Comment by pjmlp
2 days ago
From my point of view, they cannot even prove that, because in most cases there is no validation if the TLA+ model actually maps to the e.g. C code that was written.
I only believe in formal methods where we always have a machine validated way from model to implementation.
Well Coq has program extraction built in.
Yeah and that's why it's way better than the likes of TLA+.
See Dafny
I know it, :)
preach