TLA+ Formal Verification

Discussions center on TLA+ as a formal specification language, its practical usefulness for verifying system designs especially in distributed systems, user experiences, limitations, and comparisons to tools like Coq, TLC, and PlusCal.

➡️ Stable 0.9x Programming Languages

1,857

Comments

Years Active

Top Authors

#9071

Topic ID

Activity Over Time

2009

2012

2013

2014

2015

2016

125

2017

183

2018

134

2019

278

2020

228

2021

167

2022

137

2023

117

2024

158

2025

217

2026

Top Contributors

pron (300) hwayne (98) agentultra (53) nickpsecurity (35) ahelwer (34)

Keywords

e.g AWS youtube.com UNIX FAQ Z3 TLC ycombinator.com azurewebsites.net FWIW tla checker specification model formal proof coq language formally verification

Sample Comments

dahfizz • Jun 3, 2020 • View on HN

TLA+ is basically an academic tool. It allows you to verify your specification, but it is useless to detect bugs in your implementation. In my experience, the process of writing your specification in TLA is a buggy enough process to make it all a waste of time.

timClicks • Jan 22, 2018 • View on HN

Does anyone have any experience regarding TLA+. Does it make formal verification at least slightly less painful?

naringas • Oct 11, 2019 • View on HN

how does this relate to tools like TLA+? coq?

ahelwer • Oct 30, 2017 • View on HN

TLA+ is a specification language, not a verification language. There is currently no way of establishing correspondence between a TLA+ spec and the code you (presumably) write to implement that spec. There are benefits to this, like using TLA+ to spec the difficult parts of your system without having to buy the whole formal verification farm.

dqpb • Apr 14, 2019 • View on HN

Can someone who has learned TLA+ comment on how useful it is has been for you?

csb6 • Sep 28, 2022 • View on HN

The FAQ [0] clarifies some of what TLA+ is good for[0] https://learntla.com/intro/faq.html

codepie • Feb 3, 2022 • View on HN

TLA+ is mentioned a lot here and many people point out how it's practically infeasible to use it in real world systems. Just curious, is there any alternative to write specifications which are more closer to common programming languages and can be used by an average programmer to formally prove correctness?

polyglotfacto2 • Oct 24, 2025 • View on HN

Use TLA+ (which I thought they did)

pron • Apr 28, 2017 • View on HN

TLA+ is not a model checker. It is a specification and proof language. However, it has verification tools that include a model checker (TLC) and a mechanical proof system (TLAPS), both support a large and useful subset of the language. There are also other TLA+ model checkers under development or already available with some effort. In many ways it is more similar to Coq and Isabelle than to Alloy. For one, it has proof of relative completeness: anything that can be proven about a system, can be

ahelwer • Aug 6, 2015 • View on HN

TLA+ is a formal specification language, not a model checker. There exists a model checker called TLC which works with TLA+. There also exists an associated proof system called TLAPS; TLAPS has been used to formally prove correctness of Byzantine Paxos.