A High-Level Language for Modeling Algorithms and Their Properties [chapter]

Sabina Akhtar, Stephan Merz, Martin Quinson
2011 Lecture Notes in Computer Science  
Designers of concurrent and distributed algorithms usually express them using pseudo-code. In contrast, most verification techniques are based on more mathematically-oriented formalisms such as state transition systems. This conceptual gap contributes to hinder the use of formal verification techniques. Leslie Lamport introduced PlusCal, a high-level algorithmic language that has the "look and feel" of pseudocode, but is equipped with a precise semantics and includes a high-level expression
more » ... uage based on set theory. PlusCal models can be compiled to TLA + and verified using the model checker tlc. However, in practice the use of PlusCal requires good knowledge of TLA + and of the translation from PlusCal to TLA + . In particular, the user needs to annotate the generated TLA + model in order to define the properties to be verified and to introduce fairness hypotheses. Moreover, the Plus-Cal language enforces certain restrictions that often make it difficult to express distributed algorithms in a natural way. We propose a new version of PlusCal with the aim of overcoming these limitations, and of providing a language in which algorithms and their properties can be expressed naturally. We have implemented a compiler of our language to TLA + , supporting the verification of algorithms by finite-state model checking. of operations such as the computation of successor (or predecessor) states. Most model checkers, in particular symbolic ones, support only low-level data types such as fixed-size integers and records. tlc [14], the model checker for the specification language TLA + [8], accepts a significant fragment of TLA + , which is based on set theory; it thus provides one of the most expressive and high-level input languages for model checking. However, TLA + models encode transition systems via logical formulas, losing much of the (control) structure that is present in code. Recently, Lamport introduced the PlusCal algorithm language [9] (originally called +Cal). While retaining the high level of abstraction of TLA + expressions, it provides familiar constructs of imperative programming languages for describing algorithms, such as processes, assignments, and control flow. The PlusCal compiler generates a TLA + model corresponding to the PlusCal algorithm, which is then verified using tlc. PlusCal is a high-level language that features set-based abstractions, non-determinism, and user-specified grain of atomicity; it emphasizes the analysis, not the efficient execution of algorithms and aims at bridging the gap that we described above. Unfortunately, as we discuss in more detail in section 2, use of Lamport's PlusCal requires good knowledge of TLA + , and even of the translation of PlusCal to TLA + . Aiming at a simple translation in order to make the resulting TLA + model human readable, Lamport imposed some limitations on the language that can make it difficult or unnatural to express distributed algorithms. After initial attempts to extend the original language and its compiler, these limitations motivated us to develop a new version of PlusCal that retains the basic ideas of Lamport's language but overcomes the shortcomings that we identified. At the same time, we aim at a translation that enables the use of reduction techniques and hence more efficient verification.
doi:10.1007/978-3-642-19829-8_4 fatcat:dbdtd4ja4rba7k2376ctinkype