[akiarie]

> I don't think you're under any obligation, I just think that not discussing prior art is a bad look.

See [0] where our reliance on Dijkstra is transparent.

> I don't see anything new about the application of these well-known ideas either. Especially nothing that could explain why Xr0 would be widely used, while Frama-C is extremely niche.

Begin with the fact that Xr0 is written in C and feels like C. We're building it so that C programmers will be able to use it without explicitly learning about formal verification.

> Proving (the correctness of code) is an inherently mathematical task. So if by "mathematician" you mean someone who does mathematics, then all of your users will be mathematicians.

Absolutely true. But what I mean by "mathematician" is a self-conscious mathematician, or at least someone with a background in formal mathematics.

(Edit: forgot to add link.)

[0]: https://xr0.dev/dijkstra-paradox

[muldvarp]

> See [0] where our reliance on Dijkstra is transparent.

Mentioning that you're vaguely inspired by Dijkstra is not the same as discussing prior art. And it's not like there isn't enough prior art about "safe C" out there [0, 1, 2, 3, 4, 5, 6, 7, 8, 9].

> Begin with the fact that Xr0 is written in C and feels like C. We're building it so that C programmers will be able to use it without explicitly learning about formal verification.

Most of the people interested in formally verifying their C code will already know about formal verification and absolutely don't care about whether Xr0 is written in C or not.

> But what I mean by "mathematician" is a self-conscious mathematician, or at least someone with a background in formal mathematics.

I'm doubtful Xr0 will be useful for someone without a background in formal verification.

To me, the whole project seems like vapourware. It currently works on an extremely limited subset of C. In fact, this subset is so limited that from a computation theory standpoint, the current capabilities of Xr0 are trivial. Supporting while loops (or general recursion) on the other hand is impossible (from a computation theory standpoint).

Even on this small subset of C it took me five minutes to get an out of memory error and a further five minutes to craft a C program with a double free that passes verification [10].

All this combined with a website that makes great promises about how awesome Xr0 is (or rather going to be) and handwavy explanations about how easy adding the missing features will be that don't hold up to any scrutiny. Dozens of similar projects exist, few of them work at all on non-trivial C programs and all of them require herculean effort (and are thus only used for safety critical software) to correctly annotate C code (often this includes rewriting parts of the code to make the annotations simpler or unnecessary). There is no discussion at all how Xr0 is going to solve the problems that killed these projects.

[0]: https://link.springer.com/chapter/10.1007/978-3-642-03359-9_...

[1]: https://link.springer.com/chapter/10.1007/978-3-540-71316-6_...

[2]: https://link.springer.com/chapter/10.1007/978-3-642-33826-7_...

[3]: https://ieeexplore.ieee.org/document/8543387

[4]: https://dl.acm.org/doi/10.1145/2594291.2594296

[5]: https://link.springer.com/chapter/10.1007/978-3-642-32347-8_...

[6]: https://link.springer.com/chapter/10.1007/978-3-642-20398-5_...

[7]: https://dl.acm.org/doi/10.1145/503272.503286

[8]: https://www.sciencedirect.com/science/article/pii/S157106611...

[9]: https://dl.acm.org/doi/abs/10.1145/3453483.3454036

[10]: https://pastebin.com/raw/JbzMj2Bg

[akiarie]

> Even on this small subset of C it took me five minutes to get an out of memory error and a further five minutes to craft a C program with a double free that passes verification [10].

Nice work with the program. However, the only reason it verifies is we haven't yet implemented `||`, so in the parser the phrase `if (x || !y)` is being interpreted as `if (x)` (see [0] for the relevant production). This may seem like another frustrating indiction of how "extremely limited" the subset of C that Xr0 works on is, and indeed it is. But the most important point is there is no logical flaw in Xr0's design here, and no reason whatever that an error of this kind wouldn't be detected. [1] is an equivalent program that shows the logical cogency of our approach (I know it's ugly!).

> I'm doubtful Xr0 will be useful for someone without a background in formal verification.

> Most of the people interested in formally verifying their C code will already know about formal verification and absolutely don't care about whether Xr0 is written in C or not.

We aren't making Xr0 for people (self-consciously) interested in formal verification, but for C programmers interested in safety of the kind that Rust provides. And I can tell you that C programmers prefer their tools in C.

> All this combined with a website that makes great promises about how awesome Xr0 is (or rather going to be) and handwavy explanations about how easy adding the missing features will be that don't hold up to any scrutiny. Dozens of similar projects exist, few of them work at all on non-trivial C programs and all of them require herculean effort (and are thus only used for safety critical software) to correctly annotate C code (often this includes rewriting parts of the code to make the annotations simpler or unnecessary). There is no discussion at all how Xr0 is going to solve the problems that killed these projects.

Fair enough. The proof is in the pudding. Give us a few months. But understand that we have limited resources (this is an open source project and we're working on it part-time). We could either stop and make long-form arguments with full bibliographies or focus on building Xr0 into what we say it's going to be.

[0]: https://git.sr.ht/~lbnz/xr0/tree/master/item/src/ast/gram.y#...

[1]: https://pastebin.com/raw/7EpcUVzv

[muldvarp]

> However, the only reason it verifies is we haven't yet implemented `||`

You should error on constructs you don't yet support. Not doing so makes it very difficult to ascertain how well Xr0 works.

> We could either stop and make long-form arguments with full bibliographies or focus on building Xr0 into what we say it's going to be.

You didn't do either though. You wrote long-form arguments about how awesome Xr0 is (or going to be) and how groundbreaking the idea of "interface formality" is. If instead you actually produced a working prototype (or even any technical argument why such a prototype is feasible) I'd be way less doubtful.

[akiarie]

> You should error on constructs you don't yet support. Not doing so makes it very difficult to ascertain how well Xr0 works.

You're right. We should. (We will be adding this as we are able.)

> You didn't do either though. You wrote long-form arguments about how awesome Xr0 is (or going to be) and how groundbreaking the idea of "interface formality" is. If instead you actually produced a working prototype (or even any technical argument why such a prototype is feasible) I'd be way less doubtful.

A 7-point blog post is hardly "long-form" :)

But more to the point, Rust has already achieved this "interface formality", as we state in the second paragraph of this "long-form" piece. That achievement on the part of Rust is indeed groundbreaking. Is it so crazy to claim that this can be replicated for C, without encumbering it with ownership considerations that have no relationship to interface formality?

Fair enough. We have a much more generous definition of "working prototype" than you do. Hopefully one day soon we'll have something that clears yours.

[muldvarp]

> Is it so crazy to claim that this can be replicated for C, without encumbering it with ownership considerations that have no relationship to interface formality?

You're not replicating what Rust does, you're replicating what Frama-C does.

Then again, even just replicating what Rust does would be extremely difficult (if not impossible) given the pervasiveness of undefined behavior in C.

> Fair enough. We have a much more generous definition of "working prototype" than you do.

How many useful C programs do you know that require no loops and no binary operators?

[akiarie]

> Xr0 1.0.0 will enable programming in C with no undefined behaviour, but for now it's useful for verifying sections of programs.

Literally on the website. The purpose of the prototype is to show the feasibility of the approach we've taken, not to work on whole programs.