Program verification is not all-or-nothing| lawrencecpaulson.github.io
This week I reached a milestone in my most useless side project so far. I finished writing a tic-tac-toe game in Lean 4, along with proofs to guarantee that the game behaves correctly! It “only” took me 20 hours, 1000 lines of code and endless suffering… Totally worth it, as you might expect. Chances are you haven’t heard about Lean before, so I’ll share more details below. But first, let’s have an overview of this article’s contents, since it ended up quite long:| Adolfo Ochagavía
Sharing is Scaring: Why is Cloud File-Sharing Hard?| blog.brownplt.org
Everybody Loves My Baby is a Jazz Standard from 1924 with the famous lyric: Everybody loves my baby, but my baby don’t love nobody but me. Which is often formalized as: \begin{align} \text{Axiom}_1. & \quad \forall x.\ \text{Loves}(x, \text{Baby}) \\ \text{Axiom}_2. & \quad \forall x.\ \text{Loves}(\text{Baby}, x) \implies x = \text{me} \end{align} Let’s prove in Haskell (in one line) that these two statements, taken together, imply that I am my own baby.| in Code
Cloud databases face a fundamental challenge: how to remain available and durable under node failures? Modern cloud databases approach this by separating two concerns that used to be tightly coupled: compute and storage. The database engine becomes stateless, while the write-ahead log gets replicated across multiple nodes to guarantee durability. If a database server dies, another one can pick up exactly where it left off by reading from the replicated log.| Benjamin Hilprecht
Asymmetry of verification is the idea that some tasks are much easier to verify than to solve. With reinforcement learning (RL) that finally works in a general sense, asymmetry of verification is becoming one of the most important ideas in AI. Understanding asymmetry of verification th| Jason Wei
I’ve worked on binary verification tooling for a while.| Hey There Buddo!
In the 1950s and 1960s, there was an explosion of innovation in programming languages. Programmers went from programming in assembly language and machine code to writing programs in higher-level, portable languages. Pioneers like John Backus, Jean Sammet, and Grace Hopper had the foresight to see what is now common knowledge: software is at the core of technology, and improving the speed and cost of software development would accelerate the rise of computing, and the rise of the world’s economy.| kiro.dev
Permission is granted to copy, distribute and/or modify this| harmony.cs.cornell.edu
The program consists of 80-minute lectures.| www.cs.uoregon.edu
Writing the most useless Lean tactic ever| unnamed.website
Here I’ll talk about a type of TLA⁺ contract I’ve worked on a few times, and why it didn’t work out as well as hoped. I’m not trying to torpedo other people’s contracts here - I just hope to share this experience so others can structure their TLA⁺ contracts differently, hopefully leading to greater success for both parties and industry usage of TLA⁺ as a whole. The proposal The contract proposal goes like this: a client wants to build a distributed system, and has read that TL...| Andrew Helwer
Something I’ve been seeking for a while is a notion of a “refinement e-graph”.| Hey There Buddo!
It seems to me that telescopes https://ncatlab.org/nlab/show/type+telescope , the dependently typed notion of context, is more central to the topic of dependent types than the dependent types are.| Hey There Buddo!
100 years of Zermelo’s| research.mietek.io
Author: Igor Konnov| Protocols Made Fun
There has never been a better time to learn formal specification.| buttondown.com
Amazon Web Services (AWS) strives to deliver reliable services that customers can trust completely. This requires maintaining the highest standards of security, durability, integrity, and availability—with systems correctness serving as the cornerstone for achieving these priorities. An April 2015 article published in Communications of the ACM, titled “How Amazon Web Services Uses Formal Methods,” highlighted the approach for ensuring the correctness of critical services that have since...| cacm.acm.org
Formal verification has long been the gold standard for uncovering subtle bugs in distributed system design [1]. While AI has already proven its ability to accelerate verification processes [2], recent breakthroughs suggest a far more transformative potential: AI can now autonomously generate accurate formal specifications directly from very large production codebases. This capability marks a pivotal moment in software engineering, pointing toward a future where AI-driven correctness verifica...| Cheng Huang’s corner
TLDR. Types are basically sets. Why not Python sets?| Hey There Buddo!
How to test for leap years (until year 102499) in the proleptic Gregorian calendar with just three 32-bit instructions, with detailed explanation of the bit-level tricks.| hueffner.de
The 2025 TLA⁺ Community Event was held last week on May 4th at McMaster University in Hamilton, Ontario, Canada. It was a satellite event to ETAPS 2025, which I also attended, and plan to write about in the near future. I gave a talk somewhat-hucksterishly titled It’s never been easier to write TLA⁺ tooling! which I will spin into a general account of the state of TLA⁺ development here. The conference talks were all recorded, so if you’d like this blog post in video form you can wat...| Andrew Helwer
Should the temporal logic of actions also do performance modeling?| emptysqua.re
In a recent post, I talked about a proof of concept tool to verify estimates automatically. Since that post, I have overhauled the tool twice: first to turn it into a rudimentary proof assistant th…| What's new
The TLA+ Foundation, in collaboration with NVIDIA, is pleased to announce the GenAI-accelerated TLA+ challenge—an open call for submissions that explore the intersection of TLA+ and generative AI. This initiative aims to foster practical and innovative tooling, workflows, and approaches that bring the capabilities of generative AI and LLMs to TLA+. Participants are invited to develop engineering-oriented solutions that advance the usability, accessibility, and automation of formal specifica...| TLA+ Foundation
In my previous blog post, I showed how we can solve a puzzle in the IDP-Z3 reasoning engine.| simonvandevelde.be
Controlling Nondeterminism in Model-Based Tests with Prophecy Variables| concerningquality.com
Author: Igor Konnov| Protocols Made Fun
Author: Igor Konnov| Protocols Made Fun
Although it isn’t usually taught that way, a lot of TLA⁺ newcomers develop the understanding that TLA⁺ is just a fancy domain-specific language (DSL) for breadth-first search. If you want to model all possible executions of a concurrent system - so the thinking goes - all you have to do is define: The set of variables modeling your system The values of those variables in the initial state(s) Possible actions changing those variables to generate successor states Safety invariants you wan...| Andrew Helwer
Authors: Denis Kolegov (Matter Labs), Igor Konnov| Protocols Made Fun
Optimizations for Amazon's Graviton2 chip boost efficiency, and formal verification shortens development time.| Amazon Science
I’ve been working on Knuckledragger, my Z3 based semi-automated python proof assistant, on and off for 6 months (or arguably five years). I’ve realized I’ve done a bunch of stuff and despite writing often, not written the slightest bit about much of it.| Hey There Buddo!
I’ve been reading Alex Petrov’s Database Internals to learn more about how databases are implemented. One of the topics covered in the book is a data structure known as the B-tree. Rela…| Surfing Complexity
Last year a client asked me to solve a problem: they wanted to be able to compose two large TLA+ specs as part of a larger system. Normally you’re not supposed to do this and instead write one large spec with both systems hardcoded in, but these specs were enormous and had many internal invariants of their own. They needed a way to develop the two specs independently and then integrate them with minimal overhead.| Hillel Wayne
Z3 can be used for proofs. The input language isn’t anywhere near as powerful as interactive theorem provers like Coq, Isabelle, or Agda, but you can ask Z3 to prove pretty interesting things. Although the theorems that follow aren’t hard in interactive theorem provers, stating or proving them there would require more than complete-novice skills.| Hey There Buddo!
This blog post details an example of how to use our hax toolchain for verifying the security of cryptographic protocol implementations written in Rust.| cryspen.com
This post is an answer to Jesper Cockx's article "1001 Representations of Syntax with Binding", so you can read it first (but this is not re...| Askar Safin
My main project is to create an executable spec of the Intel Architecture but, every now and then, I get to take a broader look at ISA specifications and think about the strengths and weaknesses of other ISA specs: what makes them work well; and what techniques they could borrow from other specifications. Earlier this month, someone asked me for my thoughts on the RISC-V specification and I thought that it would be useful to share what I found out.| alastairreid.github.io
Proofcraft part of DARPA's PROVERS program to reduce reliance on experts| Proofcraft
I’ve recently done a lot of work in Alloy and it’s got me thinking about a common specification pitfall. Everything in the main post applies to all formal specifications, everything in dropdowns is for experienced Alloy users. Consider a simple model of a dependency tree. We have a set of top-level dependencies for our program, which have their own dependencies, etc. We can model it this way in Alloy:| Hillel Wayne
Last weekend I wanted to get some inspiration to write some TLA+ spec and I got my hands back on the paper Time, Clocks, and the Ordering of Events...| blog.fponzi.me
In this blog post we discuss function contracts, which are now available as an unstable feature, enabled with the -Zfunction-contracts flag. If you would like to learn more about the development and implementation details of this feature, please refer to the RFC. If you try out this new feature and want to leave feedback, join the discussion in the feature tracking issue.| Kani Rust Verifier Blog
This is just a way of thinking about formal specification that I find really useful. The terms originally come from Michael Jackson’s Software Requirements and Specifications. In specification, the machine is the part of the system you have direct control over and the world is all the parts that you don’t. Take a simple transfer spec: ---- MODULE transfer ---- EXTENDS TLC, Integers CONSTANTS People, Money, NumTransfers (* --algorithm transfer variables acct \in [People -> Money]; define \...| Hillel Wayne
A Beginner's Companion to Theorem Proving in Lean 4| emallson.net
Distributing the Great Backyard Bird Count| bytes.zone
More than just a first impression| Cheng Huang’s corner
Checking my assumptions about syncable data structures| bytes.zone
Compiling a Test Suite| concerningquality.com