Browse thread
Programming with correctness guarantees
[
Home
]
[ Index:
by date
|
by threads
]
[ Message by date: previous | next ] [ Message in thread: previous | next ] [ Thread: previous | next ]
[ Message by date: previous | next ] [ Message in thread: previous | next ] [ Thread: previous | next ]
| Date: | -- (:) |
| From: | Robert Fischer <robert@f...> |
| Subject: | Re: [Caml-list] Programming with correctness guarantees |
What, exactly, is the difference between a unit test and formal verification of an application? I've long been under the opinion that Design-by-Contract is just a way to write unit tests quickly -- after all, you write something that looks kinda like code, attach it to something we arbitrarily define as a "unit", run some framework on that, and the framework tells you if something violates those rules. This sounds like unit testing to me. Now, I could be wrong, and there could be something obvious I'm missing, and I'd like to know if there is -- but it just doesn't seem like there's anything like a clear line between unit tests and program verification. Given that there isn't, it seems like people writing verified code aren't really skipping the unit testing phase at all: they're just doing unit testing in a funny way. ~~ Robert Fischer. Fischer Venture Management Corporation On Thu, February 1, 2007 2:12 pm, Jean-Christophe Filliatre wrote: > > Joshua D. Guttman writes: > > oleg@pobox.com writes: > > > > > I remember reading somewhere that after a division of > > > Siemens applied this technique to a high assurance > > > project, they noted an exhilarating feeling of being > > > able to program without unit tests. The code was correct > > > by construction. > > > > This seems really frightening. > > There's a joke around in the formal methods community: ``would you > prefer to get on a plane whose software has been proved correct or > has been tested?'' > > More seriously, I heard a similar remark from a French company which > formally verified the embedded code of an automatic subway line (using > the B method). They explained that, after the verification had been > completed, the unit phase was not suppressed, but greatly reduced. > > -- > Jean-Christophe > > _______________________________________________ > Caml-list mailing list. Subscription management: > http://yquem.inria.fr/cgi-bin/mailman/listinfo/caml-list > Archives: http://caml.inria.fr > Beginner's list: http://groups.yahoo.com/group/ocaml_beginners > Bug reports: http://caml.inria.fr/bin/caml-bugs >