BCS2213 - Introduction To TLA

- The document introduces the Temporal Logic of Actions (TLA), a logic for formally specifying discrete event systems. - TLA allows one to write a precise description of a system as a single formula combining assertions about the initial state and behavior over time. The behavior is defined by a next-state relation describing how the system evolves in steps. - TLA specifications can describe safety and liveness properties, real-time properties, and accommodate "stuttering" steps where some variables remain unchanged. The document provides examples of specifying a simple digital clock system in TLA.

Faculty of Computer Systems & Software Engineering

Formal methods. Introduction to the Temporal Logic of Actions

Vitaliy Mezhuyev
History and motivation

• Why are formal methods needed?
• What is the mathematical base of formal methods?
• Specifying modern computer systems requires expressing their temporal properties.
• In 1977, Amir Pnueli introduced the use of temporal logic for describing system behaviors.
• In the late 1980s, Leslie Lamport invented the Temporal Logic of Actions (TLA), a variant of Pnueli's original logic.
History and motivation

• TLA is applicable to specifying a wide class of software systems, from simple programs to large distributed and concurrent systems.
• TLA is good for describing asynchronous systems (systems whose components do not operate in strict lock-step).
• TLA allows us to write a precise and formal description of almost any kind of discrete system as a single formula.
• TLA uses first-order logic and set theory for expressing ordinary mathematics.
• TLA extends ordinary mathematics with temporal operators (such as next, always, eventually).
What we will learn with TLA

• How to specify the safety properties of systems (what the system should not do; no temporal logic is needed).
• How to specify the liveness properties of systems (what the system should do; this needs temporal logic).
• How to specify real-time properties of systems with temporal logic.
• TLA tools: the TLA Toolbox and the TLC model checker.
• The main book: "Specifying Systems" by Leslie Lamport.
References to the TLA framework

The TLA Home Page:
http://research.microsoft.com/en-us/um/people/lamport/tla/tla.html

TLA Toolbox + Tools:
https://tla.msr-inria.inria.fr/tlatoolbox/products/

Lamport's book:
http://research.microsoft.com/en-us/um/people/lamport/tla/book.html
The Specification in TLA

A specification can be written in two formats:
• ASCII
• TLATEX (mathematical) notation

TLATEX   ASCII    Name
∧        /\       And
∨        \/       Or
¬        ~        Not
⇒        =>       Imply
≡        <=>      Equivalence
≜        ==       Is defined to equal
□        []       Box
∈        \in      In
≠        #, /=    Not equal
⟨ ⟩      << >>    Tuple
Introduction to TLA

• A system specification in TLA consists of ordinary mathematics (sets, first-order logic) linked together with temporal logic.
• To write a TLA specification, we first need to learn how to express ordinary math in TLA.
• So let's review the basic statements of elementary algebra, propositional logic and set theory.
Basic math

• Elementary algebra is the mathematics of the natural numbers and the operations + (addition), - (subtraction), * (multiplication), and % (modulo).
• Propositional logic is the mathematics of the two Boolean values TRUE and FALSE and the operations and, or, not, imply and equivalence (see the table above).

TRUE and FALSE are reserved keywords in TLA.

The Boolean operators are defined by truth tables. "Iff" means "if, and only if".

Note: in the TLA Toolbox we use the ASCII forms /\, \/, ~, =>, <=>.
Truth tables

The Boolean operators can be defined by truth tables. For example, for the implication F => G:

F      G      F => G
TRUE   TRUE   TRUE
TRUE   FALSE  FALSE
FALSE  TRUE   TRUE
FALSE  FALSE  TRUE

The sense of implication

The implication F => G means "F implies G" or, equivalently, "if F then G".

Example: if n is greater than 3, then it must be greater than 1, so n > 3 should imply n > 1. Therefore the formula (n > 3) => (n > 1) is true:

For n = 4: (4 > 3) => (4 > 1) is true.
For n = 2: (2 > 3) => (2 > 1) is true.
For n = 0: (0 > 3) => (0 > 1) is true.
Precedence

In algebraic formulas, * has higher precedence (binds more tightly) than +, so x + y*z means x + (y*z).

Similarly, ¬ has higher precedence than /\ and \/, which have higher precedence than => and <=>, so ¬F /\ G => H means ((¬F) /\ G) => H.

Arithmetic operators like + and > have higher precedence than the operators of propositional logic, so n > 0 => n-1 >= 0 means (n > 0) => (n-1 >= 0).

The rule: always use parentheses if you don't remember the precedence.
Sets. TLATEX vs ASCII

TLATEX   ASCII        Name
∈        \in          Member of
∪        \union       Union
∩        \intersect   Intersection
⊆        \subseteq    Subset
⊂        \subset      Proper subset
\        \            Set difference
∉        \notin       Not a member of

Set comprehension

{1, 2, 3}          the set consisting of the elements 1, 2, 3
{x \in S : F}      the set of elements x in S satisfying F

Example: {x \in {1,2,3} : x > 2} = {3}


Predicate Logic

Predicate logic extends propositional logic with the two quantifiers ∀ (for all) and ∃ (there exists). These allow us to say that a formula is true for all the elements of a set, or for some of the elements of a set.

TLATEX   ASCII   Name
∀        \A      For all
∃        \E      There exists
Formulas of Predicate Logic

The formula ∀ x ∈ S : F asserts that formula F is true for every element x in the set S.

The formula ∃ x ∈ S : F asserts that formula F is true for at least one element x in S.

The same in ASCII:

\A x \in S : F     universal quantification
\E x \in S : F     existential quantification


Tautologies

Formula F is true for some x in S iff F is not false for all x in S, i.e., iff it is not the case that ¬F is true for all x in S:

(\E x \in S : F) <=> ~(\A x \in S : ~F)

Such formulas are called tautologies, meaning that they are true for all values of the identifiers S and F.
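The quantifier tautology above, checked by brute force: since a tautology must hold for every S and every F, the script enumerates every predicate on small finite sets (each predicate given by the subset on which it is TRUE) and also shows, via the empty set, why "for all implies there exists" is not one. This is an added example, not code from the lecture or from the TLA+ tools.

```python
"""Brute-force check of the tautology from the slides,
(\\E x \\in S : F) <=> ~(\\A x \\in S : ~F),
by enumerating every predicate F on small finite sets S. Added example,
not from the lecture or the TLA+ tools."""
from itertools import chain, combinations

def forall(S, F):
    """\\A x \\in S : F  (vacuously TRUE when S is empty)."""
    return all(F(x) for x in S)

def exists(S, F):
    """\\E x \\in S : F  (FALSE when S is empty: there is no witness)."""
    return any(F(x) for x in S)

def all_predicates(S):
    """Every predicate on S, given by the subset of S on which it is TRUE."""
    S = list(S)
    subsets = chain.from_iterable(combinations(S, k) for k in range(len(S) + 1))
    for truth_set in subsets:
        yield (lambda ts: (lambda x: x in ts))(frozenset(truth_set))

def duality_holds(S):
    """\\E x \\in S : F <=> ~\\A x \\in S : ~F, for every predicate F on S."""
    return all(exists(S, F) == (not forall(S, lambda x, F=F: not F(x)))
               for F in all_predicates(S))

def check_tautology(max_size=4):
    """True iff the equivalence holds on {} and on {1..n} for all n <= max_size."""
    return all(duality_holds(set(range(1, n + 1))) for n in range(max_size + 1))

def forall_implies_exists_on_empty_set():
    """(\\A x \\in S : F) => (\\E x \\in S : F) is NOT a tautology: on S = {}
    the antecedent is TRUE and the consequent FALSE, so the implication is FALSE."""
    S, F = set(), (lambda x: True)
    return (not forall(S, F)) or exists(S, F)
```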
Functions

f == [x \in S |-> e]     the function f such that f[x] = e for every x in S
f[e]                     function application
DOMAIN f                 the domain of the function f

Example:
f == [x \in N |-> x+1]
N is the domain of the function f, and f[x] = x+1.


Specifying the behavior of a system

• To describe the behavior of a system we use equations that determine how its state evolves with time, where the state consists of the values of the system's variables.
• For example, the behavior of the earth-moon system can be described by a function F from time to states, where F(t) represents the state of the system at time t.
• The state of a computer system changes in discrete steps. So we will represent the behavior of a system as a sequence of states, where a state is defined by an assignment of values to variables.
An Hour Clock System

• Let's specify a simple system: a digital clock that displays only the hour.
• The value of the hour cycles through the values 1 through 12.
• Let the variable hr represent the clock's display. We can represent a behavior of the clock as a sequence of states, where e.g. [hr = 11] is a state in which the variable hr has the value 11.
• A pair of successive states, such as [hr = 1] -> [hr = 2], we will call a step.

Note: in ASCII the "is defined to equal" symbol (≜) is represented by ==.
An Hour Clock – next-state predicate

• The next-state predicate HCnxt is a formula expressing the relation between the values of hr in the previous (old) state and the next (new) state of the system.
• Let hr represent the value of hr in the old state and hr' represent its value in the new state.
• The symbol ' in hr' is read "prime".
• The next-state relation is that hr' equals hr+1, except if hr equals 12, in which case hr' should start again from 1.
An Hour Clock – next-state predicate

• Using the usual IF / THEN / ELSE construct, we can define HCnxt to be the next-state relation.
• HCnxt is an ordinary mathematical formula, except that it contains primed and unprimed variables. Such a formula is called an action.
• An action formula (HCnxt) can be true or false of a step, e.g. of [hr = 1] -> [hr = 2].
• When an HCnxt step occurs, we say that the action HCnxt is executed.
An Hour Clock – full specification

• The idea of TLA is to specify a system by a single formula, a conjunction asserting that (1) its initial state satisfies HCini, and that (2) each of its steps satisfies HCnxt.
• To express (2) we use the temporal-logic operator □ (pronounced "box", represented in ASCII by []).
• The temporal formula □F asserts that formula F is always true. In particular, □HCnxt is the assertion that HCnxt is true for every step in the behavior.
• HCini /\ []HCnxt is true of a behavior if the initial state satisfies HCini and every step satisfies HCnxt.
An Hour Clock – stuttering steps

• Suppose the display shows not only the current hour but also the temperature. The state of the clock is then described by two variables: hr, representing the hour, and tmp, representing the temperature.
• Consider an example behavior of this system in which, in the second and third steps, tmp changes but hr remains the same.

An Hour Clock – stuttering steps

• Thus the formula HCini /\ []HCnxt does not describe the behavior of the clock that also measures the temperature.
• A formula that describes it must allow steps that leave hr unchanged, i.e. hr' = hr steps. These are called stuttering steps.
• A specification of the temperature-measuring hour clock should allow both HCnxt steps and stuttering steps, i.e.
HCnxt \/ (hr' = hr)
An Hour Clock – stuttering steps

• Adapting HCini /\ []HCnxt accordingly, we get
HCini /\ [](HCnxt \/ (hr' = hr))
• Or, in TLA syntax, we write
HCini /\ [][HCnxt]_hr
• This formula allows stuttering steps.
• For example, it allows us to add a min variable to the specification of the Hour Clock system. It will range over 0..59 while hr remains unchanged.
A Closer Look at the Specification

• A state is defined by an assignment of values to variables, e.g. [hr = 11].
• A behavior is an (infinite or finite) sequence of states.
• The specification of the Hour Clock is a temporal formula HC.
• A temporal formula is an assertion about a behavior. A behavior satisfies HC iff this formula is true in all states of the Hour Clock.

A Closer Look at the Specification

• Thus hr has a value from 1 through 12 in every state of any behavior satisfying the specification HC.
• Formula HCini asserts that hr has a value from 1 through 12, and □HCini asserts that HCini is always true. In other words, HC implies □HCini for any behavior.
• A temporal formula satisfied by every behavior is called a theorem, so HC => □HCini is a theorem.
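The stuttering discussion and the theorem HC => □HCini, made executable: HCini, HCnxt and [HCnxt]_hr become Python predicates over states (dicts of variable values), a constructed behavior with a tmp variable shows which of the two formulas tolerates temperature-only steps, and a TLC-style exploration of the reachable hr values checks that HCini holds in every state reachable under HCnxt. This is an added example, not code from the lecture or from the TLA+ tools.

```python
"""Explicit-state model of the hour clock from the slides, as an added
example (not from the lecture or the TLA+ tools). States are dicts of
variable values, a behavior is a list of states, and the TLA formulas
HCini, HCnxt and [HCnxt]_hr become Python predicates."""

HOURS = range(1, 13)

def HCini(s):
    """Initial predicate: hr \\in 1..12."""
    return s["hr"] in HOURS

def HCnxt(s, t):
    """Action on a step s -> t: hr' = IF hr = 12 THEN 1 ELSE hr + 1."""
    return t["hr"] == (1 if s["hr"] == 12 else s["hr"] + 1)

def boxed_HCnxt_hr(s, t):
    """[HCnxt]_hr == HCnxt \\/ (hr' = hr): also admits stuttering steps."""
    return HCnxt(s, t) or t["hr"] == s["hr"]

def satisfies(behavior, init, action):
    """init /\\ [][action]: init holds in the first state and the action
    holds on every step (every pair of successive states)."""
    steps = zip(behavior, behavior[1:])
    return init(behavior[0]) and all(action(s, t) for s, t in steps)

# Constructed behavior of a clock that also shows the temperature: in the
# second and third steps tmp changes while hr stays the same.
TEMP_CLOCK = [{"hr": 11, "tmp": 23.5}, {"hr": 12, "tmp": 23.5},
              {"hr": 12, "tmp": 23.4}, {"hr": 12, "tmp": 23.3},
              {"hr": 1, "tmp": 23.3}]

def stuttering_demo(behavior=TEMP_CLOCK):
    """Return (HCini /\\ []HCnxt, HCini /\\ [][HCnxt]_hr) for the behavior:
    only the second formula tolerates the temperature-only steps."""
    return (satisfies(behavior, HCini, HCnxt),
            satisfies(behavior, HCini, boxed_HCnxt_hr))

def check_HC_implies_always_HCini():
    """TLC-style check of the theorem HC => []HCini: explore every hr value
    reachable from an HCini state via HCnxt steps and test HCini on each.
    Candidate new values are drawn from a finite window around 1..12."""
    candidates = range(-2, 16)
    seen, frontier = set(), {h for h in candidates if HCini({"hr": h})}
    while frontier:
        h = frontier.pop()
        seen.add(h)
        frontier |= {n for n in candidates
                     if HCnxt({"hr": h}, {"hr": n}) and n not in seen}
    return all(HCini({"hr": h}) for h in seen), sorted(seen)
```

stuttering_demo() returns (False, True) and check_HC_implies_always_HCini() returns (True, [1, 2, ..., 12]): the value 13 is never reached because HCnxt wraps 12 back to 1.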
Comparison of ASCII and TLATEX (HourClock.tla)

Typical structure of a TLA+ module in ASCII:

    ---- MODULE m ----
    EXTENDS m_1, m_2
    CONSTANTS c_1, c_2
    VARIABLES v_1, v_2
    ASSUME c_1 = ...
    Init == ...
    Next == ...
    Spec == ...
    THEOREM ...
    =====================
Miscellaneous constructs of TLA in ASCII

Action operators
    v'                         prime operator (only variables can be primed)
    UNCHANGED v                v' = v
    UNCHANGED <<v_1, v_2>>     v_1' = v_1 /\ v_2' = v_2

Conditions
    IF P THEN e_1 ELSE e_2
    CASE P_1 -> e_1 [] ... [] P_n -> e_n
    CASE P_1 -> e_1 [] ... [] P_n -> e_n [] OTHER -> e
    LET d_1 == e_1 ... d_n == e_n IN e
Thank you for your attention!
Please ask questions
Questions for control

1. What is TLA and why is it needed?
2. For what kind of systems is TLA good?
3. What is the basic math inside TLA?
4. Explain the implication operation.
5. What is a tautology?
6. How can we specify the behavior of a system?
7. What is a state of a system?
8. What is a step?
9. What is the initial predicate in a specification?
10. What is the next-state predicate?
11. How do we link the previous and the next state of a system?
12. What is an action?
13. What is the meaning of the operator □ (box)?
14. Explain the formula HCini /\ □HCnxt.
15. What are stuttering steps? Why do we need to specify them?
16. Explain the formula HCini /\ □[HCnxt]_hr.