Abstraction-based Parameterized TLA+ Checker

Keyword: Model Checker

Functional Description: The first version implements a symbolic bounded model checker for TLA+ that runs under the same assumptions as the explicit-state model checker TLC, that is, on a fixed finite instance of the specification. It checks whether a TLA+ specification satisfies an invariant candidate by checking satisfiability of an SMT formula that encodes: (1) an execution of bounded length k, i.e. the initial predicate followed by k copies of the next-state relation over k+1 copies of the state variables, and (2) a violation of the invariant candidate in at least one state of that execution. A satisfying assignment is therefore a counterexample trace of length at most k, and unsatisfiability shows that the candidate holds on every execution up to that bound (it says nothing about longer executions). Our tool is still in the experimental phase, due to a number of challenges that the semantics of TLA+ (an untyped language whose values are sets, functions and records) poses for encoding into SMT.
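The following is an added example, not code from the tool or its authors, that shows the encoding scheme in miniature. A TLA+-style specification (Init, Next, Inv) over finite-domain variables is unrolled k steps; smt_encoding() emits the SMT-LIB formula whose satisfying assignments are counterexamples, and find_counterexample() evaluates the very same unrolled formula by exhaustive enumeration so the result can be checked offline without a solver. The specification (a deliberately broken mutual-exclusion protocol), the tuple-based expression language, and the encoding of the enumerated set {"idle", "wait", "cs"} as a bounded Int are all assumptions of this example and say nothing about the checker's real encoding.

```python
"""Toy bounded model checker (added example; the spec and encoding are assumptions)."""
from itertools import product

# Expressions are nested tuples; a primed variable is written "pc1'" as in TLA+.
def V(n):     return ('var', n)
def L(v):     return ('lit', v)
def Eq(a, b): return ('eq', a, b)
def Not(a):   return ('not', a)
def And(*a):  return ('and',) + a
def Or(*a):   return ('or',) + a

def evaluate(e, env):
    """Evaluate e in env, a dict of unprimed (and, for actions, primed) variable values."""
    t = e[0]
    if t == 'var': return env[e[1]]
    if t == 'lit': return e[1]
    if t == 'eq':  return evaluate(e[1], env) == evaluate(e[2], env)
    if t == 'not': return not evaluate(e[1], env)
    if t == 'and': return all(evaluate(x, env) for x in e[1:])
    if t == 'or':  return any(evaluate(x, env) for x in e[1:])
    raise ValueError(t)

def to_smt(e, step):
    """Render e over the step-th copy of the state: pc1 -> pc1_step, pc1' -> pc1_(step+1)."""
    t = e[0]
    if t == 'var':
        n = e[1]
        return f"{n[:-1]}_{step + 1}" if n.endswith("'") else f"{n}_{step}"
    if t == 'lit':
        return str(e[1]).lower() if isinstance(e[1], bool) else str(e[1])
    if t == 'eq':  return f"(= {to_smt(e[1], step)} {to_smt(e[2], step)})"
    if t == 'not': return f"(not {to_smt(e[1], step)})"
    return f"({t} {' '.join(to_smt(x, step) for x in e[1:])})"  # and/or are n-ary in SMT-LIB

# --- constructed spec: a broken mutex in which a process raises its flag too late ---
IDLE, WAIT, CS = 0, 1, 2   # the TLA+ set {"idle", "wait", "cs"} encoded as a bounded Int
DOMAIN = {'pc1': [IDLE, WAIT, CS], 'pc2': [IDLE, WAIT, CS],
          'flag1': [False, True], 'flag2': [False, True]}
SORT = {v: 'Bool' if isinstance(d[0], bool) else 'Int' for v, d in DOMAIN.items()}

def action(guard, **changes):
    """guard /\\ x' = new_x for every changed x /\\ UNCHANGED for every other variable."""
    return And(guard, *[Eq(V(v + "'"), changes.get(v, V(v))) for v in DOMAIN])

def process(me, other):
    pc, flag = 'pc' + me, 'flag' + me
    return [
        # Bug: checking the other flag and raising our own flag are two separate steps.
        action(And(Eq(V(pc), L(IDLE)), Eq(V('flag' + other), L(False))), **{pc: L(WAIT)}),
        action(Eq(V(pc), L(WAIT)), **{pc: L(CS), flag: L(True)}),
        action(Eq(V(pc), L(CS)),   **{pc: L(IDLE), flag: L(False)}),
    ]

INIT = And(Eq(V('pc1'), L(IDLE)), Eq(V('pc2'), L(IDLE)),
           Eq(V('flag1'), L(False)), Eq(V('flag2'), L(False)))
NEXT = Or(*process('1', '2'), *process('2', '1'))
INV  = Not(And(Eq(V('pc1'), L(CS)), Eq(V('pc2'), L(CS))))   # mutual exclusion

def smt_encoding(k):
    """SMT-LIB 2 text: (1) Init and k copies of Next over k+1 state copies, and
    (2) Inv violated in at least one of those states; sat <=> counterexample of length <= k."""
    out = []
    for i in range(k + 1):
        for v, sort in SORT.items():
            out.append(f"(declare-const {v}_{i} {sort})")
            if sort == 'Int':   # keep the Int inside the encoded enumeration
                out.append(f"(assert (and (<= {min(DOMAIN[v])} {v}_{i}) (<= {v}_{i} {max(DOMAIN[v])})))")
    out.append(f"(assert {to_smt(INIT, 0)})")
    out += [f"(assert {to_smt(NEXT, i)})" for i in range(k)]
    out.append("(assert (or " + " ".join(to_smt(Not(INV), i) for i in range(k + 1)) + "))")
    out += ["(check-sat)", "(get-model)"]
    return "\n".join(out)

def find_counterexample(k):
    """Shortest trace (list of states, at most k+1 long) whose last state violates INV, or None.
    Same semantics as smt_encoding(k), computed by explicit enumeration instead of a solver."""
    states = [dict(zip(DOMAIN, vals)) for vals in product(*DOMAIN.values())]
    frontier = [[s] for s in states if evaluate(INIT, s)]
    for _ in range(k + 1):
        for trace in frontier:
            if not evaluate(INV, trace[-1]):
                return trace
        frontier = [trace + [t] for trace in frontier for t in states
                    if evaluate(NEXT, {**trace[-1], **{v + "'": t[v] for v in DOMAIN}})]
    return None

if __name__ == "__main__":
    print(smt_encoding(4))          # feed this to any SMT-LIB 2 solver
    for i, s in enumerate(find_counterexample(4) or []):
        print(i, s)
```

The two procedures agree by construction: bounds 0 to 3 yield an unsatisfiable formula and no trace, while bound 4 admits the interleaving Try1, Try2, Enter1, Enter2 that puts both processes in the critical section. This is also the point of the "bounded" caveat above: a result of unsat for k = 3 proves nothing about the violation that first appears at k = 4.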