Decades ago I headed a project to build a proof of correctness system.[1] It was for a rather dialect of Pascal for real-time engine control programs. Some of the comments I made back then still apply.
- Assertions belong in the program source, and in the same syntax as the language of the program. They're mostly written by the people writing the code. The proof of correctness work can and should be integrated with development.
- Most, but not all, of the theorem proving can be automated with what's now called a "SAT solver". We had the original Oppen-Nelson simplifier for that.
- Sometimes you need more theorem proving power than a SAT solver. We used the original Boyer-Moore theorem prover for that. It's automatic, but you can help it by suggesting intermediate theorems.
- To tie complex theorems to concrete code, programmers should write
assert(a);
assert(b);
where a can be proved from the code above by the SAT solver, and b is what you need to prove constraints on the following code. Now you have to prove a implies b. That's when you need a more interactive prover, or one with more power. a implies b should be a statement that stands alone, without reference to other code. This allows turning the problem over to the people who are into theorem proving, while the programmers can get on with coding.
- Many of the people involved in program verification are heavily into the formalism, rather than seeing this as a way to eliminate bugs. This leads to excessive formalism. That tendency has to be restrained.
Was that project a success? Was it used in practice? Was the effort justified by any usages?
The repository readme doesn't seem to go into that.
Animats•8mo ago
It was used a little, but the actual code that shipped in the engine controller was not written in Pascal-F, because the compiler generated inefficient code.
MaxBarraclough•8mo ago
> Assertions belong in the program source, and in the same syntax as the language of the program. They're mostly written by the people writing the code. The proof of correctness work can and should be integrated with development.
SPARK Ada takes this approach, what do you make of it?
Animats•8mo ago
Looking around for examples. Google can't find anything non-trivial. Do you know of something I can look at?
MaxBarraclough•8mo ago
Perhaps the Ironclad kernel [0] and SPARKNaCl? [1]
Here's a search of the Alire packages for 'spark' [2].
Merely using SPARK doesn't mean full formal verification of all correctness properties, as SPARK can be used at different 'assurance levels' from stone (no real formal verification but you restrict yourself to the SPARK subset of Ada) to platinum (full verification). [3]
Animats•8mo ago
Decades ago I headed a project to build a proof of correctness system.[1] It was for a rather dialect of Pascal for real-time engine control programs. Some of the comments I made back then still apply.
- Assertions belong in the program source, and in the same syntax as the language of the program. They're mostly written by the people writing the code. The proof of correctness work can and should be integrated with development.
- Most, but not all, of the theorem proving can be automated with what's now called a "SAT solver". We had the original Oppen-Nelson simplifier for that.
- Sometimes you need more theorem proving power than a SAT solver. We used the original Boyer-Moore theorem prover for that. It's automatic, but you can help it by suggesting intermediate theorems.
- To tie complex theorems to concrete code, programmers should write
where a can be proved from the code above by the SAT solver, and b is what you need to prove constraints on the following code. Now you have to prove a implies b. That's when you need a more interactive prover, or one with more power. a implies b should be a statement that stands alone, without reference to other code. This allows turning the problem over to the people who are into theorem proving, while the programmers can get on with coding.- Many of the people involved in program verification are heavily into the formalism, rather than seeing this as a way to eliminate bugs. This leads to excessive formalism. That tendency has to be restrained.
[1] https://github.com/John-Nagle/pasv
staunton•8mo ago
The repository readme doesn't seem to go into that.
Animats•8mo ago
MaxBarraclough•8mo ago
SPARK Ada takes this approach, what do you make of it?
Animats•8mo ago
MaxBarraclough•8mo ago
Here's a search of the Alire packages for 'spark' [2].
Merely using SPARK doesn't mean full formal verification of all correctness properties, as SPARK can be used at different 'assurance levels' from stone (no real formal verification but you restrict yourself to the SPARK subset of Ada) to platinum (full verification). [3]
[0] https://ironclad-os.org/
[1] https://github.com/rod-chapman/SPARKNaCl
[2] https://alire.ada.dev/search/?q=spark
[3] https://docs.adacore.com/spark2014-docs/html/ug/en/usage_sce...