> On Thu, 2007-10-04 at 17:29 +0200, Andrej Bauer wrote:
>
>   
>> It is very easy to come up with preconditions that are computationally 
>> unverifiable.
>>     
> []
>   
>> Or to give you a much more simplistic example:
>>
>> fun find_zero (f: int -> int where not (forall n:int, f(n) != 0)) {
>>    int i = 0;
>>    while (f(i) != 0) { i++; }
>>    return i;
>> }
>>
>> How will you verify the precondition on f at runtime?  In this case I 
>> would expect the compiler to list all uses of find_zero applied to 
>> functions which are not known not have a zero. Let the human worry.
>>     
>
>   
What's the problem ? If you program with the above function and apply it
to a function f,
this means you know f will reach zero (otherwise your program will
loop). But if you know it,
this should mean that you can prove it from the definition of f ?

So the only reason to have today programming language that gives not
enough safety is because the cost
of the formal proof is still to big (by cost, I mean cost to write
proof, but also the cost of learning how
to write proof ...)

-- 

Christophe Raffalli
Universite de Savoie
Batiment Le Chablais, bureau 21
73376 Le Bourget-du-Lac Cedex

tel: (33) 4 79 75 81 03
fax: (33) 4 79 75 87 42
mail: Christophe.Raffalli@univ-savoie.fr
www: http://www.lama.univ-savoie.fr/~RAFFALLI
---------------------------------------------
IMPORTANT: this mail is signed using PGP/MIME
At least Enigmail/Mozilla, mutt or evolution 
can check this signature. The public key is
stored on www.keyserver.net
---------------------------------------------