[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Floyd-Hoare Verification Harmful??

       Date: Thu, 19 May 88 10:35:23 EDT
       From: Mitchell Wand <wand%corwin.ccs.northeastern.edu@RELAY.CS.NET>

       One ought not to say things like:

       "F(G(C)) := D ought to ensure that F(G(C)) = D afterwards."

       too blithely.  Consider the array assignment:

       A[A[1]] := 2

       in a two element array A, where initially A[1]=A[2]=1 .  This sort of
       thing had program verifiers confused for a good while in the early

   Date: Fri, 20 May 88 12:54 EDT
   From: Howard Shrobe <hes@scrc-vallecito.arpa>

   I wrote a paper that was distributed by hand to friends in the late '70s
   called "Floyd-Hoare Verifiers Considered Harmful" that pointed this ought.
   It was somewhat tongue in cheek but was based on catching Vaughn Pratt
   making exactly this kind of mistake.  I just moved my office and found
   copies of the paper.  Sussman would remember it well.

That seems like an awfully rash conclusion to draw from this kind of bug.  It
would be more reasonable to say something like "Unrestricted Pointer
Manipulation Considered Harmful" or "Hiding Nasty Pointer Manipulation in
Innocuous-Looking Array Manipulation Considered Harmful" or... :-)

Mitchell Wand
College of Computer Science
Northeastern University
360 Huntington Avenue #161CN
Boston, MA 02115

CSNet:  wand@corwin.ccs.northeastern.edu