I am flexible in terms of storage space; I currently have an 80GB disk, but I'm using less than 5GB of it. I'd like to start using a bit more, but not having more bandwidth makes this difficult.
Can anyone recommend a hosting company that would offer this kind of set-up for under about $50/month? DedicatedNow seemed like they had a reasonable offer, but they had some quite unreasonable demands, such as needing a copy of my passport faxed to them to complete the transaction (and I don't do that for any business, particularly not one I have had no prior dealings with).
In unrelated news, it looks like I'm getting a Google-sponsored minion for the summer. The SoC results were announced this morning, and the project I am mentoring got accepted. Should be fun.
You might come to wonder what the point of learning English was. In response perhaps the teachers and education system might decide that, to help make English relevant to students, they need to introduce more "Applied English". This means teaching English students with examples from "real life" (for varying degrees of "real") where English skills are important, like how to read a contract and locate the superfluous comma. Maybe (in an effort by the teachers to be "trendy") you'll get lessons on formal diary composition so you can better update your MySpace page. All of that, of course, will be taught using a formulaic cookbook approach based on templates, with no effort to consider underlying principles or the larger picture. Locating the superfluous comma will be a matter of systematically identifying subjects, objects, and verbs and grouping them into clauses until the extra comma has been caught. Your diary will be constructed from a formal template that leaves a few blanks for you to fill in. Perhaps you might also get a few tasks that are just the same old drills, just with a few mentions of "real world" things to make them "Applied": "Here is an advertisement for carpets. How many adjectives does it contain?".
In such a world it wouldn't be hard to imagine lots of people developing "English anxiety", and most people having a general underlying dislike for the subject. Many people would simply avoid reading books because of the bad associations with English class in school. With so few people taking a real interest in the subject, teachers who were truly passionate about English would become few and far between. The result, naturally, would be teachers who had little real interest in the subject simply following the drilling procedures outlined in the textbooks they were provided; the cycle would repeat again, with students even worse off this time.
And yet this is very much how mathematics tends to be taught in our schools today. There is a great focus on the minutiae of the subject, and almost no effort to help students grasp the bigger picture of why the subject might be interesting, and what it can say about us, and about the world. Mathematics has become hopelessly detail oriented. There is more to mathematics than mindlessly learning formulas and recipes for solving problems. And just like our imaginary example, the response to students lack of interest in mathematics has only served to make the problem worse. The "applications" and examples of using the mathematics in the "real world" are hopelessly contrived at best, and completely artificial at worst, and still keep a laser like focus on formulas and memorizing methods without ever understanding why they work.
Of course the opposite situation, with no focus on details, can be just as bad. Indeed, that is where English instruction finds itself today, with students never learning the spelling, formal grammar, and vocabulary needed to decently express the grand big picture ideas they are encouraged to explore. What is needed is a middle ground. Certainly being fluent in the basic skills of mathematics is necessary, just as having a solid grounding in spelling and grammar is necessary. What is lacking in mathematics instruction is any discussion of what mathematics is, and why mathematics works as well as it does.
The discovery and development of mathematics is one of the great achievements of mankind -- it provides the foundation upon which almost of all modern science and technology rests. This is because mathematics, as the art of abstraction, provides us the with ability to make simple statements that have incredibly broad application. For example, the reason that numbers and arithmetic are so unreasonably effective is that they describe a single simple property that every possible collection possesses, and a set of rules that are unchanged regardless of the specific nature of the collections involved. No matter what collection you consider, abstract or concrete, it has a number that describes its size; no matter what type of objects your collections are made up of, the results of arithmetic operations will always describe the resulting collection accurately. Thus the simple statement that 2 + 3 = 5 is a statement that describes the behaviour of every possible collection of 2 objects, and every possible collection of 3 objects. Algebra can be viewed the same way, except that instead of abstracting over collections we are abstracting over numbers: elementary algebra is the combination of objects that represent any possible number (as numbers represent any possible collection with the given quantity), and the set of arithmetic rules for which all numbers behave identically. Numbers let us speak about all possible collections, and algebra lets us speak about all possible numbers. Each layer of abstraction allows us to use an ever broader brush with which to paint our vision of the world.
If you climb up those layers of abstraction you can use that broad brush to paint beautiful pictures -- the vast scope of the language that mathematics gives you allows simple statements to draw together and connect the unruly diversity of the world. A good mathematical theorem can be like a succinct poem; but only if the reader has the context to see the rich connections that the theorem lays bare. Without the opportunity to step back and see the forest for the trees, to see the broad landscape that the abstract nature of mathematics allows us to address, it is rare for people to see the elegance of mathematical statements. By failing to address how mathematics works, how it speaks broadly about the world, and what it means, we hobble children's ability to appreciate mathematics -- how can they appreciate something when they never learn what it is? The formulas and manipulations children learn, while a necessary part of mathematics, are ultimately just the mechanics of the subject; equally important is why those mechanics are valuable, not just in terms of what they can do, but in terms of why they can do so much.
So why is it that this broader view is so rarely taught? There are, of course, many reasons, and it is not worth trying to discuss them all here. Instead I will point to one reason, for which clear remedies to exist, and immediate action could be taken. That reason is, simply, that far too many people who teach mathematics are unaware of the this broader view themselves. It is unfortunately the case that it is only at the upper levels of education, such as university, that any broader conception about mathematics becomes apparent. Since it is rare for people going into elementary school teaching to take any university level mathematics, the vast majority of elementary teachers -- the math teachers for all our children in their early years -- have little real appreciation of mathematics. They teach the specific trees outlined in textbooks, with no real idea of forest. A simple but effective measure that could be taken is to provide stronger incentives and encouragement for prospective elementary school teachers to take extra math; whether it takes the form of courses, or math clubs, doesn't matter, the aim is to get teachers more involved and better exposed to mathematics in general so that they can become familiar with the richer world beyond the specific formulas and algorithms. This exact approach was tried in Finland as part of their LUMA project starting in 1992. As a result the number of teachers graduating with higher level had increased dramatically by 1999. And the results are also clear: Finland finished first, showing continued improvement in mathematics and science, in the 2003 PISA survey of the reading, math, and science skills of 15-year-olds in OECD countries (Finland finished second, just behind Hong Kong, in the mathematics section). Finland has continued to do extremely well in other more recent (though less major) studies.
Whether you view mathematics as an important subject or not, it is hard to deny that, currently, it is being taught poorly in many countries around the world. With such scope for improvement, and clear examples such as Finland showing the way, isn't it time that we took at least some of the obvious steps toward improving the quality of mathematics education?
The NetBSD and OpenBSD articles got between 15-30K unique readers in the first seven days. I don't have figures for after that. I've been contacted by a few people who said they started using NetBSD as a result of the article. The moral of this story? If you want free publicity, try being polite.
Today, I got a reply, saying:
Thank you for your communication of the
1/2/2007, By E-Mail
which will receive attention
Now, normally, I would expect a reply of this nature to be sent by email, since it's basically an auto-responder. In this case, however, it was sent via a different mechanism. Second class mail.
Yes, my MP employs someone to act as an email auto-responder, replying by postcard to all emails. Isn't technology great?
Ping Wales have the full story. From the article:
A straw poll of businesses in Wales which use Macs reveals that no business customers have been informed of the change to the repair service.
Apparently customers were not the only ones kept in the dark over this:
Apple resellers in the region told Ping Wales that they hadn't been informed of the change either, adding that this did explain why the number of repairs coming in had increased significantly over the last few weeks.
Can anyone recommend a good supplier for Opteron machines at a reasonable price? I need a minimum of two CPUs (or cores), a reasonably sized (but not necessarily fast) hard disk, a couple of GB of RAM. It's going to run headless, so no graphics card is required (the Sun workstation line looks nice, but I object to spending money on an nVidia Quadro card that is never going to be used).
On the more geeky side, there are a couple of large SGI SMP boxes (one 60 CPU, one 30) for me to play with and a Linux cluster.
Today we warned the technicians that we might need to use a big chunk of disk space. We were told that there might not be enough, since they only had about 200GB free on the RAID array we wanted to use (the one local to the 60 CPU box). Back home, our technicians complained when I dumped a 2GB DVD image in my home directory...
Sometimes ideas don't get the attention that they deserve. The Java Modelling Language (JML) is just such an idea. JML is something every Java programmer should know about. That does not mean every project in Java should make use of JML, only that developers should be aware of it so they can use it wherever it does make sense. The fact is that JML provides so many benefits for so little extra work that it deserves far more use than it gets. If you program in Java it could make your life a lot easier.
What is JML?
In a sense JML is just a way to document your code better. JML provides simple intuitive syntax to provide concise descriptions of behaviour in a Java module. JML uses annotations to document all the mundane things you would normally document. For example you might want to note which fields are allowed to ever be null, or whether a particular method requires one of its parameters to be greater than zero, or if a method is side-effect free. What JML really offers, however, is the tools to make use of these extra comments to save you time and effort later. JML simply asks you to do what you would normally do, and in return offers improved productivity when it comes to documenting, testing, and debugging your code.
So what exactly does JML look like? Here's a simple toy example that, while contrived, manages to demonstrate a lot of basic JML and will be useful later for demonstrating what tools that use JML can do.
public class Example {
public int modifiable = 0;
private/*@ spec_public @*/int additional_value = 5;
private/*@ spec_public non_null @*/ String current_substring;
//@ invariant additional_value >= 5; //@ invariant current_substring.length() == modifiable;
//@ requires ((String) o).length() > modifiable; //@ assignable current_substring;
public void castExample(/*@ non_null @*/ Object o) {
additional_value = o.hashCode()%5;
current_substring = ((String) o).substring(0, modifiable);
}
//@ requires x >= -5; //@ ensures \result > 0;
public/*@ pure @*/ int pureFunction(int x) {
return x + additional_value;
}
//@ assignable modifiable; //@ signals (ExampleException e) additional_value <= 4;
public void unreachable() throws ExampleException {
if (additional_value > 4 && modifiable > 0) {
modifiable++;
}
else if (modifiable == 0) {
throw new ExampleException();
}
else {//@ unreachable;
}
}
}
Most of the JML annotations should be clear: We are simply documenting constraints on inputs (requires clauses) and outputs (ensures clauses, noting when fields or parameters cannot be null or when code is (we presume) unreachable, and what invariant properties that we expect the objects to have. A little less immediately obvious are the assignable and signals clauses. An assignable clause declares what is allowed to be written/assigned to from within the method, and a signals clause declares conditions that must be met in the case of an exception being thrown. Finally spec_public simply declares that these private fields have public visibility to the specification. You may note a few errors where the specification and the code don't agree - we'll come to those shortly.
This is, of course, only a small sample of what JML offers. JML provides a lot of useful syntactic sugar to make stating your intentions as easy and natural as possible. For a proper introduction to JML there are some presentations on basic JML and more advanced JML. Full documentation can be found in the JML Reference Manual.
What do I get out of it?
JML provides an easy to use language with which you can concisely say how you intend your code to behave. More importantly it provides tools to make full use of that. For the small amount of extra effort of documenting your intentions with JML you get a lot of easy gains.
The JML tools
The JML distribution comes with a number of tools that use JML annotations. The four most useful are jmldoc, jmlc, jmlrac, and jmlunit. The first, jmldoc performs the same function as Javadoc, producing almost identical API documentation. The advantage of jmldoc is that it understands JML annotations and includes suitable extra information in the API documents based on the annotations. As long as you document requirements and guarantees for modules in JML you can be sure that the API documentation will always include those constraints. Furthermore because JML annotations become integral for testing and debugging it is far more likely that the annotations are kept up to date with the code, meaning that documentation is also more likely to be up to date.
The tools jmlc and jmlrac provide a JML aware compiler and runtime environment. The advantage of compiling and running code with such tools is that JML annotations are converted into assertions which are checked at runtime, making it easier and faster to discover and locate bugs. For the small cost of writing a few annotations you can significantly speed up the testing and debugging cycle.
You can get the similar results by liberally sprinkling assertions through your code, but JML offers several advantages over such a scheme:
Of course having assertions based on intended behaviour is no substitute for a decent unit testing framework. JML has an answer for this too however. The jmlunit tool can read a Java module with JML annotations and automatically generate a JUnit test class based on the annotations. For example running jmlunit over our example above creates two new files Example_JML_Test.java and Example_JML_TestData.java. The first of those files is a JUnit test suite, and the second is used to generate test data. JML attempts to come up with a reasonable test data generation strategy, but leaves space for you to enter your own set of test data instead should you prefer.
Extended Static Checking
Extended static checking is where JML annotations begin to truly come into their own. ESC/Java2 is an extended static checking tool for Java that uses JML annotations to catch errors before you even compile, let alone run, the code. You can think of it as type checking on steroids - using the information in the annotations to warn you about a wide variety of potential errors. It runs about as fast as compilation, so there's no waiting for results.
Consider what happens when we run the example above through ESC/Java2. We get a series of warnings (some not revealed until others have been corrected):
Most of the errors listed above are either errors in code, or in our expectations of what the code will do. Some of these errors can be remedied by strengthening the constraints. For example we can add
While the errors are necessarily simple in this toy example, hopefully this gives you the flavour of what ESC/Java2 can do for you - it has very powerful algorithms and scales to remarkably complex code, easily finding errors that would be hard to spot by inspection. For more examples of what ESC/Java2 can do for you (and it is well worth reading) try this introduction to ESC/Java2. ESC/Java2 offers a robust and powerful tool for finding subtle errors in your code earlier when they are easier to fix.
Conclusions
JML is simple to use: it has an expressive and intuitive syntax, and you can write the annotations at the same time the code. JML is also flexible: you an use as much or as little in the way of annotations as you need. Perhaps you simply want to add some pre- and post-conditions, or just keep track of which methods can access or alter certain fields; perhaps you want to use the full power of the theorem provers in ESC/Java2. Most of all JML makes many aspects of development, from debugging and testing to documenting, easier and more efficient, all for very little extra effort. If you program in Java for a living then JML can almost certainly make your code better, and your life easier.
OS X sucks at system calls. Due to the Mach+BSD kernel design, system calls are very expensive on OS X. On Mach, the system call cost is around 10x the cost on BSD - on OS X it's some combination of the two depending on what you do. The next thing to realise is that all of the POSIX thread synchronisation mechanisms are implemented using Mach-level synchronisation primitives. This means every time you lock a mutex (for example) you need to dive down through the BSD layer to the Mach layer. This gives you the horrible overhead of checking the permissions on a Mach port (something that sane Microkernels like L4 abandoned), and is expensive. This makes locking operations on OS X much more expensive than on BSD-like kernels. This, in turn, can make threaded code much slower. If you are Adobe, and you are rendering an entire image transformation in a small number of threads, then you will only lock at the beginning and the end of the operations, so it will be nice and fast. If you are doing low-level parallel operations for scientific computing (when not bitching about the OS X kernel), then you should really try harder to persuade someone to buy you a nice Solaris box.
This is why I like Objective-C, and why using languages like C++ feels so painful in comparison. Oh, and for reference, enumerating the classes was around half a dozen lines. Sure, this kind of thing is possible in C++, but only if you build a huge amount of extra stuff on top.
This is all well and good, but FPGAs don't offer the same feature density as even ASICs (although they are re-writable), so this raises the question of whether it would be commercially viable to do a run of ASICs based on an open core, with a motherboard also based on an open design. Would you buy a motherboard / CPU that could run, for example, NetBSD and was entirely open source? How much of a premium would you be willing to pay for such a thing?
I really like the design of the Alpha CPU, and I would be interested in a machine that had a similar core design, and maybe willing to pay around a 50% premium over x86 for the elegance of the system - particularly if I could also download the core design to an FPGA, modify it, and submit changes back for inclusion in the next revision.
One of the real advantages of open source software is that it can easily be compiled for multiple architectures, so once you've written a GCC back-end and a boot loader for your system you suddenly have a huge amount of usable software.
I am rapidly coming to the conclusion that the ideal CPU would have a very simple instruction set, and not even do out-of-order execution. Code running on it should be compiled first into some kind of byte-code, and any re-scheduling should occur in the bytecode JIT - move as much complexity into software as possible, since it's much easier to upgrade (and to configure at run-time).
Formal Specification helps build more robust, more maintainable software with fewer bugs and defects. It has a long history, but it is still a developing field. While it may not be suitable for all software projects, a case can be made that there are many projects not currently using formal specification that stand to benefit from it. As the methods and tools for formal specification develop it is increasingly becoming something that developers and software engineers should learn to use to their advantage.
What is Formal Specification
Formal specification is simply a matter of being more explicit and specific in defining the requirements of software. At the simplest level this can take the form of Design by Contract, where functions and procedures specify pre- and post-conditions and loops and objects include a set of invariant properties. In the more rigorous case formal specification involves building an explicit mathematical definition of the requirements of the software. Using such a definition one can prove the correctness of the system, or simply prove theorems about properties of the system. An implementation can also be checked against such a formalised specification, verifying that the implemented code does indeed do precisely what the requirements claim. At the most rigorous level the initial formal requirement specification can be expanded, through (mathematically rigorous) refinement, to ever more specific and detailed specifications resulting eventually in executable code.
All of these different levels allow a significantly greater degree of analysis of the software, be it improved static and runtime checking with contracts, to more complex data flow analysis and proof with more complete specifications. In the same way that static types allow more rigorous checking at compile time, catching a lot of simple errors, contracts and specifications allow even more analysis and checking, catching even more errors at the early stages of development when they are most easily and efficiently fixed.
A Simple Example
For good examples of formal specification at work I would suggest you try this Z case study or the case study for CASL in the CASL user manual. For those who want something more immediate I have a warning: To be short enough to present easily in this space the specifications are necessarily very simple and should be taken as a sample of the flavour of formal specifications rather than a serious example.
The specification for a simple stack, in SPARK, a version of Ada that adds formal specification semantics, would look something like the following:
package Stack
--# own State: Stack_Type;
--# initializes State;
is
--# type Stack_Type is abstract
--# function Not_Full(S: Stack_Type) return Boolean;
--# function Not_Empty(S: Stack_Type) return Boolean;
--# function Append(S: Stack_Type; X: Integer) return Stack_Type;
procedure Push(X: in Integer);
--# global in out State;
--# derives State from State, X;
--# pre Not_Full(State);
--# post State = Append(State~, X);
procedure Pop(X: out Integer);
--# global in out State;
--# derives State, X from State;
--# pre Not_Empty(State)
--# post State~ = Append(State, X);
end Stack;
The package body, containing the implementation, can then follow.
The own simply declares the variable State to be a package global variable, and initializes means that the variable State must be initialized internally in this package. We then declare an abstract type (to be defined in implementation) and some simple functions. The in and out keywords in the procedure declarations tag the parameters: in means that the parameters current value will be read in the procedure, and out means the parameter will be written to in the procedure. The global keyword declares the the package global variable State will be used in the procedure (and both read from and written to). The derives keyword provides explicit declarations of which input will be used in determining values for variables that will be output or written to. The pre- and post-conditions should be largely self explanatory.
As you can see, mostly all we are doing is making explicit exactly how we intend the procedures to operate. This specificity provides automated verification tools the information necessary to properly analyse and validate implemented code: Prior to a compile step you can run a verification and flow analysis tool that catches many subtle errors.
A similar object, specified in an algebraic specification language like CASL might look something like this:
spec Stack[sort Elem] =
sort
stack
ops
empty: stack
push: stack * Elem -> stack
pop: stack ->? stack
top: stack ->? Elem
axioms
not def pop(empty)
not def top(empty)
forall s : stack; e : Elem
pop(push(s,e)) = s
top(push(s,e)) = e
end
CASL offers syntax that can compact this considerably, but this longer version makes the workings of the specification more clear.
We declare a specification for a stack of generic elements, of sort stack; and with operations empty (which is in a sense the constructor creating and empty stack); push which maps a stack and an element to a "new" stack; pop a partial function (denoted by the question mark) which maps a stack to "new" stack; and top another partial function which maps a stack to an element. We then define axioms: first, as pop and top are partial functions, we say they are not defined on empty stacks; secondly we declare that pop and top should behave as (partial) inverses for push for all stacks and elements.
This is sufficient information to completely specify stacks as a universal algebra and brings a great deal of powerful mathematical machinery to bear on the problem, much of which has been coded into a set of analysis tools for CASL.
While these examples are very simple, they should give you the flavour of how formal specification can work. Both SPARK and CASL support structured specifications, allowing you to build up libraries of specification, making them scalable to very large problems.
Why Use Formal Specification?
Why use static types? Why do any compile time checking? Why produce design documents for your software? Not every project is worth writing design documents for, and some projects are better off being developed quickly using a dynamically typed language and runtime checking. Not every project really needs formal specification, but there are a great many software projects that could benefit greatly from some level of formal specification - a great many more than make use of it at present.
I would suggest that it is probably unimportant whether your paint program, music player, word processor or desktop weather applet uses formal specification. What about your spreadsheet application? Bothering with formal specification for the GUI might be a waste of time. Bothering to do some specification for the various mathematical routines, ensuring their correctness, would potentially be worth the extra trouble. Formal specification doesn't need to be used for a whole project, only those parts of it that are sensitive to error. Likewise any network services could easily benefit from formal specification on the network facing portions of the code to significantly reduce the possibility of exploits: it is far easier to audit and verify code that has been properly specified. Security software, and implementations of cryptographic protocols, are far safer if formally specified: with cryptography the protocols are often rigorously checked, and many exploits relate to errors where the implementation fails to correctly follow the protocol. Finally mission critical business software, where downtime can costs millions of dollars, could most assuredly benefit form the extra assurances that formal specification and verification can provide.
None the less, barring a few industries, formal specification has seen little use in the past 25 years. Developers and software engineers offer many excuses and complaints as to why formal specification isn't suitable, isn't required, or is too hard. Many of these complaints are founded in a poor understanding of how formal specification works and how it can be used. Let's consider some of the common complaints:
But Formal Specification is Too Much Work...
Formal specification can be as much work as you choose to make it. You can do as little as adding contracts to critical functions or classes, or you can write the entire project from the top down by progressive refinement of (and verification against) a specification for which you have created formal proofs of all important properties. There is a sliding scale from a dynamically typed script with no documentation or comments, all the way up to a completely explicitly specified and proven system. You can choose the level of specificity and verification, and you can specify as much or as little of the system as you need. Formal specification covers everything from adding contracts to a couple of critical routines to complete specification of the entire project.
Formal specification isn't necessarily significantly more work than you do now. Writing contracts is only a little more work than static typing: you are simply declaring formally what you intend the function to do, something you ought to have a clear idea of before you write the function anyway. Writing a basic specification is only a little more work that writing a design document: you are simply formalising the diagrams and comments into explicit statements. For a little extra work in the initial stages you gain considerably in debugging and testing. Extended static checking based on contracts can catch many simple errors that would otherwise go unnoticed, and debugging is significantly accelerated by the added information contracts supply about runtime errors. If you've gone to the trouble of writing a formal specification, you can statically verify properties of the system before it is even implemented. Once implemented you can validate the implementation against the specification. When performing testing you can use the specification to help determine the best coverage with the least testing.
Formal specification does work in practice, and the gains in efficiency in testing and debugging can often outweigh the potential extra overhead during design. Design by Contract, for instance, is often cited as saving time in the development process, and there are many real world success stories where systems were developed faster by using contracts. A 20 person team completed in 5 months what took a team of 100 people using standard C++ almost a year. For projects where robustness is critical, full formal specification has been used successfully. Companies like Praxis High Integrity Systems use formal methods successfully in the rail, aerospace, nuclear, finance and telecommunications industries (among others), and have sold their formal method tool-set to a variety of large companies. Reading through some of their recent work and case studies makes it clear that formal specification and verification can prove to be more efficient and faster to use.
But Formal Specification is Not Practical...
On the contrary, formal specification is used all the time in many industries, and there are various companies like Praxis High Integrity Systems, B-Core, Eiffel Software, Kind Software, and Escher Technologies who provide formal specification tools as a major part of their business.
Formal specification has proved to be practical in the real world. What it has lacked is mature tools to make development using formal specification faster and easier (try writing code without a good compiler; try doing formal specification without good static checking tools), developer awareness, and developers skilled in the languages and techniques of formal specification. It doesn't take much to learn - learning a specification language is not much harder than learning a programming language. Just as programming appears to be a difficult and daunting task to a person who doesn't know any programming languages, specification looks difficult and impractical to people who don't know specification languages. Take the time to learn and your perspective will change.
But the Project Requirements are Always Being Changed...
It is true that many projects face ever changing requirements. The question is not whether this renders formal specification useless (it doesn't) but how formal specification compares to informally specified software in such a situation.
First of all it should be noted that engaging in formal specification can help reduce the problem to begin with. By requiring you to rigorously specify at least some portions of the software, formal specification can assist in finding ambiguities, cases that were not covered, and other problems much earlier in the development cycle when changes are easiest to make. Those parts of the system, such as GUIs, that are often the target of more whimsical design or requirements changes are precisely the parts that benefit least from, and are least likely to use, formal specification. Changes to design or requirements for those parts of the system, then, are not likely to be more detrimental than for informally specified projects.
Secondly formal specification is quite capable of dealing with change, and even offers benefits in the face of changing requirements. A change in requirements results in a change in specification, but because the specification is formally written the impact of the changes can be analysed. You can check that new requirements remain consistent with the rest of the system. You can also determine all parts of the system that will be impacted by the change and avoid bugs introduced by the changes. Having a formal specification for the system when a change in requirements occurs makes it easier to see how the change will effect the system and easier to make the changes consistently and completely. Formal specification can make changes in requirements easier to deal with, not harder.
But I Already do Unit Testing...
Unit testing is fantastic, and there's no reason to stop just because you can write proofs for some aspects of your code. Unit testing is not a replacement for formal specification however. Testing only verifies the component for a very limited and specific range of cases. Specifically testing covers the cases that the developer thought of. A great many bugs, however, are those that occur from situations the developer didn't consider, and probably wouldn't have included in his test. You can improve the situation with testing tools like fuzzers, but you're still only checking a sampling of the whole space. Formal specification, on the other hand, allows construction of formal proofs that cover all possible cases. I would much rather specify and prove Pythagoras' theorem than simply assume it is true by testing it on random right angled triangles. Likewise, while testing is valuable (and easy) when assurance matters it is no replacement for proof based on a specification.
Does this mean you should give up Unit testing? In no way shape or form. Just as formal proofs in mathematics are much harder than trying a few cases, formal proofs from specifications require significant work - you most likely can't prove everything. That means the best method is prove those properties that are critical, and continue testing the system much as you normally would. Hopefully you'll see a lot less errors to debug based on the extended static checking of course.
But Formal Specification Still Can't Guarantee Perfect Software...
Correct, there are no guarantees. Complete proofs are often too complicated to perform, so theorem proving for specific properties is usually undertaken instead. Static checking can be enhanced significantly with suitable specifications, but not all errors can be caught. Your software is only going to be as stable and secure as the system it is running on. If you can't be perfect why try at all? Because significant gains can be made and the costs may be smaller than you think. Even if the whole system can't be proved, managing to prove key properties may well be all the assurance of correctness that is required for the application at hand. Even if you can't catch all the errors statically, reducing the number and severity of runtime errors can bring significant efficiency gains in the testing phase. Furthermore the cost of errors in software found after release can be sufficiently high that any reduction is worthwhile. Finally if you can't trust your compiler and operating system, then everything is compromised. At some level you have to trust something - we all trust a great deal of software right now that we expect to have flaws - reducing the source of errors to trusted components is still a significant gain.
But Formal Specification Is Only Viable for Trivial Examples...
Not even close to the truth. Formal specification and formal methods have been used for large projects involving hundreds of thousands of lines of code. Just look at many of the examples provided above: these were not small projects, and they were not toy trivial examples; these were large scale real world software systems. Examples of formal specification tend to be small simplistic cases because they are meant to be just that: easily comprehensible examples. In the same way that programming languages often use "Hello World" and quicksort as examples, formal specification languages use equally simple but demonstrative examples. Don't take this to mean that the language and method doesn't scale.
Conclusions
Formal specification isn't a silver bullet, and it isn't the right choice for every project. On the other hand you can use as much specification and verification as is suitable for your project. You can apply formal specification only to the portions that are critical, and develop the rest normally. More importantly, the techniques, languages and tools for formal specification continue to improve. The more powerful the methods and the tools, the more projects for which formal specification becomes a viable option. In an increasingly network oriented computing world where security and software assurance is becoming increasingly important, the place for formal specification is growing. If you are a software engineer it makes sense to be aware of options available to you.
"But what we need to know is, do people want nasally-insertable computers?"
