| ▲ | youknownothing 4 hours ago | |||||||||||||||||||||||||
I'll probably get a lot of hate mail for this but here goes nothing... Despite what many people like to claim, you cannot prove that a program has no bugs. That means proving the absence of bugs, and you cannot prove a negative. The best thing you can do is fail to find a bug, but that doesn't mean it isn't there. Before everyone starts blabbing about formal verification, etc., consider this: how do you know that you didn't make a mistake in your formal verification? IOW, how do you know your formal verification is bug-free? Answer: you don't. Or if you try to formally verify your formal verification then you're just translating the problem to a new layer. It's just a chain of proofs that is always ultimately based on an unproven one, which invalidates the whole chain. You can get asymptotically close to zero-bug proof, but you can never get there 100% of the way. | ||||||||||||||||||||||||||
| ▲ | Paracompact 3 hours ago | parent | next [-] | |||||||||||||||||||||||||
Formal methods practitioner here. > That means proving the absence of bugs, and you cannot prove a negative. The best thing you can do is fail to find a bug, but that doesn't mean it isn't there. You can conclusively (up my next point) prove a specific bug or class of bugs aren't there. But "entirely free of (all) bugs" is indeed a big misconception for what formal methods does. > how do you know your formal verification is bug-free? Answer: you don't. Or if you try to formally verify your formal verification then you're just translating the problem to a new layer. It's just a chain of proofs that is always ultimately based on an unproven one, which invalidates the whole chain. It's another misconception of formal methods to say that any result is established conclusively, without any caveats whatsoever. But then again neither is mathematics, or any other intellectual discipline. What formal methods does is reduce the surface area where mistakes could reasonably be expected to reside. Trusting the Rocq kernel, or a highly scrutinized model of computation and language semantics, is much easier than trusting the totality of random unannotated code residing in the foggiest depths of your average C compiler, for instance. | ||||||||||||||||||||||||||
| ▲ | thatguysaguy 4 hours ago | parent | prev | next [-] | |||||||||||||||||||||||||
What is up with people saying you cannot prove a negative? Of course you can! (At least in formal settings) For example it's extremely easy to prove there is no square with diagonals of different lengths. I'm the hard end, Andrew Wiles proved Fermat's Last Theorem which expresses a negative. That's just a nit though, you're right about the infinite regress problem. | ||||||||||||||||||||||||||
| ||||||||||||||||||||||||||
| ▲ | lmm 3 hours ago | parent | prev | next [-] | |||||||||||||||||||||||||
> That means proving the absence of bugs, and you cannot prove a negative. You can prove that the program implements a specification correctly. That doesn't require proving a negative, but it does prove the absence of bugs. (I think you know this argument is weak, since your next paragraph is a complete non-sequitur) > Or if you try to formally verify your formal verification then you're just translating the problem to a new layer. It's just a chain of proofs that is always ultimately based on an unproven one, which invalidates the whole chain. All proofs ultimately rest on axioms. That's normal and not really an argument unless you want to doubt everything, in which case what's the point in ever saying anything? | ||||||||||||||||||||||||||
| ▲ | zitterbewegung 4 hours ago | parent | prev | next [-] | |||||||||||||||||||||||||
The better look at this is not to prove that you have no bugs is that to prove that a program conforms to a specification that Lean can verify. Even with the addition of two numbers the execution of a program can be wrong if the CPU has a fault or if the runtime of the program has a bug. I think you just need to look at why formal verification exists. | ||||||||||||||||||||||||||
| ▲ | _alternator_ 4 hours ago | parent | prev | next [-] | |||||||||||||||||||||||||
This comment conflates a number of ideas that obscures its own epistemological point. For example, yes, you can prove a negative (for instance, you can prove there is no largest integer). The question of who validates the validator is real, but the abstraction of "formal verification" does serve a purpose, like any good mathematical or programming abstraction. Whole classes of bugs are removed; what's left to verify is usually much shorter. | ||||||||||||||||||||||||||
| ▲ | yjftsjthsd-h 43 minutes ago | parent | prev | next [-] | |||||||||||||||||||||||||
Even if all your claims are true (which I'm not 100% sold on but bear with me)... who cares? Sure, it won't get literally 100% of the way, but if we can get to a place where the only bugs in software are in the spec, in the proof assistants, and in weird hardware bugs, that would be an enormous win! | ||||||||||||||||||||||||||
| ▲ | kvuj 3 hours ago | parent | prev | next [-] | |||||||||||||||||||||||||
This feels like a thought exercise rather than an argument. By your logic, it's impossible to prove that a car is driving at 60mph. There could be an error in the speedometer which makes it impossible to verify that said car is going at the speed. You can get asymptomatically close to being sure that you're driving at 60 mph but you can never be 100% sure. This is useless and serves no purpose. | ||||||||||||||||||||||||||
| ||||||||||||||||||||||||||
| ▲ | aaronblohowiak 4 hours ago | parent | prev [-] | |||||||||||||||||||||||||
I disagree but the constraints required to get there are probably untenable for most practical applications, so in practice I agree. | ||||||||||||||||||||||||||