For instance, I can mathematically prove that 4195835 / 3145727 > 1.3338. However, I know of certain Pentium processors that would disagree with me. If I try to prove that the following bit of C code prints out "Hello World":

if (4195835.0 / 3145727.0 > 1.3338)I might be a bit surprised when it deletes my hard drive instead ;)

printf("Hello World\n");

else

system("rm -rf /");

1 bunny + 1 bunny = 2 bunnies, right? Well it depends on their sexes. It's possible that in a given time period, 1 bunny + 1 bunny might equal 5 bunnies. As I joked in a previous blog post, "All models are wrong. Some models are useful."

I really think this same thing applies to proving programs. Donald Knuth famously said, "Beware of bugs in the above code; I have only proved it correct, not tried it."

## 2 comments:

Weary of their validity, or weary of their utility?

For any consistent proof, there is a category of sets of fundamental axioms such that if any one element of the set does not hold, the hypothesis is not implied by the proof. I don't think this is interesting at all - any sort of modelling makes its assumptions, and if any result in computer science needed to state that on real hardware, alpha radiation or magnetic interference or insufficient power supply may impact the result, anything useful would quickly be drowned out by irrelevant details.

Proofs are useful because the assumptions made can be quite obvious. From the perspective of a VM implementer, it is a feature to be able to say "there is no input which results in a violation of memory safety or some capability security property". More importantly, it is *awesome* to be able to use that proof machinery to show that your JIT compiler preserves these properties, because they are very easy to break within a compiler.

If it were more common for such critical architecture (I don't think anyone suggests it for the bulk of applications software, even in the fire & medical sectors where I've worked - easier just to use a safe language and hope nothing goes wrong), the malware industry would be close to dead, as would a broad class of system-level bugs.

BTW, off the top of my head, I can only think of two serious vulnerabilities in the last twenty years due directly to implementation details of commodity hardware. Most of it has been bugs in software written in unsafe languages.

verte, thank you for your excellent response. You've reminded me about fundamental axioms (which I should not have forgotten considering my degree is in math). You've also helped me clarify my thoughts on this subject.

I'm weary of the validity of proving programs, hence I'm also weary of its utility. (Although I do agree that symbol manipulation, for instance during refactoring, is a useful way of thinking.) Part of the problem is that it's so difficult for me to trust in the axioms.

For instance, the law of associativity says that "a + (b + c) = (a + b) + c". You can prove higher order things because you can rely on the law of associativity. However, the law of associativity does not hold for either integers (because of overflow) or floats (because of roundoff error).

My buddy used to say that you can't have a useful logical system without the law of identity which says that a thing equals itself. However, in Python, it's perfectly valid to define __equals__ to always return False. Similarly, in SQL NULL does not equal NULL.

I remember reading in a book recently where one of the authors of Haskell wanted to prove something about a certain class of functions. What he was proving seemed very valid from a math perspective, but I could think of certain hand-crafted "naughty" functions that would violate his "theorem".

Let me summarize. Every theorem must rely on the theorems and axioms below it. I have a difficult time accepting with certainty axioms at any level. It's unfortunate that I think it's all too possible for something to not act in the way it was proven to act.

Post a Comment