Make formal verification and provably correct software practical and mainstream

I really want to like this, but it really comes across as more of a wishful thinking project without a lot of experience or intuition about how to solve the very real problems that formal methods run into in this domain. Like, the design goals literally include &quot;verify <i>any</i> program&quot; [1], which is almost certainly impossible.<p>Important questions like how you implement the design pillars without running smack into the issue of decidability seem entirely ignored. They have a whole section on how &quot;this idea exists in an incentive no man&#x27;s land&quot; without seemingly being aware of the rich history of formal methods in low level programming, from Ada through Java through formal C through Rust itself. The common issues these encountered like decidability, holes in the formal model (which contributed to the downfall of the Java sandbox as a security boundary), and the combinatorial explosion inherent in verification tools are all huge looming questions that should at least be mentioned.<p>Maybe I&#x27;m being overly critical here and partial improvements are still improvements, but it&#x27;d be nice to see more moderate claims from authors tackling such an ambitious project.<p>[1] <a href="https:&#x2F;&#x2F;github.com&#x2F;magmide&#x2F;magmide&#x2F;blob&#x2F;main&#x2F;posts&#x2F;design-of-magmide.md" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;magmide&#x2F;magmide&#x2F;blob&#x2F;main&#x2F;posts&#x2F;design-of...</a>

<i>&quot;And all existing proof languages are hopelessly mired in the obtuse and unapproachable fog of research debt created by the culture of academia.&quot;</i><p>Yes. As I wrote 40 years ago:<p><i>&quot;There has been a certain mystique associated with verification. Verification is often viewed as either an academic curiosity or as a subject incomprehensible by mere programmers. It is neither. Verification is not easy, but then, neither is writing reliable computer programs. More than anything else, verifying a program requires that one have a very clear understanding of the program’s desired behavior. It is not verification that is hard to understand; verification is fundamentally simple. It is really understanding programs that can be hard.&quot;</i>[1]<p>What typically goes wrong is one or more of the following:<p>1) The verification statements are in a totally different syntax than the code.<p>2) The verification statements are in different files than the code.<p>3) The basic syntax and semantics of the verification statements are not checked by the regular compiler. In too many systems, it&#x27;s a comment to the compiler.<p>4) The verification toolchain and compile toolchain are completely separate.<p>None of this is theory. It&#x27;s all tooling and ergonomics.<p>Then, there&#x27;s<p>5) Too much gratuitous abstraction. The old version was &quot;everything is predicate calculus&quot;. The new version is &quot;everything is a type&quot; and &quot;everything is functional&quot;.<p>[1] <a href="http:&#x2F;&#x2F;www.animats.com&#x2F;papers&#x2F;verifier&#x2F;verifiermanual.pdf" rel="nofollow">http:&#x2F;&#x2F;www.animats.com&#x2F;papers&#x2F;verifier&#x2F;verifiermanual.pdf</a>

As the article mentions, formal verification techniques are primarily used today for two things:<p>- Creating secure &quot;core&quot; code -- library functions and kernels and stuff, where the things they&#x27;re supposed to do are very well-defined.<p>- Verifying specific, narrowly defined properties, like how Rust&#x27;s borrow checker guarantees that your program doesn&#x27;t try to write to the same value from two different threads at once.<p>I&#x27;m not sure formal techniques will be as useful when expanded to other areas. Most of the bugs I encounter day-to-day happen because the programmer had the wrong goal in mind -- if you asked them to create a formal proof that their code worked, they would be able to do that, but it would be a proof that their function did a thing which was not actually the thing we wanted. (Similarly to, e.g., unit tests that do not actually test anything because they&#x27;re just line-by-line reproductions of the original code but with every function call mocked out.)<p>Has anyone successfully applied proof techniques to reduce defects in UI development, &quot;business logic&quot;, or similarly fuzzy disciplines?

I am strongly inclined toward verifying my software to the extent possible but there are many practical challenges. I think academic formal verification methods look elegant, which appeals to me, but are extremely human intensive when what I really want to do is throw machines at the problem to the extent possible. There are also some important types of software correctness that are still difficult to capture with these methods, though the state-of-the-art has improved with time.<p>I&#x27;ve toyed with many methods, tools, techniques, and approaches to get a sense of where the ROI maxima is for my own purposes. In practice, I&#x27;ve found that sophisticated and comprehensive application of less elegant methods amenable to throwing hardware at them, like exhaustive functional testing, thorough fuzzing infrastructure, systematic fault injection coverage, various types of longevity testing, etc when done well often found all the same design flaws as a tractable level of more academic formal verification. Also easier to maintain as code evolves. Furthermore, these less elegant approaches also found the occasional compiler and hardware bug that more elegant formal verification methods typically do not.<p>I have wondered if developing and standardizing this less elegant tooling to a high level, so that it is easier to be lazy and throw hardware at the problem, would have at least as much impact on software quality as trying to get everyone to apply very academic formal verification methods, with their current limitations and theoretical constraints. As much as I like the concept of very pure formal verification, I lean toward whatever makes maximizing software quality practical and economic.

Outside of mission critical applications, if the cost involved to make software &quot;provably correct&quot; (time, salaries) is greater than the cost of the bugs, it will never be adopted.<p>Believe me, I see the appeal, but it&#x27;s kind of like demanding your house have all perfect right angles and completely level surfaces. Living with manageable imperfection is far more realistic.

Microsoft developed the excellent Code Contracts[1] project. From the user&#x27;s perpective, tt was a simple class called Contracts with a few methods such as Require(), Ensure() and Invariant()<p>Underneath the hood it used the Z3 Solver[2], which is both intuitive, flexible and fast. It validated the contracts while coding and highlighted in the Visual Studio IDE when a contract was broken.<p>You could write something like: Contracts.Requires(x &gt; 5 &amp;&amp; y &gt; x);<p>Which would get translated to a compile time check as well. Unfortunately, Code Contracts has been dead for years now, and it was even removed entirely from .NET[3] due to being hard to maintain, and the verifier stopped working in newer versions of VS.<p>Luckily, C# developers now have a small taste of contracts due to nullability analysis[4], but even more exciting is that contracts is making its way into C# as a first-level standard[5].<p>[1] <a href="https:&#x2F;&#x2F;www.microsoft.com&#x2F;en-us&#x2F;research&#x2F;project&#x2F;code-contracts&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.microsoft.com&#x2F;en-us&#x2F;research&#x2F;project&#x2F;code-contra...</a><p>[2] <a href="https:&#x2F;&#x2F;github.com&#x2F;Z3Prover&#x2F;z3" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;Z3Prover&#x2F;z3</a><p>[3] <a href="https:&#x2F;&#x2F;github.com&#x2F;dotnet&#x2F;runtime&#x2F;issues&#x2F;20006" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;dotnet&#x2F;runtime&#x2F;issues&#x2F;20006</a><p>[4] <a href="https:&#x2F;&#x2F;docs.microsoft.com&#x2F;en-us&#x2F;dotnet&#x2F;csharp&#x2F;nullable-references" rel="nofollow">https:&#x2F;&#x2F;docs.microsoft.com&#x2F;en-us&#x2F;dotnet&#x2F;csharp&#x2F;nullable-refe...</a><p>[5] <a href="https:&#x2F;&#x2F;github.com&#x2F;dotnet&#x2F;csharplang&#x2F;issues&#x2F;105" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;dotnet&#x2F;csharplang&#x2F;issues&#x2F;105</a>

While I laud the goals, I am skeptical of the ability to met them.<p>I very much believe that there is an industry-wide crisis of terrible software, but I don&#x27;t believe that it&#x27;s practical to go directly from &quot;garbage to gold.&quot; The path is long, and far from straight.<p>Best Practices are how engineering disciplines, throughout history, have achieved progress in Quality.<p>Currently, Best Practices aren&#x27;t really a &quot;thing,&quot; in software development, and it shows. People like Steve McConnell are not really respected, and a general culture of &quot;move fast and break things&quot; is still pervasive. Engineers flit around companies like mayflies, techniques and libraries come and go, and there&#x27;s an enormous reliance on dependencies with very little vetting. We spend so much time, trying to perfect our tools, without trying to perfect ourselves.<p>Academics and theorists have been proposing languages, libraries, infrastructure, and management practices that are designed to change lead into gold for decades, yet it never seems to happen.<p>I have always been a fan of self-Discipline, and the apprenticeship model. That requires a lot of social infrastructure that does not currently exist. It&#x27;s as old as human history, and absolutely proven to achieve results.<p><i>&quot;In theory, there is no difference between theory and practice; while in practice, there is.&quot; -Benjamin Brewster<p>&quot;It is not enough to do your best; you must know what to do, and THEN do your best.&quot; -W. Edwards Deming<p>&quot;The significant problems we face cannot be solved by the same level of thinking that created them.&quot; -Albert Einstein<p>&quot;Everyone thinks of changing the world, but not one thinks of changing himself.&quot; -Tolstoy</i><p><a href="https:&#x2F;&#x2F;xkcd.com&#x2F;2030&#x2F;" rel="nofollow">https:&#x2F;&#x2F;xkcd.com&#x2F;2030&#x2F;</a>

Formal verification needs machine readible formal specifications, but any kind of written specification, informal or not was pretty hard to find in my career at internet giants. Maybe you can get a formal spec in aerospace or FDA regulated implanted devices, but cost to write the spec, let alone to follow the spec is way too high when the spec needs to change at the whim of a hat.

One thing that will help drive adoption is the ability to run SMT solvers more quickly so the proof stage of your design&#x2F;build has a faster feedback loop.<p>I ran some experiments with the Z3 and alt-ergo solvers (verifying SPARK&#x2F;Ada code using GNATprove) on a base M1 Mini and it absolutely screamed, I’m not normally a Mac fan-boy but new chips like the M1 Ultra might have the possibility of driving a mini-renaissance in FV.<p>I’d like to see more attention being given to GPU accelerated SMT solvers too but haven’t seen much movement outside of a handful of research papers.

I&#x27;ve started watching Lamport&#x27;s TLA+ course in YT and it totally blew my mind.<p>What are other good resources in formal verification?

Been following the development of Dafny: <a href="https:&#x2F;&#x2F;www.microsoft.com&#x2F;en-us&#x2F;research&#x2F;project&#x2F;dafny-a-language-and-program-verifier-for-functional-correctness&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.microsoft.com&#x2F;en-us&#x2F;research&#x2F;project&#x2F;dafny-a-lan...</a>

“Complexity is the business we are in, and complexity is what limits us.”<p>Yet, just as Turski recognized, some people seem to be philosophically offended by this notion, and try to fight the proven limitations. They are under the impression that the world — and I’m not just talking about computing now — is essentially simple, and it the stupidity of people and institution that needlessly complicate it (or, in the case of software, “stupid” programming languages). If we apply careful mathematical reasoning, we could find solutions to anything.<p>Computer science is the very discipline that proved that essential complexity can arise even in the smallest of systems. Yet sometimes it is computer scientists and software developers who attempt to challenge the very foundation of their own discipline. Complexity is essential. It cannot be tamed, and there is no one big answer.<p>The quote is from excellent <a href="https:&#x2F;&#x2F;pron.github.io&#x2F;posts&#x2F;correctness-and-complexity" rel="nofollow">https:&#x2F;&#x2F;pron.github.io&#x2F;posts&#x2F;correctness-and-complexity</a> and it would be really good if the authors read it carefully first.

I think there is a project quite similar to this one called Verifiable Software Toolchain (VST) in which you can write a C program, convert it into a massive Coq expression, and then write theorems about that expression in Coq. The Software Foundations series has a volume about it [1], which I found to be an order of magnitude harder to understand than the other volumes.<p>It feels like the magmide project aims to the same goal as VST. It&#x27;s unclear how it will improve on what VST has done. It may just be that formal verification of real world languages is inherently complex.<p>[1] <a href="https:&#x2F;&#x2F;softwarefoundations.cis.upenn.edu&#x2F;vc-current&#x2F;index.html" rel="nofollow">https:&#x2F;&#x2F;softwarefoundations.cis.upenn.edu&#x2F;vc-current&#x2F;index.h...</a>

While this is a very ambitious goal, Nim implements formal proof for invariants using a theorem prover:<p><a href="https:&#x2F;&#x2F;nim-lang.org&#x2F;docs&#x2F;drnim.html" rel="nofollow">https:&#x2F;&#x2F;nim-lang.org&#x2F;docs&#x2F;drnim.html</a>

Do we have formal verification for formal verification yet? I want to make sure my verification does not have bugs.

<i>&gt; ...existing uses of Iris perform the proofs &quot;on the side&quot; using transcribed syntax tree versions of the target code rather than directly reading the original source.</i><p>I&#x27;m a formal verification dummy, so can someone please confirm if this means these uses of Iris are creating an Abstract Syntax Tree (AST) of the source, then operating upon that AST?<p>If so, can I please get an ELI5 why there is a salient formal verification outcomes difference between using the AST and &quot;directly reading the original source&quot;?

So this actually looks really neat if it works. <i>However,</i> hopefully in the spirit of constructive criticism, I would be very nervous about sticking this in big letters at the top of the introduction:<p>&gt; Software can literally be perfect<p>because that is a wonderful way to get people to invest in really robust, excellent, high-quality software - and then trust it blindly and ignore that even if everything goes well and the software is itself perfect, and the verification has no bugs, and the model that it perfectly implements actually maps the problem space correctly, it will still run on fallible hardware, interfacing with other software that is imperfect, taking direction and data from humans who can make mistakes. Now to the author&#x27;s credit! Further down, under &quot;Do you think this language will make all software perfectly secure?&quot; and &quot;Is logically verifying code even useful if that code relies on possibly faulty software&#x2F;hardware?&quot;, this is discussed. And I think the writer actually does appreciate the limits of what this can actually do, and I very much appreciate them explaining that in what I&#x27;d call clear terms. Just... maybe don&#x27;t headline with a claim like that when it has caveats and people are liable to read the claim and ignore the caveats?

Honestly, to me this project is a means seeking an end, the same way JS devs love to play around with frontend frameworks, the author saw a bunch of shiny powerful (highly complex) tools and decided that combining them all was the solution to our problems.<p>I don&#x27;t want to discourage them from learning Iris, or designing a dependently typed language, but I really think that&#x27;s missing the difficulty in formal verification.<p>I think the two areas that need focus are: ease of specification and automation. In short, we need to lower the cost of verifying a line of code, by at least an order of magnitude. These two objectives are also directly opposed to the direction Magmide sets as the goal. Ease of specification means we want to use the <i>least</i> amount of seperation logic possible, and hide it from the user if possible. Doing proofs &#x2F; writing specs in seperation logic <i>sucks</i> and not for interesting reasons. Automation means favoring simpler logics, specifically we want to stick as much as possible to FOL since that&#x27;s where we have good automation. By doing everything in a rich dependently typed language from the start it also makes it harder to do <i>incremental</i> verification, I think there is a lot of value in having a &#x27;pyramid of trust&#x27; with more and more powerful tools which take you up a level of trust and verification, potentially requiring more input from engineers as they go up.<p>Finally, I think there&#x27;s a lot of potential to explore in the interfaces we use to write, read, and debug proofs. I don&#x27;t think tactic languages (as exist today) are the last word, and I think we should be doing a lot more interesting things to interface with and explore the proofs.

Try the proof assistant Agda without installation directly in your browser:<p><a href="https:&#x2F;&#x2F;agdapad.quasicoherent.io&#x2F;" rel="nofollow">https:&#x2F;&#x2F;agdapad.quasicoherent.io&#x2F;</a><p>Or Lean: <a href="https:&#x2F;&#x2F;www.ma.imperial.ac.uk&#x2F;~buzzard&#x2F;xena&#x2F;natural_number_game&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.ma.imperial.ac.uk&#x2F;~buzzard&#x2F;xena&#x2F;natural_number_g...</a>

One of the approaches for formal program verification is to convert an unrestricted grammar G_1 into a context-sensitive grammar G_2 subject to some constraints C. We then derive a linear bounded automaton A_2 that accepts the language L(G_2). We then transform the input program i.e., a string S_1 in L(G_1) to a modified program i.e., a string S_2 in L(G_2). If A_2 halts on S_2 then A_1 halts on S_1. By definition, A_2 accepts S_2. Therefore, A_1 accepts S_1.<p>Of course, L(G_2) is a subset of L(G_1) which means that many programs written in G_1 that do not meet the constraints C cannot be verified. But the benefit is that programs that do meet the constraints C are provably verified.<p>The tension lies in keeping C small and maximizing utility of the approach for a wide class of programs&#x2F;libraries&#x2F;programming paradigms etc.,

This builds on the success of Rust, but Rust has not been a success when it comes to [number of engineers writing professional code in the language]. By that measure it&#x27;s still incredibly niche compared to interpreted languages.<p>The main reason why formal verification has not had even the success of Rust is that most developers (myself included) don&#x27;t know enough about the area to take an interest, and <i>certainly</i> don&#x27;t know enough about the area to pursuade skeptical managers.<p>Unless a big company comes forward with a bunch of case studies about how they used formal verification successfully I can&#x27;t see the developer mindset changing.

For functional stuff, sure, but I don&#x27;t think this is achievable within the UI domain. CSS rules have implementation details that change how you write it (some problems have workarounds), for example there&#x27;s a documented set of issues in flex implementations maintained here: <a href="https:&#x2F;&#x2F;github.com&#x2F;philipwalton&#x2F;flexbugs" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;philipwalton&#x2F;flexbugs</a><p>It might be practical and possible to become mainstream for some domains, but it&#x27;s doubtful for others. The most practical solution for UI is visual regression testing across browsers.

Is it even realistic to make a provably secure&#x2F;stable applications on an OS like windows or linux? This (provable correctness of programs, at the expense of performance) is one of the explicit design goals or urbit. I know HN hates urbit and don&#x27;t want to rehash that, but it seems like a good goal for some use cases and I&#x27;m not sure it&#x27;s possible to achieve without building the OS around it.

I applaud the research. Of course, those organizations creating and suffering from the most bugs will be the least able to utilize such a language.

I suspect that verifying software is a lot like the termination problem of Turing machines: the more useful properties you want to verify, the closer it is to NP completeness. So a practical verifier should limit its scope to a modest subset of software and settle on verifying sonething with a sufficient degree of confidence, which is lower than 100%.

I want to understand what is verification process? How would programming will take new step forward if this is achieved? I have been programmer for a while but I don&#x27;t understand context and discussion around verification. Please point me any useful resources which can give me deep understanding of what&#x27;s being discussed here.

I recently came across Ur&#x2F;web. It makes some promises that are quite attractive. One of the benefits of having a DSL rather than something general purpose is that it can make these promises in a more comprehensive and focused manner.<p>But despite being around for a while now it didn’t get adopted very widely.

Many engineers and teams are aware that they write bad code, and they love it. You can get very far as a clumsy code vendor. Even if formal verification was practical, it would be pretty difficult to make it mainstream.

You can prove that an algorithm is correct most of the time (yes, halting and decidability but for practical purposes you mostly can).<p>How do you prove an event driven application is correct?

Wow, the language here is even more optimisitc than the rosiest descriptions you see from young researchers, which prompted me to check if the author has had much experience deductively verifying interesting &quot;deep&quot; functional properties of non-trivial programs. The answer seems to be no.<p>Like a newcomer to the field, he focuses on &quot;first-day&quot; problems such as language convenience, but the answer to his question of why this hasn&#x27;t been done before is because that&#x27;s not the hard problem, something he&#x27;ll know once he obtains more experience.<p>One of the biggest issues — indeed, the problem separation logic tries to address, but does so successfully only for relatively simple properties — is that &quot;correctness&quot; does not feasibly (affordably) compose. The difficulty of proving the correctness of a program made out of components, each of which has already been proven correct for <i>any</i> desired property is not easier than proving the correctness of the program from scratch, without concern for its decomposition. I.e. proving the correctness of a program made of ten provably-correct 500-line components is no easier than proving the correctness of all 5000 lines at once. This has been shown to be the case not only in the theoretical worst case, but also in practice.<p>Here&#x27;s an example to make things concrete. Suppose we have the following (Java) method, calling some unknown, pure, `bar` method:<p><pre><code> long foo(long x) { if (x &lt;= 2 || (x &amp; 1) != 0) return 0; for (long i = x; i &gt; 0; i--) if (bar(i) &amp;&amp; bar(x - i)) return i; throw new Error(); } </code></pre> It is very easy to describe exactly under what conditions an error would be thrown. Similarly, it is easy to describe the operation of the following method, and prove that it performs its function correctly:<p><pre><code> boolean bar(long x) { for (long i = x - 1; i &gt;= 2; i--) for (long s = x; s &gt;= 0; s -= i) if (s == 0) return false; return true; } </code></pre> However, it is not easy to determine which inputs, if any, would cause foo to throw an error using that particular bar. In fact, we only happen to know that this particular question is extremely hard because it is one that has interested mathematicians for 300 years and remains unanswered.<p>While most verification tasks don&#x27;t neatly correspond to well-known mathematical problems, and most require far less than 300 years to figure out, this kind of difficulty is encountered by anyone who tries to deductively verify non-trivial programs for anything but very specific properties (such as &quot;there&#x27;s no memory corruption&quot;, which separation logic does help with). Various kinds of non-determinism, such as the result of concurrency or any kind of interaction, only makes the possible compositions more complex.<p>In short, the effort it takes to verify a program does not scale nicely with its size, even when it is neatly decomposed, and it is this practical affordability — which is not a result of the elegance of the tools used — that makes this subject so challenging (and interesting), and requires some humility and lowering of expectations even when it is useful (and it can be certainly useful when yielded properly and at the right scope).<p>Another problem is an incorrect model of how programs are constructed. One might think that if a programmer has written a program, then they must have some informal (but deductive) model of it in their mind, and all that&#x27;s missing is &quot;just&quot; formally specifying it. But that is not how programs are constructed over time when many people are involved. In practice, programmers often depend on <i>inductive</i> properties in their assumptions, such as &quot;if the software survived for many years, then local changes are unlikely to have global effects that aren&#x27;t caught by existing tests.&quot; Those assumptions are good enough for providing the (often sufficient) level of correctness we already reach, but insufficient for constructing software that can be formally specified, let alone deductively proven correct.<p>That is why much of the contemporary research focuses on less sound approaches, that aren&#x27;t fully deductive, such as concolic testing (e.g. Klee), that allow better scaling for both specification and verification at the cost of &quot;perfection&quot;.<p>The reason why both research and industry don&#x27;t all do what is proposed here is because they know that&#x27;s not where to real problems are. There are bigger issues to tackle before making the languages more beginner-friendly.

Can we formally verify the software cannot be used for evil?

I&#x27;ve been looking at writing a code generator, which spits out vectorized code for multi-way joins (kind of like &quot;dynamic programming&quot; to not suffer from being locked in a specific order of binary joins), with the additional complications of being for the incremental&#x2F;difference-based &quot;Differential Dataflow&quot;[0], the multi-temporal aspect DDFlow needs to handle it&#x27;s iterative&#x2F;fixpoint operator, and dynamically adjusting IO concurrency (the asymptotics of part of the &quot;dynamic programming&quot; index traversal suffer when squeezing concurrency out of it, as it&#x27;s pretty much cache prefetching).<p>It&#x27;s been about a year since I realized the impact of a JIT-like query compiler for these kinds of join-project queries, but needing to balance IOPS, vectorization, and likely even applying (vectorized) B-tree tactics within a 4k page, on top of the weirdness from multi-temporal (not just bi-temporal) delta-based records (~change-data-capture stream; needs to be integrated&#x2F;materialized to get a point-in-time view)... sounds like a recipe for logic bugs&#x2F;off-by-one errors.<p>They are already hard-to-impossible to notice if it&#x27;d be used in production, it being a code generator allows situations with only edge case queries having data-dependent edge case bugs, and the addition of dynamic&#x2F;adaptive IO concurrency makes reproducing&#x2F;debugging a detected error next to impossible.<p>I wouldn&#x27;t dare to trust the code generator I&#x27;d write, if not formally verified. Not because I don&#x27;t have faith in my skills, but because it&#x27;s extremely complex code that has to be fast and fall out of a JIT and it&#x27;s nature makes off-by-one errors in index access unusually likely. And debugging a known error might well be harder than formally verifying to find the bug.<p>[0]: <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=25867693" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=25867693</a> <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=27512224" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=27512224</a><p>TL;DR: There is code that would be useful if written, but is so complex and neigh-impossible to debug that formally verifying it might be easier than debugging it to &quot;production-grade&quot;. I hope this project makes that kind of approach practical for those engineers who could write the code and make it pass integration tests.