Newsgroups: comp.lang.misc Path: utzoo!utgpu!watserv1!watmath!tolstoy.waterloo.edu!mhcoffin From: mhcoffin@tolstoy.waterloo.edu (Michael Coffin) Subject: Re: Formal definitions (Re: ada-c++ productivity) Message-ID: <1991Apr11.161347.26513@watmath.waterloo.edu> Sender: news@watmath.waterloo.edu (News Owner) Organization: University of Waterloo References: <1726@optima.cs.arizona.edu> Date: Thu, 11 Apr 1991 16:13:47 GMT Lines: 43 In article <1726@optima.cs.arizona.edu> gudeman@cs.arizona.edu (David Gudeman) writes: >Can anyone who thinks it is useful to "prove" programs correct provide >me with an explanation of exactly what the proof accomplishes? What >do you know after the proof that you didn't know before the proof? >Before you answer, consider this: the process of deriving a >mathematical proof is every bit as prone to errors as is the process >of writing a computer program. If I prove a program correct I have a high degree of confidence that the program will work. If I both prove it and test it my confidence is extremely high. Even then I'm not *certain* that it will work. I don't "know" anything after the proof than I knew before, but then I don't after testing either. This is especially true of parallel programs, where nondeterminism makes it notoriously difficult to find errors by testing. After testing I suppose I might be said to "know" at least that the program works on the test input, but even there I might make a mistake about what the output should be. Deriving a mathematical proof is error prone, but deriving a proof *and* a program is certainly less prone to error than just writing a program. >Also consider that when you have written a program, you can test it to >get some level of confidence that it works. When you have written a >proof, the only way to "test" it is to let others read it and try to >find problems with it. (Note that "testing" a proof is not the same >as "testing" a theorem. You can test a theorem by looking for >multiple proofs, and by looking for contradictions.) Why do you set proofs against testing? Why not do whichever is appropriate, or do both? For code that counts the lines in a file, testing is fine. For a distributed program that flys an airplane or monitors my vital signs, both testing and proof are appropriate. Also, I don't understand the parenthetical comment. You *can* test a proof by independently deriving another. (The resulting proof may or may not be different.) And you *can* test a proof by looking for counterexamples. What are you getting at here? Michael Coffin mhcoffin@watmsg.waterloo.edu Dept. of Computer Science office: (519) 885-1211 University of Waterloo home: (519) 725-5516 Waterloo, Ontario, Canada N2L 3G1