caml-list - the Caml user's mailing list
From: "Joshua D. Guttman" <guttman@mitre.org>
To: oleg@pobox.com
Cc: caml-list@inria.fr, Andrej.Bauer@fmf.uni-lj.si,
	guttman@mitre.org (Joshua D. Guttman)
Subject: Re: [Caml-list] Programming with correctness guarantees
Date: Thu, 01 Feb 2007 08:07:37 -0500
Message-ID: <nha8xfini06.fsf@oolong.mitre.org>
In-Reply-To: <20070201050431.E278AAB40@Adric.metnet.fnmoc.navy.mil> (oleg@pobox.com's message of "Wed, 31 Jan 2007 21:04:31 -0800 (PST)")

oleg@pobox.com writes:

>   I remember reading somewhere that after a division of
>   Siemens applied this technique to a high assurance
>   project, they noted an exhilarating feeling of being
>   able to program without unit tests. The code was correct
>   by construction.

This seems really frightening.  Don't the unit tests also
serve another purpose, namely to confirm that the formal
model of the software environment is correct?

That is, that all of the libraries you're linking against
(and the compiler itself) are behaving in a way that matches
the expectations you formalized?

As well as a concrete confirmation that the formalized ideas
match correctly against what you really wanted in specific
instances:  the formal insight of human beings is imperfect.
(:-) 

I hope that the words "exhilarating feeling" were meant to
indicate that they didn't really do this, but had the
impression that they could *almost* do so.  

You don't want to lose contact with the real world
constraints when programming in a formally supported way.

I suppose that this doesn't really have much to do with
OCaml; apologies.  

        Joshua 


-- 
	Joshua D. Guttman 
	The MITRE Corporation
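The point made above, that unit tests check whether the formal model of the environment matches the real libraries and types, can be made concrete. The following is an added example in Python, not code from the message or from the list; all function names are mine. It is a small insertion sort whose correctness argument assumes that `<=` is a total order on the element type. That assumption is part of the formal model, not of the code, and a unit test over real inputs (IEEE floats including NaN, constructed here) shows the model does not hold at runtime even though the code is "correct by construction" relative to the model.

```python
import math
from typing import List, Tuple

# Hypothetical "verified" code: the proof sketch in each docstring is valid
# only under the modelling assumption that `<=` is a total order.

def insert(x: float, sorted_xs: List[float]) -> List[float]:
    """Insert x into an already sorted list, keeping it sorted.

    Proof sketch (assumes `<=` is a total order): every element before the
    insertion point is < x, every element after it is >= x, so the result
    is sorted and is a permutation of sorted_xs + [x].
    """
    for i, y in enumerate(sorted_xs):
        if x <= y:
            return sorted_xs[:i] + [x] + sorted_xs[i:]
    return sorted_xs + [x]


def insertion_sort(xs: List[float]) -> List[float]:
    """Sort by repeated insertion; by induction on xs the result is sorted
    (again only under the total-order assumption)."""
    out: List[float] = []
    for x in xs:
        out = insert(x, out)
    return out


def is_sorted(xs: List[float]) -> bool:
    """The postcondition the proof establishes: adjacent elements are ordered."""
    return all(a <= b for a, b in zip(xs, xs[1:]))


# The unit test that Guttman's message argues for: it does not re-prove the
# algorithm, it checks that the environment behaves as the model assumed.

def total_order_violations(samples: List[float]) -> List[Tuple]:
    """Return every violation of reflexivity (a <= a) and totality
    (a <= b or b <= a) that `<=` exhibits on the given sample values."""
    violations: List[Tuple] = []
    for a in samples:
        if not (a <= a):
            violations.append(("reflexivity", a))
        for b in samples:
            if not (a <= b or b <= a):
                violations.append(("totality", a, b))
    return violations


def environment_model_holds(samples: List[float]) -> bool:
    """True when the sampled values satisfy the total-order model."""
    return total_order_violations(samples) == []


if __name__ == "__main__":
    # Constructed sample inputs: ordinary floats, then floats with NaN.
    plain = [3.0, 1.0, 2.0]
    with_nan = [1.0, math.nan]
    print(insertion_sort(plain), is_sorted(insertion_sort(plain)))
    # The proved postcondition fails on real IEEE data: [1.0, nan] is not
    # "sorted" because 1.0 <= nan is False.
    print(insertion_sort(with_nan), is_sorted(insertion_sort(with_nan)))
    # The environment check names the broken assumption rather than the symptom.
    print(environment_model_holds(plain), total_order_violations(with_nan))
```

The second check is the interesting one: the sort is never wrong with respect to its proof, but the proof's model of `<=` is wrong for the type it is actually instantiated at, and only a test that exercises the real runtime finds that out.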

