Questions About TLC: Parallelism Efficiency, Caching Behavior, and Java Overloading for State-Dependent Operators
61 views
Skip to first unread message
Quentin DELAMEA
May 22, 2026, 9:40:56 AM (10 days ago) May 22
to tlaplus
Hello everyone,
I am currently working on a TLA+ specification that is challenging to model-check with TLC for two main reasons:
- The state space is very large.
- The evaluation of properties (especially invariants) is computationally expensive.
To optimize my workflow, I would appreciate insights or references regarding the following questions about TLC:
1. Parallelism in TLC:
How does TLC handle parallelism, and how effective is it to use many cores? For instance, would running TLC with ~100 cores be beneficial, or are there diminishing returns due to synchronization overhead or other limitations?
2. Caching in TLC:
When and how does TLC cache information during model checking? Specifically:
- Does TLC cache results for constant operators only?
- Does it require that a (constant or non-constant) operator be called repeatedly with the exact same inputs to leverage caching?
3. Java Overloading for State-Dependent Operators:
I am aware that constant operators can be overloaded with Java code. However, is it possible to overload state-dependent operators or properties (e.g., invariants) by:
- Passing state variables as parameters to the operator, or
- Directly accessing state variables from within the Java code?
If any of these topics have been discussed before, I’d be grateful for pointers to relevant threads or documentation. Otherwise, I’d love to hear your experiences or suggestions!
Thank you in advance for your time and help.
Quentin
Shane Miller
May 22, 2026, 6:16:04 PM (10 days ago) May 22
to tla...@googlegroups.com
See my post today. One of the things I mention is that TLA like all major model checkers does not verify LTL in a MT or distributed manner.
Now, spin (see again post for refs and links) has something along these lines but it's not currently used much. Although I started with it and like almost everything about it, I ran into a fairness issue tla didn't have. (Thanks, tla! Spin needed a bug fix and i didnt bother after that. Otherwise its performance is great. It compiles to C for fast runs.)
In my work on the RPC example I ran into excessive verification times a bunch. I reduced it by
- keeping process count to a bare minimum. This is darn important.
- eliminate procedures where possible sticking to macros and definitions if using pluscal
- I also found it useful to permit some slight duplication in code between processes (say when a client and server almost do the same thing differing only by passed arguments) so I could change the specification such that client stuff depends on client stuff only by process.
- my rpc example found 71MM distinct states in 2.5hrs. An hour or two is fine. But I had to use Amazon's mi8xlarge instance with at least 128gb of ram and swap. That's probably nothing in the big scheme of things, but certainly not somethibg my macpro could handle.
- periodically stronger assumptions can help
- be realistic: you may not depending on how much time you want to wait be able to test all features in the same model if too many states are made.
If anybody is knows a proven MT or distributed checker ... let me know! I guess here is where theorem oriented formal models might do better ... but I'm getting over my head there.
--
You received this message because you are subscribed to the Google Groups "tlaplus" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tlaplus+u...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/tlaplus/4a01fb5c-48bf-4d4d-8fa1-cedf01489283n%40googlegroups.com.
Markus Kuppe
May 25, 2026, 6:30:46 PM (7 days ago) May 25
to tla...@googlegroups.com
Hi Shane,
just a small clarification: the model checker is called TLC, not TLA. TLA is the acronym for "Temporal Logic of Actions”. The original TLA paper was published in 1994: https://dl.acm.org/doi/10.1145/177492.177726. TLC first appears in 1999: https://dl.acm.org/doi/10.5555/646704.702012.
Markus
> To view this discussion visit https://groups.google.com/d/msgid/tlaplus/CAFtQo5A_eruWhyQ-J1b1RQBzXkdbU%2BTfLi7Ov5eNynuOF6xrjw%40mail.gmail.com.
just a small clarification: the model checker is called TLC, not TLA. TLA is the acronym for "Temporal Logic of Actions”. The original TLA paper was published in 1994: https://dl.acm.org/doi/10.1145/177492.177726. TLC first appears in 1999: https://dl.acm.org/doi/10.5555/646704.702012.
Markus
Shane Miller
May 26, 2026, 8:11:55 PM (6 days ago) May 26
to tla...@googlegroups.com
Thank you for these corrections. I will incorporate in new version. Regards
To view this discussion visit https://groups.google.com/d/msgid/tlaplus/411F76CC-7DC1-472D-88FE-CC43DCF2C0DA%40lemmster.de.
qdel...@gmail.com
May 29, 2026, 4:10:17 AM (4 days ago) May 29
to tla...@googlegroups.com
Hi Shane,
Thank you for your response! If I have a correct understanding: BFS construction and invariant checking in TLC scale well, but other LTL property checking does not. Is it right?
By the way, why did you choose to run TLC on an Amazon's mi8xlarge instance? Is it an arbitrary choice or is there a particular Reason?
Quentin
De : tla...@googlegroups.com <tla...@googlegroups.com> De la part de Shane Miller
Envoyé : mercredi 27 mai 2026 02:12
À : tla...@googlegroups.com
Objet : Re: [tlaplus] Questions About TLC: Parallelism Efficiency, Caching Behavior, and Java Overloading for State-Dependent Operators
To view this discussion visit https://groups.google.com/d/msgid/tlaplus/CAFtQo5BnUhwzyTwWTYzu0TT5-2qA3sAQ%2Ba5Vt2G%2BerrvsDiaBQ%40mail.gmail.com.
Reply all
Reply to author
Forward
0 new messages