A symbolic model checker for TLA+
Apalache translates TLA+ into the logic supported by SMT solvers, for instance, Microsoft Z3. Apalache can check inductive invariants (for fixed or bounded parameters) and check safety of bounded executions (bounded model checking). To see the list of supported TLA+ constructs, check the supported features. In general, Apalache runs under the same assumptions as TLC.
Check the releases page.
We recommend that you run the latest Docker image apalache/mc:latest and check out the source code from master, which accumulates bug fixes over the latest release; see the manual.
To try the latest cool features, check the unstable branch.
Read the Apalache user manual.
WIP: Idioms for writing better TLA+
- Model-based testing with TLA+ and Apalache. TLA+ Community Event 2020 (October 2020).
- Type inference for TLA+ in Apalache. TLA+ Community Event 2020 (October 2020).
- Formal Spec and Model Checking of the Tendermint Blockchain Synchronization Protocol. 2nd Workshop on Formal Methods for Blockchains (July 2020).
- Showing safety of Tendermint Consensus with TLA+ and Apalache. Dev session at Informal Systems (May 2020).
- TLA+ model checking made symbolic. OOPSLA 2019 (October 2019).
- Bounded model checking of TLA+ specifications with SMT. TLA+ Community Event 2018 (July 2018).
We are collecting Apalache benchmarks. See the Apalache performance when checking inductive invariants and running bounded model checking. Version 0.6.0 is a major improvement over version 0.5.2 (the version reported at OOPSLA19).
To read an academic paper about the theory behind Apalache, check our paper at OOPSLA19. Related reports and publications can be found at the Apalache page at TU Wien.