|
|
|
|
|
|
by pjmlp
168 days ago
|
|
|
From my point of view, they cannot even prove that, because in most cases there is no validation if the TLA+ model actually maps to the e.g. C code that was written. I only believe in formal methods where we always have a machine validated way from model to implementation. |
|
|