an...@mips.complang.tuwien.ac.at (Anton Ertl) writes:
> Unlikely, at least in full; you probably run into one of Goedel's
> incompleteness theorems or something similar. You can probably have
> the prover prove properties of most of its code, but there will be a
> part P that is beyond its capabilities.
Another approach, used by Microsoft's SPEC prover, is to notice that
Goedel's theorem only applies to theories strong enough to support a
fragment of arithmetic that includes addition and multiplication, since
you need both of those to create the self-referential Goedel sentence.
If you drop multiplication so your arithmetic only supports addition,
you get a weaker theory called Presburger arithmetic, to which Goedel's
theorem doesn't apply, and in fact your prover can work automatically as
long as your program never multiplies two variables together.
(Multiplication a variable by a constant doesn't "count", since it can
be formalized as repeated addition. So that handles most array
subscripting.)
You usually wouldn't use SPEC on an entire program. It is instead used
mostly (I believe, I've never looked at it) to verify that some chunk of
code is free of buffer overflow bugs.
> In theory it's possible to write a more complex prover that can prove
> that part, but then how do you prove that prover? A more practical
> approach is to prove P manually.
Making sure P is small enough to validate by inspection is called the de
Bruijn criterion. Another approach, used by HOL Light, is to use the
same prover, but make its theory more powerful by adding an extra axiom.
That lets the version with the extra axiom check the consistency of the
version without it.
HOL Light is based on set theory (so called Zermelo set theory Z if that
matters), and the extra axiom asserts the exitence of a so-called
inaccessible cardinal in Z. This is a so-called large cardinal axiom,
which even mathematicians (other than set theorists) consider to be one
of the most abstruse and useless topics in mathematics. Yet there it
is, being used in a practical piece of software (HOL Light is used to
verify some things about Intel microprocessors, iirc).
It is worse. What if HOL Light's implementation of Z is inconsistent,
due to a bug or because Z itself is inconsistent? Can't it prove its
own consistency already then? A consistent theory (per Goedel) can't do
that, but of course an inconsistent theory can prove anything, even
2+2=5. And if HOL Light starts out inconsistent, it's still
inconsistent with the new axiom.
But, the idea is that such an self-consistency proof would be very weird
and roundabout, and the proof with the inaccessible cardinal likely
wouldn't go through. That is mathematically unrigorous, but it doesn't
seem worse than the horrible things that electrical engineers have
always done with complex numbers, so we can let it by.
So there you have an *engineering* use of a large cardinal (it's not a
valid mathematical use because of the non-rigor). From a certain
perspective, that is utterly amazing. There was a mathematician named
Solomon Feferman who believed that all the mathematics used in science,
and even almost all of pure mathematics, could be handled with fairly
weak axioms. I wanted to ask him about this large cardinal example but
unfortunately he died a few years ago, before I could do so. He was
mathematically active into his 80's though.