TLC explores all successors of every state it analyzes. The algorithm for checking invariants can be given as follows: queue = [s : s is an initial state of the spec] \* queue of states to explore visited = [] \* set of states already visited while queue != [] : s = head(queue) queue = tail(queue) if ~(s in visited) : visited += [s] if ~(s satisfies invariant) : return false \* compute and display counter-example succs = [t : t is a successor of s w.r.t. the next-state relation] queue += succs return true You can visualize the state graph as a .dot file, this works for small state spaces (it might still be OK for your example). In any case, it is a good idea to check properties that you expect to be false and inspect the counter-example to check that it corresponds to the computation that you expect. For example, you could check properties such as hash[10] ~= 101 (invariant stating that one can not assign value 101 to key 10) [][hash[10] = 101 => hash'[10] = 101]_vars (temporal property asserting that once key 10 has that value, it will never be assigned a different value) etc. I am sure that more could be done for visualizing and exploring state graphs. Stephan
