{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,15]],"date-time":"2026-06-15T16:56:09Z","timestamp":1781542569286,"version":"3.54.5"},"reference-count":22,"publisher":"Association for Computing Machinery (ACM)","issue":"4","license":[{"start":{"date-parts":[[2015,3,23]],"date-time":"2015-03-23T00:00:00Z","timestamp":1427068800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Commun. ACM"],"published-print":{"date-parts":[[2015,3,23]]},"abstract":"<jats:p>Engineers use TLA+ to prevent serious but subtle bugs from reaching production.<\/jats:p>","DOI":"10.1145\/2699417","type":"journal-article","created":{"date-parts":[[2015,3,24]],"date-time":"2015-03-24T12:26:59Z","timestamp":1427200019000},"page":"66-73","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":270,"title":["How Amazon web services uses formal methods"],"prefix":"10.1145","volume":"58","author":[{"given":"Chris","family":"Newcombe","sequence":"first","affiliation":[{"name":"Oracle, Seattle, WA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Tim","family":"Rath","sequence":"additional","affiliation":[{"name":"Amazon.com, Seattle, WA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Fan","family":"Zhang","sequence":"additional","affiliation":[{"name":"Cyanogen, Seattle, WA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Bogdan","family":"Munteanu","sequence":"additional","affiliation":[{"name":"Amazon.com, Seattle, WA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Marc","family":"Brooker","sequence":"additional","affiliation":[{"name":"Amazon.com, Seattle, WA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Michael","family":"Deardeuff","sequence":"additional","affiliation":[{"name":"Amazon.com, Seattle, WA"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2015,3,23]]},"reference":[{"key":"e_1_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1145\/1134285.1134406"},{"key":"e_1_2_1_2_1","unstructured":"Amazon.com. Supported Operations in DynamoDB: Strongly Consistent Reads. System documentation; http:\/\/docs.aws.amazon.com\/amazondynamodb\/latest\/developerguide\/APISummary.html  Amazon.com. Supported Operations in DynamoDB : Strongly Consistent Reads. System documentation; http:\/\/docs.aws.amazon.com\/amazondynamodb\/latest\/developerguide\/APISummary.html"},{"key":"e_1_2_1_3_1","volume-title":"June 2012","author":"Barr J.","year":"2012","unstructured":"Barr , J. Amazon S3: The first trillion objects. Amazon Web Services Blog , June 2012 ; http:\/\/aws.typepad.com\/aws\/ 2012 \/06\/amazon-s3-the-first-trillion-objects.html Barr, J. Amazon S3: The first trillion objects. Amazon Web Services Blog, June 2012; http:\/\/aws.typepad.com\/aws\/2012\/06\/amazon-s3-the-first-trillion-objects.html"},{"key":"e_1_2_1_4_1","volume-title":"Mar. 2013","author":"Barr J.","year":"2013","unstructured":"Barr , J. Amazon S3: Two trillion objects, 1.1 million requests per second. Amazon Web Services Blog , Mar. 2013 ; http:\/\/aws.typepad.com\/aws\/ 2013 \/04\/amazons3-two-trillion-objects-11-million-requests-second.html Barr, J. Amazon S3: Two trillion objects, 1.1 million requests per second. Amazon Web Services Blog, Mar. 2013; http:\/\/aws.typepad.com\/aws\/2013\/04\/amazons3-two-trillion-objects-11-million-requests-second.html"},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-39656-7_10"},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1145\/1243418.1243422"},{"key":"e_1_2_1_7_1","volume-title":"Jan. 2013","author":"Brooker M.","year":"2013","unstructured":"Brooker , M. Exploring TLA+ with two-phase commit. Personal blog , Jan. 2013 ; http:\/\/brooker.co.za\/blog\/ 2013 \/01\/20\/two-phase.html Brooker, M. Exploring TLA+ with two-phase commit. Personal blog, Jan. 2013; http:\/\/brooker.co.za\/blog\/2013\/01\/20\/two-phase.html"},{"key":"e_1_2_1_8_1","volume-title":"Software and Complex Electronic Hardware Standardization Conference","author":"Holloway C.","year":"2005","unstructured":"Holloway , C. Michael Why you should read accident reports . Presented at the Software and Complex Electronic Hardware Standardization Conference ( Norfolk, VA , July 2005 ); http:\/\/klabs.org\/richcontent\/conferences\/faa_nasa_2005\/presentations\/cmh-why-read-accident-reports.pdf Holloway, C. Michael Why you should read accident reports. Presented at the Software and Complex Electronic Hardware Standardization Conference (Norfolk, VA, July 2005); http:\/\/klabs.org\/richcontent\/conferences\/faa_nasa_2005\/presentations\/cmh-why-read-accident-reports.pdf"},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1023\/A:1022969405325"},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1109\/ISSRE.2006.14"},{"key":"e_1_2_1_11_1","unstructured":"Lamport L. The TLA Home Page; http:\/\/research.microsoft.com\/en-us\/um\/people\/lamport\/tla\/tla.html  Lamport L. The TLA Home Page; http:\/\/research.microsoft.com\/en-us\/um\/people\/lamport\/tla\/tla.html"},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1007\/s00446-006-0005-x"},{"key":"e_1_2_1_13_1","unstructured":"Lamport L. The Wildfire Challenge Problem; http:\/\/research.microsoft.com\/en-us\/um\/people\/lamport\/tla\/wildfire-challenge.html  Lamport L. The Wildfire Challenge Problem; http:\/\/research.microsoft.com\/en-us\/um\/people\/lamport\/tla\/wildfire-challenge.html"},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1007\/11864219_11"},{"key":"e_1_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.5555\/646843.706634"},{"key":"e_1_2_1_16_1","volume-title":"The Wildfire Challenge Problem","author":"Lamport L.","year":"2001","unstructured":"Lamport , L. , Sharma , M. , Tuttle , M. , and Yu , Y . The Wildfire Challenge Problem . Jan. 2001 ; http:\/\/research.microsoft.com\/en-us\/um\/people\/lamport\/pubs\/wildfire-challenge.pdf Lamport, L., Sharma, M., Tuttle, M., and Yu, Y. The Wildfire Challenge Problem. Jan. 2001; http:\/\/research.microsoft.com\/en-us\/um\/people\/lamport\/pubs\/wildfire-challenge.pdf"},{"key":"e_1_2_1_17_1","first-page":"258","volume":"244","author":"Lu T.","year":"2011","unstructured":"Lu , T. , Merz , S. , and Weidenbach , C. Towards verification of the Pastry Protocol using TLA+. In Proceedings of Joint 13th IFIP WG 6.1 International Conference and 30th IFIP WG 6.1 International Conference Lecture Notes in Computer Science Volume 6722 (Reykjavik, Iceland , June 6--9). Springer-Verlag , 2011 , 244 -- 258 . Lu, T., Merz, S., and Weidenbach, C. Towards verification of the Pastry Protocol using TLA+. In Proceedings of Joint 13th IFIP WG 6.1 International Conference and 30th IFIP WG 6.1 International Conference Lecture Notes in Computer Science Volume 6722 (Reykjavik, Iceland, June 6--9). Springer-Verlag, 2011, 244--258.","journal-title":"Springer-Verlag"},{"key":"e_1_2_1_18_1","volume-title":"14th International Workshop on High-Performance Transaction Systems","author":"Newcombe C.","year":"2011","unstructured":"Newcombe , C. Debugging Designs . Presented at the 14th International Workshop on High-Performance Transaction Systems ( Monterey, CA , Oct. 2011 ); http:\/\/hpts.ws\/papers\/2011\/sessions_2011\/Debugging.pdf and associated specifications http:\/\/hpts.ws\/papers\/2011\/sessions_2011\/amazonbundle.tar.gz Newcombe, C. Debugging Designs. Presented at the 14th International Workshop on High-Performance Transaction Systems (Monterey, CA, Oct. 2011); http:\/\/hpts.ws\/papers\/2011\/sessions_2011\/Debugging.pdf and associated specifications http:\/\/hpts.ws\/papers\/2011\/sessions_2011\/amazonbundle.tar.gz"},{"key":"e_1_2_1_19_1","volume-title":"Proceedings of the Fourth International Conference Lecture Notes in Computer Science","author":"Newcombe C.","year":"2014","unstructured":"Newcombe , C. Why Amazon chose TLA+ . In Proceedings of the Fourth International Conference Lecture Notes in Computer Science Volume 8477 , Y.A. Ameur and K.-D. Schewe, Eds . (Toulouse, France, June 2--6). Springer , 2014 , 25--39. Newcombe, C. Why Amazon chose TLA+. In Proceedings of the Fourth International Conference Lecture Notes in Computer Science Volume 8477, Y.A. Ameur and K.-D. Schewe, Eds. (Toulouse, France, June 2--6). Springer, 2014, 25--39."},{"key":"e_1_2_1_20_1","volume-title":"et al. The Berkeley\/Stanford Recovery-Oriented Computing Project","author":"Patterson D.","unstructured":"Patterson , D. , Fox , A. et al. The Berkeley\/Stanford Recovery-Oriented Computing Project . University of California , Berkeley; http:\/\/roc.cs.berkeley.edu\/ Patterson, D., Fox, A. et al. The Berkeley\/Stanford Recovery-Oriented Computing Project. University of California, Berkeley; http:\/\/roc.cs.berkeley.edu\/"},{"key":"e_1_2_1_21_1","volume-title":"Proceedings of the Third IEEE International Workshop on Microprocessor Test and Verification","author":"Tasiran S.","year":"2002","unstructured":"Tasiran , S. , Yu , Y. , Batson , B. , and Kreider , S . Using formal specifications to monitor and guide simulation: Verifying the cache coherence engine of the Alpha 21364 microprocessor . In Proceedings of the Third IEEE International Workshop on Microprocessor Test and Verification ( Austin, TX, June). IEEE Computer Society , 2002 . Tasiran, S., Yu, Y., Batson, B., and Kreider, S. Using formal specifications to monitor and guide simulation: Verifying the cache coherence engine of the Alpha 21364 microprocessor. In Proceedings of the Third IEEE International Workshop on Microprocessor Test and Verification (Austin, TX, June). IEEE Computer Society, 2002."},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1145\/2185376.2185383"}],"container-title":["Communications of the ACM"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2699417","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/2699417","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T06:16:58Z","timestamp":1750227418000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2699417"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2015,3,23]]},"references-count":22,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2015,3,23]]}},"alternative-id":["10.1145\/2699417"],"URL":"https:\/\/doi.org\/10.1145\/2699417","relation":{},"ISSN":["0001-0782","1557-7317"],"issn-type":[{"value":"0001-0782","type":"print"},{"value":"1557-7317","type":"electronic"}],"subject":[],"published":{"date-parts":[[2015,3,23]]},"assertion":[{"value":"2015-03-23","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}