Tutorial on the Executable ASM Specification of the AB Protocol and Comparison with TLA$^+$

TL;DR

This paper introduces ASM and TLA+ specification methods for the AB protocol, compares their frameworks, and explores their complementary use and potential formal connections in software engineering.

Contribution

It provides an introductory tutorial on ASM and TLA+ for software specifications, compares executable frameworks, and investigates their combined application and formal relationships.

Findings

ASMs and Quint are better for top-down specification.

TLA+ is more suited for bottom-up development.

Models are semantically equivalent but differ in usability.

Abstract

The main aim of this report is to provide an introductory tutorial on the Abstract State Machines (ASM) specification method for software engineering to an audience already familiar with the Temporal Logic of Actions (TLA$^+$) method. The report asks to what extent the ASM and TLA$^+$ methods are complementary in checking specifications against stated requirements and proposes some answers. A second aim is to provide a comparison between different executable frameworks that have been developed for the same specification languages. Thus, the ASM discussion is complemented by executable Corinthian ASM (CASM) and CoreASM models. Similarly, the two TLA$^+$ specifications presented, which rely on the TLC and Apalache model checkers, respectively, are complemented by a Quint specification, a new language developed by Informal Systems to serve as a user-friendly syntax layer for TLA$^+$. For the basis of comparison we use the specification of the Alternating Bit (AB) protocol because it is a simple and well-understood protocol already extensively analysed in the literature. While the models reported here and developed with the two methods are semantically equivalent, ASMs and Quint are better suited for top-down specification from abstract requirements by iterative refinement. TLA$^+$ seems to be more easily used bottom-up, to build abstractions on top of verified components in spite of the fact that it, too, emphasizes iterative refinement. In the final section, the report begins to scope out the possibility of a homomorphism between the specification of the AB protocol and its finite-state machine (FSM) through state space visualizations, motivated by a search for a formal decomposition method.