In a controversial paper at the end of 1970's, R.A. De Millo, R.J. Lipton and A.J. Perlis (DeMillo, Lipton and Perlis, 1979) argued against formal verifications of programs, mostly motivating their position by an analogy with proofs in mathematics, and in particular with the impracticality of a strictly formalist approach to this discipline. The recent, impressive achievements in the field of interactive theorem proving provide an interesting ground for a critical revisiting of those theses. We believe that the social nature of proof and program development is uncontroversial and ineluctable but formal verification is not antithetical to it. Formal verification should strive not only to cope, but to ease and enhance the collaborative, organic nature of this process, eventually helping to master the growing complexity of scientific knowledge.
IntroductionHeavier than air flying machines are impossible.-S.P. Langley (Langley, 1891) Formal verification of programs, no matter how obtained, will not play the same role in the development of computer science and software engineering as proofs do in mathematics.-R.A. De Millo, R.J. Lipton, A.J. Perlis (DeMillo et al., 1979) Samuel Pierpont Langley was a professor of astronomy and physics, and a world-expert in aerodynamics during the late nineteenth and early twentieth century. The esteem with which he is held can be seen from the fact that one of the research centers of NASA is named after Langley. At the height of his research career, Samuel Langley published a result (Langley, 1891) which came to be known as "Langley's Law." According to this erroneous law -higher the speed, lower the drag -more power was required in order to make an aircraft fly slower, and if this were to be true then heavier than air flying machines would certainly have been an impossibility. Fortunately the Wright Brothers Andrea Asperti, Herman Geuvers and Raja Natarajan 2 had not read Langley's book, and they went on to develop the first manned aircrafts which could be controlled in-flight from the aircraft itself.In It is precisely in view of these achievements, however, that we can look back at (DeMillo et al., 1979) with a less passionate and more objective spirit, making a more stringent analysis of their thesis and arguments, without focusing on the polemic frame intentionally chosen by its authors, viz., in Lamport's words † , as a debate between a reasonable engineering approach that completely ignores verification and a completely unrealistic view of verification advocated only by its most naive proponents.In fact, some of the thesis advocated by De Millo, Lipton and Perlis are sharable, very pertinent and still relevant; on the other hand, most of their arguments, after thirty years of research, sounds obsolete and a bit trite, asking for a critical reappraisal. Here is a quick summary of our critique, before we enunciate it in detail.-De Millo et al. state that . . . intuition is the final authority (quoting the logician Rosser).: Intuitions and analogies may help in the explanation a...
