p]](s,t)  [[p]](s,t)  s[[p]]t
注意4: 对于行为A，设x1',...,xn'是在A中出现的原本变量，则（请证明）：
Enable(A) = x1'Var,..., xn'Var: A

行动(behavior) 与时态行为,：
称状态系列<s0, s1,..., sn,...> 为一个行动(behavior)
对于行为A，定义：
<s0, s1,..., sn,...> [[A]]  s0[[A]]s1
<s0, s1,..., sn,...> [[A]]  n: <sn, sn+1,...>[[A]]
<s0, s1,..., sn,...> [[A]]  n: <sn, sn+1,...>[[A]]
<s0, s1,..., sn,...> [[A]]  n m: <sn+m, sn+m+1,...>[[A]]
作业：
<s0, s1,..., sn,...> [[A]]  ？
<s0, s1,..., sn,...> [[A]]  ？
<s0, s1,..., sn,...> [[A]]  ？

示例：

设（并发）程序为：
int x,y=0;
do{
true -> x=x+1
true -> y=y+1
} od
用TLA公式描述该程序：
Init  (x=0)  (y=0)
A 1  (x’=x+1)  (y’=y)
A 2  (y’=y+1)  (x’=x)
  Init  ( A 1  A 2 )

作业：
用TLA公式描述一个SPIN（并发）程序
用TLA公式描述一个SMV（并发）程序

TLA+ is a specification language based on TLA.
TLP is a system for mechanically checking TLA proofs (program verification).
The three available TLA+ tools are:
TLATeX, a program for typesetting TLA+ specs.
The Syntactic Analyzer, a parser and syntax checker for TLA+ specifications.
TLC, a model checker and simulator for a subclass of "executable" TLA+
specifications.
基于行为时序逻辑 TLA的
模型检测TLC
There are three TLA+ tools:
1) The Syntactic Analyzer: A parser and syntax checker for TLA+ specifications.
2) TLC: A model checker and simulator for a subclass of "executable" TLA+ specifications.
3) TLATeX: A program for typesetting TLA+ specifications.
TLC is a model checker for specifications written in TLA+.
TLA+ is a
specification language based on TLA, the Temporal Logic of Actions.
See
the TLA web page:
http://research.microsoft.com/users/lamport/tla/tla.html for general
information about TLA.
A description of TLC and directions for using it, along with an
introduction to writing specifications in TLA+, are contained
in Specifying Concurrent Systems :
http://research.microsoft.com/users/lamport/tla/book.html
The version of TLC available from the Microsoft Research download site is
TLC Version 2.0 of 17 January 2003
See the main TLA+ tools page:
http://research.microsoft.com/users/lamport/tla/tools.html:for how
this version differs from the version described in Specifying Concurrent
Systems .
TLC is available for Windows or Unix.
安装使用：
1 安装JDK1.5
2 将tla.rar解压得\tla
3 用TLC做模型检测, 用Generator进行随机模拟
类TLC：
public class TLC {
/*
* This TLA checker (TLC) provides the following functionalities:
* 1. Simulation of TLA+ specs: java tlc.TLC -simulate spec[.tla]
* 2. Model checking of TLA+ specs: java tlc.TLC [-modelcheck] spec[.tla]
*
* The command line also provides the following options:
* o -config file: provide the config file.
*
Defaults to spec.cfg if not provided
* o -deadlock: do not check for deadlock.
*
Defaults to checking deadlock if not specified
* o -depth num: specify the depth of random simulation
*
Defaults to 100 if not specified
* o -seed num: provide the seed for random simulation
*
Defaults to a random seed if not specified
* o -aril num: Adjust the seed for random simulation
*
Defaults to 0 if not specified
* o -recover path: recover from the checkpoint at path
*
Defaults to scratch run if not specified
* o -metadir path: store metadata in the directory at path
*
Defaults to specdir/states if not specified
* o -workers num: the number of TLC worker threads
*
Defaults to 1
* o -dfid num: use depth-first iterative deepening with initial depth num
* o -cleanup: clean up the states directory
* o -dump file: dump all the states into file
* o -difftrace: when printing trace, show only
*
the differences between successive states
*
Defaults to printing full state descriptions if not specified
*
(Added by Rajeev Joshi)
* o -terse: do not expand values in Print statement
*
Defaults to expand value if not specified
* o -coverage minutes: collect coverage information on the spec,
*
print out the information every minutes.
*
Defaults to no coverage if not specified
* o -continue: continue running even when invariant is violated
*
Defaults to stop at the first violation if not specified
* o -nowarning: disable all the warnings
*
Defaults to report warnings if not specified
* o -fp num: use the num'th irreducible polynomial from the list
*
stored in the class FP64.
* o -view: apply VIEW (if provided) when printing out states.
* o -gzip: control if gzip is applied to value input/output stream.
*
Defaults to use gzip.
*/
public static void main(String[] args) {
System.out.println("TLC " + TLCGlobals.versionOfTLC);
类Generator：
public class Generator {
/*
* This TLA trace generator generates random execution traces:
*
srcjava tlc.Generator spec[.tla]
*
* The command line provides the following options:
* o -deadlock:
do not check for deadlock.
*
Defaults to checking deadlock if not specified
* o -f file:
the file storing the traces. Defaults to spec_trace
* o -d num:
the max length of the trace. Defaults to 10
* o -config file: the config file. Defaults to spec.cfg
* o -coverage seconds: collect coverage information on the spec,
*
print out the information every seconds
*
Defaults to no coverage if not specified
* o -n num:
the max number of traces. Defaults to 10
* o -s:
the seed for random simulation
*
Defaults to a random seed if not specified
* o -aril num:
Adjust the seed for random simulation
*
Defaults to 0 if not specified
*/
public static void main(String[] args) {
System.out.println("TLC trace generator, " + TLCGlobals.versionOfTLC);
4 \tla\examples,提供了与书"Specifying Concurrent Systems" (by Leslie Lamport)
配套的示例:
为运行示例(例如:HourClock):从命令行进入\tla,
运行:
C:\000\tla>java tlc.TLC
.\examples\HourClock\HourClock.tla
注意：此软件对目录有时出现问题，最好将.tla与.cfg文件放到目录\tla如下运行：
C:\000\tla>java tlc.TLC HourClock.tla
结果:
TLC Version 2.0 of January 16, 2006
Model-checking
Parsing file HourClock.tla
Parsing file C:\000\tla\tlasany\StandardModules\Naturals.tla
Semantic processing of module Naturals
Semantic processing of module HourClock
Finished computing initial states: 12 distinct states generated.
Model checking completed. No error has been found.
Estimates of the probability that TLC did not check all reachable states
because two distinct states had the same fingerprint:
calculated (optimistic): 7.806255641895632E-18
based on the actual fingerprints: 1.6262447381494354E-18
24 states generated, 12 distinct states found, 0 states left on queue.
The depth of the complete state graph search is 1.
模拟运行：
C:\000\tla>java tlc.Generator .\examples\HourClock\HourClock.tla
结果：
TLC trace generator, Version 2.0 of January 16, 2006
Generating random traces with seed -3155617668634430995.
该随机路存盘在HourClock.tla所在目录：HourClock_trace1-10
Parsing file HourClock.tla
Parsing file C:\000\tla\tlasany\StandardModules\Naturals.tla
Semantic processing of module Naturals
Semantic processing of module HourClock
TLC源代码分析:
1 ６个子目录，提供三个工具：
１) The Syntactic Analyzer: A parser and syntax checker for TLA+ specifications.
２) \tlc：TLC: A model checker and simulator for a subclass of "executable" TLA+
specifications.
该目录下是两个运行程序：TLC与Generator，代码分析可由此进行！
３) \tlatex：TLATeX: A program for typesetting TLA+ specifications.
４) \tlasany：SANY is a shell class to call the main driver method of SANY
５) \pcal：
* CLASS PcalResourceFileReader
*
* A PcalResourceFileReader returns an object for reading a resource file,
*
* which is a file kept in the same directory as the pcal.AST class.
*
SANY is a shell class to call the main driver method of SANY
２
实例1:"Specifying a Simple Clock" :
文件：HourClock.tla：
The ASCII version of the HourClock module.
代码：
---------------------- MODULE HourClock -----------------------------------------EXTENDS Naturals (**用Java定义的模块－整数计算,在\tlc\module中**)
VARIABLE hr
(**状态变量**)
HCini == hr \in (1 .. 12)
HCnxt == hr' = IF hr # 12 THEN hr + 1 ELSE 1
HC == HCini /\ [][HCnxt]_hr
(**状态空间**)
(**状态转移**)
(**可停的钟**)
-----------------------------------------------------------------------------------------------THEOREM HC => []HCini (**此时钟系统运行时,hr必然取1,..12的值**)
文件：HourClock.cfg： A TLC configuration file for checking the HourClock specification.
代码：
(**************************************************************************)
(* This is a TLC configuration file for testing that HCini is an invariant *)
(* of the specification HC
*)
(**************************************************************************)
SPECIFICATION HC
\* This statement tells TLC that HC is the specification that it
\* should check.
INVARIANT HCini
\* This statement tells TLC to check that formula HCini is an
\* invariant of the specification--in other words, that the
\* specification implies []HCini.
运行:
C:\000\tla>java tlc.TL .\examples\HourClock\HourClock.tla
结果:
TLC Version 2.0 of January 16, 2006
Model-checking
Parsing file HourClock.tla
Parsing file C:\000\tla\tlasany\StandardModules\Naturals.tla
Semantic processing of module Naturals
Semantic processing of module HourClock
Finished computing initial states: 12 distinct states generated.
Model checking completed. No error has been found.
Estimates of the probability that TLC did not check all reachable states
because two distinct states had the same fingerprint:
calculated (optimistic): 7.806255641895632E-18
based on the actual fingerprints: 1.6262447381494354E-18
24 states generated, 12 distinct states found, 0 states left on queue.
The depth of the complete state graph search is 1.
说明：
１ 这是一个描述可停（但停了之后可能又会走）的时钟（并发系统）；
２ 状态转移（图）如下（请讨论）：
。
作业：
1 写出此状态转移的数学式并作说明
２ 描述一个停了后就不再走的钟和可停一下但不会永停的钟，画出
状态图写出LTA代码并运行
3 将下列材料（LTL与CTL*的比较3）用到2的时钟系统：
设:
模块调用：
HourClock2.tla
HourClock2.cfg
A module that defines the alternative specification HC2 of the
hour clock, and a configuration file for checking it with
TLC.
(******************MODULE ＨourClock2.tla
****************************)
(* This module contains the definition of the specification HC2 from the book.
*)
(***************************************************************************)
EXTENDS HourClock
(*调用模块HourClock*)
(*************************************************************************)
(* This statement includes in the current module all the definitions and *)
(* declarations from module HourClock, including the definitions of +
*)
(* and % from the Naturals module and the declaration of the variable
*)
(* hr.
*)
(*************************************************************************)
HCnxt2 == hr' = (hr % 12) + 1
HC2 == HCini /\ [][HCnxt2]_hr
----------------------------------------------------------------------------THEOREM HC <=> HC2
(*************************************************************************)
(* This theorem asserts that formulas HC and HC2 are equivalent. The
*)
(* symbol <=> , which can also be typed as \equiv , is typeset as an
*)
(* equivalence symbole (a three-lined equals sign).
*)
(*************************************************************************)
====================================================================
(***************************HourClock2.cfg**********************************)
(* This is a TLC configuration file for testing that HC2 implies HC.
*)
(***************************************************************************)
SPECIFICATION HC
\* This statement tells TLC that it is to take formula HC as
\* the specification it is checking.
PROPERTY HC2
\* This statement tells TLC to check that the specification
\* implies the property HC2.
(In TLA, a specification is
\* also a property.)
作业Exercises:
1. Run TLC on the HourClock specification.
2. Add an error into the specification by modifying HCini to be
HCini == hr \in (1 .. 11)
and find the error with TLC.
3. (a) Run TLC on the HourClock2 specification to test that
specifications
HC and HC2 are equivalent. (Hint: The given configuration file
checks that HC2 implies HC. Two formulas are equivalent iff
each implies the other.)
(b) Modify the definition of HC2 by changing the definition of
HCnxt2
to
HCnxt2 == hr' = (hr % 11) + 1
Use TLC to show that HC2 is then no longer equivalent to HC.
Asynchronous Interface
We now specify an interface for transmitting data between asynchronous devices.
A sender and a receiver are connected as shown here
Data is sent on val , and the rdy and ack lines are used for synchronization. The
sender must wait for an acknowledgment (an Ack) for one data item before it can
send the next. The interface uses the standard two-phase handshake protocol,
described by the following sample behavior:
计算并显示TLA+式子的值：
---------------------------- MODULE PrintValues 屏幕显示------------------------------------------(***************************************************************************)
(* 定义：Print(out, val) == val ；计算Print(e1, e2)时，TLC将显示e1与e2的值；*)
(* 按此定义，语句ASSUME Print(exp, TRUE)为真，因此exp的值被显示
*)
(* 定义：PrintVal(id, exp) == Print(<<id, exp>>, TRUE)即可显示<<id, exp>> *)
(***************************************************************************)
EXTENDS Naturals, TLC
PrintVal(id, exp) == Print(<<id, exp>>, TRUE)
(***************************************************************************)
(* 为显示<<id, exp>>，使用ASSUME（调用PrintVal）进行 .
*)
(***************************************************************************)
ASSUME
/\ PrintVal("Three more cats: ",
[cat |-> 1, dog |-> "d"].cat + 3)
/\ PrintVal("Here's a record一条记录: ",
[ [game |-> "baseball", player |-> "Marris", homers |-> 61]
EXCEPT !.player = "McGuire",
!.homers = @+9 ] )
----------------------------- MODULE SimpleMath ----------------------------(***************************************************************************)
(* This is a TLA+ module that asserts some simple mathematical formulas
*)
(* to be true. Each formula is preceded by the TLA+ keyword ASSUME,
*)
(* which means that it is to be taken as an assumption. TLC checks that *)
(* assumptions are valid, so it can be used to check the truth of
*)
(* formulas.
*)
(*
*)
(* You can modify this file and run TLC to check your own formulas.
*)
(* However, observe the following constraints:
*)
(*
*)
(* - Use only the built-in TLA operators, which are listed in Tables 1
*)
(*
and 2 of the book. (To use others, you either have to add their
*)
(*
definitions or the TLA+ statements that import their definitions
*)
(*
from other modules.)
*)
(*
*)
(* - The only variables you should use are bound variables--for example, *)
(*
the ones introduced by existential quantification.
*)
(*
*)
(* - In your formulas, you can use natural numbers (0, 1, 2, ... ),
*)
(*
strings like "abc", and the values a, b, c, d, e, f, and g, which
*)
(*
TLC will interpret as arbitrary values that are unequal to each
*)
(*
other and to any other value.
*)
(*
*)
(* - Use only bounded quantifiers; TLC cannot handle the unbounded
*)
(*
quantifiers. (It also cannot handle the unbounded CHOOSE operator). *)
(*
*)
(* This file contains a number of ASSUME statements. They could be
*)
(* replaced by a single ASSUME that assumes the conjunction of all the
*)
(* formulas, but using separate ASSUMEs makes it easier to locate an
*)
(* error.
*)
(*
*)
(* Note: Table 8 tells you how to type all the symbols that do not have
*)
(* obvious ASCII equivalents.
*)
(***************************************************************************)
EXTENDS Naturals, TLC
PrintVal(id, exp) == Print(<<id, exp>>, TRUE)
CONSTANTS a, b, c, d, e, f, g,tautologies
(*************************************************************************)
(* This statement declares the values a, ... , g so they can be used in formulas 在.cfg中定义*)
(*************************************************************************)
(***************************************************************************)
(* This example shows how you can check propositional logic tautologies. *)
(***************************************************************************)
ASSUME
/\
\A F, G \in {TRUE, FALSE} : (F => G) <=> ~F \/ G
/\
PrintVal("逻辑式:(F => G) <=> ~F or G 是", tautologies)
(***************************************************************************)
(* Here is an example showing how you can check that a formula is NOT a
*)
(* tautology of propositional logic.
*)
(***************************************************************************)
ASSUME
~ \A F, G \in {TRUE, FALSE} : (F \/ G) => (F /\ G)
(***************************************************************************)
(* The following examples illustrate the operators of set theory.
*)
(***************************************************************************)
ASSUME
{1, 2, 2, 3, 3, 3} = {3, 1, 1, 2}
ASSUME
{1, 2} \cup {2, 3, 4} = {5, 4, 3, 2, 1} \cap {1, 2, 3, 4}
ASSUME
{1, 3} \subseteq {3, 2, 1}
ASSUME
{a, b, c} \ {c} = {a, b}
ASSUME
{a, b} \in {{a, b}, c, {d, e}}
(***************************************************************************)
(* The following defines SomeSets to be the set of all subsets of the set *)
(* {a, b, c, d, e}. The ASSUME that follows shows how you can use this
*)
(* set to have TLC check that a property of sets hold for all the sets in *)
(* SomeSets. (This doesn't imply that the property is valid for all sets, *)
(* but it's likely to discover if the property is not valid.)
*)
(***************************************************************************)
SomeSets == SUBSET {a, b, c, d, e}
ASSUME
\A S, T \in SomeSets : (S \subseteq T) <=> S = (S \cap T)
====================================================================
基于行为时序逻辑 TLA的
模型检测AVISPA
AVISPA stands for Automated Validation of Internet Security Protocols and Applications.
The AVISPA project aims at developing a push-button, industrial-strength
technology for the analysis of large-scale Internet security-sensitive protocols
and applications.
安装使用
课程考试
研究课题选
1
2
病毒进程的研究
SPIN、SMV与TLA