LLMs vs. Formal Verification: The Reality Gap in TLA+ System Modeling

Core Summary

This report evaluates the efficacy of Large Language Models (LLMs) in generating TLA+ formal specifications, revealing a significant “logic gap” when transitioning from simple syntax to the complex state spaces of real-world distributed systems.

• ▶ Syntax vs. Semantics: LLMs excel at generating syntactically correct TLA+ snippets but fail catastrophically in maintaining logical consistency required for rigorous verification via the TLC model checker.
• ▶ Data Scarcity Bottleneck: The niche nature of TLA+ compared to mainstream languages like Python limits the training signal, leading to frequent “logical hallucinations” when modeling non-trivial protocols.
• ▶ Co-pilot, Not Architect: LLMs currently function best as boilerplate generators rather than autonomous system architects; their output remains a liability without human-in-the-loop auditing.

Bagua Insight

At 「Bagua Intelligence」, we view TLA+ modeling as the ultimate stress test for “System 2” reasoning in AI. The fundamental tension lies between the probabilistic nature of LLMs and the deterministic rigor required for formal verification. This study underscores that while LLMs are proficient at mimicking the style of formal logic, they lack the grounding to navigate complex concurrency. For mission-critical infrastructure, the “Stochastic Parrot” effect is a feature, not a bug, but in the world of formal methods, it is a fatal flaw. We are seeing the limits of pattern matching in the face of combinatorial state explosions.

Actionable Advice

For engineering teams integrating AI into their verification workflows: 1. Implement a Verification Loop: Treat LLM-generated specs as raw drafts. Use the TLC model checker to generate error traces and feed them back into the LLM for iterative refinement. 2. Augment with RAG: Use Retrieval-Augmented Generation to inject TLA+ standard modules and design patterns into the prompt to mitigate syntax drift. 3. Focus on Boilerplate: Leverage LLMs for the tedious aspects of TLA+ (like defining state variables and basic transitions) while reserving the core safety and liveness invariants for expert human definition.