Feedback on De Millo et al Paper
Hypotheses:
De Millo, Lipton and Perlis advance many hypotheses, but there is
one major one which is:
Mathematical proof involves an essential social process,
but such social processes are impossible in formal
verifications because of their huge size and
uninteresting nature.
Evidence:
The authors advance informal arguments based on their experience
of mathematics and formal verification. They exhibit one short
example of a conjecture from formal verification to illustrate
their claim about its lack of simplicity.
Most of you identified this hypothesis and the evidence
for it, although many of you broke it into smaller chunks and
added some of the subsidiary hypotheses. Many of you accepted the
argument uncritically, so I'll focus below on some of the
criticisms that you might have made. I'll also point up some of
the more common errors made in the critiques.
Possible Criticisms:
Although you should always review these papers from the viewpoint
of their times, it is also useful to look ahead at some of the
developments since then, since these may help identify gaps or
errors. Currently, we can see that formal verification has had
some significant successes. For instance, model checking, which is
logic-based, black-box proof of the kind that the authors thought
would be useless, is in widespread use, especially for
hardware verification. Also, we have tactic-based, interactive
theorem provers and proofs of properties, such as exception
freedom, which stop short of full functional verification. These
all suggest some possible gaps. On the other hand, we now know
that the paper caused a huge controversy and was influential in
the way that formal verification developed. Their prediction was
correct in that full functional correctness of complete,
industrial-strength programs has never become routine.
* It could be (and has been) argued that a full, logical proof
was the ideal, even for mathematicians, but that its
unattainability for non-trivial proofs, at least without a
computer, had led to the development of the social process as an
imperfect substitute. This would turn the authors' argument on its
head. Since they rehearsed their argument to hostile audiences
before publication, they would certainly have heard this
counter-argument, so it is surprising that they do not even
discuss it, let alone argue against it.
* It is crucial to their argument that formal verification proofs
defy readability. However, with the aid of tactic-based provers,
long proofs can be chunked, with long, routine passages hidden
from the reader. By doing this hierarchically, even very long
proofs can be abstracted to resemble human proofs. Also, such a
high-level proof account can sometimes be unpacked in different
ways, e.g. one way to verify the original program and another
way to verify a modified version. Thus, there is reason to
believe that verifying a modified program is easier than
verifying the original, in contradiction to the claim at the
bottom of p278.
* Their argument refers to full, functional proofs, i.e. that a
program's outputs have some mathematical relation to its
inputs. However, it is possible to prove simpler properties with
correspondingly simpler proofs. For instance, exception freedom
proofs ensure that a program will not produce a runtime error and
just stop, even if they produce the wrong output or
behaviour. Such proofs are important, for instance, for
fly-buy-wire aircraft. These proofs may be more understandable.
* Similarly, formal verification can be applied, not to the whole
of a program, but to some part that is especially critical,
e.g. for safety or security reasons. This also simplifies the
verification proof.
* They point out, correctly, that a verifier is much more likely to
fail than to succeed. However, they fail to mention that such
verification failures can be accompanied by a counter-example,
that can then be used to locate a bug. Model-checkers, for
instance, are mostly used in this way to find bugs, rather than
to prove correctness. Finding bugs is useful even if the failed,
partial proof is totally opaque.
* Their Fig 1 is a straw man. I've never known a formal
verification expert draw this analogy. They all use the analogy
in Fig 2, which the authors claim, incorrectly, as a novel
contribution.
Common Errors:
* Informal argument, perhaps appealing to analysis of case
studies, is a common and legitimate form of evidence for a
hypothesis. Sometimes it is the only kind of evidence that can be
feasibly provided. Of course, it is especially prone to error, so
care must be taken to consider all counter-arguments and
non-supporting case studies.
* "One step ahead of the pack" is a poor summary of the originality
of this work, which was novel and not subsequently duplicated. In
fact, none of the summaries offered in the ERA drop-down menu is
appropriate. [This is one of the many deficiencies of ERA. Is any
MSc student interested in improving it for their project?]
* This paper does not really describe a new problem as much as
advance a hypothesis. Nor is it a literature survey in the normal
understanding of that term.