From mboxrd@z Thu Jan  1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me
X-Spam-Level: 
X-Spam-Status: No, score=-1.3 required=5.0 tests=BAYES_00,INVALID_MSGID
	autolearn=no autolearn_force=no version=3.4.4
X-Google-Language: ENGLISH,ASCII-7-bit
X-Google-Thread: 103376,42427d0d1bf647b1
X-Google-Attributes: gid103376,public
From: bobduff@world.std.com (Robert A Duff)
Subject: Re: Ada Core Technologies and Ada95 Standards
Date: 1996/04/02
Message-ID: <Dp95rA.E64@world.std.com>#1/1
X-Deja-AN: 145482093
references: <00001a73+00002c20@msn.com> <dewar.828415807@schonberg>
 <3160EFBF.BF9@lfwc.lockheed.com> <828475321.18492@assen.demon.co.uk>
organization: The World Public Access UNIX, Brookline, MA
newsgroups: comp.lang.ada
Date: 1996-04-02T00:00:00+00:00
List-Id: <comp.lang.ada>

In article <828475321.18492@assen.demon.co.uk>,
John McCabe <john@assen.demon.co.uk> wrote:
>As I said before, if I can't prove my software meets all of its
>requirements, my customer will not accept it.

I think different people are using the word "prove" differently.
Clearly, no set of tests can "prove" beyond a doubt that every
combination of inputs is handled correctly, given a moderate-to-complex
program.  I you disagree with that, then I think you're deeply confused.
On the other hand, it is possible to enumerate classes of inputs, and
"prove" (beyond a "reasonable" doubt?) that each such class is handled
correctly.  And it's perfectly reasonable to complain about some
particular test suite, that it doesn't cover a whole class of inputs
that one thinks it ought to.

I suggest that we all use "prove" in a more mathematical sense -- which
rules out any proof by testing.  Even in the mathematical sense, one has
to worry about whether the "proof" is truly correct.

- Bob