Saturday, February 22, 2025

automated testing – Is formal verification just duplicating the same logic in two languages for equality?


I am still learning about FM, but I think I can offer a rough example.
First of all, "Formal Methods" can mean many things, but let's focus on something like what you mentioned.

There certainly are cases where you would write the same algorithm twice in different ways (in different languages or not), and make sure that they are consistent. For example: the Fibonacci series is easily defined with a mathematical recursive function. In C:

/* Base cases: fib(0) = 0, fib(1) = 1; without them the recursion never terminates. */
int fib(int i){
   if (i < 2) return i;
   return fib(i-1) + fib(i-2);
}

You can treat that function as a specification that is easy to write, understand and verify; but if you try to use that function to calculate a long stretch of the series, it is terribly expensive / slow.

Now, you could write an optimized version of that same function using any number of tricks to make it much faster. Your compiler might even apply some tricks automatically! But then, how can you make sure that your new optimized function is really calculating the same thing as the specification (the original function)? Maybe there are new corner cases that did not exist in the specification? Maybe your compiler even has a bug that makes the optimized version fail with large numbers?

As you said, testing will only show that some cases are correct (i.e., the results of both functions are the same in a finite number of cases).
In contrast, formal verification would allow you to:

  1. make sure that the specification is "good enough" and self-consistent.
  2. make sure that the optimized version is always equivalent to the specification.

How is (1) possible? Well, instead of C, we could use some language that lets you pin down what you are verifying, and then actually verify it. For example, is i allowed to be negative? What happens when i == 0? What if i is large and the sum of results is too large to fit in the type int?

And so it could be that you develop a specification in one language (e.g. Isabelle/HOL), and then generate code from it; or verify that the specification corresponds to code possibly written in a different language (e.g. C).
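Added example (not part of the answer above): the recursive definition as the specification beside an iterative optimized version in C, with the corner cases the answer raises (negative i, i == 0, int overflow) made explicit, and a finite equivalence check that shows what testing covers and a proof would not. The function names fib_spec, fib_fast, fib_fast_value, count_mismatches and largest_representable_index are my own.

```c
#include <limits.h>
#include <stdbool.h>

/* Specification: the recursive definition. Meaningful only for i >= 0, and
 * the sum silently overflows (undefined behaviour) once fib(i) no longer fits. */
int fib_spec(int i) {
    if (i < 2) return i;
    return fib_spec(i - 1) + fib_spec(i - 2);
}

/* Optimized version: linear time, constant space. The corner cases the
 * specification leaves implicit are made explicit: negative i is rejected,
 * i == 0 yields 0, and an int overflow is reported instead of a wrong value. */
bool fib_fast(int i, int *out) {
    if (i < 0) return false;
    if (i < 2) { *out = i; return true; }
    int a = 0, b = 1;                       /* fib(k-2), fib(k-1) */
    for (int k = 2; k <= i; k++) {
        if (a > INT_MAX - b) return false;  /* fib(k) would overflow int */
        int next = a + b;                   /* fib(k) */
        a = b;
        b = next;
    }
    *out = b;
    return true;
}

/* Convenience wrapper: -1 stands for "no valid result". */
int fib_fast_value(int i) {
    int v;
    return fib_fast(i, &v) ? v : -1;
}

/* Testing-style equivalence check: counts inputs in [0, max_i] on which the two
 * versions disagree. This is the finite check the answer contrasts with a proof. */
int count_mismatches(int max_i) {
    int mismatches = 0;
    for (int i = 0; i <= max_i; i++)
        if (fib_fast_value(i) != fib_spec(i)) mismatches++;
    return mismatches;
}

/* Largest i whose Fibonacci number fits in int: beyond it the two versions
 * cannot agree, because the specification has no representable answer. */
int largest_representable_index(void) {
    int i = 0;
    while (fib_fast_value(i + 1) >= 0) i++;
    return i;
}
```

The check passes for every i it enumerates, yet says nothing about i beyond max_i; the overflow boundary is exactly the kind of question the specification has to answer before "equivalent" means anything.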
