Formal Verification Complete: TLA+ model checking — 136K states, 8 safety invariants, zero violations #2
arcadamarket
announced in
Announcements
Replies: 0 comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Phase 1 of formal verification for the RAG Runtime Kernel state machine is complete.
What was verified
We wrote a 555-line TLA+ specification encoding the exact transition table, WAL (write-ahead log) semantics, proposal lifecycle, and crash/recovery behavior from the Python runtime (
rag_kernel/state_machine.pyandrag_kernel/persistence.py).The TLC model checker exhaustively explored 136,193 states (84,261 distinct) in 6 seconds.
Results: 8 safety invariants — all passed
Bug found and fixed
TLC discovered a genuine BOOTING↔RECOVERY livelock —
RecoveryCompletecould nondeterministically choose BOOTING over READY indefinitely. This was not caught by 337 unit tests.Fix: Strengthened fairness from WF to SF on
RecoveryComplete(READY), ensuring recovery always eventually reaches READY. This matches the Python implementation’s deterministic behavior.Liveness properties (Phase 2)
Three temporal properties are defined but deferred:
These need a model with WAL truncation/compaction to avoid false positives from the finite bound.
Files
All formal verification artifacts are in
formal/:RAGKernel.tla— TLA+ specification (555 lines)RAGKernel.cfg— TLC model configurationTLC_RESULTS.md— detailed resultsWhat’s next
Phase 2 will add WAL compaction to the model and verify liveness properties at full depth. Phase 3 will auto-generate transition guard code from the formal model. Phase 4 will embed those guards into the Python runtime.
See the full roadmap for details.
Beta Was this translation helpful? Give feedback.
All reactions