TLC: Difference between revisions

 
(16 intermediate revisions by 4 users not shown)
Line 1: Line 1:
As of version 1.4.0, ProB can make use of [http://research.microsoft.com/en-us/um/people/lamport/tla/tlc.html TLC] as an alternative model checker to validate B specifications. TLC is an efficient model checker for TLA+ specifications, which can check LTL properties with fairness. It is particularly good for lower level specifications, where it can be substantially faster than ProB's own model checker.
As of version 1.4.0, ProB can make use of [http://research.microsoft.com/en-us/um/people/lamport/tla/tlc.html TLC] as an alternative model checker to validate B specifications. TLC is an efficient model checker for TLA+ specifications, which can check LTL properties with fairness. It is particularly good for lower level specifications, where it can be substantially faster than ProB's own model checker.
= Download and Installation =
TLC has been released as an open source project, under the [http://research.microsoft.com/en-us/um/people/lamport/tla/license.html MIT License].
TLC has been released as an open source project, under the [http://research.microsoft.com/en-us/um/people/lamport/tla/license.html MIT License].
To use TLC in the ProB Tcl/Tk GUI you have to select the menu command "Download and Install TLA Tools" in the Help menu.
[[File:Download_TLA_Tools.png|400px|center]]


= How to use TLC =
= How to use TLC =


== Using TLC in ProB Tcl/Tk ==
First you have to open a B specification in the ProB GUI.
First you have to open a B specification in the ProB GUI.
Then you can select the menu command "Model Check with TLC" in the "Verify->External Tools" menu.
Then you can select the menu command "Model Check with TLC" in the "Verify->External Tools" menu.
Line 27: Line 22:


[[File:Model_Checking_With_TLC_Trace.png|400px|center]]
[[File:Model_Checking_With_TLC_Trace.png|400px|center]]
   
=== Requirements ===
On Linux the tlc-thread package is required to run TLC from the tcl/tk ui:
  sudo apt-get install tcl-thread
 
== Using TLC in probcli ==
 
You can use the following switch to use TLC rather than ProB's model checker:
-mc_with_tlc
 
Some of the standard probcli options also work for TLC:
* -noinv  (no invariant checking)
* -nodead (no deadlock checking)
* -noass (no assertion checking)
* -nogoal (no checking for the optional goal predicate)
In addition you can provide
* -noltl (no checking of LTL assertions)
 
ProB Preferences influencing TLC:
* <tt>TLC_WORKERS</tt>: influences the number of workers that will be used by TLC; a call might look like this:
<tt>probcli FILE.mch -mc_with_tlc -p TLC_WORKERS 2 -noltl</tt>
* <tt>TLC_USE_PROB_CONSTANTS</tt>: setup constants using ProB before applying TLC (can lead to a considerable speed-up); e.g.
<tt>probcli FILE.mch -mc_with_tlc -p TLC_USE_PROB_CONSTANTS TRUE</tt>
 
= When to use TLC =
= When to use TLC =
TLC is extremely valuable when it comes to explicit state model checking for large state spaces.
TLC is extremely valuable when it comes to explicit state model checking for large state spaces.
Line 35: Line 52:


TLC is a very efficient model checker for specifications written in [http://research.microsoft.com/en-us/um/people/lamport/tla/tla.html TLA+].
TLC is a very efficient model checker for specifications written in [http://research.microsoft.com/en-us/um/people/lamport/tla/tla.html TLA+].
To validate B specification with TLC we developed the translator TLC4B which automatically translates a B specification to TLA+, invokes the model checker TLC, and translates the results back to B.  
To validate B specification with TLC we developed the translator [https://gitlab.cs.uni-duesseldorf.de/general/stups/tlc4b TLC4B] which automatically translates a B specification to TLA+, invokes the model checker TLC, and translates the results back to B.  
Counter examples produced by TLC are double checked by ProB and replayed in the ProB animator.
Counter examples produced by TLC are double checked by ProB and replayed in the ProB animator.
The translation to TLA+ and back to B is completely hidden to the user. Hence, the user needs no knowledge of TLA+ to use TLC.
The translation to TLA+ and back to B is completely hidden to the user. Hence, the user needs no knowledge of TLA+ to use TLC.


There is a [http://stups.hhu.de/w/Special:Publication/HansenLeuschel_TLC4B_techreport technical report] that describes our translation from B to TLA+.
The following article describes the translation in more detail:
* Dominik Hansen and Michael Leuschel. Translating B to TLA+ for validation with TLC. Sci. Comput. Program. 131, pages 109-125. 2016. [https://doi.org/10.1016/j.scico.2016.04.014 Link].


= Limitations =
= Limitations =
Line 45: Line 63:
* Refinement specifications
* Refinement specifications
* Machine inclusion (SEES, INCLUDES, ..)
* Machine inclusion (SEES, INCLUDES, ..)
* Sequential composition statement (G;H)
* Sequential composition (G;H) with variables assigned more than once


= Visited States =
= Visited States =
Line 56: Line 74:
  VARIABLES x
  VARIABLES x
  INVARIANT
  INVARIANT
   x : 1..10
   x : NATURAL
  INITIALISATION x:=1
  INITIALISATION x := k
  END
  END


ProB will report 21 distinct states (1 root state, 10 constant setup states, 10 initialization states):
ProB will report 21 distinct states (1 root state, 10 constant setup states, 10 initialization states):
[[File:NumberOfStates.jpeg]]
[[File:NumberOfStates.jpeg|800px|left|State space generated by ProB]]
TLC will report 10 states (10 initialization states).
 
 
TLC will only report 10 distinct states (10 initialization states).


= More Information =
= More Information =
More information can be found in our [http://www.stups.uni-duesseldorf.de/w/Special:Publication/HansenLeuschel_ABZ14 ABZ'14 article].
More information can be found in our article which is an extended version of the ABZ'2014 conference paper:
* Dominik Hansen and Michael Leuschel. Translating B to TLA+ for validation with TLC. Sci. Comput. Program. 131, pages 109-125. 2016. [https://doi.org/10.1016/j.scico.2016.04.014 Link].

Latest revision as of 11:27, 24 July 2024

As of version 1.4.0, ProB can make use of TLC as an alternative model checker to validate B specifications. TLC is an efficient model checker for TLA+ specifications, which can check LTL properties with fairness. It is particularly good for lower level specifications, where it can be substantially faster than ProB's own model checker. TLC has been released as an open source project, under the MIT License.

How to use TLC

Using TLC in ProB Tcl/Tk

First you have to open a B specification in the ProB GUI. Then you can select the menu command "Model Check with TLC" in the "Verify->External Tools" menu.

Model Checking With TLC.png

You can use TLC to find the following kinds of errors in the B specification:

  • Deadlocks
  • Invariant violations
  • Assertion errors
  • Goal found (a desired state is reached)
  • Properties violations (i.e, axioms over the B constants are false)
  • Well-definedness violations
  • Temporal formulas violations

In some cases, TLC reports a trace leading to the state where the error (e.g. deadlock or invariant violation) occur. Such traces are automatically replayed in the ProB animator (displayed in the history pane) to give an optimal feedback.

Model Checking With TLC Trace.png

Requirements

On Linux the tlc-thread package is required to run TLC from the tcl/tk ui:

sudo apt-get install tcl-thread

Using TLC in probcli

You can use the following switch to use TLC rather than ProB's model checker:

-mc_with_tlc

Some of the standard probcli options also work for TLC:

  • -noinv (no invariant checking)
  • -nodead (no deadlock checking)
  • -noass (no assertion checking)
  • -nogoal (no checking for the optional goal predicate)

In addition you can provide

  • -noltl (no checking of LTL assertions)

ProB Preferences influencing TLC:

  • TLC_WORKERS: influences the number of workers that will be used by TLC; a call might look like this:
probcli FILE.mch -mc_with_tlc -p TLC_WORKERS 2 -noltl
  • TLC_USE_PROB_CONSTANTS: setup constants using ProB before applying TLC (can lead to a considerable speed-up); e.g.
probcli FILE.mch -mc_with_tlc -p TLC_USE_PROB_CONSTANTS TRUE

When to use TLC

TLC is extremely valuable when it comes to explicit state model checking for large state spaces. Otherwise, TLC has no constraint solving abilities.

Translation from B to TLA+

TLC is a very efficient model checker for specifications written in TLA+. To validate B specification with TLC we developed the translator TLC4B which automatically translates a B specification to TLA+, invokes the model checker TLC, and translates the results back to B. Counter examples produced by TLC are double checked by ProB and replayed in the ProB animator. The translation to TLA+ and back to B is completely hidden to the user. Hence, the user needs no knowledge of TLA+ to use TLC.

The following article describes the translation in more detail:

  • Dominik Hansen and Michael Leuschel. Translating B to TLA+ for validation with TLC. Sci. Comput. Program. 131, pages 109-125. 2016. Link.

Limitations

The following constructs are currently not supported by the TLC4B translator:

  • Refinement specifications
  • Machine inclusion (SEES, INCLUDES, ..)
  • Sequential composition (G;H) with variables assigned more than once

Visited States

Sometimes TLC will show a different number of visited states compared to the ProB model checker. The following example should illustrate this issue:

MACHINE NumberOfStates
CONSTANTS k
PROPERTIES
 k : 1..10
VARIABLES x
INVARIANT
 x : NATURAL
INITIALISATION x := k
END

ProB will report 21 distinct states (1 root state, 10 constant setup states, 10 initialization states):

State space generated by ProB


TLC will only report 10 distinct states (10 initialization states).

More Information

More information can be found in our article which is an extended version of the ABZ'2014 conference paper:

  • Dominik Hansen and Michael Leuschel. Translating B to TLA+ for validation with TLC. Sci. Comput. Program. 131, pages 109-125. 2016. Link.