Formal Methods: Just Good Engineering Practice? (2024)

211 点作者 aiono4 个月前

20 条评论

Formal verification of software, as the article acknowledges, relies heavily on the type of software and the development process.To use formal verification you need to have formal requirements of the behavior of your software. Most software projects and design philosophies are simply incompatible with this.In software development and design can often fall together, but that means that it is uniquely ill suited for formal methods. If you are developing, before you are sure what you even want, then formal methods do not apply.But I agree that there are certain areas, mostly smaller, safety critical, systems, which rely on upfront specifications, which can heavily benefit from formal verification. E.g. Aerospace software relies heavily on verification.

评论 #42657553 未加载

评论 #42657137 未加载

评论 #42658693 未加载

评论 #42657489 未加载

评论 #42656764 未加载

评论 #42665099 未加载

评论 #42660381 未加载

评论 #42659362 未加载

评论 #42664565 未加载

评论 #42658746 未加载

评论 #42658372 未加载

评论 #42658945 未加载

评论 #42658441 未加载

评论 #42657926 未加载

评论 #42661534 未加载

评论 #42662690 未加载

commandlinefan4 个月前

I see this line of reasoning about formal methods a lot: software is big and complicated and hard to get right... therefore formal methods.On the one hand, I _want_ this to be true both for selfish and practical reasons: selfishly because I'm very very good at learning things that require an academic learning approach (read a book, work some exercises, practice) and if something I'm good at is important, that means more money for me. Practically because they're right, software _is_ big and complicated and hard to get right and as a practitioner, it's really frustrating when it does fail and I'm scrambling to figure out why.On the other hand, though, nobody ever seems to make a compelling case for how formal methods proposes to solve that problem. This author actually does better than most by pointing out how most modern "design" is a waste of time but doesn't really go into why TLA, say, is better than (demonstrably mostly useless) UML. There's sort of an implied suggestion that if you dedicate a few months (or years?) to learning TLA, you'll reach enlightenment and understand how it's helpful in a way that's impossible to articulate to the unenlightened. And that's not impossible to imagine! Calculus and Bayesian statistics are kind of like that; you need to really understand them before you can really see why they're useful.I always find myself left applying what I call "project manager" logic - I need to make a snap decision right now about whether or not I should invest time in this "formal method" stuff or not so I have to be observational: if it was really that helpful, more people would be applying it and the benefits would speak for themselves. They've been around a long, long time, though, and never caught on - it's hard not to conclude that there's probably a reason.

评论 #42657184 未加载

评论 #42657139 未加载

评论 #42657256 未加载

评论 #42658488 未加载

评论 #42663078 未加载

评论 #42665016 未加载

评论 #42659081 未加载

synchronousq4 个月前

I just want to note, there exist two main flavors of formal methods: extrinsic techniques, which are disjoint from the code itself and generally reason about the specifications of code, and intrinsic techniques, which are inline with the code itself and reason about the code more directly. Historically, intrinsic techniques (such as type systems) reason about code at a functional level, while extrinsic techniques (such as decidable model checkers like Spin/P) reason about a model of the code, ascribed to formalism like an automata. But imo we're currently in a complete golden age of formal methods research, and extrinsic techniques are falling out of flavor in comparison to intrinsic methods as pushed by type system advancements and projects like Verus [1].[1] <a href="https://github.com/verus-lang/verus">https://github.com/verus-lang/verus</a>

评论 #42660783 未加载

评论 #42658229 未加载

jcgrillo4 个月前

The lightweight formal methods callout is a good one. Maintaining a suite of proptest[1] strategies alongside the codebase is not a very much larger investment than writing unit tests by hand, but the insights they provide due to extensive coverage and compact understandable failure cases are way better. And crucially this approach does align with normal software development practices.[1] <a href="https://crates.io/crates/proptest" rel="nofollow">https://crates.io/crates/proptest</a>

评论 #42658066 未加载

评论 #42657218 未加载

IshKebab4 个月前

IMO formal software verification is still waaay too difficult to be worth it in all but the most extreme cases. That's really different to formal hardware verification where it is a no-brainer.I keep trying to learn it, but you need to be a real expert. Like "I wrote the compiler" level expert for most systems.For example I tried to prove a varint encoder/decoder. It worked for one or two bytes, but not more. Asking for help the reason was that the compiler internally only unrolls loops 5 times, or some random internal detail like that that you could never really hope to know.I've been learning Lean recently, and ... I mean I like it, but if you learn it you're going to encounter documentation like this:> Definitional equality includes η-equivalence of functions and single-constructor inductive types. That is, fun x => f x is definitionally equal to f, and S.mk x.f1 x.f2 is definitionally equal to x, if S is a structure with fields f1 and f2. It also features proof irrelevance, so any two proofs of the same proposition are definitionally equal. It is reflexive, symmetric, and a congruence.And that's not really a knock on Lean - it seems to have some of the better documentation out of the alternatives.

评论 #42729266 未加载

评论 #42668526 未加载

charleshn4 个月前

On lightweight formal methods, a favorite of mine that's not widely known is trace verification using Linear Temporal Logic [0].Basically you just need to log events - which you can even have for free in event-driven architectures etc - and run some predicates on execution traces, e.g. "Always(Locked, Implies(Eventually(Unlocked)))", etc.One can run it on historical traces, but also couple it to stress tests, fuzzing etc to explore the state space.Quite simple, powerful and widely applicable, and doesn't require a model, just predicates.[0] <a href="https://en.m.wikipedia.org/wiki/Linear_temporal_logic" rel="nofollow">https://en.m.wikipedia.org/wiki/Linear_temporal_logic</a>

评论 #42662184 未加载

ot4 个月前

Previous discussion (Jun 2024): <a href="https://news.ycombinator.com/item?id=40753989">https://news.ycombinator.com/item?id=40753989</a>

评论 #42671149 未加载

评论 #42656682 未加载

franktankbank4 个月前

Too slow, planning==ossification any documentation can and will be used against you in the Agile court of law.

评论 #42657703 未加载

thefaux4 个月前

Most of the articles I've read about formal methods feel like lead gen for consultants. That's fine but feels obnoxious when they implicitly act as though they have reached formal methods induced enlightenment that you can too if you buy a pack of trainings for your employees/coworkers or hire me as an employee to fix your bad (irresponsibly dangerous even!) programming habits.Get back to me when the formal methods actually generate high quality code that cannot deviate from the spec.

评论 #42657648 未加载

评论 #42657970 未加载

jayaprabhakar4 个月前

One issue with the current proponents of formal methods is, they want to claim others who don't use formal methods as "lazy" or "dumb" and want to claim their superiority because they "do the right thing" and "mastered a complex language".Some of them (not all, I know a few good ones) are, actually one trick pony. For example, ask them about other formal methods systems they learnt or tried in the recent years, they would claim they are "too busy" to learn anything new.Recent easier to use formal methods: 1. FizzBee (Uses Python dialect, almost reads like pseudo code) 2. Quint: Another formal language with easier to use syntax 3. P: Use syntax similar to C# users.The author of the posted article himself posted another article that Formal methods solves only half his problems (<a href="https://brooker.co.za/blog/2022/06/02/formal.html" rel="nofollow">https://brooker.co.za/blog/2022/06/02/formal.html</a>) But the problem he mentioned is actually solved by PRISM (It is not new). But Brooker just won'd bother to look around or learn.

AnimalMuppet4 个月前

Good engineering practice is to use the appropriate level of rigor. It depends on what the cost of failure is, and what the cost of the rigor is.

jgalt2124 个月前

If a TLA+ transpiler could emit Python, Javascript, Java, C, Rust, C++, Go (even just one of these), it would be infinitely more usable in that it helps you cross the gap from "I know my TLA+ is correct" to "I know my Go is correct".Or as a baby step, does TLA+ emit comprehensive test cases? Then we as programmers still have to do the hand transpilation step, but at least we can be assured our implementation is correct (if not efficient).

trending4864 个月前

Modern formal methods like TLA+ and Alloy are as easy to pick up as Python, and other than having to write a spec (an ultra-simplified model of part of a system) they are completely automatic (based on model checkers). There is no reason for a modern software engineer not to have them on her radar. As a matter of fact most of the cloud systems you are using everyday have been verified with modern formal tools: Azure Cosmos DB, Dynamo DB, MongoDB, CockroachDB, ... and many others.

评论 #42658447 未加载

评论 #42660817 未加载

评论 #42729310 未加载

brap4 个月前

I’m not super experienced with formal verification, but I did dip my toes in it a few times.My impression is that it’s far from a magic bullet. Writing formal specs is basically like writing the code/tests just differently. And the more it covers the more it becomes the same thing. And it suffers from the same problems.My conclusion every time was that the code itself is the formal spec and the formal spec is the code.By analogy with construction, the code is both the building and the blueprint.

评论 #42660245 未加载

评论 #42657953 未加载

markusde4 个月前

I'd recommend anyone with a passing interest in the role formal techniques can play in software development watch this [1] talk. Mike Dodds is a principal scientist at Galois (a company which has a lot of experience with applying formal methods in industry and government) and the talk does a good job at explaining where they've seen value-added from formal methods, and the right kind of formal methods for different applications.[1]: <a href="https://www.youtube.com/watch?v=gfvvowAc130" rel="nofollow">https://www.youtube.com/watch?v=gfvvowAc130</a>

nimish4 个月前

Formal methods work great when the price of failure is absolute. Mostly pointless otherwise but can be a good exercise I guess.

评论 #42658400 未加载

评论 #42659134 未加载

UltraSane4 个月前

AWS has said that when software has a robust set of formal verification tests they can be very aggressive when optimizing it and be confident that they aren't changing its behavior. They say they were able to optimize their IAM authentication code by over 50% this way.

noelwelsh4 个月前

I would guess a majority of developers use formal methods these days. We just tend to call them type systems, and for some reason consider them a distinct category. If simulations count as formal methods, then tests, and particularly property-based testing, also make the cut.

Animats4 个月前

The article is thin on specifics.Some problems specify well. A database is an example. A spec for a database can be written in terms of exhaustive search, running the query against everything. Now show that an efficient database yields the same output.

begueradj4 个月前

For those interested in the information exchange about this same article: <a href="https://news.ycombinator.com/item?id=40753989">https://news.ycombinator.com/item?id=40753989</a>