A TLA+ Proof System

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the original paper or its arXiv source.

We describe an extension to the TLA+ specification language with constructs for writing proofs and a proof environment, called the Proof Manager (PM), to check those proofs. The language and the PM support the incremental development and checking of hierarchically structured proofs. The PM translates a proof into a set of independent proof obligations and calls upon a collection of back-end provers to verify them. Different provers can be used to verify different obligations. The currently supported back-ends are the tableau prover Zenon and Isabelle/TLA+, an axiomatisation of TLA+ in Isabelle/Pure. The proof obligations for a complete TLA+ proof can also be used to certify the theorem in Isabelle/TLA+.


💡 Research Summary

The paper introduces a substantial extension to the TLA+ specification language, called TLA+2, that adds native constructs for writing formal proofs. To support these new constructs, the authors built a Proof Manager (PM) that orchestrates the incremental development, checking, and certification of hierarchical proofs. A proof in TLA+2 is organized as a tree of steps, each step being either a leaf (an “obvious”, “by”, or “use” step that can be handed to an automated prover) or a non‑leaf that contains a sub‑proof. Every step carries a current obligation: a logical goal together with a context of known facts, definitions, and declarations. The PM parses the proof, extracts each leaf’s obligation, and translates it into an independent proof obligation that can be dispatched to one or more back‑end provers.

The current back‑ends are Zenon, a tableau prover for classical first‑order logic with equality, and Isabelle/TLA+, an Isabelle/Pure development that axiomatizes the underlying set‑theoretic logic of TLA+. When Zenon succeeds it produces an Isar script that Isabelle checks; if Zenon fails or times out, the PM directly invokes Isabelle’s automated tactics. In either case the obligation is finally certified by Isabelle/TLA+, giving a high‑confidence proof of the original TLA+2 theorem.

The language itself is deliberately declarative, resembling Isabelle/Isar more than tactic‑driven systems such as Coq. It provides commands such as assume/prove, define, case, by, and use/hide. The use/hide commands let the author explicitly control which facts are available to the automated prover, thereby reducing search space and improving readability. Step numbers (<1>1, <2>3, …) and level tokens (<n>) encode the hierarchical structure, making the proof’s logical flow transparent to human readers.

The authors illustrate the system with a fully worked‑out proof of Cantor’s theorem. The top‑level theorem is introduced, then a universal quantifier is instantiated by assuming a fresh set S and a function f. The proof proceeds by defining the diagonal set T, supplying it as a witness for the existential quantifier, and then proving that for every x∈S we have `f
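The Cantor proof sketched above, written out in TLA+2 proof syntax, as an added example rather than the paper's own listing. It shows the step names and level tokens from the previous section (`<1>1`, `<2>1`, `<3>1`, …), an ASSUME/PROVE step that instantiates the universal quantifiers, a local DEFINE for the diagonal set T, CASE steps for the two halves of the argument, and BY leaves that each become one independent obligation for the back‑end provers. The module name and the explicit `DEF T` citations are choices made for this example, not something the summary states.

```tla
---- MODULE CantorProof ----
\* Added example: Cantor's theorem in TLA+2 proof syntax. Each BY or QED
\* leaf below is a separate proof obligation for the Proof Manager.

THEOREM Cantor ==
  \A S : \A f \in [S -> SUBSET S] : \E A \in SUBSET S : \A x \in S : f[x] # A
PROOF
  \* <1>1 instantiates the universal quantifiers with a fresh set S and a
  \* fresh function f; its goal is the remaining body of the theorem.
  <1>1. ASSUME NEW S, NEW f \in [S -> SUBSET S]
        PROVE  \E A \in SUBSET S : \A x \in S : f[x] # A
    \* The diagonal set T is a local definition visible to the steps below.
    <2> DEFINE T == {z \in S : z \notin f[z]}
    \* T is the witness for the existential: show f[x] # T for every x in S.
    <2>1. ASSUME NEW x \in S
          PROVE  f[x] # T
      <3>1. CASE x \in T
        \* Unfolding T (DEF T) turns x \in T into x \notin f[x],
        \* so f[x] and T disagree on x and cannot be equal.
        <4>1. x \notin f[x]  BY <3>1 DEF T
        <4>2. QED            BY <3>1, <4>1
      <3>2. CASE x \notin T
        \* x \in S and x \notin T give x \in f[x]; again f[x] and T differ on x.
        <4>1. x \in f[x]     BY <3>2 DEF T
        <4>2. QED            BY <3>2, <4>1
      \* The two cases are exhaustive, so the goal f[x] # T follows.
      <3>3. QED              BY <3>1, <3>2
    \* T \in SUBSET S follows from its definition; <2>1 supplies the rest.
    <2>2. QED                BY <2>1 DEF T
  <1>2. QED                  BY <1>1
====
```

Read top‑down, the proof is a tree: the obligation of `<1>1` is discharged by the level‑2 steps beneath it, `<2>1` by the level‑3 steps, and so on down to the BY leaves. Because each leaf cites only the steps and definitions it needs, the prover for that leaf sees a small context, which is the effect the summary attributes to explicit fact management via use/hide.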

