March 2025 Monthly Development Update

This is the TLA⁺ Foundation monthly development update (subscribe via RSS). Here we summarize the past month of development for the benefit of Foundation patrons and interested members of the community. We will also highlight a good bug or small feature for prospective new contributors to look at! If your TLA⁺ contribution was missed, worry not - we publish monthly, so it’s easy to hop on the next train; open an issue here.

If you’re interested in getting involved in the TLA⁺ community:

• Learn TLA⁺ starting here!
• Join the monthly virtual community meetings here!
• Read the mailing list here!
• Start hacking on the tools themselves here!

Let’s start with some organizational, conference, blog post, and user-side TLA⁺ happenings:

• The TLA⁺ Community Event 2025 will be co-located with ETAPS 2025 in Hamilton, Ontario, Canada on May 4th, 2025. Hope to see you there!
• The TLA⁺ Foundation grant program is continuing on a rolling basis; please submit a proposal if you have ideas to improve TLA⁺ so the Foundation can support you financially as you work on them.
• Concur 2025, the 36th International Conference on Concurrency Theory, will take place August 25-30, 2025, at the University of Aarhus, Denmark. TLA⁺-related papers are being solicited. The abstract submission deadline is April 3rd.
• Hillel Wayne wrote a post categorizing kinds of nondeterminism commonly encountered or used when formally specifying a system.
• Marc Brooker and Ankush Desai published a paper titled Systems Correctness Practices at AWS: Leveraging Formal and Semi-formal Methods, an update of the now-decade-old paper How Amazon Web Services uses formal methods. TLA⁺ is mentioned, along with a diverse array of other formal methods tools; there is a clear trend toward use of deterministic simulation testing (in various flavors) to analyze correctness at the implementation level.
• The paper Smart Casual Verification of the Confidential Consortium Framework by Heidi Howard, Markus Kuppe, Eddy Ashton, Amaury Chamayou, and Natacha Crooks was accepted into USENIX NSDI 2025. The paper details the method of binding a formal TLA⁺ specification to a C++ implementation of the Confidential Consortium Framework.

Now on to coding-related community developments:

• Calvin Loncaric did some work on the Java-based TLA⁺ interpreter, fixing a recently-discovered bug occurring when TLA⁺ functions using EXCEPT are coerced into sequences, and performing some refactoring of lazy evaluation code.
• Stephan Merz fixed a number (1, 2, 3, 4) of proofs in the tlaplus/examples repository that were failing in the new rolling TLAPM pre-release.
• William Schultz worked on his web-based spectacle TLA⁺ interpreter, improving support for lambda operators and module instance variable substitutions; this was motivated by writing a TLA⁺ specification of MongoDB’s distributed cross-shard transaction protocol.
• rozlynd contributed a fix for a TLAPM soundness bug involving tuples and EXCEPT originally reported by Uğur Yavuz. It’s been a rough month for tuples/sequences and the EXCEPT keyword!
• domodwyer released a TLA⁺ formatter tool written in Rust, using the TLA⁺ tree-sitter grammar as the parser backend. That makes a second TLA⁺ formatting tool in existence, including the Java-based one! It is heartening to see a proliferation of community-written development tooling for TLA⁺.
• s12f contributed some fixes for TLA⁺ Unicode tooling, ensuring the TLA⁺ Unicode Converter tool preserves end-of-file newlines and activating the TLA⁺ Neovim Plugin when opening a new file.
• Ana Catarina Ribeiro enhanced TLC state graph output by including model values in transition labels, as part of using TLA⁺ in a testing strategy for microservices; the PR was later merged with modifications by Markus Kuppe.
• Longtime TLA⁺ Tools maintainer Markus Kuppe fixed & updated a TLA⁺ example for finitizing monotonic systems, expanded debug logging when deserializing states in TLC, expanded TLC debugger support for expressions as breakpoint filters, and fixed the VS Code TLA⁺ Extension upload process to open-vsx.org.

Finally, things Andrew Helwer (author of this post) worked on - all funded by the TLA⁺ Foundation!

• I created a semantic error test corpus for TLA⁺, a large set of small TLA⁺ files that should each trigger a specific standardized parse error. This corpus was developed by finding all locations in the Java-based SANY TLA⁺ parser where a parse error is reported, then attempting to reverse-engineer a parse input triggering that error. This greatly improves SANY test coverage, and also serves as an implementation-independent behavior standard for other TLA⁺ parsers to adopt.
• I supported Markus’s work on updating the monotonic systems examples by adding some features (1, 2) to the TLA⁺ examples automated validation tooling, and also expanded documentation to hopefully reduce the difficulty of contributing example specifications.

Newbie Corner

Here we highlight an issue that would be a good choice for new contributors! This one is substantial, similar in genre to last month: extending the Java-based TLA⁺ interpreter to handle a wider variety of expressions. Calvin Loncaric proposed allowing \subseteq/⊆ in TLA⁺ next-state relations; currently the interpreter only supports the logically-equivalent ∈ SUBSET operator. This work could also be easily extended to support the \subset/⊂ operator (without equality). Similar to last month, the high-level steps required to implement this feature are:

1. Figure out where TLC implements the ∈ functionality for next-state relations, while disallowing operators like \subseteq/⊆.
2. Modify the logic to translate ⊆ to an execution form equivalent to ∈ SUBSET.
3. Write tests to validate these changes.

Issues highlighted in past months have also yet to be claimed!

• February 2025: interpret expressions of the form CHOOSE x : x ∈ S
• January 2025: fix the PlusCal CLI -labelRoot option
• December 2024: add parser support for backticks in strings