Verifying Safety Properties With the TLA+ Proof System
TLAPS, the TLA+ proof system, is a platform for the development and mechanical verification of TLA+ proofs written in a declarative style requiring little background beyond elementary mathematics. The language supports hierarchical and non-linear proof construction and verification, and it is independent of any verification tool or strategy. A Proof Manager uses backend verifiers such as theorem provers, proof assistants, SMT solvers, and decision procedures to check TLA+ proofs. This paper documents the first public release of TLAPS, distributed with a BSD-like license. It handles almost all the non-temporal part of TLA+ as well as the temporal reasoning needed to prove standard safety properties, in particular invariance and step simulation, but not liveness properties.
💡 Research Summary
The paper presents TLAPS (the TLA+ Proof System), a platform for developing and mechanically verifying TLA+ proofs written in a declarative, hierarchical style. Rather than tying the user to one verification tool, TLAPS provides a Proof Manager that orchestrates a collection of backend verifiers, in this first release the Isabelle/TLA+ proof assistant, the Zenon theorem prover, and a decision procedure for Presburger arithmetic, to check each proof obligation. The Proof Manager parses the user's proof, decomposes it into leaf obligations, and sends each obligation to the backends named in the corresponding BY step, or to a default backend when none is named. This architecture allows non-linear proof construction: the user can state lemmas and leave their proofs for later, check any single step in isolation, and combine results from different backends without manual translation.
TLAPS handles almost all of the non-temporal fragment of TLA+, covering sets, functions, records, tuples, and arithmetic. For temporal reasoning it implements the two rules needed for standard safety proofs: invariance and step simulation. An invariance proof shows that a predicate Inv holds in every initial state and is preserved by every step of the next-state relation, stuttering steps included, which establishes Spec => []Inv. A step-simulation proof shows that every step of an implementation is, under a refinement mapping, either a step of the specification or a stuttering step; together with the initial condition this establishes that the implementation refines the specification. Liveness properties are not supported in this release. These rules are expressed directly in TLA+ syntax (`
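The two proof rules above, worked through in TLAPS proof syntax as an added example; this is not code from the paper or the TLAPS distribution. The first module proves a type invariant of a single counter (invariance rule). The second module implements that counter as the sum of two counters and proves refinement by step simulation, using the refinement mapping `x <- lo + hi` and its own type invariant as the inductive hypothesis. The names, modules and the choice of `PTL` for the temporal QED steps are assumptions: `EXTENDS TLAPS` and the `PTL` backend belong to later TLAPS releases than the 2010 release the paper describes.

```tla
----------------------------- MODULE Counter -----------------------------
(* Added example, not from the paper. Abstract specification: a single
   counter that starts at 0 and is incremented by 1 on every step.        *)
EXTENDS Naturals, TLAPS

VARIABLE x

Init == x = 0
Next == x' = x + 1
vars == <<x>>
Spec == Init /\ [][Next]_vars

TypeOK == x \in Nat

(* Invariance rule: TypeOK holds initially (<1>1) and is preserved by
   every step of Next and by stuttering (<1>2); PTL lifts the two
   non-temporal facts to conclude Spec => []TypeOK.                       *)
THEOREM TypeInvariant == Spec => []TypeOK
<1>1. Init => TypeOK
  BY DEF Init, TypeOK
<1>2. TypeOK /\ [Next]_vars => TypeOK'
  BY DEF TypeOK, Next, vars
<1>3. QED
  BY <1>1, <1>2, PTL DEF Spec
==========================================================================

--------------------------- MODULE TwoCounters ---------------------------
(* Added example, not from the paper. Implementation: two counters, either
   of which may be incremented. It refines Counter under x <- lo + hi.    *)
EXTENDS Naturals, TLAPS

VARIABLES lo, hi

Init == lo = 0 /\ hi = 0
IncLo == lo' = lo + 1 /\ hi' = hi
IncHi == hi' = hi + 1 /\ lo' = lo
Next == IncLo \/ IncHi
vars == <<lo, hi>>
Spec == Init /\ [][Next]_vars

TypeOK == lo \in Nat /\ hi \in Nat

(* The implementation's own type invariant; needed below because the
   backends reason about + only on values known to be numbers.           *)
THEOREM TypeInvariant == Spec => []TypeOK
<1>1. Init => TypeOK
  BY DEF Init, TypeOK
<1>2. TypeOK /\ [Next]_vars => TypeOK'
  BY DEF TypeOK, Next, IncLo, IncHi, vars
<1>3. QED
  BY <1>1, <1>2, PTL DEF Spec

(* Refinement mapping: the abstract counter x is the sum of the two.      *)
C == INSTANCE Counter WITH x <- lo + hi

(* Step simulation: the initial condition maps to the abstract one (<1>1),
   and every implementation step, or stuttering step, maps to an abstract
   step or stuttering step (<1>2). TypeOK is the inductive hypothesis that
   makes the arithmetic go through; TypeInvariant supplies it.             *)
THEOREM Refinement == Spec => C!Spec
<1>1. Init => C!Init
  BY DEF Init, C!Init
<1>2. TypeOK /\ [Next]_vars => [C!Next]_(C!vars)
  BY DEF TypeOK, Next, IncLo, IncHi, vars, C!Next, C!vars
<1>3. QED
  BY <1>1, <1>2, TypeInvariant, PTL DEF Spec, C!Spec
==========================================================================
```

TLA+ tools read one module per file, so save the two modules as `Counter.tla` and `TwoCounters.tla` in the same directory and run `tlapm TwoCounters.tla`; the Proof Manager checks each leaf obligation separately, so a failing `BY` step is reported on its own without invalidating the rest of the proof. Dropping `TypeOK` from the hypothesis of step `<1>2` in `Refinement` is the instructive failure: `lo' + hi' = lo + hi + 1` is not provable without knowing that `lo` and `hi` are naturals.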