D enters Tiobe top 20

Doc Andrew x at x.com
Fri Nov 8 17:07:59 UTC 2019


On Friday, 8 November 2019 at 16:33:48 UTC, Ola Fosheim Grøstad 
wrote:
> On Friday, 8 November 2019 at 16:10:32 UTC, Doc Andrew wrote:
>> With sufficient pre & post-conditions on "unsafe" functions, 
>> (and maybe, as somebody pointed out, some asserts along the 
>> way to "nudge" the solver in the right direction), you can 
>> prove at that nothing bad happens with an automated solver.
>
> If you talk only about memory safety and require that programs 
> are written in a certain way, then maybe yes.
>
> In the general case this will not be possible though. You 
> certainly need to manually guide the verifier (e.g. "nudge" the 
> solver with asserts). The search space is vast. Keep in mind 
> that when humans do proofs in math they do a lot of pattern 
> matching, use a high level conceptualization of the problem 
> space and only do it on "toy-sized" problems.

Sure, one reason SPARK is amenable to FV is because the language 
restrictions and richness of Ada types does a lot to restrict 
that search space, the same way dependently-typed languages do.

>
>> I'm not an expert, and it's only a hunch, but I suspect that 
>> DbC + CTFE could make formal verification of D code a lot 
>> easier to implement than trying to graft it on to other 
>> languages.
>
> Formal verification is never easy, but certainly less difficult 
> when the programming language is designed with that in mind... 
> D is too flexible.

For sure - but there may be a _useful_ formally-verifiable subset 
of D buried in there somewhere, kind of like MISRA C.

>
> And that's only for single-threaded programs. Add 
> multi-threading and you basically need the programming language 
> to be designed for it to get anywhere realistic. Such languages 
> do exist, but they are not going to give you C-performance.
>

With the way we do multi-threading now, where anything goes, 
absolutely. SPARK can formally verify multi-threaded tasks but 
using a fairly restrictive model (Ravenscar). I don't think 
performance goes absolutely in the tank with Ravenscar, but yeah, 
if you don't worry about synchronization, ignore race conditions, 
and just hope for the best, then sure, you're going to win in the 
benchmarks :)

I look at it a little differently - multi-threaded code is so 
tough to get right that some sort of verified correctness for it 
is becoming _essential_. (see: 
https://www.phoronix.com/scan.php?page=news_item&px=Google-KCSAN-Sanitizer)

It may be that a slightly-different threading model, perhaps like 
that thread "nursery" idea which has been posted here before 
(https://vorpus.org/blog/notes-on-structured-concurrency-or-go-statement-considered-harmful/) will be a magic bullet... or not.

>> My take is that formal verification is sort of where AI/ML was 
>> 20 years ago - academically interesting but of little 
>> practical use. Now it's a big deal, and I think in 10-20 
>> years, FV will be too.
>
>  I think FV is where AI was 70 years ago...

Way too pessimistic! :)

>
> But yeah, maybe neural networks can be used for matching up 
> verification problems with strategies so that the verifier 
> succeeds more frequently, but the fact that an automated 
> verifier frequently will fail to reach any conclusion will 
> remain for practical programming that aim for very high 
> performance in the forseeable future.

One thing that I've looked around for (without much luck) is just 
using GPUs to speed up the solvers themselves. Apparently 
parallelizing SAT solvers isn't the easiest thing in the world, 
but it would be a neat research topic.

>
> A more likely future is that processing performance will be in 
> abundance and that you therefore don't have to write programs 
> that maximize performance and can switch to languages and 
> algorithms that are easier to prove correct...

The cool thing is that, with the right proofs in place, you can 
actually get _faster_ code when formally verified, because all of 
the normal sanity-checks you do in code can get shifted to 
compile-time. You might even be able to reduce  or eliminate 
thread blocking, etc. with the right model (and probably some HW 
assistance).

Your point is well taken, but I do hope that we can get proven 
correctness of bare-metal code without having to write something 
like Liquid Haskell ;)

-Doc


More information about the Digitalmars-d mailing list