|
|
|
|
|
|
by zozbot234
1714 days ago
|
|
|
> tl;dr TLA+ is a lot more practical if you care about bug-free software TLA+ is not generally used for end-to-end checking of actual program code, unlike Coq. Usually you build a simplified "toy" model in TLA+ of some architecture of interest, then use model checking to try and refute some claimed properties of that model. If the model checker finds a refutation of some property, then yes, that's a verified bug in your toy model. If it fails to find one, that's not a proof of correctness other than in very special cases where a property can be checked finitely. So yes, model checking is helpful in some cases, but it's not a generally useful tool. And there are ways to do the same things in general proof assistants, e.g. by interfacing them with external SMT tools. The TLA language in itself is also unproblematic, it simply adds modalities for time, state and non-determinism to ordinary logic, and there are well-known ways to convert ("embed") those features to a form that a proof assistant can work with. |
|
|
To my knowledge, TLA+ is never used for checking program code. At least, I've never heard of anyone doing it.
> model checking is helpful in some cases, but it's not a generally useful tool
I strongly disagree. Spending time trying to "prove" in Coq an incorrect, flawed specification is an insane waste of time. A model checker can show you the problems in (literally) seconds.
Consider Raft, for instance, which was formally verified in Coq. You know what they did first? Write a TLA+ model, and then model check that until they got the design right. Trying to start in Coq (with an incorrect design) would not have been smart.
Model checkers are extremely useful tools.
----
Going further, the TLA+ spec of Raft is less that 500 lines.
The Coq proof of TLA+ is ~50,000 lines. It resulted in a verified implementation that to the best of my knowledge, no one uses in production.
It's a nice achievement, but in terms of usefulness? TLA+ has Coq beat by a country mile.