From: dewar@cs.nyu.edu (Robert Dewar)
Subject: Re: Problems with proofs
Date: 1995/04/20
Date: 1995-04-20T00:00:00+00:00 [thread overview]
Message-ID: <dewar.798390176@gnat> (raw)
In-Reply-To: cppD7BMEw.2ts@netcom.com
><< I would guess Robin has not actually had experience in proving
>correctness of programs from his comments, since they seem more like
>guesses as to what might be involved in the process (if I am wrong
> Robin, correct me!) >>
You ascribed this to Steve, you are mixed up! It was me (Robert) who asked
this, but in fact this note makes the answer pretty clear. I am beginning
to understand your style. You make pronouncements on things you don't know
much about in an attempt to provoke people into explaining them to you! OK
I'm happy to play that game, once I understand it :-) :-) Anyway, please
be assured this has nothing to do with liking you or not liking you. I don't
even know you (for all I know you are a Turing test teletype doing a
truly brilliant job :-)
><< Nope [to that proofs are based on what appears relevant to a
>human being to prove], proofs are based on formal specifications of
>the task at hand. >>
>So, it's not human beings who decide what belongs in the formal
>specifications?
Sure, at some level this is true, but once the specification is constructed,
it is no longer subject to human interpretation, and this is exactly what
we mean by a formal spec, one whose semantics are mathematically specified,
by some appropriate formalism, e.g. a reasonably powerful example would be
first order predicate theory plus set theory.
><< This [that there is no proof that the proof is equivalent to the
>code] is based on a misconception, a proof of correctness, if is is
>any use at all, must have a formal relationship to the code. >>
>
>Please define the term "formal" as you are using it here.
Again formal means that we have a formal specification as described above
of both the language in which we write, and of the problem, and the formal
relationship between the two is a proof that the program conforms to the
specification.
><< Proofs of correctness must be machine verified to be accepted. >>
>Please define the term "verified" as you are using it here.
Proof verifiers are a very old technology, some early examples exist from
the early 60's and maybe even late 50's. A proof verifier is simply a
program (which had better be verified itself), that checks a proof to make
sure that you have not goofed, i.e. it simulates a VERY accurate high school
math teacher looking at your proofs on an exam. The technology of these
verifiers has been studied for years, and there are many products both
academic and commercial.
><< Interfaces to components are part of the axiomatic structure of
>proven components, and on one side you prove that a component
>properly handles uses that conform to its interface, and on the
>other, you prove that the use by a client conforms to this
>interface. >>
>
>This sounds reasonable, and what I expected, too. However, I'm told that
>valid input parameter ranges are often specified arbitrarily. Invalid
>input is the user's (engineer's) lookout. Have I been misinformed? Is it
>generally more comprehensive?
Sometimes yes, sometimes no, obviously if you are interfacing to the
external world, you may simply have to start with a set of hopefully
correct axioms about the behavior of the external world (here is a good
place to build in your empirical safety factors if your information is
imperfect).
><< I have no idea what you mean by random error. >>
>Cosmic rays, accidents, etc.
From a formal point of view, these are simply hardware errors. Mathematics
does not care whether things have gone wrong because of acts of God, or
because of manufacturing defects, leave that up to lawyers!
><< I think you have an idea that a program that is proved correct
>is guaranteed to work. >>
>A mind reader you're not.
And still many of your comments seen disappointed that proof of correctness
turns out only to be proof of conformance to (possibly incorrect)
specifications.
>Hmmm, I may have to change my mind about the utility of the halting
>problem. Implementing code that exactly conforms to its
>specifications sounds like the halting problem to me.
I hope it is clear from my previous note that while it is trivially true
that the conformance problem is equivalent to the halting problem, this is
irrelevant. There is nothing that says that you can't prove that a given
Turing machine halts, just that you can't do this in general. Similarly,
we can't prove correctness in general, but we can do it in specific cases,
which is what we are interested in.
Robert (not Steve)
(some of your quotes were indeed not from me, I did not answer them!)
next prev parent reply other threads:[~1995-04-20 0:00 UTC|newest]
Thread overview: 75+ messages / expand[flat|nested] mbox.gz Atom feed top
1995-03-17 0:24 Should internet support software be written in Ada? Bill Brooks
1995-03-17 8:47 ` Anthony Shipman
1995-03-19 22:06 ` David Weller
1995-03-23 15:05 ` Theodore Dennison
1995-03-24 10:26 ` Fred J. McCall
1995-03-27 9:50 ` Robb Nebbe
1995-03-27 19:43 ` State machines and Goto's (was Re: Should internet support software be written in Ada?) Robert I. Eachus
1995-03-27 23:14 ` Arthur Evans Jr
1995-03-29 0:00 ` Dan
1995-04-01 0:00 ` Mike White
1995-04-04 0:00 ` Robert Dewar
1995-04-06 0:00 ` Theodore Dennison
1995-04-06 0:00 ` Norman H. Cohen
1995-04-07 0:00 ` Tucker Taft
1995-04-07 0:00 ` Robert Dewar
1995-04-07 0:00 ` Mike White
[not found] ` <3ma7rt$smt@kaiwan009.kaiwan.com>
[not found] ` <dewar.797514490@gnat>
[not found] ` <3meunj$66u@felix.seas.gwu.edu>
1995-04-20 0:00 ` CS teachers who can't code their way outta a paper bag Richard A. O'Keefe
1995-03-27 14:24 ` Should internet support software be written in Ada? Theodore Dennison
1995-03-28 0:00 ` Robert Dewar
1995-03-28 9:32 ` Fred J. McCall
1995-03-29 0:00 ` Theodore Dennison
1995-03-29 0:00 ` Robert I. Eachus
1995-03-31 0:00 ` Theodore Dennison
1995-04-05 0:00 ` Wes Groleau
1995-04-07 0:00 ` State machines and Goto's (was Re: Should internet support software be written in Ada?) Wes Groleau
1995-04-07 0:00 ` Robert Firth
[not found] ` <D6qyv0.6Jv@nntpa.cb.att.com>
1995-04-19 0:00 ` Fergus Henderson
1995-04-19 0:00 ` Fred J. McCall
1995-04-19 0:00 ` George Haddad
1995-04-20 0:00 ` Bill Winn
1995-04-20 0:00 ` Robert Dewar
1995-04-20 0:00 ` State machines and Goto's (was Re: Sho Brian Hanson
1995-04-20 0:00 ` State machines and Goto's (was Re: Should internet support software be written in Ada?) Mark A Biggar
1995-03-22 23:08 ` Should internet support software be written in Ada? Keith Thompson
[not found] ` <dewar.798207931@gnat>
[not found] ` <cppD78ywq.B31@netcom.com>
[not found] ` <dewar.798240702@gnat>
1995-04-19 0:00 ` Problems with proofs Brian Harvey
1995-04-19 0:00 ` Robert Dewar
1995-04-20 0:00 ` Robin Rowe
1995-04-20 0:00 ` Steve Tate
1995-04-20 0:00 ` Apology to Steve Robin Rowe
1995-04-20 0:00 ` Problems with proofs Robert Dewar
1995-04-20 0:00 ` Robert Dewar [this message]
1995-04-21 0:00 ` Robin Rowe
1995-04-21 0:00 ` Robert Dewar
1995-04-21 0:00 ` Larry Kahn
1995-04-20 0:00 ` Robin Rowe
[not found] ` <3n1fsv$lgd@butch.lmsc.lockheed.com>
1995-04-20 0:00 ` Robin Rowe
1995-04-20 0:00 ` Garlington KE
[not found] ` <3mrv7h$3mq@larry.rice.edu>
[not found] ` <3msnu4$6am@kaiwan009.kaiwan.com>
[not found] ` <KUBEK.95Apr18213646@insage.gerii.insa-tlse.fr>
[not found] ` <cppD792GC.1uI@netcom.com>
1995-04-20 0:00 ` Teaching OO/C++ Philip Machanick
[not found] ` <3me1qs$n4a@theopolis.orl.mmc.com>
[not found] ` <3mevmu$8an@felix.seas.gwu.edu>
[not found] ` <3mh75i$8eu@rational.rational.com>
[not found] ` <3mjihr$iqq@felix.seas.gwu.edu>
[not found] ` <3mp20f$80t@kaiwan009.kaiwan.com>
1995-04-20 0:00 ` Academic CS Losers? Phillip Fanous
1995-04-21 0:00 ` Bill Winn
[not found] ` <dewar.798093453@gnat>
1995-04-20 0:00 ` What good is halting prob? Max Hailperin
[not found] ` <cppD75t6F.47M@netcom.com>
[not found] ` <EACHUS.95Apr17172831@spectre.mitre.org>
[not found] ` <cppD77Ex6.E77@netcom.com>
[not found] ` <3mve9b$gaj@news.cais.com>
1995-04-18 0:00 ` Jay M Martin
1995-04-19 0:00 ` Steve Tate
1995-04-20 0:00 ` Jay M Martin
1995-04-21 0:00 ` Steve Tate
1995-04-21 0:00 ` Ray Toal
[not found] ` <cppD7880n.32B@netcom.com>
1995-04-19 0:00 ` Randolph Crawford
1995-04-19 0:00 ` Robert Dewar
1995-04-20 0:00 ` Robin Rowe
1995-04-20 0:00 ` Robert Dewar
1995-04-20 0:00 ` Robin Rowe
1995-04-21 0:00 ` Brian Hanson
1995-04-21 0:00 ` sxc
[not found] ` <dewar.798172270@gnat>
[not found] ` <cppD786FM.1u9@netcom.com>
[not found] ` <dewar.798207364@gnat>
[not found] ` <cppD78xMv.49w@netcom.com>
1995-04-19 0:00 ` Robb Nebbe
[not found] ` <3n0ka7$b57@hermes.unt.edu>
[not found] ` <dewar.798232482@gnat>
1995-04-19 0:00 ` Mark A Biggar
1995-04-19 0:00 ` Steve Tate
1995-04-19 0:00 ` Robert Dewar
1995-04-19 0:00 ` Mark A Biggar
1995-04-19 0:00 ` Richard Ladd Kirkham
1995-04-19 0:00 ` Robert Dewar
1995-04-20 0:00 ` Richard Ladd Kirkham
1995-04-20 0:00 ` Robert Dewar
1995-04-21 0:00 ` Mark A Biggar
1995-04-21 0:00 ` Robert I. Eachus
1995-04-21 0:00 ` Robert Dewar
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox