From owner-freebsd-chat Sat May 15 9:33:56 1999 Delivered-To: freebsd-chat@freebsd.org Received: from peach.ocn.ne.jp (peach.ocn.ne.jp [210.145.254.87]) by hub.freebsd.org (Postfix) with ESMTP id C3C4A15027; Sat, 15 May 1999 09:33:52 -0700 (PDT) (envelope-from dcs@newsguy.com) Received: from newsguy.com by peach.ocn.ne.jp (8.9.1a/OCN) id BAA28238; Sun, 16 May 1999 01:33:47 +0900 (JST) Message-ID: <373DA158.62F01B6B@newsguy.com> Date: Sun, 16 May 1999 01:31:20 +0900 From: "Daniel C. Sobral" X-Mailer: Mozilla 4.51 [en] (Win98; I) X-Accept-Language: pt-BR,ja MIME-Version: 1.0 To: Dag-Erling Smorgrav Cc: chat@FreeBSD.ORG, Wes Peters , hackers@FreeBSD.ORG Subject: Formal methods References: <199905131530.LAA04222@etinc.com> <373CB22B.4843BD45@softweyr.com> <19990515014823.A82329@catkin.nothing-going-on.org> <373D5F5C.4D19831F@newsguy.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-Transfer-Encoding: 7bit Sender: owner-freebsd-chat@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Dag-Erling Smorgrav wrote: > [invariants, pre-conditions, post-conditions] > > As long as programs are written by humans, making human assumptions, > humans will be required to document their assumptions. Such as in modern structured languages. :-) (No, Perl and Python do not qualify! :) Anyway, SPIN does not avoid this, just make it more practical. > One other problem is proof of termination. A computerized proof system > may be able to prove termination of simple loops and some cases of > recursion, but anything more than that gets dangerously close to the > halting problem, which is unsolvable by a deterministic computer. Ghod > knows termination is hard enough to prove for humans... But one can use progress states to determine liveness properties, instead of proving termination. This is a much easier proof, and all that is really needed in most cases. That does not cover all cases, to be sure, and still requires you to know what you are doing, but does not make it unpractical. Finally, there are the partial exaustive searches. A partial exaustive search can cover much more states than a full exaustive search, as it can be restricted to as little as one or two bits of storage for each state. While they do not result in proofs, they do, in practice, find out the bugs. :-) -- Daniel C. Sobral (8-DCS) dcs@newsguy.com dcs@freebsd.org "Proof of Trotsky's farsightedness is that _none_ of his predictions have come true yet." To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-chat" in the body of the message