LLM 시대의 TLA+ 입문: 프롬프트로 승리하기

Most engineers&rsquo; first objection to using TLA+ is, the syntax is hostile. It looks like LaTeX, not like code. But now, frontier LLMs can generate TLA+ easily. It&rsquo;s still your responsibility to understand your system and define what &ldquo;correctness&rdquo; means, and you need a high-level understanding of temporal logic. I&rsquo;ll explain temporal logic in this article. At the end I&rsquo;ll show an example prompt to start a TLA+ spec with Claude. Subscribe for new articles A toy problem # Here&rsquo;s a classic puzzle. You have a can of beans. Each bean is white or black. The can starts nonempty. While there are at least 2 beans: Choose 2 beans. If they&rsquo;re the same color: discard both, add 1 white bean. If they&rsquo;re different colors: discard both, add 1 black bean. Two questions: Can the number of beans ever reach zero? If the algorithm terminates with b = 1, what must have been true at the start? You could think really hard. Or you could write it down in TLA+ and let a model checker answer both questions automatically. The whole point is to avoid thinking&mdash;or at least, to have a machine verify that your thinking was correct. Or convince your friends that your thinking is correct, or convince the peer-review panel for your research paper. How logical formulae produce a state machine # TLA+ was invented by Leslie Lamport in the 1990s. TLA stands for &ldquo;Temporal Logic of Actions,&rdquo; and TLA+ is the name of the specific language. TLA+ has basic boolean logic, and it has sets and functions, and quantification (&ldquo;for all&rdquo; and &ldquo;there exists&rdquo;). It also has temporal operators, which we&rsquo;ll see soon. When you write a specification in TLA+, you&rsquo;re writing a logical formula which defines a state machine. The machine has a fixed set of variables, and each state is an assignment of values to the variables. For the can problem, there are variables: w (the number of white beans) and b (the number of black beans). Each state is an assignment of values to w and b . A behavior is a sequence of states, and a specification is the set of allowed behaviors. Initial state # We need an initial-state rule&mdash;a predicate that&rsquo;s true of exactly the states we&rsquo;re willing to start from. In English: &ldquo;the can is initially nonempty,&rdquo; or w + b > 0 . Which of these initial states matches the predicate? b = 0 /\ w = 0 b = 0 /\ w = 4 b = 6 /\ w = 1 b = 1 /\ w = &#34;foo&#34; In TLA+ &ldquo;/\&rdquo; means &ldquo;and&rdquo;, so b = 0 /\ w = 0 means &ldquo;b = 0 and w = 0&rdquo;. The second and third states match the predicate. The first doesn&rsquo;t, because w and b sum to zero, and the final state doesn&rsquo;t make sense because you can&rsquo;t add 1 and the string &ldquo;foo&rdquo;. TLA+ has no type system, only sets, so there&rsquo;s nothing stopping w from being a string. Lamport calls something like that &ldquo;silly.&rdquo; We prevent silly states by specifying that w and b must be natural numbers: EXTENDS Integers Init == w \in Nat /\ b \in Nat /\ w + b > 0 EXTENDS Integers imports everything you need for handling integers, like the set of natural numbers Nat , and \in is the set-membership operator ∈ \in . In TLA+, == means &ldquo;defined as.&rdquo; This is confusing, because it&rsquo;s kind of the opposite of C: a single = tests for equality, and == names a formula (like a macro). State transitions # A state-transition rule is a predicate over two states&mdash;current and next&mdash;that says which transitions are legal. Let&rsquo;s turn our algorithm into a state-transition rule in TLA+. Starting from English: 2 white beans: remove 2 whites, add 1 white → net effect: w -= 1 2 black beans: remove 2 blacks, add 1 white → net effect: b -= 2 1 of each: remove 1 white and 1 black, add 1 black → net effect: w -= 1 Notice the first and third cases have identical effects on the state: both just subtract 1 from w and leave b alone. This is the kind of insight that falls out naturally when you write things down precisely. In TLA+ these become three actions : WW == w > 1 /\ w' = w - 1 /\ UNCHANGED b \* Picked 2 white BB == b > 1 /\ b' = b - 2 /\ w' = w + 1 \* Picked 2 black WB == w > 0 /\ b > 0 /\ w' = w - 1 /\ UNCHANGED b \* Picked 1 of each There are two operators that we&rsquo;re seeing for the first time here. The prime ( ' ) operator means &ldquo;the next value of this variable&rdquo;: w' = w - 1 means &ldquo;in the next state, w will equal the current w minus 1.&rdquo; UNCHANGED b is shorthand for b' = b . You have to account for every variable in every action&mdash;TLA+ won&rsquo;t assume that unmentioned variables stay the same. This is annoying, but it forces you to think about what each action does to the whole state. The terms without primes are the guard : conditions that must hold now for the action to fire. The terms with primes are the assignment : what the next state looks like. If the guard is false, the action is disabled. The \* starts a comment (yes, it&rsquo;s a backslash and a star). A full TLA+ spec # Here&rsquo;s the full specification: -------------- MODULE beans ----------------- EXTENDS Integers VARIABLES w, b vars == <<w, b>> \* convenient list of all variables Init == w \in Nat /\ b \in Nat /\ w + b > 0 WW == w > 1 /\ w' = w - 1 /\ UNCHANGED b \* Picked 2 white BB == b > 1 /\ b' = b - 2 /\ w' = w + 1 \* Picked 2 black WB == w > 0 /\ b > 0 /\ w' = w - 1 /\ UNCHANGED b \* Picked 1 of each Next == WW \/ BB \/ WB Spec == Init /\ [][Next]_vars /\ WF_vars(Next) ============================================== The formula Next is defined as the OR ( \/ ) of all three actions&mdash;at any given state, whichever actions have their guards satisfied are enabled. This is nondeterminism : the spec doesn&rsquo;t say which action happens, just which are possible. The model checker explores all of them. The Spec line is the spine of any TLA+ specification and you&rsquo;ll see it in basically every TLA+ spec you read. It says: &ldquo;every behavior allowed by this spec starts from an initial state where Init is true, and every transition satisfies Next.&rdquo; The WF_vars(Next) part means &ldquo;the algorithm must keep making progress&mdash;it can&rsquo;t stall forever when an action is enabled.&rdquo; That&rsquo;s called a fairness constraint , stay tuned&hellip; The [][Next]_vars part hides some complexity I&rsquo;m going to skip. If you want to deeply understand it, read Lamport&rsquo;s &ldquo;Specifying Systems.&rdquo; For prompting purposes, just know it goes there. States and behaviors # A behavior is an infinite sequence of states, starting from an initial state, where each step is allowed by Next . Behaviors are infinitely long by convention. If the algorithm terminates (reaches a state where no further actions are enabled), the final state just repeats forever. That repetition is called stuttering . So &ldquo;termination&rdquo; in TLA+ means the algorithm reaches a stuttering state and stays there. There are infinitely many init states in our spec&mdash;any pair of natural numbers with w + b > 0 is a valid initial state. Let&rsquo;s look at a subset of the state space, just the states that begin at b=3 and w=5: Each node is a state. Each edge is a valid transition, labeled with which action(s) apply. Some edges say &ldquo;WW/WB&rdquo;&mdash;that&rsquo;s because when w > 1 and b > 0 , both WW and WB are enabled and lead to the same next state (both just decrement w by 1). The model checker explores both actions but discovers the same successor state, so they collapse into one edge. A behavior in this picture is a path from the initial node to a terminal node, followed by stuttering. Here&rsquo;s a behavior: Model-checking # The model-checker, TLC, starts from the set of initial states, applies the next-state relation to generate successor states, and uses hashing (it calls this &ldquo;fingerprinting&rdquo;) to avoid revisiting states it&rsquo;s already seen. As TLC disco