Date: May 26, 2026

This text is artisanally typed using a keyboard, with occasional suggestions by Copilot. The figures are generated with ChatGPT 5.5. The plots are produced by AI-generated scripts from the experimental data. By AI tools, I refer to Codex GPT 5.4/5.5 and Claude Code Sonnet/Opus 4.6/4.7.

Recently, I gave a talk on “Interactive symbolic testing with TLA⁺, Apalache, and LLMs” at the TLA+ Community Meeting 2026. If you prefer watching talks, see the talk recording. I talked about the new Apalache JSON-RPC and how it can be used to test real distributed protocols. As the first example, I presented the case study on symbolic testing of TFTP protocol, which was published in December 2025. As the second example, I presented a case study on symbolic testing of Apache ZooKeeper, which is the subject of this blog post. I also talked about this as ongoing work at D-CON 2026 (thanks to Uwe Nestmann for inviting me!).

In case of TFTP, the main hypothesis was that AI tools can accelerate the process of writing test harnesses for protocol testing. In October 2025, I used Copilot and Sonnet 4.5. The answer was “yes”, though the AI tools in 2025 required plenty of manual intervention and literally drained my energy. Back then, I wrote the TLA⁺ specification of TFTP by hand. I also had to refine it manually, in about 20-25 iterations. As a reward, the test harness helped me to find a few bugs in the real implementations. I still had to triage the bugs manually though.

Footnote: Actually, the real question for me was not whether AI tools could help the engineers to write a test harness. In my experience, engineers avoid writing test harnesses as much as they can. So the real question was whether the AI tools could do the job that engineers avoid doing.

The next step was to ask the following question:

In March-April 2026, I ran Claude Code Sonnet/Opus 4.6 and Codex GPT 5.4 to check this hypothesis on the example of Apache ZooKeeper. This case study is the subject of this blog post. I already hinted at this work in Debug as Code Generation. To this end, I have been running this loop:

In general, it looks like the answer is “yes, but”. The extraction-checking loop stopped finding new mismatches between the behavior of a running ZooKeeper replica and the extracted formal specification and harness. So I do not have new logs to feed into Codex and Claude Code, and it is good time to reflect on this.

Look carefully at Figure 1. Even though my AI agents had a lot of freedom in coming up with their plans and implementing them, I did not let the agents run wild. I keep reading claims about “autonomous agents” and “agentic loops”, where agents simulate unhealthy human management loops. I still had to read the triage reports and implementation plans. Several times, had not I caught an agent in planning to introduce really bad workarounds in the specification, we would have gone down the rabbit hole of slop. Every iteration had a separate commit, so we could keep track of regressions in the specification and harness. Having said that, I admit that my reviews were high-level and intuitive, not Github-level reviews.

What I believe is the killer feature of this approach is that it does not need any pre-existing test suites. We do not mutate the existing tests. The model checker finds new tests, including timeouts, crashes, TPC disconnects, etc. Moreover, this approach requires zero code instrumentation. We do not have to add any hooks or logging to the implementation. The test harness operates at the TCP boundary.

Did I burn thousands of dollars on this? Not at all. I did this case study with two lowest-tier subscriptions to Codex and Claude Code, which cost me about $80 for two months in total. (Given the news about Claude price changes and Copilot price changes, this becomes more expensive). Most of the time went into running the testing experiments on my workstation: AMD Ryzen 9 5950X processor (16 physical, 32 logical cores), 128 GB RAM. The cool thing about my testing architecture is that the machine was running 10-15 episodes of 300 steps in parallel on 10-20 cores, totalling in 30000-90000 steps in a single campaign. Hence, the AI tools had to triage 1-30 counterexamples at once, before starting a new campaign.

Since we now live in a hype-driven world, I want to stress that this is still an experiment. I am pretty sure that Ouyang et. al. had much more time to write their TLA⁺ specifications of ZooKeeper and to conduct their experiments.

If you read the blog post carefully, you will probably find some points that could be investigated further. I have decided to time box this experiment and report about it where it is.

Want to skip the long text? Jump to the conclusions.

1. The effort

This experiment took about two months, from March 2026 to April 2026. The git repository has 336 commits in total. Except for several initial commits, each new commit corresponds to a new iteration of the extraction-checking loop.

You can see the statistics in the figures below:

• Figure 2 shows the number of commits per day.
• Figure 3 shows the number of lines added and deleted in the whole repository.
• Figure 4 shows the number of lines added and deleted in the specification files.
• Figure 5 shows the number of lines added and deleted in the test harness (zoomonkey).

You can see that the commit volume decays with time. This is a sign of convergence. The first week has the most commits and the most code added and deleted. This was the bootstrapping phase. It’s also interesting to observe a big splash around the first-second week of April. This is where we start to reach a new class of behaviors that did not match the implementation.

2. Extracting formal specifications

As I learned with TFTP testing, AI tools need a good predefined architecture. Hence, I spent some time capturing this architecture in AGENTS.md and CLAUDE.md. The formal specification is composed of several modules, each corresponding to a subprotocol of ZooKeeper:

1. Module process captures the normal lifecycle of a ZooKeeper replica: start, on_started, on_stopped. Crashes and restarts are handled by the system module.
2. Module tcp captures the standard TCP lifecycle: connect, accept, disconnect, half_close, reset, refused.
3. Module fle captures the Fast Leader Election protocol, which is used by ZooKeeper to elect a leader among the replicas: send_notification, rcv_notification, become_leader, become_follower, restart_election.
4. Module zab captures the ZooKeeper Atomic Broadcast protocol and its clients. It has 22 actions, including proposal, ack_proposal, commit, diff, trunc, snap, client_connect, client_ping, client_create, client_set_data, etc.
5. Module system composes the above modules and adds failures.

These modules were written by the AI tools, by following the high-level architecture, hands off the keyboard. To get the flavor of the specification, look at one action from the specification of ZAB:

@action(inline=False)
def send_diff(c: Context[ZabState], leader: Expr, follower: Expr, next_turn: Expr):
    """Leader sends DIFF to a follower (requires quorum of epoch_acked)."""
    s = c.state
    c.assume(follower != leader)
    c.assume(_proc_up(s, leader))
    # The leader must have completed its election before registering in
    # epoch_leader.  Without this guard a FOLLOWING replica whose
    # fle_current_vote happens to be targeted by another follower can
    # act as a second leader for the same epoch, violating leadership2.
    c.assume(s.fle_role[leader] == LEADING)
    c.assume(_follower_targets_leader(s, follower, leader))
    c.assume(s.zab_sync[follower] == SYNC_EPOCH_ACKED)
    c.assume(_has_quorum_of_sync_state(s, leader, "epoch_acked"))
    c.assume(_can_send_diff(s, leader, follower))
    # Leader-initiated
    c.assume(_turn_matches_iut_actor(s, leader, next_turn))
    next_s = s.edit()
    next_s.zab_sync[follower] = SYNC_DIFF_SENT
    next_s.zab_state[leader] = SYNCHRONIZATION
    next_s.zab_accepted_epoch[leader] = s.zab_current_epoch[leader]
    next_s.zab_persisted_accepted_epoch[leader] = s.zab_current_epoch[leader]
    # By this point ACKEPOCH quorum has formed (see epoch_acked guard above),
    # which means ZK's Leader.lead() has already called setCurrentEpoch on
    # disk. Bump the currentEpoch shadow here to match that disk write.
    next_s.zab_persisted_current_epoch[leader] = s.zab_current_epoch[leader]
    next_s.epoch_leader[s.zab_current_epoch[leader]] = (
        s.epoch_leader[s.zab_current_epoch[leader]].union(Set(leader))  # type: ignore
    )
    s.zab_action = ZabAction.SendDiff(  # type: ignore
        ZabDiff(leader=leader, follower=follower)
    )

As you can see, this is Python code, not TLA⁺. I noticed that the AI tools are quite good at writing Python. Hence, they write the specification in a Python DSL, which is automatically translated to TLA⁺. The test harness is also written in Python, and it uses the Apalache JSON-RPC to interact with the model checker. If you are interested in the details of this Python DSL, contact me.

The fragment of the above action in TLA⁺ looks like this. The complete generated specification looks much more hairy. If you are still curious, check its snapshot in this gist.

In the table below, you can see the statistics on the formal specification. Since the TLA⁺ specification is generated from the Python code, this specification is monolithic and has no submodules.

3. Generating the test harness

The test harness is also written in Python. It is composed of several modules, which are listed in the table below.

The interesting design choice here is that the test harness runs a single replica of ZooKeeper. We call this replica implementation under test (IUT). The whole distributed system exists only in the formal specification and its behavior. This is conceptually similar to a Digital Twin of the real distributed system.

Since most of the behavior exists only in the specification, this approach is sensitive to quick and accurate choice of events. I believe that a random simulator would not help us much here, as it would keep crunching through a very large set of unproductive events.

This is where the new Apalache JSON-RPC comes into play. The test harness chooses the next action to execute and asks the symbolic model checker to find the action parameters that would enable it. It also calls Apalache to check the state invariants and find out whether the implementation’s output matches the specification. Since the complexity of SMT solving grows with the number of steps very quickly, we use the new method compact to prune the symbolic context and keep it manageable.

4. Running the test harness

Running the test harness looks quite boring:

$ ./scripts/run-parallel.sh 8 -- --replicas 3 --episodes 20 --steps 500 \
  --failure-rate 0.2 --fle-rate 0.05 --fallback-rate 0.1 --decay 0.8 --crashes 0

It basically runs 20 episodes of 500 steps in parallel, with 3 replicas and a number of parameters to control the test scenario generation. The script is using GNU Parallel to run the episodes in parallel. Since each test runs a single actual replica and simulates the rest of the distributed system with the specification, running multiple experiments in parallel is easy. We only have to make sure that different experiments get assigned different ports.

Every episode produces a detailed log of events. If it finds an invariant violation or a mismatch between the behavior of the real replica and the specification, it produces a trace in the ITF format. These logs and traces are read by the AI tools to triage the mismatches and to improve the specification and the test harness.

Similar to tftp-testing, I have a script to convert the logs into a sequence chart in Mermaid. However, for a system of this complexity, these diagrams are hard to digest. Instead, I produce a high-level figure of the test campaign that shows the events in all episodes in one big picture. See Figure 6. Click on it to see the full-size version and examine it in detail.

If you look at the events in the figure, you will see that the most episodes have productive events such as ZAB proposals, commits, diffs, snapshots, client operations, etc. However, a few episodes degrade into permanent leader election, where the implementation-under-test keeps sending FLE notifications. Basically, the two simulated replicas keep working together and exclude the IUT from the quorum.

5. Triaging conformance mismatches

Back in October 2025, Copilot + Sonnet 4.5 were quite bad at triaging specification mismatches. Now, the frontier models are quite good at it. This is definitely an improvement in the frontier models. I also believe that my effort of definining a good architecture for the test harness paid off this time. Below are fragments of a triage report by Claude Code Opus 4.7:

Several things are impressive here:

1. The test harness stopped a replica and dropped a TCP connection at the right moments, so the replica did not have a chance to persist the new accepted epoch. It did not happen often, but the parallel campaign was diverse enough to trigger this scenario. To be fair, the initial version of the test harness would not be able to trigger this scenario. I had to teach the AI tools to properly diversify the test scenarios.

2. Claude figured this out in a matter of minutes. It would be hard for me to figure this out.

3. It also proposed a fix.

6. Checking invariants and producing examples

Since the AI tools write the specification and the test harness, we have to evaluate the quality of the specification and the harness together. To this end, we do two things:

1. Add state invariants to evaluate safety.
2. Add state examples to illustrate reachability of interesting states.

6.1. State invariants

To our luck, ZooKeeper already has several TLA⁺ specifications for earlier versions. I let the AI tools harvest these specifications for invariants.

For example, these are the shortest invariants these tools wrote:

@invariant
def leadership1(s: SystemState):
    return s.REPLICA.forall(
        lambda i: s.REPLICA.forall(
            lambda j: (
                _is_established_leader(s, i)
                & _is_established_leader(s, j)
                & (s.zab_accepted_epoch[i] == s.zab_accepted_epoch[j])
            ).implies(i == j)
        )
    )

@invariant
def leadership2(s: SystemState):
    return Set(Val(1), ..., Val(s.MAX_EPOCH)).forall(
        lambda epoch: s.epoch_leader[epoch].size <= Val(1)
    )

@invariant
def fle_wait_finalize_sound(s: SystemState):
    return s.REPLICA.forall(
        lambda replica: (
            _fle_invariant_replica_live(s, replica) & s.fle_wait_finalize[replica]
        ).implies(
            _fle_has_proposed_recv_quorum(s, replica)
            | _fle_has_local_ooe_quorum(s, replica)
        )
    )

Their TLA⁺ translations look like this:

Leadership1 ==
    \A i142 \in REPLICA: \A j143 \in REPLICA:
        (/\ /\ /\ (fle_role[i142] = "LEADING")
               /\ \/ (zab_state[i142] = "synchronization")
                  \/ (zab_state[i142] = "broadcast")
            /\ /\ (fle_role[j143] = "LEADING")
               /\ \/ (zab_state[j143] = "synchronization")
                  \/ (zab_state[j143] = "broadcast")
         /\ (zab_accepted_epoch[i142] = zab_accepted_epoch[j143])) => ((i142 = j143))

Leadership2 ==
    \A epoch144 \in (1)..(MAX_EPOCH): (Cardinality(epoch_leader[epoch144]) <= 1)

The translation of fle_wait_finalize_sound is a bit longer, you can check it in the FleWaitFinalizeSound.

We have 11 invariants in total. The other 8 invariants are more complex. These invariants are checked by the test harness with Apalache. We can also check them against the generated TLA⁺ specification.

6.2. Reachability examples

I usually write “falsy invariants” to check reachability of interesting states. Again, the AI tools are quite good at writing such “examples”. For instance:

@example
def at_least_one_committed(s: SystemState):
    return s.REPLICA.exists(
        lambda replica: s.zab_last_committed[replica].index >= Val(1)
    )

This example is translated to the following TLA⁺ invariant:

AtLeastOneCommitted ==
    ~(\E replica63 \in REPLICA: (zab_last_committed[replica63].index >= 1))

To see an instance of this example, I ran a test campaign with 10 episodes of 100 steps each. One of the episodes reached a state that satisfies at_least_one_committed. Below is the summary of this episode by Claude Code Opus 4.7:

Below is the sequence diagram of this full episode. Click on it to see the full-size version and examine it in detail. It is quite long, so feel free to scroll through it.

The table below shows the example coverage in two test campaigns (20 episodes of 100 steps and 20 episodes of 200 steps).

7. Conclusions

Obviously, the AI tools change the way we should test distributed systems. Interestingly, my conversations with these tools show that they have very little understanding of distributed computations. Funny enough, even though they have all the knowledge about TCP/IP at their fingertips, if you ask them right, they cannot efficiently operate with this knowledge. However, when they have plenty of counterexamples to learn from, they improve the quality of the testing harness very quickly. This is where the interplay of formal verification and AI tools becomes really powerful. The model checker produces negative and positive examples, and the AI tools learn from them and improve the specification and the test harness.

The good:

• It is actually possible to extract formal specifications from the source code of a real distributed system and to write test harnesses with AI tools. We have to keep in mind that this requires a verification loop, which uses a tool such as Apalache.

• In this experiment, we extracted a modular specification that captures five protocols.

• If we do not try to one-shot the testing process and follow an iterative process with a clear pre-defined architecture, the AI tools actually help us. “Test it and make no mistakes” obviously does not work.

• Comparing to tftp-testing, the AI tools in 2026 are much better at triaging specification mismatches and producing fixes. The whole process is much less energy-draining now.

The bad:

• I have no idea about the extracted specification. When I write a specification by hand, I internalize the protocol behavior. Even after I forget the details, I can still come back and recover them from the spec. Here, it is much harder.

• If we focus on bug finding, it is fine to have a hard-to-understand specification. However, from the maintainability perspective, it is a big problem. This is probably why we see such a spike in security bugs, but no so much in real software products.

Even though the whole development is quite exciting, my main takeaway is that writing formal specifications is still a human job. AI tools can assist us in producing test harness and finding issues.

If you need help with writing formal specifications and producing test harnesses, contact me. I can help you with that. It still takes time, expertise, and effort to do it right. Also, coming up with the right architecture is not as easy as it may seem. Of course, you can hire an intern and spend several months learning from your own mistakes together. Or you can fast-forward it and hire me.

Want to talk?

Date: April 30, 2026

Recently, I wrote a blog post on random walks that compared the state coverage of random walks for increasingly larger sets of experiments: 100 thousands, 1 million, 10 million, and even 100 million episodes. There, I used custom-built simulators in Rust to randomly walk through the state spaces of several TLA⁺ benchmarks: two-phase commit, readers-writers, and FPaxos.

A. Jesse Jiryu Davis noticed my blog post and wrote a message on the TLA⁺ Google group. Since the random walks in the blog post are not exactly the same as the random simulation in TLC, we both wondered how the TLC simulation mode compares to the model checker in terms of coverage and running times. Markus Kuppe shared the options to collect distinct state coverage in the TLC simulation mode, see the discussion.

The important distinction between the random walks and the TLC simulator is that a random walk chooses one successor state at each step, whereas TLC enumerates all successor states and then chooses one of them uniformly at random. Markus explains the rationale behind this design choice in TLC:

…enumerating all successors is useful for more than just choosing the next step: TLC can also check invariants on all generated successor states, not only on the one that ends up being sampled. That is a meaningful benefit when the goal is to catch bugs, not just drive a walk.

This new blog post explores this direction. To get more details about the bennchmarks, read the original blog post on random walks.

Look at two groups of figures below. They summarize the results of running random walks on specifications of three prominent distributed protocols: two-phase commit, readers-writers, and FPaxos (see Benchmarks). The figures show the coverage achieved by the TLC simulation mode, with 100% being the numbers of distinct states (reported by TLC). All running times are given for an AMD Ryzen 9 5950X processor (16 physical, 32 logical cores), 128 GB memory.

Importantly, the TLC simulations are run on a single worker, they are not running in parallel. We do that, in order to compute the state coverage precisely. When you look at running times, keep in mind that TLC can run multiple simulation workers in parallel.

1. Coverage for minimal instances

In this set of experiments, we run TLC simulations for the minimal instances of the benchmarks. We start with the meaningful default of 100,000 simulation runs, with at most 100 steps per run. (Mind that the successor set is computed at each step.) As you can see from Figure 1, the coverage is close to 100%, but it’s not complete. Interestingly, 10 million runs give us 99.9% coverage.

2. Running times for tiny instances

All of the above benchmarks are quite small by the model checking standards. They have tens of thousands of states. It takes TLC only 1-3 seconds to explore the state space and check the invariants for each of these benchmarks.

Figure 2 shows the running times for the above simulation benchmarks. The dashed lines show the running times for the TLC model checker to explore the complete state space. Additionally, the right-hand y-axis shows the slowdown factor of the simulations compared to the model checker. For example, for the two-phase commit benchmark with 3 resource managers, the model checker takes about 2 seconds, while 10 million simulations take about 2 hours, which is a slowdown factor of about 10,000. As you can see, 10 million simulations take hours, where the model checker needs several seconds.

3. Slightly larger instances

What happens if we take the instances that are still small, but have 1-2 participants more? Figure 3 shows the results of running TLC simulations on these instances.

As you can see, with the meaningful default of 100,000 random walks, we achieve poor coverage on readers-writers and FPaxos, though the coverage on two-phase commit is nearly 99%. So this TLC simulations achieve much better coverage on two-phase commit than random walks, but they have comparable coverage on the readers-writers and FPaxos benchmarks! You can also switch between this blog post and random walks to see the difference in coverage between the two approaches.

To stress the message of the previous blog post, these instances are not that large by the model checking standards.

4. Running times for larger instances

Again, it takes the model checker TLC up to 10 minutes to enumerate all the states and check the invariants for these instances, whereas we have been running the simulations for hours!.

5. Conclusions

I am not going to repeat the conclusions from the previous blog post. They are still valid. The TLC simulation mode achieves better coverage than the random walks on two-phase commit, but it has comparable coverage on readers-writers and FPaxos. The running times of the TLC simulator with a single-worker are worse than the model checker and the random walks.

Want to talk?

Date: March 23, 2026

This is an anecdote about another useful application of Codex and Claude Code in the middle of a testing project. It is another example of using LLMs to make distributed systems easier to test and debug, instead of generating piles of slop.

Context

I am currently developing a test harness for an implementation of distributed consensus, cannot disclose the details yet. Think of the approach presented in TFTP Symbolic Testing but for a more complex distributed system. It involves five state machines, each for a different subprotocol of the system. The submachines are composed into a single machine. We generate the protocol specifications and the test harness with Claude Code and Codex. This test harness produces input events for the protocol implementation with Apalache and replays the output events from the implementation, checking that they conform to the protocol specification with Apalache. Pretty cool. This is AI-assisted protocol extraction and testing.

It took me a few days to bootstrap this project, designing the proper interfaces and the harness architecture. After sheparding the AI tools for dozens of iterations, I got a harness that communicates with the implementation. Whenever, it surfaces a mismatch, the LLM looks into the source code, the specification, and the test harness, and investigates the mismatch. When it identifies the root cause and proposes a fix, I take a careful look at the proposed fix, and if it looks good, I apply it. Sometimes, the LLM identifies a completely wrong root cause. However, after a few iterations, we end up with the right root cause and the right fix. This is a very efficient way to extract the protocol specification from the actual implementation, and it is much faster than doing it manually.

This specification-testing-refinement loop worked quite well for multiple iterations. Sometimes, I could even leave this agentic loop running for several hours unattended, though protocol extraction often requires human supervision. At some point, however, the harness and the implementation started to produce a sequence of events that was rejected by the specification, or, to be more precise, by the model checker following the specification. Codex and Claude tried to identify the root cause and fix it. They introduced multiple fixes, but the mismatch persisted. I basically lost a whole day looking at the LLM outputs and prompting them. At some point, I looked at the git log and realized that we were going in circles. What was worse, every fix was introducing a workaround and generally the harness started to degrade. So we went down the rabbit hole of slop. In the rest of this post, I will just call both Claude and Codex “the LLM”, as I don’t remember which one did what, and it doesn’t matter for the story.

At this point, I realized that the AI feedback loop stopped working, and the human had to seriously intervene. The LLMs could describe what was happening, we had a concrete state from the model checker, but a single transition that must have been enabled in this state was not enabled. If you worked with formal verification tools, you know that this is the situation we all dread. It is a clear sign of the specification being overconstrained. The model checker is doing its job, and it is correctly rejecting the transition. The issue is that the specification requires an impossible combination somewhere, like x = 2 and x = 3. In this case, the model checker cannot produce a counterexample, or anything meaningful, because the constraints are contradictory. (There is a line of research on UNSAT cores, but it’s hard to apply in practice in TLA⁺.)

If you wrote the specification yourself, you can usually stare at it and find the combination of contradicting constraints. However, in this case, the specification was written by the LLM! Of course, I looked at it. Things looked fine. The LLM agreed with me that the transition should be enabled.

Debug an overconstrained specification like a human would

The LLMs were stuck. So I decided to explain them how I usually debug overconstrained specifications. First, I asked the LLM to use git bisect to find the last working commit. It crunched for 10-15 minutes and found the last working one. Comparing the git diffs did not help though.

The next usual step is to comment out some parts of the specification, and see whether the transition becomes enabled. If it does, then we know that one of the problematic constraints is in the commented-out part. We did this exercise for about 1 hour. The agentic loop was amazing. The LLM was doing everything automatically. In the end, we still could not find the root cause.

I was surprised how well Codex and Claude were running Apalache and transforming the TLA⁺ specification. They neither required skills, nor MCP. They simply ran the model checker, parsed its output and parsed the produced counterexamples. Being a CLI tool finally paid off for Apalache!

Turn specification debugging into code generation

I could stare at the specification and look for a mismatch. In the hindsight, that would not help me, as the issue was outside of the subprotocol specification. So I thought: LLMs fail to identify the issue, but they can generate code in minutes. Can I turn this debugging problem into a code generation problem?

Hence, I told the LLM to take the pieces of my specification framework, extract the random simulator, write an ad hoc simulator that drives the system into the exact problematic state, do random exploration from there, look for the disabled assumptions. Since my framework is written in Python, it was quite an easy task for the LLM. In 5 minutes, it ran the ad hoc simulator. In 2-3 more minutes, we had the root cause! Indeed, there were two contradicting constraints. It was hard to identify them by looking at the specification, as one of them was in the subprotocol specification, and the other one was in the system specification. Obviously, I extended AGENTS.md with an instruction to avoid introducing constraints at both levels.

This approach worked, since my specification is not just a TLA⁺ specification. It is actually Python code. It can be executed. But it can also generate a TLA⁺ specification. As a result, the LLM can easily interact with the Python code, wrap it into a large ad-hoc simulator, and run it. At the same time, the model checker uses the generated TLA⁺ specification to reason about it. Moreover, the LLM also benefits from having two different perspectives in the form of the Python code and TLA⁺.

If you find this hint useful, leave a comment below.

Want to talk?

Date: March 09, 2026

Punchline: Testing distributed protocols with random simulation and stateful property-based testing (PBT) is not enough! Yes, running a simulator for days is better than doing manual testing or just running unit tests. But you will miss states, which may expose bugs. Even on very small systems. I have been saying exactly this to many software engineers. Many times. However, whiteboard arguments do not help. As humans, we have a great deal of trust in probabilities, and our intuitive understanding of randomness is often wrong. Hence, I am giving you concrete figures and plots in this blog post. I must admit that my own intuition was also wrong: I expected fewer random walks to be needed to achieve good coverage. For a quick glance, see Quick summary.

Achieving complete coverage with random walks is hard. This is especially important to know, if you are using them to produce test cases for your implementation. It is also crucial to know, in case you generate an implementation of a distributed protocol with AI tools and hope for random walks/PBT to work as an ultimate guardrail.

Don’t get me wrong. I like PBT and simulators (having written the Quint simulator). I believe that these tools are must-have tools for testing. See my recent blog post on Property-based testing, adversarial developers, and LLMs. However, they are not the only tools that we need to make sure that our systems work as expected. This is especially true now, when we do not have time to properly design and review the AI-generated code.

Why now? It has always been difficult to compare search procedures that were developed by different branches of computer science. Everyone wanted to promote their technique as the ultimate winner. Want to compare property-based testing and model checking? Bad luck. Different tools require different inputs. Some are libraries for programming languages (like QuickCheck), some are tools for specification languages (like TLC and Apalache). Now it is much faster to design frameworks, to experiment with multiple search procedures. It is also easier to do reproducible experiments with LLMs. Good times, if you know how to conduct experimental research.

1. Quick summary for the impatient readers

Look at two groups of figures below. They summarize the results of running random walks on specifications of three prominent distributed protocols: two-phase commit, readers-writers, and FPaxos (see Benchmarks). The figures show the coverage achieved by random walks, with 100% being the numbers of distinct states (reported by the model checker TLC). In addition, we plot the running times of the random walks, with the values plotted against the right y-axis. All running times are on a AMD Ryzen 9 5950X processor (16 physical, 32 logical cores), 128 GB memory.

1.1 Coverage for minimal instances

In this set of experiments, we do random walks for the minimal instances of the benchmarks. We start with the meaningful default of 100,000 random walks, with at most 100 steps per walk. As you can see from Figure 1, only in the case of two-phase commit and two resource managers, we achieve complete state coverage. This is not surprising, since this instance has only 56 states. It’s tiny! For two-phase commit with three resource managers and readers-writers with three actors, we achieve 85-90% coverage. This is also in the reasonable range. On FPaxos with two acceptors, we achieve the 77.5% coverage with 100k random walks. This is a bit worrying, since the state space is about 37k states.

The good news is that we can push all of the above benchmarks to achieve over 99% coverage. As you can see in the figures, it takes 10 million random walks to achieve 99% coverage. In addition to that, these runs require 1-2 hours.

All of the above benchmarks are quite small by the model checking standards. They have tens of thousands of states. It takes TLC only 1-3 seconds to explore the state space and check the invariants for each of these benchmarks.

1.2 Slightly larger instances

What happens if we take the instances that are still small, but have 1-2 participants more? Figure 2 shows the results of doing random walks on these instances.

As you can see, with the meaningful default of 100,000 random walks, we achieve extremely poor coverage, about 25-30% on the benchmarks up to 2 million states. On FPaxos with 4 acceptors, we achieve only 3% coverage after 100,000 random walks. Really bad!

To see how far we could push the coverage, we did the experiments with 10-100 million random walks. It is clear that in 1-2 hours of simulation we get to 60-80% coverage. It is good, but not great. When we push FPaxos with 3 acceptors to 100 million random walks, we get to 94.5% coverage. Nice, though it took us 7.5 hours to get there. However, on FPaxos with 4 acceptors, we get a poor coverage of 60.4% even with 100 million random walks, which took us 8.5 hours to run. This benchmark has about 11 million states. So it is reasonably large, but, again, not that large by the model checking standards.

Again, it takes the model checker TLC up to 10 minutes to enumerate all the states and check the invariants for these instances, whereas we have been running the simulations for hours! This is especially striking, given that we are running optimized simulators in Rust.

2. The benchmarks

As benchmarks, we use three specifications of distributed protocols. These are prominent examples from the repository of TLA+ Examples:

• Two-phase commit. This is the famous two-phase commit. The specification is explained in Consensus on Transaction Commit by Jim Gray and Leslie Lamport. You can check the TLA⁺ specification in TwoPhase.tla.

• Readers-writers. This is a solution to the Readers-Writers Problem. The TLA⁺ specification by Stephan Merz can be found in ReadersWriters.tla.

• FPaxos. This is Flexible Paxos by Heidi Howard, Dahlia Malkhi, and Alexander Spiegelman. The TLA⁺ specification can be found in FPaxos.tla.

All of the above specifications are parameterized in the number of participating processes. We consider several instances of each benchmark. To give you an idea of their state space size (the number of reachable states), we compute the figures with TLC. The reachable states are called distinct states in TLC, whereas produced states are the number of states that TLC generates during the search. Another important metric is the diameter of the state space, which is the length of the longest shortest path between any two reachable states (read it again!).

As you can see from Table 1, these transition systems are not tiny, but they are actually small by the model checking standards. Surprisingly, they are sophisticated enough to challenge random walks! Distributed protocols are hard.

In the experiments, I am using a custom framework to represent the above specifications-as-code that makes it easy to experiment with different search procedures. To make sure that these specifications faithfully represent the original TLA⁺ specifications, I do the following:

1. do a code review (obviously),

2. automatically translate the specifications to TLA⁺ and check them with TLC,

3. run a custom-tailored model checker to compute the number of distinct states and check the invariants.

3. What are random walks and state enumeration?

I have mentioned random walks and state enumeration multiple times so far. Let’s clarify what these terms mean. The concept of a random walk is intuitively simple, though the details matter. Instead of looking at a large specification, let’s look at a simple example of a system that models adding and removing workers from a pool. This example is inspired by the example in Parameterize Your Actions by Hillel Wayne. We add the variable count to have a meaningful invariant. The specification is shown below. Even if you do not know TLA⁺, it should be easy to understand. If you still have trouble understanding it, just ask an LLM, they are good at explaining TLA⁺ specifications.

EXTENDS Integers, FiniteSets

CONSTANTS
    (* The set of workers to choose from. *)
    (* @type: Set(Int);                   *)
    Worker

VARIABLES
    (* The set of active workers.         *)
    (* @type: Set(Int);                   *)
    active,
    (* The number of active workers.      *)
    (* @type: Int;                        *)
    count

(* Add a worker w to the set of active workers, if it is not already active. *)
(* @type: (Int) => Bool;                                                     *)
Add(w) ≜ w ∉ active ∧ active' = active ∪ {w} ∧ count' = count + 1

(* Remove a worker w from the set of active workers, if it is active.        *)
(* @type: (Int) => Bool;                                                     *)
Remove(w) ≜ w ∈ active ∧ active' = active \ {w} ∧ count' = count - 1

(* Initialize the system with no active workers and a count of zero.         *)
Init ≜ active = {} ∧ count = 0

(* In a next state, either add a worker or remove a worker.                  *)
Next ≜ ∃ w ∈ Worker:
          Add(w) ∨ Remove(w)

(* An invariant: `count` matches the cardinality of the active set.          *)
Inv ≜ (count = Cardinality(active))

If we fix the set of workers to be Worker = {1, 2}, we get a nice labelled transition system (LTS) of 4 states. The graphical representation of this LTS is shown below.

TLA⁺ does not have any built-in notion of randomness or probabilities. It is what is usually called a qualitative specification. When evaluating Next in a state, we can only evaluate whether a specific transition is possible under a specific choice of w and the action scheduling decision (whether to execute Add(w) or Remove(w)). This is the standard semantics under the definition of behaviors. We can enumerate all reachable states for the above system by breadth-first search or depth-first search. This is what the model checker TLC does (it uses breadth-first search). This is what I will call state enumeration in this blog post.

We could also interpret the choice of w and the action scheduling decision as a random choice. Since the above specification is small, we can visualize it as a Markov decision process (MDP). The states are the same as in the LTS, but we also attach probabilities to the transitions.

Notice that we assign probabilities for choosing the value of w and for choosing the action to execute: Add(w) or Remove(w). For example, in the initial state, we choose w=1 with probability 0.5, then the action Add(1) with probability 0.5, which gives us a transition to the state where active = {1} and count = 1 (with probability 0.25). However, if we choose w=1 and the action Remove(1), we have to backtrack to the initial state, since the precondition of Remove(1) is not satisfied.

A random walk is a path through the MDP. It is a sequence of states that we get by making random choices at each step. In the above figure, you can see one walk in blue and one walk in red. To avoid too many backward edges, we have a retry budget, typically, 3-10 retries per step. We take this simple approach in our custom framework. It is similar to what the randomized simulator in Quint is doing, though the Quint simulator is trying a bit more locally before backtracking. Probabilities are basically used to produce various random walks. There is no inherent statistical meaning to these probabilities in random walks. This is very much how stateful property-based testing works, too, though PBT frameworks usually use biased coins, instead of uniform ones.

4. Which states are missing?

Since we can measure state coverage now, the next question is: What are these states that we are missing? Maybe these states are not important at all. To check that, I ran the random walks for the two-phase commit benchmark with 2 resource managers for 10,000 instead of 100,000 runs. Conveniently, exactly one state was missing from the coverage. As our specifications are code, I just asked Claude to instrument the search to experimentally evaluate the visit frequencies per run for each reachable state. Figure 6 is quite detailed. Click on it to see the full-size version.

As we can see, the missing state (with the frequency of 0) is the state where the transasction manager aborts the transaction, one resource manager also aborts the transaction, and the other resource manager is in the “prepared” state. This is an interesting state in this protocol, as the other resource manager still has the potential to commit the transaction, though it should not do that.

Bottom line: We may miss important states with random walks.

5. More coverage plots

Figure 7 shows the coverage evolution for the large instances of the benchmarks. With this, we can see how increasing the number of random walks helps to increase the coverage. It also demonstrates the growing volume of covered and missing states.

I wanted to share these flame plots with you. I find them cool.

6. Conclusions

Random walks are not sufficient to achieve complete coverage except for very small state spaces. Moreover, random walks take significantly longer than the model checker. This is especially striking, given that we are running optimized simulators in Rust. Another issue with state coverage by random walks is that you would not even know that you achieved complete coverage. You can measure the speed of discovering new states, but understanding that the simulator has converged basically requires a model checker.

Interestingly, random walks behaved badly on FPaxos with four acceptors. This is a relatively benign benchmark, not having a state explosion like specifications of Byzantine consensus protocols (BFT). In BFT, the minimal configurations contain 4-6 replicas, depending on the protocol. Hence, we should expect a significantly worse coverage by random walks on BFT.

Why do engineers keep running randomized experiments? Well, it is relatively easy to write a simulator. (It is not that easy to write one that actually works!) I have seen people playing with action distributions in the simulator, just to drive the search towards “interesting” states. Whenever I was asking, where the distributions were coming from, they could not explain this. Simulators are deceptive. You have to understand what you are doing, or, better, incorporate feedback. The most basic feedback is state coverage, though we can implement more sophisticated feedback mechanisms.

From our experiments it may look like state enumeration is all we need. I would argue that it is true as long as the set of reachable states fits into memory. We do not have to store the states directly in memory, practical model checkers store hashes of states. We can go as far as to store 2-3 bits per state, assuming that collisions are acceptable (still better than random walks!). Having a machine with 128 GB of memory, we can store roughly 50 billions of states. This is way more than the number of states in our benchmarks – dozens of billions vs. thousands and millions.

There are cases where randomness may find bugs, where state enumeration gets stuck:

1. Value domains are quite large. For example, if we choose values from the set of all 64-bit integers, it is not feasible to enumerate all successors even for a single state. A random walk can still do some progress without getting stuck. One can argue that choosing a value from the set $[0, 2^{64})$ uniformly at random is shooting in the dark, but sometimes it helps us to find bugs, especially if the large set has just a few large equivalence classes. Arguably, one should be able to apply data abstraction in this case. Also, this is usually the moment when you should consider using a model checker that supports symbolic representation of states, like Apalache.

2. Guided search. If we have an heuristic that guides the search towards interesting states, we can achieve better coverage with random walks faster. Maybe we use reinforcement learning to learn such a heuristic. Maybe we use an LLM to predict which actions are more likely to lead to interesting states. The main issue is that it is quite hard to find a direction for the search in the state space of distributed protocols.

Want to talk?

Date: February 12, 2026

tl;dr:

• AI coding tools now reduce development costs, but they also accelerate the creation of software that appears high-quality while hiding serious correctness and reliability risks.

• When both code and tests are autogenerated, traditional quality checks lose their signaling value, increasing the likelihood of costly failures, outages, and liability exposure in production systems.

• To responsibly capture productivity gains without undermining trust, organizations must pair AI-generated code with specification-driven development and automated validation techniques that verify real system behavior rather than surface-level compliance.

In 2025, we saw plenty of enthusiastic announcements about LLMs generating (or, more correctly, replicating) relatively complex projects, like web applications or video games. Apparently, many people got so tired of all this that you could hear the words “AI slop” quite often. So often that some very important people asked all of us not to call the output of their amazing tools “slop”.

Anyhow, by the end of 2025, the amazing AI tools became visibly more amazing. In the early 2025, I was only using ChatGPT and Copilot to produce small code snippets and scripts, as well as to search for design solutions. In the summer of 2025, I used Copilot & Sonnet to produce boilerplate code. Now, I am using Claude Code and Copilot (both with Opus and Sonnet) to generate code and tests as well as to fix linting errors (still the hardest task!). I still have to define the core data structures, write non-standard code and explain in detail what I want to achieve. It is still hit and miss (see the most notable examples below). However, it becomes economically feasible for me to use these tools, unless they get 10x more expensive. By the way, after finishing my experiment with Symbolic testing of TFTP, I was still not sure, whether I wanted to use agentic tools every day. The feedback loop was energy draining. It looks like the tools became better, and I’ve learnt how to give them more focused and smaller-scoped tasks.

It still remains to see an AI-generated product that generates revenue. Are there any examples, except the AI coding assistants themselves? In any case, this is not what I wanted to write about. I wanted to write about something that looks like a new phenomenon to me. We all have heard the saying: When everyone is digging for gold, sell shovels. Just over a couple of weeks, there was an unusual number of announcements about development tools that were generated with AI. This is what I call AI-generated shovels. These announcements bring so much joy to AI influencers that it’s hard to find anything else. Do these tools actually work though? At a closer look, some of the shovels break on a first try, some happen to work only under very specific conditions. Most likely, you have seen some announcements, and you know what I am talking about. It is also very likely that you have not seen all of the announcements that I have in mind. Since we are talking about development tools, libraries, or even languages that do not actually work, not web apps, it is not just slop, it is a second-order slop!

I am not going to call any names, or do any fingerpointing. This is not the point. What makes me seriously concerned about the second-order slop is that the software development industry was cutting corners everywhere even before the AI boom. “Move fast and break things!”, minimum-viable products (or are they solutions?), product-market-fit, etc. A couple of years ago, I was joking that I would rather not use an MVP compiler, operating system, or database. Well, AI tools generate compilers. Here we are.

Shovel ad! Since I have been working on pre-LLM shovels like Apalache and Quint myself, I am in the shovel business, too! (Do you know that SMT solvers were also considered AI?) Of course, I am developing new shovels, and they are also AI-generated and AI-compatible, and they are the best in town, by the way. So if you want to talk, drop me a message. To be fair, my time tracker shows that I’ve burnt six weeks of my time on the latest shovel, in addition to burning through and over my Copilot and Claude budgets, so it’s not entirely AI-generated. Perhaps, a bit artisanal.

Good shovel or slop? How do we distinguish a robust AI-generated shovel from a second-order slop? In the pre-LLM years, I could just look at the test suite and say, whether the team was serious or not. Those amazing days when blockchain engineers would nod their heads to the question: Do you have integration tests? They were proudly demonstrating a single integration test that was 3-5 KLOC long. Also, by looking at the code, you could sense whether it was written just yesterday, or someone had time to think about it.

In 2026, the code may look professionally written and follow all the best practices and still be completely broken. On top of that, LLMs generate well-looking tests, if you ask them. A lot of tests! The more tests you have, the more tokens you have to pay for. Win-win. Moreover, the generated tests may check that the code works, but this does not mean that the code does what you expect. This happened to me (see below).

So when we evaluate an AI-generated shovel, we want to answer two questions:

1. Does this shovel do what the authors claim it should do?

2. Does this shovel work beyond a few simple tests?

These are not new questions. The testing and verification communities have been trying to automate validation and verification for long time. Interestingly, these questions did not get much attention over the last two decades. It was expected that open source projects and products by respectable companies were “more or less” correct and complete. In my understanding, two factors contributed to that:

1. The code was written and reviewed by highly-skilled engineers, for fun or profit.

2. The projects were extensively tested with continuous integration tools.

Now, if an LLM generated the code just yesterday, and all tests pass, are we good? It is hard to tell. If we follow the brand new spec-driven development, we have a bunch of markdown files. Apparently, we should ask a few other LLMs to check whether the implemented code matches the markdown specs. Something like that.

Can we do better? I believe we can. For example, if you are developing a distributed system, do not generate it directly. First, write or AI-generate a sequential reference implementation (e.g., in Python) or, even better, a formal specification (e.g., in TLA⁺). Second, use this artifact to produce the code for the actual distributed system.

Why does this help? For two reasons:

1. It is easier to compare the reference implementation or specification against the markdown requirements than to compare the entire codebase.

2. The reference implementation/specification is an actionable artifact. Use it to produce tests for the distributed system. Instead of generating 10 KLOC tests once (and paying for loading them into the LLM context), automatically produce as many tests as you can. This is where property-based testing and model checking start to shine. See Symbolic testing of TFTP for an example.

Examples of LLMs hit and miss. If you follow me on LinkedIn, you could have seen some of the examples. Below are the most curious instances that I would regret missing in a code review (by Sonnet 4.5 and Opus 4.5):

• The set minimum. When I asked an LLM to implement the search for the minimal element of a set by using its string representation (called repr in Python), it collected all set elements in a list, sorted them by repr and picked the first one. It looks like my requirement was slightly non-standard.

• Sets with duplicates. An LLM has produced a unit test that constructed the data structure called “Set” from the list [ V(1), V(2), V(3), V(1) ] and asserted that the set cardinality was 4. The test passed, since V did not have equality defined, and two different instances of V(1) had different references. So it was doing the things right, but it was not doing the right things!

• Performance bottleneck. An LLM translated my Python function into a Rust function. Perfectly looking code. However, instead of adding a big integer x to the big integer y, it used an iterator that made y increments of x. Almost like a theorem prover! A logically correct solution, but my Rust code was slower than the Python code. I only spotted it after running the profiler. Again, a bit non-standard setup threw it off.

Want to talk?

Date: December 22, 2025

I present a simple example that illustrates how property-based testing (PBT) and model checking can help us catch unexpected behaviors of LLMs when they are used to generate code. The example is inspired by the talk on property-based testing by Scott Wlaschin. If you are looking for a light example that stresses the importance of writing good properties and having them checked, this post is for you.

1. Adversarial Developer

A few days ago, I watched the talk on property-based testing by Scott Wlaschin. He started the talk by introducing a persona that he called the Enterprise Developer from Hell. This is basically someone who implements a feature to satisfy the given requirements, but they do it in creatively evil (or just stupid) and unexpected ways. I will call such a persona an adversarial developer in the rest of this post.

Then, Scott¹ showed how an adversarial developer could ruin as simple task as adding up two numbers. For example, if we give them two tests $2+2=4$ and $10+33 = 43$, they will implement exactly those cases by case distinction. I am not going to repeat Scott’s talk. Watch it! It’s instructive and entertaining.

Back in 2020, of course, Scott added that we are often aversarial developers ourselves, and our peers are rarely that evil. It could be an enthusiastic junior developer, who has just started and now wants to rewrite the whole code base. Now, we are a few weeks away from 2026, and we definitely have such a peer! It is called an LLM, or just AI, as the corporate marketers prefer. LLMs are not necessarily evil, but they are definitely less predictable than experienced human software engineers. I am not talking about prompt injection here, which is another real issue with LLMs.

To be clear, in the rest of this text, I am talking about how an LLM could behave like an adversarial developer when it generates code. It does not mean that I ran one of the commercial LLMs and got those results.

2. Property-Based Testing

The point of Scott’s talk was to show that a few data points (typical unit tests) are insufficient to demonstrate correctness of the implementation. A totally valid point!

In addition to the standard unit tests, we should also write the expected properties of our implementation. The PBT frameworks test the code by producing input values at random. For example, have a look at Hypothesis. While this may seem to be a silly idea at first, property-based tests uncovers tricky bugs. Moreover the input value distribution does not have to be uniform. Keep reading to see how this helps us catch the adversarial developer.

Here are the three properties of addition that Scott used to defeat the adversarial developer:

• identity: for every number $x$, we have $x + 0 = x$,
• commutativity: for every numbers $x$ and $y$, we have $x + y = y + x$, and
• associativity: for every numbers $x$, $y$, and $z$, we have $(x + y) + z = x + (y + z)$.

At this point of the talk, I was like: Wait a minute! I could continue this game of the adversarial developer. Before doing this, let’s look at where we are with respect to the code and the properties. Here is the obvious implementation of integer addition in Python, since the language has built-in support for unbounded integers:

def add(a: int, b: int) -> int:
    return a + b

Here are the property-based tests in Hypothesis, generated by Claude Sonnet 4.5:

@given(st.integers())
def test_identity(a):
    """Test identity property: a + 0 = a."""
    assert add(a, 0) == a
    assert add(0, a) == a


@given(st.integers(), st.integers())
def test_commutativity(a, b):
    """Test commutativity property: a + b = b + a."""
    assert add(a, b) == add(b, a)


@given(st.integers(), st.integers(), st.integers())
def test_associativity(a, b, c):
    """Test associativity property: (a + b) + c = a + (b + c)."""
    assert add(add(a, b), c) == add(a, add(b, c))

You can find these and further examples in the example repository.

We run these tests with pytest to make sure that they all pass:

$ git clone https://github.com/konnov/pbt-example-summation.git
$ cd pbt-example-summation/python
$ poetry run pytest tests/test_add.py \
  -k "test_identity or test_commutativity or test_associativity" --verbose
...
tests/test_add.py::test_identity PASSED                                        [ 33%]
tests/test_add.py::test_commutativity PASSED                                   [ 66%]
tests/test_add.py::test_associativity PASSED                                   [100%]

3. Symbolic model checking with Apalache

I decided to go even further and write a TLA⁺ specification, to check the three properties with Apalache and Z3 (only showing the relevant parts):

----------------------------------- MODULE Add --------------------------------
(*
 * A simple TLA+ specification of different kinds of addition.
 *
 * Igor Konnov, 2025
 *)
EXTENDS Integers

VARIABLE
    \* @type: Int;
    x,
    \* @type: Int;
    y,
    \* @type: Int;
    z

AddMath(a, b) == a + b

InitMath ==
    /\ x \in Int
    /\ y \in Int
    /\ z \in Int

Next == UNCHANGED <<x, y, z>>

Identity(F(_, _)) ==
    F(x, 0) = x

Commutativity(F(_, _)) ==
    F(x, y) = F(y, x)

Associativity(F(_, _)) ==
    F(F(x, y), z) = F(x, F(y, z))

InvMath ==
    /\ Identity(AddMath)
    /\ Commutativity(AddMath)
    /\ Associativity(AddMath)

With the above specification, we define a very simple state machine that non-deterministically picks three integers x, y, and z with InitMath. These variables do not change their values in the state machine, as you can see from the definition of Next. We use x, y, and z to define three properties of addition: Identity, Commutativity, and Associativity. As you can see, these definitions are parameterized by the operator F, which is Add for now. Our invariant InvMath is simply the conjunction of the three properties.

This is how we run Apalache to check the invariant:

$ cd pbt-example-summation/tla-spec
$ docker pull ghcr.io/apalache-mc/apalache
$ docker run --rm -v `pwd`:/var/apalache ghcr.io/apalache-mc/apalache \
  check --init=InitMath --inv=InvMath --length=0 Add.tla

With the above command, we tell Apalache to check the invariant InvMath starting from the initial state InitMath. The --length=0 option tells Apalache to unroll Next zero times, which is sufficient in our case, since the state machine does not change the values of the state variables.

4. Playing adversarial

Ok, the code and the specification above seem to be correct. But what if our friendly AI produced something unexpected?

4.1. Hallucinating addition over 32-bit unsigned integers

Since we are dealing with an adversarial developer, they could simply use a different definition of addition. So far, we have been talking about unbounded mathematical integers, which Python conveniently implements for us.

Now, the adversarial developer gives us this implementation:

def add32(a: int, b: int) -> int:
    return (a + b) % (2**32)

This implementation is actually not wrong. An LLM could copy it from a code base that emulates a 32-bit CPU architecture in Python. This is a bit of a stretch, but possible.

Let’s add property-based tests for this implementation as well:

# Tests for add32 (32-bit natural numbers with wrapping)

@given(st.integers(min_value=0, max_value=2**32 - 1))
def test_add32_identity(a):
    """Test identity property for add32: a + 0 = a."""
    assert add32(a, 0) == a
    assert add32(0, a) == a


@given(st.integers(min_value=0, max_value=2**32 - 1), st.integers(min_value=0, max_value=2**32 - 1))
def test_add32_commutativity(a, b):
    """Test commutativity property for add32: a + b = b + a."""
    assert add32(a, b) == add32(b, a)


@given(
    st.integers(min_value=0, max_value=2**32 - 1),
    st.integers(min_value=0, max_value=2**32 - 1),
    st.integers(min_value=0, max_value=2**32 - 1)
)
def test_add32_associativity(a, b, c):
    """Test associativity property for add32: (a + b) + c = a + (b + c)."""
    assert add32(add32(a, b), c) == add32(a, add32(b, c))

These tests also pass:

$ poetry run pytest tests/test_add.py \
  -k "test_add32_identity or test_add32_commutativity or test_add32_associativity" \
  --verbose
...
tests/test_add.py::test_add32_identity PASSED                                [ 33%]
tests/test_add.py::test_add32_commutativity PASSED                           [ 66%]
tests/test_add.py::test_add32_associativity PASSED                           [100%]

What is going on? Well, identity, commutativity, and associativity also hold for 32-bit integers with overflow semantics. If we let AI generate not only the implementation but also the properties, we may end up with a correct implementation, but not the one we wanted! In this case, imagine an LLM has added the @given decorators for the inputs to be in the range in $[0, 2^{32})$, whereas we wanted unbounded integers! This is an example of the classical question in requirements engineering: do we get things right vs. do we get the right things.

Just to double check that it is not the random chance, I ran Apalache on the TLA⁺ specification above with Add32 instead of Add:

$ docker run --rm -v `pwd`:/var/apalache ghcr.io/apalache-mc/apalache \
  check --length=0 --init=Init32 --inv=Inv32 Add.tla
...
Checker reports no error up to computation length 0
Total time: 2.205 sec

Further, the SMT solver Z3 confirms that identity, commutativity, and associativity hold for 32-bit integers with overflow semantics. This is provided that we pick the integers from the range $[0, 2^{32})$, which we do with Init32.

However, this is not what we wanted initially. Let’s catch the adversarial developer with the PBT tests that pick unbounded non-negative integers:

@given(st.integers(0))
def test_add32_unbounded_inputs_identity(a):
    """Test identity property for add32: a + 0 = a."""
    assert add32(a, 0) == a
    assert add32(0, a) == a

@given(st.integers(0), st.integers(0))
def test_add32_unbounded_inputs_commutativity(a, b):
    """Test commutativity property for add32: a + b = b + a."""
    assert add32(a, b) == add32(b, a)


@given(
    st.integers(0),
    st.integers(0),
    st.integers(0)
)
def test_add32_unbounded_inputs_associativity(a, b, c):
    """Test associativity property for add32: (a + b) + c = a + (b + c)."""
    assert add32(add32(a, b), c) == add32(a, add32(b, c))

This time, Hypothesis catches the issue with identity:

$ poetry run pytest tests/test_add.py  --verbose \
  -k "test_add32_unbounded_inputs_identity or test_add32_unbounded_inputs_commutativity or test_add32_unbounded_inputs_associativity"
...
a = 4294967296

    @given(st.integers(0))
    def test_add32_unbounded_inputs_identity(a):
        """Test identity property for add32: a + 0 = a."""
>       assert add32(a, 0) == a
E       assert 0 == 4294967296
E        +  where 0 = add32(4294967296, 0)
E       Falsifying example: test_add32_unbounded_inputs_identity(
E           a=4_294_967_296,
E       )

4.2. Is property-based testing a magic tool?

Let’s stop and think about our example. How did Hypothesis catch the issue over an unbounded integer domain? Even it was picking the integers from the interval $[0, 2^{64})$, the chance of picking 4294967296 by uniform random sampling is pretty slim. Yet, Hypothesis keeps picking this number.

Well, the trick is that its input generator tries the well-known “magic numbers” such as 0, 1, -1, 2**32, 2**64, etc. In this sense, Hypothesis does not use uniform random sampling. See the discussion on domain and distribution in the Hypothesis documentation for more details.

What if our adversarial developer hallucinated an implementation that stays undetected by Hypothesis? This is what our next example is about.

4.3. Hallucinating addition over 256-bit unsigned integers

This time, the adversarial developer uses 256-bit unsigned integers with overflow semantics:

def add256(a: int, b: int) -> int:
    return (a + b) % (2**256)

If you think that using 256-bit integers is absurd, well, the Ethereum Virtual Machine (EVM) does exactly that. So an LLM could have adapted the above code from an EVM-related code base.

@given(st.integers(0))
@settings(max_examples=100000)
def test_add256_unbounded_inputs_identity(a):
    """Test identity property for add256: a + 0 = a."""
    assert add256(a, 0) == a
    assert add256(0, a) == a

@given(st.integers(0), st.integers(0))
@settings(max_examples=100000)
def test_add256_unbounded_inputs_commutativity(a, b):
    """Test commutativity property for add256: a + b = b + a."""
    assert add256(a, b) == add256(b, a)


@given(
    st.integers(0),
    st.integers(0),
    st.integers(0)
)
@settings(max_examples=100000)
def test_add256_unbounded_inputs_associativity(a, b, c):
    """Test associativity property for add256: (a + b) + c = a + (b + c)."""
    assert add256(add256(a, b), c) == add256(a, add256(b, c))

This time, the adversarial developer gets away, all tests pass:

$ poetry run pytest tests/test_add.py --verbose -k \
  "test_add256_unbounded_inputs_identity or test_add256_unbounded_inputs_commutativity or test_add256_unbounded_inputs_associativity" 
...
tests/test_add.py::test_add256_unbounded_inputs_identity PASSED                [ 33%]
tests/test_add.py::test_add256_unbounded_inputs_commutativity PASSED           [ 66%]
tests/test_add.py::test_add256_unbounded_inputs_associativity PASSED           [100%]

Why? Hypothesis does not try $2^{256}$ as a magic number. I gave it the budget of 100,000 examples, so it had a chance to try multiple powers of two, but it did not try anything above $2^{256} - 1$.

We can make sure that the identity test indeed fails when we pass $2^{256}$ as an example:

@given(st.integers(0))
@settings(max_examples=100000)
@example(2**256)  # This should fail!
def test_add256_unbounded_inputs_identity(a):
    """Test identity property for add256: a + 0 = a."""
    assert add256(a, 0) == a
    assert add256(0, a) == a

4.4. Catching the adversarial developer with Apalache

Here is how we modify the TLA⁺ specification to use Add256:

Add256(a, b) == (a + b) % (2^256)

InitNat ==
    /\ x \in Nat
    /\ y \in Nat
    /\ z \in Nat

Inv256 ==
    /\ Identity(Add256)
    /\ Commutativity(Add256)
    /\ Associativity(Add256)

Apalache immediately finds the issue with identity when we run it with Add256:

$ docker run --rm -v `pwd`:/var/apalache ghcr.io/apalache-mc/apalache \
  check --length=0 --init=InitNat --inv=Inv256 Add.tla
...
State 0: state invariant 0 violated.
Total time: 2.272 sec

If we check the counterexample, we see that the solver picks the value $2^{256}$ for x:

$ head -n 14 _apalache-out/Add.tla/2025-12-22T15-20-31_8166638658721555415/violation.tla
---------------------------- MODULE counterexample ----------------------------
EXTENDS Add

(* Constant initialization state *)
ConstInit == TRUE

(* Initial state [_transition(0)] *)
State0 ==
  x
      = 115792089237316195423570985008687907853269984665640564039457584007913129639936
    /\ y = 0
    /\ z = 0

This is not just luck and not an heuristic! Apalache delegates solving to the SMT solver Z3, which solves integer constraints. If you want to make sure that it’s not using magic numbers, go and change the modulo operator in Add256 to a large prime number, e.g., $2^{256} + 297$. Rerun the model checker, and it will still find the issue with identity.

4.5. For the curious: how Apalache and Z3 work together

Our example is so simple that we can even go over the actual SMT constraints that Apalache generates. Let’s run Apalache with the option --debug:

$ docker run --rm -v `pwd`:/var/apalache ghcr.io/apalache-mc/apalache \
  check --debug \
  --length=0 --init=InitNat --inv=Inv256 Add.tla

Open the file _apalache-out/Add.tla/2025-12-23T09-31-46_16436938462355564409/log0.smt (the timestamp will be different on your machine). The log is pretty verbose. Here are the crucial parts, which I’ve accompanied with explanations:

-- the initial value of `x`
(declare-const $C$6 Int)
-- `x` is a natural number
(assert (>= $C$6 0))
-- introduce a boolean variable for the identity property
(declare-const $C$9 Bool)
-- Encode the identity property for `Add256` and `x`.
-- The huge number is 2^256.
(assert (= $C$9
   (= (mod $C$6
           115792089237316195423570985008687907853269984665640564039457584007913129639936)
      $C$6)))
-- assert that the identity property is violated
(declare-const $C$10 Bool)
(assert (= (not $C$10) $C$9))
(assert $C$10)
-- check, whether the above constraints have a solution
(check-sat)

If you want to understand what is going on, read the comments above. At first, I was actually surprised that the SMT constraints did not contain addition at all. Then I recalled that Apalache has a bunch of rewriting rules that simplify the constraints. In this case, the symbolic model checker has applied the property a + 0 = a internally to get rid of the addition (yeah, it is the identity property!). It was an equivalent transformation, so we are still left with the modulo operator.

Essentially, we are asking Z3 to solve these inequalities over integers:

What is crucial here is that the SMT solver Z3 has a strict contract with the user. When we give it a set of constraints and ask it to check their satisfiability, it will apply sound algorithms to arrive at one of the three answers:

• sat: there is a solution to the above constraints, i.e., an assignment of values to the variables that makes the constraints true,

• unsat: there is no solution, and

• unknown: the constraints are too hard, or it took the solver too long to solve them.

In contrast to PBT, it is not just like “I tried a few random inputs and did not find a bug”. If Z3 answers sat, there is indeed a solution to the constraints, and the solver gives it to us as a model. If it returns unsat, there is no solution. Whenever you see unknown, it’s a bad day. Sometimes, it also indicates a bug in the solver itself, as I’ve reported to the Z3 developers a few times. However, Z3 is pretty reliable in my experience, and producing an unknown is an achievement, unless you set very tight timeouts, or use tricky non-linear arithmetic.

If you are further interested in how Z3 actually solved the above constraints, a simple answer is that it used something like the Simplex algorithm for integer linear programming. The constraints are linear in our case, so Z3 could apply this algorithm to find a solution. Most likely, Z3 used a more recent algorithm, but the idea is similar.

In case you really want to know how SMT solvers work under the hood, I recommend starting with the book on Decision Procedures by Kroening and Strichman.

5. Conclusions

We all have to learn how to write high-quality properties and understand the boundaries of the “magic” tools. Even if you don’t use LLMs, your peers will.

How to learn writing good properties? We can play with property-based testing. However, PBT tools are not reliable teachers. By their random nature, a PBT tool may miss a bug on one run and find it on another run. Don’t get me wrong. Property-based testing has its value, as many other testing and verification techniques. However, PBT is not a silver bullet. It may miss bugs, especially if the input generator does not cover the right input space well enough.

Shall we use interactive provers like Lean and Rocq? Learning how to prove code correct definitely helps! However, these tools only tell us that the proof does not go through. It would not give us a counterexample. State-of-the-art provers also recommend using PBT for bug finding.

In my opinion, model checking is the best way to learn how to write good properties. You can write as many properties as you like, and the model checker will produce you counterexamples, or not. Importantly, model checkers come with a guarantee of not having a bug in their search scope, if they terminate. See my blog post on the value of model checking on that.

Usually, I recommend people to start with TLC. It works by state enumeration and easy to understand. If your search scope is small, TLC is a good learning tool. In our example, the search scope is astronomical. In this case, Apalache is there to help.

By the way, our example was so simple, that we could encode it in Z3 directly via its python bindings. We could use other model checkers. If you do that, let me know!

6. Bonus: Hypothesis + Crosshair

Hypothesis offers an integration with Crosshair, which is a symbolic execution engine for Python using Z3. I did not explore this integration in depth. Claude told me that it is sufficient to just add this import to the test:

import hypothesis_crosshair_provider

Well, this did not help me to find the violation of identity for add256. If you know how to make Crosshair work with Hypothesis, please let me know!

When we run Crosshair directly on the add256 implementation, it finds the issue with identity right away:

$ poetry run crosshair check tests.test_add_crosshair.check_add256_identity
.../python/tests/test_add_crosshair.py:12: error: false when calling check_add256_identity(115792089237316195423570985008687907853269984665640564039457584007913129639936) (which returns False)

The Crosshair test looks like follows:

from crosshair.core_and_libs import standalone_statespace
from pbt_add import add256


def check_add256_identity(a: int) -> bool:
    """
    Check identity property for add256: a + 0 = a.
    
    pre: a >= 0
    post: _
    """
    return add256(a, 0) == a and add256(0, a) == a

Date: December 15, 2025

Note: I mostly stopped using LLMs for proof-reading my texts, so you know it is not all generated. Enjoy my typos and weird grammar!

Abstract. As promised in the blog post on small-scope hypothesis, I am continuing with the main body of the talk that I presented at the internal Nvidia FM Week 2025. This blog post is rather long. If you do not want to read the whole post, here are the most exciting new developments:

• A new JSON-RPC server API for Apalache, which allows external tools and scripts to drive the symbolic execution of TLA⁺ specifications and interact with the solver. Read the section on The new JSON-RPC API of Apalache.

• A new approach to conformance testing of TLA⁺ specifications and real implementations, called interactive symbolic testing. This approach is inspired by the work of McMillan and Zuck (2019) on testing of the QUIC protocol with IVy and SMT. Read the section on Interactive symbolic testing with SMT.

• A case study on testing multiple open-source implementations of TFTP, including unexpected (but not harmful) deviations from the protocol. This case study includes the experience report on using Claude to bootstrap the harness for testing TFTP implementations against the TLA⁺ specification. Read the section on Bootstrapping the testing harness with Claude and Testing against adversarial behavior. My point is not not to brainwash you into LLMs, but to show what works for me and what does not.

• The specification and the test harness are openly available. Check the Github repository.

In this blog post, I am using TLA⁺. The same tooling and results equally apply to Quint.

Contents:

1. Introduction
2. Model-based testing and trace validation
3. Interactive symbolic testing with SMT
4. The new JSON-RPC API of Apalache
5. Case study: TFTP protocol
6. Initial TLA⁺ specification of TFTP
7. Bootstrapping the testing harness with Claude
8. Debugging the TLA⁺ specification with the implementation
9. Testing against adversarial behavior
10. The specification as a differential testing oracle
11. Prior Work
12. Conclusions

1. Introduction

This work aims at demonstrating how to answer the following two questions with Apalache:

1. How to test the actual implementation against its TLA⁺ specification?

2. How to test the TLA⁺ specification against the actual implementation?

For long time, these questions have been mostly ignored by the TLA⁺ community. Over the last 4-5 years, researchers started to look into these two questions and found out that having a connection between the specification and the implementation is much more useful than it was initially thought. (The engineers were telling this to me all the time!) Check the prior work section for the papers and talks on this topic. Roughly speaking, the approaches follow the two ideas:

• Model-based testing (MBT). The TLA⁺ specification is used to generate test cases that are then executed against the implementation. This is an answer to question 1 above. The state exploration is driven by the specification. Hence, we are testing, whether the implementation matches the inputs and outputs, as produced by the specification.

• Trace validation (TV). The traces are collected from the implementation and checked against the TLA⁺ specification. This is an answer to question 2 above. State exploration is driven by the implementation, e.g., by executing the existing test suites, or just by running the system for some time. Hence, we are testing whether the specification matches the inputs and outputs of the implementation. Alternatively, we may check whether the implementation states may be lifted to the specification states, in order to produce a feasible trace in the specification.

If you re-read the description of MBT and TV above, you may notice that there are two more dimensions of how to do testing:

• State-based. In this case, we have to establish a relation between the implementation states and the specification states in each step of the trace. This usually done by defining mapping functions, either from the implementation states to the specification states, or vice versa. Notice that mapping an implementation state to a specification state is usually much easier, as it involves state abstraction (e.g., dropping some variables). Mapping a specification state to an implementation state is more difficult, as it involves state concretization, e.g., choosing a representative concrete value for each abstract value in the specification state. For example, if the specification says $x \in [10, 20]$, then we have to choose a concrete value for $x$ in this range, e.g., at random.

• Action-based. In this case, we have to establish a relation between the implementation actions and the specification actions. Again, we would need to define mappings. Interestingly, in my experience, defining action mappings is way easier than defining state mappings.

2. Model-based testing and trace validation

2.1. Model-based testing in one picture

Without going into too many details, the following picture illustrates the main idea of model-based testing. We generate an “interesting” trace with a model checker, e.g., with Apalache. This trace is fed to the test harness that: (1) does action concretization, (2) executes the actions against the implementation. The moment the implementation refuses to replay an action, we know that there is a divergence. Notice that we often do not even need to query the system for its current state, as we only care about the actions.

One downside of this approach is that the model checker can be quickly overwhelmed by the many possible action interleavings unless the search scope is further restricted. In my experience, the SMT solver Z3 slows down dramatically when it must solve two problems simultaneously:

1. Choose a sequence of actions (a schedule) to explore, and

2. Find variable assignments (states) that produce a feasible trace for the chosen schedule.

When a schedule is fixed, the SMT solver must solve far fewer constraints because it mainly propagates values through the actions. If the solver must also pick a schedule, it must backtrack along two axes: (1) schedules and (2) states. This increases solving times in practice.

To mitigate this, Apalache lets you randomly sample schedules and execute them symbolically. To enumerate different “interesting” schedules, the user can define a view operator, which usually projects state variables to more abstract values. The model checker will then produce traces projected onto those views. This works significantly better for test generation in practice. However, this exploration strategy is fixed and cannot be changed without modifying Apalache itself.

2.2. Trace validation in one picture

Trace validation is conceptually simpler than model-based testing. We simply execute the system under test (SUT) and collect traces. These traces are then mapped to the abstract states, if necessary, and checked against the specification.

This approach has been tried in multiple projects that use the exhaustive-state model checker TLC as the back-end solver. See the prior work section.

Trace validation also has its challenges:

1. We need a good test suite, in order to produce “interesting” traces. However, test cases are usually written for the happy-path scenarios. Hence, it is easy to miss handling of error cases and faults. Srinidhi Nagendra et al. (2025) address this issue by fuzzing the tests.

2. Someone has to instrument the SUT to trace the relevant events. In some cases, it easy to do, e.g., by tracing message exchanges, as presented by Markus Kuppe et. al. (2024). In other cases, it may be quite difficult to do, e.g., when we want to dump the internal states of the SUT. In a concurrent system this may require a global lock and traversing large data structures. In a distributed system, this may further require a distributed snapshot or using vector clocks.

3. We have to run the whole system to collect traces. It is hard to isolate one component, e.g., one network node.

3. Interactive symbolic testing with SMT

As we can see, both model-based testing and trace validation in their above formulation are non-interactive. They both require a complete trace to be produced first, and there is no feedback loop between the specification and the implementation.

There is a third way to do conformance testing that leverages SMT solvers, yet receives feedback from the implementation during the testing. I will call it interactive symbolic testing. I think the first time I heard about this approach was from Giuliano Losa, when he explained the paper by Ken McMillan and Leonore Zuck (2019) to me. If you have not read this paper yet, I highly recommend doing so. On the naming side, McMillan and Zuck call their approach “specification-based testing”. I find this name to be a bit non-descriptive, as MBT is also specification-based.

The idea is to generate an action with the SMT solver by following the specification, execute it against the implementation, and then feed the results back to the SMT solver to generate the next action. This way, we can systematically explore the protocol specification while getting feedback from the implementation.

The picture below illustrates this approach, by approximately following the internal transition executor of Apalache.

To implement this approach to testing with Apalache, we would have to find a way for Apalache and the test harness to communicate. My experience with development of Apalache shows that fixing exploration strategies inside the model checker is not a good idea. People always want to tweak them a bit for their purposes. Given this observation, Thomas Pani and I have decided to implement a simple server API for Apalache that would allow external tools to drive the symbolic execution of TLA⁺ specifications.

4. The new JSON-RPC API of Apalache

Thomas and I wanted to have a lightweight API that we could use from any programming language without writing too much boilerplate code. At this point, every engineer would whisper: hey, you need gRPC, I’ve got some. Well, we tried gRPC in the integration of Apalache with Quint. It is hard to call gRPC lightweight.

So we have decided to go with JSON-RPC this time, which is a very simple protocol that works over HTTP/HTTPS. Implementing a JSON-RPC server is quite straightforward. Since Apalache is written in Scala, which is JVM-compatible, we can use the well-known and battle-tested libraries. Perhaps, a bit unexpectedly for a Scala project, I’ve decided to implement this server with Jetty for serving the HTTP requests and Jackson for JSON serialization. (The reason is that we have already burnt ourselves with fancy but poorly supported libraries in Scala.) The resulting server is lightweight and fast. Moreover, it can be tested with command-line tools like curl.

The state-chart diagram of the Apalache JSON-RPC server for a single session is shown below.

To see a detailed description of this API, check Apalache JSON-RPC. Just to give you the taste of it, here is how you start the server without having anything installed but Docker:

$ docker pull ghcr.io/apalache-mc/apalache
$ docker run --rm /tmp:/var/apalache -p 8822:8822 \
    ghcr.io/apalache-mc/apalache:latest \
    server --server-type=explorer

Now, we create a new Apalache session with a TLA⁺ specification (in a separate tab):

$ SPEC=`cat <<EOF | base64
---- MODULE Inc ----
EXTENDS Integers
VARIABLE
  \* @type: Int;
  x
Init == I:: x = 0
Next == (A:: (x < 3 /\\ x' = x + 1)) \\/ (B:: (x > -3 /\\ x' = x - 1))
Inv3 == Inv:: x /= 0
\* @type: () => <<Bool, Bool, Bool>>;
View == <<x < 0, x = 0, x > 0>>
=====================
EOF`
$ curl -X POST http://localhost:8822/rpc \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"loadSpec","params":{"sources": [ "'${SPEC}'" ],
       "invariants": ["Inv3"], "exports": ["View"]},"id":1}'

Is not that amazing? No protobuf, no code generation, just pure shell and readable JSON.

Having the specification loaded, we load the predicate Init into the solver context, which is encoded as transition 0:

$ curl -X POST http://localhost:8822/rpc \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"assumeTransition","params":{"sessionId":"1",
       "transitionId":0,"checkEnabled":true},"id":2}'

Assuming that the previous call returned ENABLED, we switch to the next step, which applies the effect of Init to the current symbolic state:

$ curl -X POST http://localhost:8822/rpc \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"nextStep","params":{"sessionId":"1"},"id":3}'

Now, we can check the invariant Inv3 against all states that satisfy Init:

$ curl -X POST http://localhost:8822/rpc \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"checkInvariant",
       "params":{"sessionId":"1","invariantId":0},"id":3}'

Since invariant Inv3 is violated by the initial state, the server returns VIOLATED, along with a counter-example trace:

{
  "jsonrpc": "2.0",
  "id": 3,
  "result": {
    "sessionId": "1",
    "invariantStatus": "VIOLATED",
    "trace": {
      "#meta": {
        "format": "ITF",
        "varTypes": { "x": "Int" },
        "format-description": "https://apalache-mc.org/docs/adr/015adr-trace.html",
        "description": "Created by Apalache on Thu Dec 11 16:56:47 CET 2025"
      },
      "vars": [ "x" ],
      "states": [ {
          "#meta": { "index": 0 },
          "x": { "#bigint": "0" }
      } ]
    }
  }
}

The trace is encoded in the ITF format, which is a simple JSON-based format for TLA⁺ and Quint traces.

Had the invariant been violated on a deeper trace, we would have to assume more transitions by calling assumeTransition and nextStep multiple times.

If you want to access this API from Python right away, use two helper libraries:

• apalache-rpc-client for interacting with the JSON-RPC server of Apalache, and

• itf-py for serializing and deserializing ITF traces.

5. Case study: TFTP protocol

To experiment with interactive symbolic testing and the new JSON-RPC API, I wanted to choose a relatively simple network protocol that had multiple implementations. After several sessions with ChatGPT, I ended up with the Trivial File Transfer Protocol (TFTP) as a reasonable target for this small project.

The Wikipedia page on TFTP gives us a good overview of the protocol. In short, TFTP is a simple protocol to transfer files over UDP. It supports reading and writing files from a remote server. It is mostly used for booting from the network. The protocol is simple enough to be specified in TLA⁺ without too much effort, yet it has enough complexity to make the testing effort interesting. Actually, I’ve only specified reading requests (RRQ) and no writing requests (WRQ) to keep the scope manageable.

You can find more detailed specifications in the original RFC 1350, as well as in its extensions RFC 2347, RFC 2348, and RFC 2349. RFC 1350 defines a simple non-negotated version of the protocol. Below is an example of such an interaction between the client and the server. Notice that the client first sends a read request (RRQ) to the server on the control port 69, which responds with the first data block (DATA) on a newly allocated ephemeral port. The client acknowledges (ACK) the received data block on the same ephemeral port. This continues until the server sends the last data block, which is smaller than the maximum block size (512 bytes by default).

Further, RFC 2347 defines an option negotiation phase that happens right after the read request. The client and the server may negotiate options like block size, timeout, and transfer size. RFC 2348 defines the block size option, while RFC 2349 defines the transfer size option. Below is an example interaction with option negotiation:

The cool thing about TFTP is that it has multiple open-source implementations of TFTP clients and servers in different programming languages. Here are some of them:

• tftp-hpa is the canonical implementation of TFTP for Linux (and UNIX?) in C.

• atftpd is advanced TFTP, which is intended for fast boot in large clusters, also in C.

• dnsmasq is a lightweight DNS and DHCP server that also includes a TFTP server, in C.

• rs-tftpd (Rust) is an implementation of a TFTP server in Rust.

• gotfpd (Go) is an implementation of a TFTP server in Go.

• busybox also has its minimalistic implementation for file reads.

6. Initial TLA⁺ specification of TFTP

In the first stage of this experiment, I read the RFCs and wrote a TLA⁺ specification of the TFTP protocol. At that stage, I did not introduce packet loss, duplication, or reordering. I just wanted to have a simple working specification that I could use for testing the implementations. This stage took me just two days. Well, I have been writing plenty of TLA⁺ specifications in the past.

You can check this initial specification in the initial commit of the testing repo. The main body of the specification lives in tftp.tla, which imports several several auxiliary modules:

• typedefs.tla defines the types of the data structures and the basic constructors for these data structures. Since I am using Apalache, the specification needs type definitions. Luckily, these days, I just write the type definitions in comments and let Claude generate the auxilliary operators such as constructors and accessors. If you already have an untyped specification, Claude is good at figuring out the types in the agent mode. Just use this prompt.

• util.tla defines common utility definitions such as Min, Max, and option conversions.

Finally, MC2_tftp.tla defines a protocol instance of two clients and one server. If you stumble upon the definitions that end with View there, ignore them. They are not essential for this blog post. I used them to experiment with more advanced symbolic exploration scripts.

If you are not familiar with TLA⁺, or your TLA⁺ skills are rusty, I recommend giving one of the definitions and this prompt to ChatGPT. It actually explains TLA⁺ quite well:

Assume that I am a software engineer. I don't know TLA+ but know Golang or Rust.
Explain me this TLA+ snippet using my knowledge: ...

To see the kinds of actions this initial specification had, have a look at the definition of Next in tftp.tla:

Next ==
    \* the actions by the clients
    \/  \E srcIp \in CLIENT_IPS, srcPort \in PORTS:
            \E filename \in DOMAIN FILES, timeout \in 1..255:
                \* "man tftpd": 65464 is the theoretical maximum for block size
                \* https://linux.die.net/man/8/tftpd
                \E tsize \in 0..FILES[filename], blksize \in 0..65464:
                    \* choose a subset of the options to request
                    \E optionKeys \in SUBSET OPTIONS_RFC2349:
                        LET options ==
                            mk_options(optionKeys, blksize, tsize, timeout)
                        IN
                        ClientSendRRQ(srcIp, srcPort, filename, options)
    \/  \E udp \in packets:
            \/ ClientRecvDATA(udp)
            \/ ClientRecvOACK(udp)
            \/ ClientRecvErrorAndCloseConn(udp)
    \/  \E ipPort \in DOMAIN clientTransfers:
            ClientTimeout(ipPort)
    \* the server
    \/  \E udp \in packets:
            \/ ServerRecvRRQ(udp)
            \/ ServerSendDATA(udp)
            \/ ServerRecvAckAndCloseConn(udp)
            \/ ServerRecvErrorAndCloseConn(udp)
    \/  \E ipPort \in DOMAIN serverTransfers:
            ServerTimeout(ipPort)
    \* handle the clock and timeouts
    \/  \E delta \in 1..255:
            AdvanceClock(delta)

Falsy invariants. As I always do, I also specified “falsy invariants” to produce interesting examples. For example, using the invariant RecvThreeDataBlocksEx below, I can easily produce a trace where a client receives three data blocks from the server.

\* Check this falsy invariant to see an example of a client receiving 3 blocks.
RecvThreeDataBlocksEx ==
    ~(\E p \in DOMAIN clientTransfers:
        Len(clientTransfers[p].blocks) >= 3)

If you want to try it right way without installing anything, just do this with docker:

$ git clone git@github.com:konnov/tftp-symbolic-testing.git
$ git checkout 6fb00d1878b7e37a629868ac25b853d95b16cbdc
$ docker pull ghcr.io/apalache-mc/apalache
$ docker run --rm -v `pwd`:/var/apalache ghcr.io/apalache-mc/apalache \
  check --inv=RecvThreeDataBlocksEx MC2_tftp.tla

Trace visualization. Since Apalache emits traces in the ITF format, which has a very simple schema in JSON, it was easy for me to convince Claude to produce a Python script that would convert ITF traces to human-readable state charts in Mermaid. Here is just an example of such a trace produced by Apalache when checking the invariant RecvThreeDataBlocksEx in Mermaid:

sequenceDiagram
    participant ip10_0_0_3_port65000 as 10.0.0.3:65000
    participant ip10_0_0_1_port10000 as 10.0.0.1:10000
    participant ip10_0_0_1_port69 as 10.0.0.1:69

    ip10_0_0_3_port65000->>ip10_0_0_1_port69: RRQ(file1, blksize=0, timeout=4)
    ip10_0_0_1_port10000->>ip10_0_0_3_port65000: DATA(blk=1, 512B)
    ip10_0_0_3_port65000->>ip10_0_0_1_port10000: ACK(blk=1)
    ip10_0_0_1_port10000->>ip10_0_0_3_port65000: DATA(blk=2, 512B)
    ip10_0_0_3_port65000->>ip10_0_0_1_port10000: ACK(blk=2)
    ip10_0_0_1_port10000->>ip10_0_0_3_port65000: DATA(blk=3, 0B)
    ip10_0_0_3_port65000->>ip10_0_0_1_port10000: ACK(blk=3)

This is how it looks like when rendered by Mermaid:

Note on abstractions. Similar to the McMillan and Zuck, I tried to avoid unnecessary abstractions and approximations in the specification. If you look at the type definition of a TFTP packet in typedefs.tla, you will see that all fields except data are modeled as strings and integers:

  // TFTP Packet Types
  @typeAlias: tftpPacket =
    // Read Request (RFC 1350, Figure 5-1, RFC 2347).
    // See RFCs 2348-2349 for the options.
      RRQ({ opcode: Int, filename: Str, mode: Str, options: Str -> Int })
    // Write Request (RFC 1350, Figure 5-1, RFC 2347).
    // See RFCs 2348-2349 for the options.
    | WRQ({ opcode: Int, filename: Str, mode: Str, options: Str -> Int })
    // Acknowledgment (RFC 1350, Figure 5-3)
    | ACK({ opcode: Int, blockNum: Int })
    // Option Acknowledgment (RFC 2347)
    | OACK({ opcode: Int, options: Str -> Int })
    // Data packet (RFC 1350, Figure 5-2)
    // In our specification, we simply pass the length of data instead of the
    // data itself. The test harness should pass the actual data.
    | DATA({ opcode: Int, blockNum: Int, data: Int })
    // Error packet (RFC 1350, Figure 5-4)
    | ERROR({ opcode: Int, errorCode: Int, msg: Str })
  ;

Thinking about it now, I could even model data as a sequence of bytes, but it was obvious to me that only the length of data matters for the protocol logic.

7. Bootstrapping the testing harness with Claude

Now, we have the initial TLA⁺ specification of TFTP and the standard implementation tftp-hpa, which is the default tftpd server on Linux.

I wanted to avoid running the TFTP server on my laptop. What if I accidentally find a bug that corrupts my file system? So I have decided to run the server and the client harnesses in Docker containers. This way, I could easily reset the SUT and have an isolated network for the TFTP server and clients.

Below is the architecture of the test harness that I had in mind. It’s quite a bit overengineered for testing TFTP. I also wanted to experiment with Docker networking and managing multiple containers for potential future projects.

┌──────────────────────────────────────────────────────────────────┐
│                        Host Machine                              │
│                                                                  │
│  ┌────────────────────────────────────────────────────────────┐  │
│  │ harness.py                                                 │  │
│  │  - Coordinates symbolic execution                          │  │
│  │  - Manages Apalache server                                 │  │
│  │  - Controls Docker containers                              │  │
│  │  - Generates and saves test runs                           │  │
│  └────────┬────────────────────────┬──────────────────────────┘  │
│           │                        │                             │
│           ▼                        ▼                             │
│  ┌─────────────────┐     ┌──────────────────────────┐            │
│  │ Apalache Server │     │  Docker Manager          │            │
│  │  (port 8822)    │     │  - Network: 172.20.0.0/24│            │
│  └─────────────────┘     └──────────┬───────────────┘            │
│                                     │                            │
└─────────────────────────────────────┼────────────────────────────┘
                                      │
                         ┌────────────┴──────────────┐
                         │   Docker Network          │
                         │   (172.20.0.0/24)         │
                         │                           │
         ┌───────────────┼───────────────────────────┼─────────────┐
         │               │                           │             │
         ▼               ▼                           ▼             │
  ┌─────────────┐ ┌─────────────┐          ┌─────────────┐         │
  │ TFTP Server │ │  Client 1   │          │  Client 2   │         │
  │ 172.20.0.10 │ │ 172.20.0.11 │          │ 172.20.0.12 │         │
  │             │ │             │          │             │         │
  │ tftp-hpa    │ │ Python      │          │ Python      │         │
  │ Port: 69    │ │ TCP: 15001  │          │ TCP: 15002  │         │
  │ Data:1024-27│ │ (control)   │          │ (control)   │         │
  └─────────────┘ └─────────────┘          └─────────────┘         │
         ▲               │                           │             │
         │               │    UDP TFTP packets       │             │
         └───────────────┴───────────────────────────┘             │
                                                                   │
                         Docker Containers                         │
                                                                   │
                         tftp-test-harness:latest                  │
                                                                   │
└──────────────────────────────────────────────────────────────────┘

LLMs will do the work? As you could have guessed, I had no interest in writing the Docker files and the test harness from scratch. Having heard from so many people that LLMs are so amazing, I have decided to give Claude a try at generating the test harness.

Hence, I spent about four hours writing a very detailed prompt for Claude that explained how I want the test harness to look like (the above architecture diagram is actually generated by Claude from my prompt).

Pushing the button! So I’ve run Claude in the agent mode with my prompt and went for a coffee break. You can see the first generated version in this commit. The result looked so exciting and amazing until I looked at CHECKLIST.md:

## Notes

- The framework is complete and production-ready
- Remaining work is mostly about connecting components
- Each task is independent and can be tackled separately
- Estimated effort: 4-8 hours for core integration (tasks 1-4)
- Additional 2-4 hours for polish and testing (tasks 5-8)

What is going on? Claude left me homework? I was also baffled by the hourly estimates: Are these Claude hours or my hours? In the hindsight, the estimate was surprisingly accurate. It took me about 1.5 days to make this code do the first test run that made the harness exchange UDP packets with the TFTP server.

Then I looked at harness.py, which was supposed to be “complete and production-ready”. Guess what? The main loop was left as a TODO!

        # TODO: Implement actual TFTP operation execution
        # This would involve:
        # - Querying Apalache for the transition details
        # - Sending commands to the TFTP client in Docker
        # - Collecting UDP packet responses
        # - Parsing the responses

The overall structure was there, but the most important pieces were left as TODOs. Fine. It did the tedious part at least. So I started to chat with Claude again to implement the missing pieces. If you look at the commit history, you will see plenty of spaghetti code generated by Claude. In the end, it became a bit better after my guidance, but I had to rewrite it at some point.

Even though I am making jokes about LLMs here, I must say that Claude really helped me to debug the Docker setup and produce the python code for communicating over UDP in modern Python. I could easily lose a couple of days there.

Of course, the exploration logic was totally broken. After all, there is not much for LLMs to learn from. We are doing something new here!

1.5 days later. Something was working, but even the happy path was not there. So I had to do the baby steps with Claude. Here are just a few examples from my Copilot chat:

Let’s implement sending the RRQ packet over the wire.

…

Now I am receiving a response like below. This is good! What I want you to do next. Decode the response and construct the expected packet for the TLA+ specification. Save this as the expectation that we will use in the next step.

…

You should not construct a TLA+ expression. Rather, convert the packet to an ITF value using itf-py.

…

Can you implement this case for receiving OACK from the server and sending ACK by the client to the server.

2 more days later. I had the happy path working. At this point, I was tired of reading the harness logs. So I needed some form of visualization for each run. Obviously, I wanted to have the same kind of Mermaid diagrams as before.

So I asked Claude to generate a script that would reconstruct the sequence diagram from the harness logs. Well, it took me longer than expected. At some point, Claude was producing quite convoluted log parsers with regular expressions and python loops. Of course, it needs a human to define a simple log format instead.

Below is an example of such a test run, visualized from the log by the generated script in Mermaid:

If you look at the above diagram carefully, you will notice that server responses come in two flavors:

1. The dashed arrows indicate that the client has received the UDP packet from the UDP socket.

2. The solid arrows indicate that the UDP packet was successfully replayed with the TLA⁺ specification.

8. Debugging the TLA⁺ specification with the implementation

At that point, the tests started to produce actual interactions between the TLA⁺ specification (as solved by Apalache and Z3) and the real TFTP server. This brought a lot of surprises! I am going to present some of them below.

In this debugging session, I am keeping the scorecard of how many times the TLA⁺ specification was wrong versus how many times the implementation (tftp-hpa) was wrong. The scorecard at this point looks like this:

Actually, tftp-hpa is a quite mature implementation, so I was not expecting any bugs there. Keep reading to see what I found.

8.1. Sending errors on read request

The first surprise came from my misunderstanding of how exactly TFTP is supposed to reply to a malformed read request (RRQ). Since a client sends RRQ to the control port 69 of the server, I thought that the server would reply with an error packet (ERROR) from the port 69, instead of introducing a new ephemeral port.

This is what RFC 2347 says about option negotiation:

…the server should simply omit the option from the OACK, respond with an alternate value, or send an ERROR packet, with error code 8, to terminate the transfer.

No explanation about the port from which the ERROR packet is sent. Well, my understanding was wrong. The server always allocates a new ephemeral port for sending the ERROR packet. This kind of makes sense, as the implementation simply forks on a new request. One score to the implementation:

8.2. The server may send duplicate packets

Well, I knew that, but was lazy to write an action in the specification that would handle duplicate packets. This is a typical shortcut when writing a specification, since duplicate packets do not change the specification state and considered “stuttering” steps. The server implementation retransmitted a DATA packet, which produced a deviation in the TLA⁺ specification. Another score to the implementation:

Formally speaking, this action does not affect protocol safety, so it is tempting to simply skip duplicates. However, in conformance testing, we have to handle all possible actions of the implementation, even if they produce stuttering steps in the theory of TLA⁺.

8.3. Input-output conformance does not work with UDP!

The next issue was quite interesting. When I read the papers on input-output conformance testing from the 1990s, there was always an assumption that the system under test (SUT) is input-enabled. This means that the SUT can always accept any input at any time and respond to it, possibly, with an error message. This assumption makes sense for synchronous systems (such as vending machines?), where the tester can wait for the SUT to be ready to accept the input.

However, TFTP is not like that at all. The client may send an ERROR packet at any point in time, and the server does not have to reply to it! This is exactly a deviating test run I saw produced by the harness.

So instead of waiting for a reply from the server on each client action, the test harness has to optimistically send the next UDP packet and then retrieve the UDP packets from the server (remember that they live in Docker!).

This is where Claude was useful again. It helped me to collect the UDP packets on the Docker client. Before taking the next step, the harness would retrieve the buffered UDP packets from the Docker clients and replay these packets in the TLA⁺ specification, in arbitrary order.

This makes our testing approach a bit more sensitive to the timing of extracting the buffered UDP packets, but it worked for TFTP.

8.4. The server recycles an ephemeral port on ERROR

Another interesting deviation happened when the server recycled an ephemeral port. RFC 1350 explains how the server allocates ephemeral ports:

In order to create a connection, each end of the connection chooses a TID for itself, to be used for the duration of that connection. The TID’s chosen for a connection should be randomly chosen, so that the probability that the same number is chosen twice in immediate succession is very low.

Well, in our test run, the event of low probability happened (actually, I gave the TFTP server a small range of ports to use):

Actually, this theme of reusing the same ephemeral port happened multiple times in the following debugging iterations. It is probably the most problematic aspect of the protocol, as there is no notion of a session in TFTP. Another score to the implementation:

8.5. The server recycles an ephemeral port on success

Guess what? A very similar thing happened on a successful file transfer as well. Here is a pruned version of the trace that shows this behavior (the initial sequence of RRQ-OACK-DATA-ACK is omitted for brevity):

This behavior seems to be consistent with Section 6 of RFC 1350, though it seems to be ambiguous to me. Anyway, another score to the implementation:

8.6. Mixing the protocol versions

TFTP essentially has two versions: the original version defined in RFC 1350 and the extended version with option negotiation defined in RFC 2347. In combination with packet duplication, this produced a very interesting deviation. I’ve not saved the full trace, but here is what happened. The server processes an RRQ with options and sends an OACK, as per RFC 2347. After that, the TLA⁺ specification of the server receives an earlier RRQ without options and sends a DATA packet in response, as per RFC 1350. This corrupts the internal state of the server in the specification.

Obviously, this is caused by non-determinism in the TLA⁺ specification, which allows the protocol to behave according to both protocol versions at the same time. I had to fix the specification by disallowing the server to behave according to RFC 1350, when it receives an RRQ with options. One score to the implementation:

8.7. More deviations on the specification side

At some point, I got tired of collecting the precise deviations. They still can be recovered from the commit log though. Here are some of the further deviations on the specification side that I fixed:

• The client must send tsize = 0 in RRQ.

• The server should send default timeout if it’s not specified in the options.

• The server may send invalid (e.g., outdated) packets.

• My understanding of TFTP timeouts was wrong. I thought that a timeout was meant to close a transfer session. Instead, timeouts in TFTP are just triggering packet retransmissions. The number of retries is not specified in the RFCs. In practice, tftp-hpa seems to retry 5 times before giving up.

• The server specification should store transfers for triplets (clientIP, clientPort, serverPort) instead of pairs (clientIP, clientPort).

In the end, the implementation scored another 7 points, before tests started to work.

It looks like my TLA⁺ specification was a bit sloppy, in comparison to the mature implementation of tftp-hpa. I have not designed this protocol and did not give much thought to it. Obviously, the engineers have spent much more time thinking about its behavior. You can check the specification in the repository.

9. Testing against adversarial behavior

At some point I thought: My clients are too well-behaved! They never lose, duplicate, or reorder packets. What if they start to misbehave within the protocol boundaries? Would I be able to find bugs in the implementation? Yes, I did. Keep reading.

Hence, I have added one more action that simply lets a client retransmit a previously sent packet in Next:

    \/ \E udp \in packets:
        ClientSendDup(udp)

Below is the action ClientSendDup. It does not change the specification state at all. However, it produces an action that retransmits a packet in the harness:

\* A client resends a duplicate packet that it sent in the past.
\* This is to test for the Sourcerer's Apprentice syndrome.
\* @type: $udpPacket => Bool;
ClientSendDup(_udp) ==
    ClientSendDup::
    /\ _udp.destIp = SERVER_IP
    /\ lastAction' = ActionRecvSend(_udp)
    /\ UNCHANGED <<packets, serverTransfers, clientTransfers, clock>>

You can find the complete specification here.

Protocol deviation. It mostly worked as expected. However, a few traces were reporting deviations. Here is one of them. It’s pretty long. Look for an explanation below.

The last UDP packet is an acknowledgment for block 1 from the server. If you think about the protocol, the server should never send an ACK in the sessions associated with read requests (RRQ). ACK packets are only sent by the clients. Yet, this is what was happening. To double check this, I’ve asked Claude to capture the traffic in pcap files in the Docker containers. Indeed, Wireshark was showing the ACK packet from the server. Moreover, the packet was malformed. It looked like the option acknowledgment (OACK) packet, but had the first bytes of an ACK packet. Sounds like memory corruption!

Here is the core sequence of events that produced this behavior (a few details removed):

1. The client sends RRQ("file1", blksize=NN) to the server (172.20.0.10:69).

2. The server sends a few OACK packets to the client.

3. The client erroneously sends ACK(1) to the server, which is a duplicate packet from an earlier transfer. It could be simply a delayed packet though.

4. The server responds with ACK(1) of length 64, which is basically the OACK packet with the first 4 bytes coming from ACK(1).

Investigation. Luckily, the source code is readily available. I’ve looked into the function tftp_sendfile of tftp-hpa that handles read requests. Indeed, the option negotiation loop receives the option acknowledgment packet OACK and waits for an ACK from the client. There are two cases:

• When it receives an ACK for block 0, it breaks out of the loop and continues with sending data blocks. This is the happy path.

• When it receives an acknowledgment for a block other than 0, block, it simply continues the loop, retransmitting OACK. The issue is that the code uses the same buffer for sending OACK and receiving ACK packets via different pointers! Hence, it later sends an OACK packet that is corrupted with the contents of the ACK packet. I don’t think I would have found this by code review!

Just for fun, I checked it with Claude. It could not identify this issue. The trick is that the same buffer is pointed to by two different pointers, so Claude is not clever enough to track this aliasing. When I explained the issue to Claude, it was ecstatic: You have found a critical!

I’ve continued looking for the blast radius of this bug. Even though it somewhat of memory corruption, it cannot crash the server, as the code is still writing to the same buffer, allocated by the server itself. All it can do is to produce malformed packets. Hence, it could probably crash a sloppy client, but would not do much harm to a well-behaved client and itself. Moreover, if a client crashes in such a case, anybody else on the network could have sent the malformed ACK as well.

So this is a bug (from the specification p.o.v.), but it does not result in a vulnerability. In any case, it was a deviation from the protocol specification. Finally, one point to the specification!

Contacting the author. To be on the safe side, before writing this blog post, I’ve contacted the author of tftp-hpa. As I expected, he also replied that TFTP is an unencrypted unauthenticated protocol, so we should not expect much security there.

10. The specification as a differential testing oracle

After finding the above implementation bug, I have decided to test other TFTP implementations as well. This is where Claude was super useful again. I just asked it to generate Dockerfiles for other implementations, which it did quickly. It happened that a similar issue existed in another implementation. I could not figure out the root cause in the source code of that other implementation, as it is a bit harder to read than tftp-hpa. Hence, not giving the details here.

Except this second deviation, the other implementations worked fine. Overall, the specification scored another point:

What I find really interesting here. Whenever I talk to engineers about formal specifications, they tell me that they would like to do differential testing instead of writing specifications. Meaning that they would like to compare the behavior of one implementation against another implementation. However, differential testing is not magic. It requires test inputs to compare the implementations. Hence, if the test suite is missing adversarial test cases, both implementations may pass the tests, even though they are both wrong.

What we did here with the TLA⁺ specification is something more than just differential testing. First, we have debugged the specification against tftp-hpa, so we have extracted its expected behavior into a relatively small and precise formal specification. Second, we have used this specification to produce the tests for another implementation!

11. Prior Work

In this section, I’ve collected the previous work on model-based testing and trace validation with TLA⁺:

• Nagendra et. al. Model guided fuzzing of distributed systems (2025). Check the talk.

• Cirstea, Kuppe, Merz, Loillier. Validating Traces of Distributed Systems Against TLA+ Specifications (2024). Check the arxiv paper.

• Chamayou et. al. Validating System Executions with the TLA+ Tools (2024). See the talk.

• Halterman. Verifiability Gap: Why We Need More From Our Specs and How We Can Get It (2020). See the talk.

• Davis et al. eXtreme Modelling in Practice (2020). See the talk.

• Kupriyanov, Konnov. Model-based testing with TLA+ and Apalache (2020). See the talk.

• Pressler. Verifying Software Traces Against a Formal Specification with TLA⁺ and TLC (2018). Check the paper.

I am pretty sure that this list is incomplete, so please let me know if you are aware of any other relevant work.

12. Conclusions

This was a lot of text! Thank you for reading it till the end. It may look like this project took me eternity to complete. In reality, it took me about two weeks of part-time work to do it from the start to the end. On one hand, I could probably do some parts of it faster, if I did not rely too much on Claude for generating the test harness. On the other hand, Claude quickly generates the code to start and stop services, parse their logs, etc. All the things Docker were done by Claude, and I did not have to touch them. This is the work that I find annoying and LLMs just do. In this experiment, I’ve burned all of my monthly premium requests included in the Copilot plan. To be fair, I also had to add a few features to the new Apalache API, as I was still experimenting with it.

What I find interesting in the approach outlined here is that it presents a (relatively) lightweight way to testing real-world protocols. Thinking of fuzzing in this context, I don’t think a standard fuzzer would have found the above deviations in TFTP. Indeed, the implementation was not crashing. Nor it was accessing memory out of bounds. It was just producing malformed packets occasionally. To detect this, we needed a test oracle that would tell us, whether a deviation happened. Writing such an oracle manually would be tedious and error-prone. Instead, we have used a formal specification as a precise and unambiguous oracle. Unambiguous does not mean deterministic though. Our oracle is non-deterministic, but it precisely defines the allowed behaviors of the protocol.

In addition to that, tftp-hpa is not just a piece of code that was written by a startup over a weekend, or generated by an LLM. It is a very mature project that has been written by professionals in the times when people had time to think. They took care of the Sorcerer’s Apprentice Syndrome. This is why I was quite surprised to see an unexpected packet from the server.

On the Apalache side, we finally have a symbolic approach that scales much better than bounded model checking! In my experiments with TFTP, the new JSON RPC API was showing the signs of slowing down only after about 200 steps of symbolic execution. This is a huge improvement over the previous approach, where Apalache was slowing down after about 10-20 steps. It is easy to see why. We feed the concrete responses from the implementation into the SMT context, which immediately produce a lot of simplifications.

We can improve this even further to essentially unlimited number of steps. All what is needed is to keep the concrete trace on the harness side and initialize the SMT context with the last state of the trace. We can do it every step, or every N steps. The cool thing is that it all can be done outside of Apalache, on the harness side! This opens the door to quick experimentation with various strategies of mixing symbolic and concrete execution.

Date: December 9, 2025

1. Introduction

In August 2025, Aztec Labs engaged Thomas Pani and Igor Konnov to formally specify and verify the new Aztec Governance Protocol – the core on-chain system that governs Aztec Network.

Over the course of five weeks, we reviewed every line of code in scope and developed a precise formal specification, verified automatically with Apalache. The result: scalable, massively parallel automated verification that explored the entire protocol state space to formally confirm correctness and uncover subtle, cross-contract issues that conventional audits or fuzzing can easily miss.

The team at Aztec Labs reviewed our findings and addressed all of them.

At-a-Glance Metrics

For the impatient reader, here are some key figures:

These runtimes are comparable to large-scale fuzzing campaigns – but with a crucial difference: formal verification explores every possible transaction symbolically, offering exhaustive reasoning rather than probabilistic coverage.

Highlights

Some of the key highlights from this article include:

• Representative issue: Governance Insolvency with root-cause analysis and fix (§9.1)
• Choosing the right tools (§4)
• Bootstrapping the formal specification with AI (§5.2)
• Making verification scale with compositional reasoning and inductive invariants (§5.3, §7.3)
• Showing that the protocol can progress: witnesses of liveness (§7.4)

Our formal report can be accessed via this link and the specifications can be found via this link.

2. Overview of Aztec Governance

Aztec Network’s governance is implemented as a suite of on-chain Solidity contracts. We summarize its multi-contract architecture, which required compositional analysis to verify, in the diagram below. The current implementation extends and formalizes the concepts from the Aztec Governance RFC – see Aztec Governance for the canonical documentation. This post reflects the protocol as of the commit used in our engagement. Parts of the codebase have evolved since our engagement.

(We highlight the key contracts, with no special meaning attached to the colors.)

Rollups and Registry. Aztec Network manages a system of rollups recorded in the Registry, which directs inflationary rewards to a single, designated canonical rollup.

GovernanceProposer. GovernanceProposer (derived from EmpireBase) forms the foundational layer of the voting system, implementing a round-based signaling mechanism to determine which proposals advance to Governance.

Governance. The Governance contract manages the full proposal lifecycle, including submission, voting, and execution. Given their critical role in managing the Aztec Network, Governance incorporates access control, such as whitelisting beneficiaries that participate in voting. On top of that, it implements an emergency proposal mechanism which requires a substantial token lock.

Governance Staking Escrow (GSE). Governance stakes and corresponding voting rights are managed by the Governance Staking Escrow (GSE) contract. GSE enables seamless migration of staked assets to new canonical chains, addressing the “cold-start” problem by ensuring immediate operational support during network upgrades. Proposals made through GovernanceProposer tie back to GSE during execution, verifying that at least two-thirds of the total stake is allocated to the latest rollup.

SlashingProposer and Slasher. The SlashingProposer contract, also derived from EmpireBase, uses the same round-based signaling mechanism to determine which slashing proposals are forwarded to the Slasher contract.

Libraries. The main contracts are supported by a set of custom libraries that use storage-layout compression for gas optimization. These libraries enable the system to retrieve historical, checkpointed state for computing voting power, implement a custom checkpointed set data structure built on OpenZeppelin’s Checkpoints.Trace224 library, implement the vote-tallying algorithm, and provide helper functions that encode the proposal lifecycle state machine.

3. Attack Surface

The attack surface of the Governance Protocol is significant – with over 40 external state-mutating functions across multiple contracts in scope. Moreover, problematic scenarios typically:

• involve multiple contracts,
• exercise them over several transactions, and
• can even involve multiple instances of the same contract (e.g., several Rollups, several Governance contracts, etc.).

Reasoning about time. Governance and GovernanceProposer use the block timestamp to organize signaling and voting phases. GovernanceProposer slots are short (fractions of a minute), while Governance voting periods are much longer (minutes to days). We must therefore reason about long time horizons interrupted by short-lived events.

Malicious external inputs. To make things harder, we also considered scenarios in which a canonical rollup produces erroneous readings from time to time, e.g., due to a fault. For example, what if a canonical rollup starts to return slot numbers from the past (or far in the future)?

This poses both a challenge and an opportunity: standard techniques such as fuzzing, random simulation, or bounded model checking would not get us far – the state and action spaces are prohibitively large.

4. Choosing the Right Tools

With the attack surface in view, the next question was tooling: how to verify the protocol logic without drowning in bytecode.

4.1. Protocol-Level Specification

From an engineer’s perspective, the ideal solution would be to verify correctness directly at the implementation level – that is, to automatically reason about the Solidity code itself. Tools such as Certora Prover, Kontrol, Halmos, and HEVM aim to do exactly this by automating formal reasoning over smart contracts. These tools are remarkable engineering achievements, but their task is inherently complex: among other things, they must reason precisely about stack behavior, memory, storage, and external calls – all the way down to the EVM bytecode.

Before diving into such low-level reasoning, however, we believe it is essential to ensure that the protocol’s logic is sound. If high-level properties of the protocol are violated, then verifying bit-level correctness provides limited value. Once the protocol logic is verified, attention can shift to the implementation.

In this project, we focused on specifying the Aztec Governance Protocol at the logic level. Our main objectives were to:

• specify the high-level behavior of the protocol,
• identify its core invariants, and
• prove these invariants correct (or demonstrate violations through counterexamples).

4.2. Languages and Tools

Several specification languages could serve this purpose. For instance, we could have expressed the protocol directly in an interactive theorem prover like Lean or Rocq. However, both would offer little automation, which would make limited progress feasible within our one-month timeframe. (Recently, Lean has seen exciting developments such as the grind tactic and research by the VERSE group. We may explore these in a future engagement!)

TLA⁺ and its tooling. TLA⁺ is perhaps the most well-known practical specification language. It is supported by two model checkers (TLC and Apalache) and an interactive theorem prover TLAPS. We use the methodology of TLA⁺ to reason about the Governance Protocol as a collection of interacting state machines over large state spaces. Since many engineers find the syntax of TLA⁺ confusing, we use the surface syntax Quint to write the specifications. As co-authors of both Quint and the Apalache model checker – together with Gabriela Moreira, Shon Feder, Jure Kukovec, and others – we have a deep understanding of their internals and how to apply them to large-scale protocol verification. This expertise was essential for scaling our analysis to a system as complex as Aztec Governance.

5. Specification Decisions and Challenges

With the goals and tools defined, the next step was to translate the Governance Protocol into a precise, analyzable specification.

5.1. Writing the Specification

Modeling the states. Before specifying the contract behavior, we must decide how to model the contract states. We first define the shape of individual contract states. For example, below is the state of a GovernanceProposer.

// GovernanceProposer contract state
type GovernanceProposerState = {
  // the state of the parent EmpireBase contract
  empireBase: EmpireBaseState,
  // mapping(uint256 proposalId => address proposer)
  proposalProposer: Uint256 -> Address,
  // immutable config (set in constructor)
  REGISTRY: Address,
  GSE: Address
}

You can see that many concepts from Solidity (like mappings) are seamlessly expressed in Quint. The full protocol state – including all relevant contracts – is captured by EvmState. In our case, an EVM state is structured as follows:

type EvmState = {
  block_timestamp: Uint256,
  // all possible instances of ERC20 used as assets
  assets: Address -> ERC20State,
  // all possible instances of Governance
  governances: Address -> GovernanceState,
  // all possible instances of GovernanceProposer
  governanceProposers: Address -> GovernanceProposerState,
  // all possible instances of GSE
  gses: Address -> GSEState,
  // all possible instances of Registry
  registries: Address -> RegistryState,
  // all possible instances of RewardDistributor
  rewardDistributors: Address -> RewardDistributorState,
  // all instances of Slasher
  slashers: Address -> SlasherState,
  // all instances of SlashingProposer
  slashingProposers: Address -> SlashingProposerState,
  // IEmperor(...).getCurrentSlot() for each rollup
  rollupSlot: IHaveVersion -> int,
  // IEmperor(...).getCurrentProposer() for each rollup
  rollupProposer: IHaveVersion -> Address,
  // mapping rollup addresses to their versions
  // Corresponds to _rollup.getVersion() call in Registry.sol:53
  ROLLUP_VERSIONS: IHaveVersion -> Uint256,
  // mapping rollup address to the reward distributors that they create
  REGISTRY_REWARD_DISTRIBUTORS: IHaveVersion -> IRewardDistributor
}

As you can see, we do not have to focus on nitty-gritty low-level details – like how storage is laid out in EVM. This frees us to focus on protocol logic and high-level correctness, rather than low-level implementation concerns. It also makes the reasoning problem more tractable for automated verification.

Modeling the contract functions. The contract functions are simply pure functions over the EVM state. For instance, we define the function initiateWithdraw in Quint as:

// Governance.sol#L341
pure def Governance::initiateWithdraw(__evm_state: EvmState,
      __self: IGovernance, __msg_sender: Address,
      _to: Address, _amount: Uint256): Result[EvmState] = {
  val __state = __evm_state.governances.get(__self)
  val config = __state.configuration

  // ConfigurationLib.sol#L36:
  //   Timestamp.wrap(Timestamp.unwrap(_self.votingDelay) / 5) +
  //     _self.votingDuration + _self.executionDelay;
  val withdrawDelay = config.votingDelay / 5
      + config.votingDuration + config.executionDelay

  // L342: _initiateWithdraw(msg.sender, _to, _amount,
  //                         configuration.withdrawalDelay());
  Governance::_initiateWithdraw(__evm_state, __self, __msg_sender,
                                _to, _amount, withdrawDelay)
}

In Quint, we explicitly model all side-effects of the Solidity code, including exceptions and reverts. While it makes our specification more verbose, all branches and assignments become immediately visible at the code level – auditors do this in their heads all the time. For example, _initiateWithdraw computes and returns an updated EvmState, unless it reverts:

// Governance.sol#L694
pure def Governance::_initiateWithdraw(__evm_state: EvmState,
      __self: IGovernance, _from: Address, _to: Address,
      _amount: Uint256, _delay: Timestamp): Result[EvmState] = {
  val __state = __evm_state.governances.get(__self)
  // L695: users[_from].sub(_amount);
  val fromAmount = __state.users.getOrElse(_from, checkpoints::constructor)
  val userTraceOrError = checkpoints::sub(__evm_state, fromAmount, _amount)
  if (isErr(userTraceOrError)) {
    err(__evm_state, userTraceOrError.err)
  } else {
    // L696: total.sub(_amount);
    val totalTraceOrError = checkpoints::sub(__evm_state, __state.total, _amount)
    if (isErr(totalTraceOrError)) {
      err(__evm_state, totalTraceOrError.err)
    } else {
      // L698: uint256 withdrawalId = withdrawalCount++;
      // L700: withdrawals[withdrawalId] = Withdrawal({...});
      val withdrawal = {
          amount: _amount,
          unlocksAt: __evm_state.block_timestamp + _delay,
          recipient: _to, claimed: false
      }

      val __state1 = {
        ...__state,
        users: __state.users.put(_from, userTraceOrError.v),  // L695
        total: totalTraceOrError.v,                           // L696
        withdrawals: __state.withdrawals.append(withdrawal),  // L700
      }
      ok({...__evm_state,
        governances: __evm_state.governances.put(__self, __state1)
      })
    }
  }
}

Modeling transactions. We model transactions, e.g., initiated by externally-owned accounts (EOAs), via Quint actions:

action governance_initiate_withdraw = {
  nondet _g = evm.governances.keys().oneOf()
  nondet _sender = ALL_SENDERS.oneOf()
  nondet _to = ALL_ADDRESSES.oneOf()
  nondet _amount = 0.to(MAX_UINT256).oneOf()
  val result = Governance::initiateWithdraw(evm, _g, _sender, _to, _amount)
  all {
    is_valid_sender(_sender) and isOk(result),
    evm' = result.v,
    // ...
  }
}

This directly controls the domains from which input parameters are drawn. When we run the Quint randomized simulator, non-deterministic values are sampled uniformly at random. When we run the Apalache model checker, it uses logic constraints in the Z3 SMT solver to reason about all possible non-deterministic values at once.

5.2. Bootstrapping the Formal Specification with AI

The above specification looks a bit machine-generated. This is not far from the truth. We used an LLM to produce the initial specifications, given the source code in Solidity and the Quint data types.

Obviously, an LLM cannot make high-level modeling decisions, like how to structure the EVM state, or how best to turn Solidity into functional definitions – this requires years of practical experience. We developed a custom system prompt that gives the LLM clear instructions and examples for translating Solidity into Quint. (It’s an internal tool we refine and apply with clients when we bootstrap their specifications.)

Of course, as with all AI assistants, we had to carefully proofread the translation results. Also, we were fortunate to have the model checker Apalache on our side – it automatically pointed us to some inconsistencies in the translation. Compared to writing the specification by hand, this approach allowed us to bootstrap the project very quickly and to start evaluating the protocol early on.

5.3. Compositional Reasoning

Some security researchers believe that formal verification does not scale to more than 1–2 smart contracts, or to exploit scenarios longer than 1–2 external calls deep. We have organized our specification in such a way that the verification tools can deal with the behavior of 10–20 smart contracts, and arbitrarily long transaction sequences. This level of scalability requires not just formal verification expertise, but a deep understanding of how model checkers and provers work internally and interact with protocol architecture. It builds directly on our prior formal verification work – including zkSync Governance, ChonkyBFT, and Ethereum 3-slot-finality – where we pushed verification tools to reason compositionally across complex systems. More on this in Section 7.3. Inductive Invariants: Making Verification Scale.

6. Protocol Invariants

From Aztec’s documentation and source code, we extracted and formalized 125 key invariants of the Governance Protocol. To get a taste of the invariants, here are a few examples in English (more of them are in the report):

• GOV-16: If the proposal has not been active yet, then no votes have been cast.
• GOV-20: The timestamps in the users traces are ordered.
• GOV-26: For each timestamp t, total[t] equals the sum of the users’ voting power at t.
• GP-02-01: For each submitted proposal in proposalProposer, there is round accounting for a corresponding executed proposal (i.e., submitted to Governance).
• GP-08: A proposal cannot be executed without a quorum.
• GSE-17: for each proposal that the delegatee has powerUsed on, Governance contains that proposal.
• GSE-19: powerUsed cannot exceed the attester’s voting power at the time of the proposal’s pendingThrough.
• GSE-23: delegation.supply at each checkpoint is the sum of all delegation.ledgers[instance].supply at that time.
• SP-10: lastSignalSlot is in the valid range. This range is [round * ROUND_SIZE, (round + 1) * ROUND_SIZE).
• SP-11: The number of signals is correct. It does not exceed lastSignalSlot % ROUND_SIZE + 1.

Formalized invariants in Quint. We formalized all 125 invariants in Quint as well. For example, the Governance contract should uphold the Solvency Invariant (‘The Holy Grail’, as coined by FV researchers at Certora):

// GOV-28: Solvency: Governance holds enough balance to cover all future
// withdrawals.
pure def governance_solvency_inv(_evm: EvmState, ga: IGovernance): bool = {
  pure val g = _evm.governances.get(ga)
  and {
    // the withdrawals that happen in the future
    pure val payable = g.withdrawals.indices().fold(0, (sum, i) => {
      pure val withdrawal = g.withdrawals[i]
      sum + if (withdrawal.claimed) 0 else withdrawal.amount
    })
    // the total user's balance, add payable, is below the contract's balance
    pure val asset = _evm.assets.get(g.ASSET)
    g.total.latest() + payable <= asset.balances.getOrElse(ga, 0)
  }
}

Turns out, the solvency invariant is actually violated under certain conditions. We will get back to it in Section 9.1. Governance Insolvency.

With the key invariants defined, we started verifying them using Quint and Apalache.

7. Formal Verification Workflow

As soon as parts of the specification stabilized, we began verification – moving from randomized simulation to full symbolic and inductive reasoning.

7.1. Randomized Simulator: Stuck at Unproductive Inputs

The Quint randomized simulator operates similarly to property-based testing for implementation languages: it assigns concrete values to nondet declarations and resolves non-deterministic control choices by selecting one branch at random.

Limitations. We briefly experimented with this approach, but it proved ineffective for our purposes. The simulator’s uniform random sampling consistently failed to produce valid configurations that would even satisfy the protocol’s initial state:

$ quint run --max-samples=100000 --max-steps=10  --invariant=past_signals \
    spec/slashing_proposer_machine.qnt
An example execution:

[ok] No violation found (768ms at 130208 traces/second).
Trace length statistics: max=0, min=0, average=0.00

We believe the randomized simulator could be improved in future versions. If you’d like to explore in more detail why this happens – and how it could be mitigated – check out our workshop 25-Minute Solidity Fuzzer: Fuzzing Smarter, Not Harder.

In its current form, however, it did not help us uncover issues. This led us to use the symbolic analysis tools in Apalache, which can reason over all possible inputs symbolically rather than sampling concrete ones.

7.2. Symbolic Random Walks: Scaling Up

With symbolic random walks (part of Apalache), we quickly checked several invariants. The following run revealed an issue: the system could receive outdated (“past”) signals when the canonical rollup was faulty:

$ quint verify --random-transitions=true --max-steps=10 \
  --invariant=past_signals spec/slashing_proposer_machine.qnt
...
[violation] Found an issue (22181ms)

When an invariant is violated, Apalache produces a counterexample with all details needed to understand the issue. We omit it here because it is quite verbose.

Limitations. Even though this approach proved to be quite useful in bootstrapping and debugging our specification, it reached its limits when we began dealing with multiple contracts. This limitation stems from the protocol’s scale – with over 40 external functions, many of which can be invoked at nearly any point in time, the number of possible symbolic paths grows combinatorially with path length. We then moved to proving inductive invariants automatically.

7.3. Inductive Invariants: Making Verification Scale

To scale our formal verification efforts further, we specified 125 invariants that together capture any arbitrary state of the Governance Protocol. For example, below is the invariant gse_rollups_inv that groups the invariants GSE-28 to GSE-32:

pure def gse_rollups_inv(evm: EvmState, gsea: IGSE): bool = {
  val gse = evm.gses.get(gsea)
  val chkpts = gse.rollups._checkpoints
  and {
    // GSE-28: `rollups` is an ordered checkpointed trace with ascending timestamps
    _trace_is_ordered(gse.rollups),
    chkpts.indices().forall(i => and {
      // GSE-29: `rollups` values are rollup addresses
      chkpts[i]._value.in(ROLLUP_ADDRESSES),
      // GSE-30: the bonus instance does not appear in the `rollups` history
      chkpts[i]._value != BONUS_INSTANCE_ADDRESS,
      // GSE-31: `rollups` values are registered in `instances`
      chkpts[i]._value.in(gse.instances.keys()),
    })
  }
}

The following command checks that all protocol invariants (all_inv) – including gse_rollups_inv – hold whenever the protocol is in a state that satisfies all_inv and one of the contracts makes a single step:

$ ./scripts/quint-inductive.sh spec/invariant_model.qnt 31 32 5 100 all_inv

Beware that the above command runs over 900 verification runs in parallel (in the example above using at most 5 CPUs at once). This can easily overwhelm your laptop. If you want to reproduce our experiments, read the next section on our experimental setup.

Scalable verification. The core technique that enables this level of scalability is the use of inductive invariants. Instead of exploring all possible symbolic paths of the specification from an initial state (this approach, used by most code-level symbolic tools, is called symbolic execution), we start with a much richer set of states (captured by the inductive invariant all_inv) and simply enumerate all possible external functions and make them execute exactly once from any state in the inductive invariant. By assuming that all_inv holds in an arbitrary state and showing that it still holds after symbolically executing any single transaction, our check extends inductively to all possible executions.

Note for sticklers. We still have to show that the initial states satisfy the inductive invariant. In our case, this is easy. Essentially, the initial state of the protocol is an “empty” EVM state where none of the governance contracts are deployed yet.

7.4. Witnesses of Liveness: Proving the Protocol Can Progress

When verifying safety, there is always a risk that we introduce a bug in the specification that restricts the protocol behavior too much. This would still keep the protocol “safe” from the verification point of view, but, obviously, the protocol would not do as many useful things as it is meant to do. To avoid this pitfall, we introduce “falsy invariants” that instruct Apalache to generate a witness of the protocol reaching an “interesting” state. Below is an example to produce an execution to a state in which at least one governance proposal has been executed:

// Check this invariant to find an example of having at least one executed proposal:
// quint verify --max-steps=0 --invariant=gov_proposals_executed_ex \
//   spec/invariant_model.qnt
val gov_proposals_executed_ex = {
  not(evm.governances.keys().forall(ga => {
    val g = evm.governances.get(ga)
    g.proposals.indices().exists(proposalId => {
      val proposal = g.proposals[proposalId]
      proposal.cachedState == ProposalState_Executed
    })
  }))
}

This ability to automatically generate an execution trace to an ‘interesting’ state is a superpower of symbolic model checkers like Apalache – a functionality that would be far more difficult to automate with an interactive theorem prover such as Lean or Rocq. (Provers have property-based testing tools, but they are not tuned to bug finding in distributed protocols like Apalache.)

8. Experimental Setup and Verification Runs

Experimental setup. As mentioned above, checking the inductive invariant of our specification produces 992 verification tasks in total (for the combinations of a specific invariant and an external function call). Apalache decomposes invariant checking into smaller tasks, so we employ GNU parallel to massively parallelize the verification. We use two servers to run the experiments:

1. AMD Ryzen 9 5950X processor (16 physical, 32 logical cores), 128 GB memory
2. 2× Intel Xeon Platinum 8280 processor (56 physical, 112 logical cores total), pinned at 3.1 GHz, 240 GB memory

Verification Runs. Some of the verification tasks take a few minutes to check, and some of them take a few hours. This is caused by the nature of the SMT constraints. It is well-known that SMT solvers, including Z3, are challenged by non-linear integer arithmetic – in this project, they naturally appear, e.g., as part of Aztec’s vote tallying logic.

Instead of writing many words, we simply show you the plot below. It visualizes the running times of Apalache when checking the 992 verification tasks. The X-axis shows the number of verification conditions solved (roughly, individual constraints in the inductive invariant), sorted from fastest to slowest. Each point corresponds to one verification condition. The Y-axis represents the running time per verification condition, formatted in human-readable units (milliseconds to hours). Notice the logarithmic scale!

As we can see from the plot, over 85% of the verification conditions are checked in less than 10 minutes each, about 7% are checked in several hours, and about 8% of the verification conditions require plenty of running time.

Timeouts. As it happens with SMT solvers, 3% of our verification conditions time out. These are the runs at the end of the “hockey stick”. We capped the running time of Z3 at 12 hours. Since we are decomposing the inductive invariant into smaller pieces, these problematic conditions are well-localized. We have investigated these conditions. They all have to do with non-linear arithmetic.

Below is an example of such an invariant. Notice that the very last expression involves modulo over a non-constant value, since ROUND_SIZE is initialized in the contract constructor.

// GovernanceProposer invariant on last signals and total signals
pure def governance_proposer_signal_inv(evm: EvmState,
                                        ga: IGovernanceProposer): bool = {
  val gp = evm.governanceProposers.get(ga)
  gp.empireBase.rounds.keys().forall(rollup => {
    gp.empireBase.rounds.get(rollup).keys().forall(round => {
      val rollupRounds = gp.empireBase.rounds.get(rollup)
      val accounting = rollupRounds.get(round)
      and {
        // GP-12: ...
        // ...
        // GP-13: The number of signals is in the right range
        // It does not exceed `lastSignalSlot % ROUND_SIZE + 1`.
        // This property is very hard for Z3. It is not falsified.
        and {
          gp.empireBase.ROUND_SIZE <= MAX_ROUND_SIZE,
          totalSignalCount >= 0,
          totalSignalCount <= gp.empireBase.ROUND_SIZE,
          totalSignalCount <=
            (accounting.lastSignalSlot % gp.empireBase.ROUND_SIZE) + 1,
        }
      }
    })
  })
}

We classify the small number of the verification conditions that time out as not falsified rather than verified. Usually, we recommend verifying such conditions with a theorem prover such as Lean or Rocq. Another solution is to fix these non-constant values to known production configuration values to gain further confidence.

9. Findings

Our verification of the Aztec Governance Protocol uncovered five Medium, three Low, and six Informational findings. Most arose from subtle cross-contract interactions that are difficult to identify through conventional testing, fuzzing, or simulation alone. We reported all issues to Aztec Labs, who acknowledged and/or fixed them in subsequent pull requests.

Below we explain one representative issue: a violation of the solvency invariant.

9.1. Governance Insolvency

Recall the solvency invariant from Protocol Invariants. When we check it, Apalache produces a counterexample. Below is the root cause of this issue:

function deposit(address _beneficiary, uint256 _amount) external
        override(IGovernance) isDepositAllowed(_beneficiary) {
  ASSET.safeTransferFrom(msg.sender, address(this), _amount);
    // <--- if msg.sender == address(this), then the balances do not change
  users[_beneficiary].add(_amount);
    // <--- ...but the liabilities always get increased
  total.add(_amount);
  emit Deposit(msg.sender, _beneficiary, _amount);
}

In short, executing an approved governance proposal can invoke Governance.deposit(...). Inside deposit, this performs an ERC-20 self-transfer – leaving token balances unchanged – while crediting _beneficiary and increasing total. Governance’s liabilities go up, but its assets don’t – the contract becomes insolvent. The diagram below illustrates the problematic scenario.

On ERC-20 approvals. Most ERC20 token implementations would require Governance to execute an explicit token approval for the self-transfer before the call to deposit() (while executing the governance proposal). Calling ASSET is forbidden by the current Governance implementation. However, certain tokens like WETH do not require approvals for transferFrom() if from == msg.sender.

Resolution. We raised this finding with Aztec Labs who addressed it in PR #16917 by forbidding Governance from calling deposit() itself. In addition, the current AZTEC token implementation uses OpenZeppelin’s ERC-20 implementation, which does require explicit approval of self-transfers.

9.2. Other Findings

For details on all our findings, refer to our formal report.

10. Conclusion: Scalable Formal Verification in Practice

Our formal verification of the Aztec Governance Protocol went far beyond a traditional audit. It was a compositional, protocol-level analysis using state-of-the-art tools and techniques that we helped create. We formally proved 125 high-level invariants across a multi-contract system – reasoning over a search space beyond the reach of traditional testing and most formal verification tools. These invariants were automatically decomposed into 992 verification conditions, which let us further parallelize the verification task.

By combining inductive invariants, symbolic reasoning, and massive parallelization (321 CPU-days of compute), we showed that formal verification can scale to the complexity of modern, mission-critical smart contract systems. Our methodology enables exhaustive, automated reasoning about real-world governance mechanisms and other smart contract protocols.

For systems like Aztec Governance, where bugs are subtle but potentially catastrophic, deep understanding of the tools and underlying logic is essential. This project demonstrates that scalable, unbounded formal verification is not just theoretically possible – it’s practical today for mature, production-grade protocols.

Differential Testing: Spec / Implementation Conformance

A natural next step would be to connect the formal protocol specification with the actual Solidity implementation to close the verification loop (known as differential or conformance testing). With our methodology, it suffices to check that each external function call in Solidity conforms to its formal specification in Quint. Traditionally, this is done by writing and proving pre- and post-conditions in Hoare logic – e.g., using Certora Prover. We suggest that a more pragmatic approach is to fuzz external Solidity functions directly against the formal specification.

Enabling diff testing in Apalache: We have just implemented a new Apalache JSON-RPC API, which enables interactive differential testing between implementation and specification. This delivers fast, actionable, and reproducible results while still providing a high level of assurance grounded in rigorous formal modelling.

Tags: specification tlaplus tlc

A couple of weeks ago, I gave a talk at the internal Nvidia FM Week 2025. Many thanks to Markus Kuppe for the organization and invitation! I am going to write a longer blog post about interactive spec conformance testing with Apalache later. Today, I want to talk a bit about the question posed by Markus (to find the question, continue reading).

Let’s talk about the small scope hypothesis. As formulated by Jackson in the technical report (1997), this hypothesis reads as follows:

"...most errors can be demonstrated by counterexamples within a small scope."

As you will see below, my example fits into this hypothesis quite well. However, having spoken to many engineers over the years, I believe that there is a mismatch between what engineers understand by “small scope” and what verification engineers understand by “small scope”.

In this blog post, I’ve decided to try a new format. Since everyone is using LLMs nowadays, I will follow the protocol. I will present the example and the problem of finding a small scope. Then, it is your turn to decide how this blog post should continue. If someone gives me an interesting example or insight in a comment, I will update this blog post accordingly.

1. Example 1: Buggy circular buffer

1.1. The specification

I started the talk with a TLA⁺ specification of a buggy circular buffer. You can find the full specification, the model checking models, and the TLC configuration files here. The specification looks as follows:

----------------------------- MODULE BuggyCircularBuffer -----------------------------
(**
 * A very simple specification of a circular buffer with a bug.
 * Generated with ChatGPT and beautified by Igor Konnov, 2025.
 * ChatGPT learned abstraction so well that it omitted the actual buffer storage!
 *)
EXTENDS Integers

CONSTANTS
    \* Size of the circular buffer.
    \* @type: Int;
    BUFFER_SIZE,
    \* The set of possible buffer elements.
    \* @type: Set(Int);
    BUFFER_ELEMS

ASSUME BUFFER_SIZE > 0

VARIABLES
    \* The integer buffer of size BUFFER_SIZE.
    \* @type: Int -> Int;
    buffer,
    \* Index of the next element to POP.
    \* @type: Int;
    head,
    \* Index of the next free slot for PUSH.
    \* @type: Int;
    tail,
    \* Number of elements currently stored.
    \* @type: Int;
    count

\* Initial state
Init ==
  /\ buffer = [ i \in 0..(BUFFER_SIZE - 1) |-> 0 ]
  /\ head = 0
  /\ tail = 0
  /\ count = 0

\* Buggy PUT: Advance tail, increment count, but no fullness check!
Put(x) ==
  Put::
  LET nextTail == (tail + 1) % BUFFER_SIZE IN
  /\ buffer' = [buffer EXCEPT ![tail] = x]
  /\ head' = head
  /\ tail' = nextTail
  /\ count' = count + 1

\* GET: Only allowed when count > 0.
Get ==
  Get::
  LET nextHead == (head + 1) % BUFFER_SIZE IN
  /\ count > 0
  /\ UNCHANGED buffer
  /\ head' = nextHead
  /\ tail' = tail
  /\ count' = count - 1

\* Either Put or Get may happen in any step.
Next ==
    \/ \E x \in BUFFER_ELEMS:
        Put(x)
    \/ Get

vars == <<buffer, head, tail, count>>

\* Complete specification
Spec == Init /\ [][Next]_vars

\* Safety property we *intend* to hold, but it is violated:
\* count must never exceed the buffer capacity.
SafeInv == count <= BUFFER_SIZE

Since I wanted to experiment with different buffer sizes and potential buffer elements, I have introduced two parameters in the specification:

• BUFFER_SIZE is the size of the cyclic buffer, and
• BUFFER_ELEMS is the set of possible buffer elements.

Now, my previous experience with introducing TLA⁺ to engineers suggests that there are two ways to set these parameters:

1. The Engineer’s way: Set the parameters to relatively small yet reasonable values. For example, BUFFER_SIZE = 10 and BUFFER_ELEMS = 0..255. These are not the minimal possible values, but they kind of make sense: The buffer should hold up to 10 bytes. Obviously, BUFFER_ELEMS are set to the minimal possible type in their programming language of choice, e.g., char in C, or u8 in Rust.

2. The Verification Engineer’s way: Start with the smallest possible values of the parameters, e.g., BUFFER_SIZE = 2 and BUFFER_ELEMS = {0, 1}. The idea is to check the specification in the smallest possible scope first. If there are no bugs found, increase the parameters gradually until you reach the reasonable values.

1.2. Checking the specification Engineer’s way

To check the specification the Engineer’s way, I have created the TLA⁺ model MC10u8_BuggyCircularBuffer.tla with BUFFER_SIZE = 10 and BUFFER_ELEMS = 0..255. For technical reasons, we also need the TLC config file MC.cfg. Follow the links to see the details. Further, I’ve run TLC on this model to check the invariant SafeInv:

$ java -cp tla2tools.jar "-XX:+UseParallelGC" tlc2.TLC \
  -config MC.cfg MC10u8_BuggyCircularBuffer.tla

I wanted to see how far TLC could go, so I gave it a machine with 128 GB of RAM and 32 cores. TLC has explored around 3 billion states in about 40 minutes. After consuming 400 GB of disk space, it has run out of disk space and terminated. No bug was found. Is this surprising? Not really. In this configuration, TLC has to enumerate $(2^8)^{10} * 10 * 10 * 10 \approx 2^{90}$ states. (Thanks to Thomas Pani for correcting the initially wrong estimate.)

Obviously, anyone who used TLC for some time would have asked the same question as Markus did:

What about the small scope hypothesis? Can we use smaller parameters?

The answer to this question is basically the second approach, which I called the Verification Engineer’s way.

1.3. Checking the specification Verification Engineer’s way

This time, we use the instance MC2u1_BuggyCircularBuffer.tla that has BUFFER_SIZE = 2 and BUFFER_ELEMS = {0, 1}. Let’s run TLC on this instance to check the invariant SafeInv:

$ java -cp tla2tools.jar "-XX:+UseParallelGC" tlc2.TLC \
  -config MC.cfg MC2u1_BuggyCircularBuffer.tla
...
Error: Invariant SafeInv is violated.
...
10 states generated, 10 distinct states found, 5 states left on queue.

Yay! Just after visiting 10 states, TLC has found a violation of the invariant!

So if we pick the right small scope, exhaustive model checking with TLC finds the bug quite fast. In this example, it is hard to find a small scope that would not reveal the bug. Of course, when we know that the bug exists, it is easy to experiment with different values of the parameters and find the bug.

1.4. Checking the specification randomly

Surprisingly, if we forget about exhaustive enumeration, TLC finds an invariant violation for BUFFER_SIZE = 10 and BUFFER_ELEMS = 0..255 in less than a second. To do this, we run TLC with the option -simulate, which simply picks successor states at random:

$ java -cp tla2tools.jar "-XX:+UseParallelGC" tlc2.TLC \
  -simulate -config MC.cfg MC10u8_BuggyCircularBuffer.tla
...
Error: Invariant SafeInv is violated.
...

This effectiveness of randomized search is actually not a one-off thing. The Quint simulator finds the bug in less than a second. Similarly, the Rust property-based testing with proptest finds the bug almost immediately.

Interestingly, we did not have to tune the scope to be as tiny as possible, as we did for exhaustive model checking. Maybe this is why some engineers want to use property-based testing for every problem?

2. Thinking about the small scope hypothesis

In Example 1, we indeed found several assignments to BUFFER_SIZE and BUFFER_ELEMS that revealed an invariant violation. Actually, this bug is so simple that almost any assignment to the parameters would reveal it. We could even set BUFFER_SIZE = 1 and BUFFER_ELEMS = {0} to find the bug! If you want to push it further, think, whether BUFFER_ELEMS = {} would allow us to find an invariant violation.

In fact, if we go back to Alloy, the way Alloy restricts the scope is quite different from what we did in Example 1. Alloy limits the number of elements of each type in the specification. For example, if we had specified the circular buffer in Alloy, we could restrict the search scope as follows:

• All integers, including BUFFER_SIZE and buffer indices, have the bit width of 4.

• The number of unique buffer elements is $2^8$.

As a result, Alloy would consider all possible values of BUFFER_SIZE from 0 to 15, all possible values of buffer elements from 0 to 255, as well as all possible combinations of buffers of size up to 15. This is a much more flexible way to restrict the search space. In case of TLC, we did not have this flexibility: We had to give concrete values to BUFFER_SIZE and BUFFER_ELEMS.

Hence, we have to distinguish between small scopes and small parameter assignments in TLC. After thinking about this question a bit more, I’ve asked myself:

Are there examples of specifications that have a small scope for a specific invariant violation, but it is hard to find concrete parameter assignments within this scope?

Even though my intuition says “yes”, there must be plenty of such examples, I could not come up with with non-artificial examples immediately. On top of my head, I can think of the following directions to look for such examples:

• Examples from abstract interpretation. If we have non-trivial math with overflows and underflows, it might be hard to find concrete assignments that would trigger these overflows and underflows.

• Examples from graph theory. For instance, non-planar graphs must contain subgraphs that are subdivisions of $K_5$ or $K_{3,3}$ (see Kuratowski’s theorem on planar graphs). So if a bug shows up only in non-planar graphs, there must be a small scope that reveals the bug. However, our concrete graph would have to contain a subdivision of $K_5$ or $K_{3,3}$, which is far from an arbitrary graph. Unfortunately, I do not know any concurrent or distributed algorithm that would have something to do with planar or non-planar graphs.

3. Your turn

It is your turn to decide how this blog post should continue. If someone gives me an interesting example or insight in a comment, I will update this blog post accordingly.

Tags: specification tlaplus apalache tlc

This must be my shortest blog post ever. I just wanted to run TLC to check a specification that uses Apalache modules. For example, the typed version of two-phase commit MC3_TwoPhaseTyped.tla uses the module Variants. Sure, TLC can do that, but it requires a small trick.

Let’s do it step by step for MC3_TwoPhaseTyped.tla. Say, we want to see an example of all participants committing:

RMAllCommittedEx ==
    ~(\A rm \in RM: rmState[rm] = "committed")

Step 1. Checkout the Apalache repository, if you don’t have it already:

$ git clone git@github.com:apalache-mc/apalache.git
$ export APALACHE_HOME=$(pwd)/apalache

Step 2. Download TLA⁺ Tools:

$ wget https://github.com/tlaplus/tlaplus/releases/download/v1.7.4/tla2tools.jar
$ export TLC_HOME=$(pwd)

Step 3. Introduce a configuration file MC3_TwoPhaseTyped.cfg with the following content:

$ cd $APALACHE_HOME/test/tla
$ cat >MC3_TwoPhaseTyped.cfg <<EOF
INIT Init
NEXT Next
INVARIANT RMAllCommittedEx
EOF

Step 4. Run TLC with the option -cp, which extends the Java classpath. TLC will look for non-standard modules in the specified directory, that is, in the directory ${APALACHE_HOME}/src/tla. This is the trick!

$ java -cp ${TLC_HOME}/tla2tools.jar:${APALACHE_HOME}/src/tla \
  "-XX:+UseParallelGC" tlc2.TLC \
  -config MC3_TwoPhaseTyped.cfg MC3_TwoPhaseTyped.tla

As expected, TLC finds an example of RMAllCommittedEx:

Running breadth-first search Model-Checking...
...
State 11: <Next line 16, col 1 to line 16, col 22 of module MC3_TwoPhaseTyped>
/\ msgs = { [tag |-> "Commit", value |-> "0_OF_NIL"],
  [tag |-> "Prepared", value |-> "0_OF_RM"],
  [tag |-> "Prepared", value |-> "1_OF_RM"],
  [tag |-> "Prepared", value |-> "2_OF_RM"] }
/\ rmState = [0_OF_RM |-> "committed", 1_OF_RM |-> "committed", 2_OF_RM |-> "committed"]
/\ tmState = "committed"
/\ tmPrepared = {"0_OF_RM", "1_OF_RM", "2_OF_RM"}
...
1119 states generated, 287 distinct states found, 7 states left on queue.

Bottom line

This is it! If you have any questions, please feel free to reach out. I’m happy to help.