upvote

points

by specvsimpl17 hours ago |
comments
upvoteby AlotOfReading16 hours ago|
[-]
I don't know why you created a new account for this, but take the textbook example of a nontrivial formally verified system: SeL4. That implementation was 8.7k of C code, which correspondend to 15k lines of Isabelle that ultimately needed 100k+ lines of proof to satisfy. And that was with the formal model excluding lots of important properties like hardware failure that actual systems deal with.
reply
upvoteby auggierose12 hours ago|
parent|
next
[-]
You are confusing the proof with the spec/theorem. A correct proof and a valid proof are the same thing. It doesn't really matter how long the proof is, and you don't even need to understand it for it to be correct, the machine can check that.

But indeed, if the spec includes 8.7k of C code, that is problematic. If you cannot look at the theorem and see that it is what you mean, that is a problem. That is why abstraction is so important; your ultimate spec should not include C-code, that is just too low-level.

reply
upvoteby AlotOfReading7 hours ago|
parent|
[-]
I'm not confusing them. That's why I gave each of the numbers for SeL4 separately.

Knowing whether those theorems are the right theorems for the problem can be as difficult as understanding the implementation itself. Hence the example of SeL4 where the number of theorems exceeds lines of code in the original implementation and the formal model is large.

It's my experience that most people doing formal methods have seen cases where they actually proved something slightly different than what they intended to. This usually involves an unintentional assumption that isn't generally true.

reply
upvoteby auggierose6 hours ago|
parent|
[-]
I think you have been confusing them. Two theorems are the same if they have the same statement (spec). A proof is not a theorem, nobody cares about when two proofs are the same or not.
reply
upvoteby xpe7 hours ago|
parent|
prev|
[-]
> I don't know why you created a new account for this

What value does this add to the conversation? I’m not seeing it: am I missing something? It comes across as a kind of insult.

They made a good point in my opinion! (The “Uhm no” part got it off on the wrong foot, I will admit.) But even if you felt annoyed or didn’t agree with the point, it was substantive and moved the conversation forward. I’m here for the (genuine) questions and (constructive) debate and (civil) pushback.

I like to welcome new users before they take too much of a beating. That can come later when they are too invested to leave and/or when morale needs improving.

So welcome! Bring a helmet, and don’t stop disagreeing.

reply