Well done writeup, with enough detail to be interesting but not tedious. I’m looking forward to Part 2.

My impression is that their approach is largely inspired by Google’s ClusterFuzz. Projects that meet Google’s criteria can use their “OSS-Fuzz” infrastructure, but hooray for DIY if you have the resources.

Great advice! Thinking about your three points made me think of the following, I hope you find it useful.

In your comment you linked, I think the list of all the projects is extremely useful to see what’s going on. Related to your point (1), I think is that each of these projects is impressive because they built something within a theorem prover, e.g., no one would be impressed if someone wrote a C-compiler in C++, but verifying non-trivial theorems about a C-compiler is impressive.

Perhaps a better way to look at the problem of “how to get into formal methods?” is to look at it as “what do you want to get from your efforts?”.

This, I believe, expands on your point (2): if you want to reduce the number of bugs in your code, perhaps just fuzzing is the way to go. This probably has the highest return-on-investment for existing projects. I know this is probably no longer “formal” methods but I would consider fuzzing at least a distant cousin. Extending beyond this are more heavy-weight techniques like bounded model checking, abstract interpretation and concolic execution: these again are not full-blown verification but provide some formal guarantees. These are maybe stepping stone before the lightweight stuff mentioned in your comment, or perhaps are around the same area.

If you want to learn how to encode proofs into your type system, then maybe the first few chapters for Software Foundations or some other theorem prover textbook would be great: you won’t build anything “real”, but perhaps will have some extra appreciation for types. This relates to your point (1).

Related also to (1) is the difficulty in formalizing “correctness” of a program: often writing the specification for a program is more difficult than writing the program itself. A contrived example is, is specifying the correctness of int max(int a, int b). Especially for a “real engineering” problem where the problem itself is not very well specified, coming up with a notion of correctness is in and of itself difficult. Stuff like using the runtime sanitizers (ASAN, UBSAN, MSAN) makes encoding some notion of correctness into your existing tests easy.

Anyway, I feel this comment was a bit rambling but I perhaps the ideas will be useful to you: I agree that equating formal-methods with dependent types is maybe too far, and wanted to show some of the other techniques for reducing the number of bugs, which sometimes are not officially included in “formal methods”. (As you can maybe tell, my own interests are in fuzzing/bounded-model checking/symbolic execution/abstract interpretation instead of dependent types ;)

There’s an interesting similar line of work formalizing the C++11 memory model which includes a tool to explore possible behaviors (relative to the stress tester here it systematically explores possible behaviors based on a the model).

Here’s some links for those interested:

Main Page

Online explorer (cppmem)

The artifact evaluations the author talks about is a step in the right direction but it isn’t perfect. First, I don’t believe the submitted code is required to be published publically, its just run by the committee. And second, there’s nothing stopping an unethical researcher from submitting an artifact which just does sleep(8000); printData(); return 0;.

I’m not sure what a better solution would look like.

Would love to see some details on the types of errors it detects. Seems interesting.

I’m lucky enough to be “that guy who always asks questions” in class. I justified it for two reasons: (1) it’s the instructor’s job to teach me, and (2) it’s almost disrespectful not to ask questions. Elaborating on (2), as a presenter/instructor the person asking questions is both paying attention to what you’re doing and showing that your presentation is at least somewhat intelligible.

I was always curious talking to my friends after class and hearing them say “I have no idea what we were just taught.” My (naive) theory is there are a few different archetypes of quiet students.

• I’m too lazy to be here.
• I was on the internet for the first 20 minutes and don’t know where we’re at.
• I told my peers this class was easy so I can’t ask questions.
• My question is stupid.
• I’ll just ask the question after class/in office hours

In my mind, it’s a problem that the “dumb” person is quiet and that many questions get asked one-on-one: the questions help everyone (including the instructor).

The argument that questions slow down the class and prevent material from being covered is nonsense: the question indicates the material was not thoroughly presented; if there are so many questions such that all the material cannot be presented then something needs to be changed. (This does get into a gray area as to when questions are off-topic: the instructor needs to take some discretion and discuss things offline with individuals.)

This seems to be like dialyzer for c? Also has anyone used this and can contrast it with valgrind?

A cheap oscilloscope, multimeter, and bench power supply are always welcome additions to any workbench, as well as an electronics breaedboard.

Depends on how low-level you want to go. Anything with GPIO and I2C will be useful, and the question is what you’d want to go for. If you don’t mind working in lower-level C, AVR has a great set of microcontrollers that are widely used and don’t require a lot of external parts. If your friend is more comfortable with python / sshing into stuff, you might be better off with an Arduino or Raspberry Pi. I would shy away from the esoteric stuff especially if your friend is starting out, you want to work with easily googlable parts that other people have used until you’re more confident. Buying random parts off digikey and discovering that the datasheet is wrong can be extremely frustrating, so it’s helpful to tread where others have tread before you.

I can highly recommend Adafruit’s shop, they explicitly design their modules to be beginner friendly with lots of documentation. If you wanted to go AVR they have nice premade boards, as well as the bigger beaglebone/arduino/raspberrypi stuff as well. They also have generic prototyping stuff, sensors, and a pretty comprehensive beginning electronics toolkit.

This was really cool - anyone have some good references to where I can learn more about SBV in particular and solving problems using SMT in general? (I did review the examples in the repo, and they were helpful, but I’m looking for more of a tutorial-style exposition if one exists.)

I think its great to see “combinator style” parsers; after writing my first parser using Parsec I feel bad when writing quick-and-dirty parsers in C++/Java.

However, and this may be pedantic, but I feel the claim “safe by default” is a bit strong. Seems the authors wants to say that it is memory safe (no use after free/out of bounds access) but in the absence of a safety specification for what the parser should do and a way to show the parser meets that specification I don’t think you could call it safe. Additionally, the fact that the library was fuzzed to “verify” it is safe seems to hint that it does not have a proof of the absence of such errors: such a proof is what I would call safe.

Again, this is probably just me having my own definitions of what “safe” and “verify” mean.

Great tutorial. I consider myself somewhat well versed in LLVM but I had no idea it was so easy to run a pass straight with clang.

The worst part about LLVM is it spoils you: writing analyses for languages without LLVM frontends, like javascript, because working on existing compilers seems much more esoteric. Working with Spidermonkey or V8 seems painful (though, I’d love to be proven wrong).

Interesting to see a more modern Java concurrency approach compared to what I remember from The Art of Multiprocessor Programming.

What wasn’t clear to me on reading is how the example Atom satisfies the property stated by the author:

Every operation will succeed after the finite number of tries

For example, two threads could execute the swap function.

Thread 1            Thread 2
=======================================
oldv = get()
                    oldv = get()
                    newv = swapOp(old)
                    cas(oldv, newv)
newv = swapOp(old)
cas(oldv, newv)
oldv = get()
                    oldv = get()
                    newv = swapOp(old)
                    cas(oldv, newv)
              ...

If this repeats infinitely then thread 1’s swap never succeeds. Did I miss something? I’m never too confident of pen-and-pencil proofs of concurrent programs.

What I always thought was a subtle design challenge for concurrent data structures is that you can have “bugs” in your API. For example, if you expose a read() operation and a write() operation on your lock-free data-structure then you open the user to do something like:

if (read()) {
   write()
}

Allowing an atomicity violation to creep in.