6

Suppose I have a simple program that implements an algorithm (say depth-first search), written in a simple imperative programming language with the standard for loops, recursions, conditional statements and so on. It takes in a well-specified input and has a well-specified output.

Suppose I want to verify that it always produces the correct output for each input. I can treat the program as a mathematical object subject to certain rules of the programming language. I write a formal mathematical proof, assuming the usual axioms of ZFC and first-order logic, to show that this is true.

How would I know that my program definitely works (i.e. for all inputs, output correctly) due to this proof? I do know that in the ZFC axiom system, my program works because it is defined to work (it is deducible formally). However, it seems that the correctness of my program does not require the full machinery of ZFC; its only axioms are the rules of the programming language. Commonly used proof techniques like mathematical induction are founded on axioms in ZFC, but we do not yet know that these hold due only to the rules of the programming language.

Is it possible that my program does not actually work, but it is proven to work in ZFC? If that's the case, why are all algorithms proven in the usual framework of ZFC (assuming all axioms of set theory, and first-order logic)?

EDIT: Can formal verification of programs (with 100% certainty according to specifications of the programming language) be done in ZFC? I am assuming it can be done under weaker axiom systems (e.g. Hoare logic)?

Wakaka
  • 1,353
  • Although this slightly deviates from your question, Hoare logic might be of interest to you. – Stefan Mesken Dec 16 '15 at 09:16
  • @Stefan Thanks, I have indeed read about that. It assumes much less than ZFC and seems to be able to formally verify programs. Unfortunately most algorithms are proven in ZFC and not Hoare logic, which makes me wonder if it is possible that they are actually incorrect. – Wakaka Dec 16 '15 at 09:47
  • It takes a while to prove $2+2=4$ using ZFC, but the proof makes me very confident that it is a fact – Hagen von Eitzen Dec 16 '15 at 13:05
  • I do not understand at all your new final sentence "Can formal verification of programs (with 100% certainty according to specifications of the programming language) be done in ZFC? I am assuming it can be done under weaker axiom systems (e.g. Hoare logic)?" Can you clarify? For example, by Godel's Incompleteness Theorem there will always be a program which can't be verified to never halt, in a given theory, so doesn't that kill this? – Noah Schweber Dec 16 '15 at 22:58
  • Also, why do you think Hoare logic is sufficient? Can you clarify what properties you are verifying, and for what types of programs? – Noah Schweber Dec 16 '15 at 22:59
  • @NoahSchweber When I say formal verification, I do not mean for all programs, but for any program in which a proof is possible and given. In ZFC, even though we have a proof, it might be the case that it uses axioms of set theory that we do not need to assume for proving the correctness of the program. Hoare logic seems to assume a minimal number of axioms for programming languages compared to ZFC. Thus, we can be 100% certain as long as we trust these minimal axioms for programming. In ZFC however, we need to trust a bit more (i.e. that the full machinery of set theory is consistent). – Wakaka Dec 17 '15 at 05:41
  • Most theorems about program halting are not proven in ZFC but informally. And, although practically all correct mathematical proofs can be translated into ZFC, it does not imply that ZFC is necessary. Almost all real-world applications of mathematics (including vastly more than proofs about actual programs) can be justified in foundational systems far weaker than ZFC. So far, we only seem to need a fragment of SOA (2nd-order arithmetic) called ACA. This involves Godel coding, but it is not a big deal to avoid it. – user21820 Jun 16 '22 at 16:30
  • Noah has already answered that if you prove that your program halts on some input, then you should believe that your foundational system S is Σ1-sound in order to believe your proof's conclusion. Totality is similar. If you prove that you program halts on all inputs, then to believe that conclusion you should believe that S is Σ1-sound, because any actual failure of totality means falsity of some Σ1-sentence that S can prove (by substituting the failure instance). My comment was just to emphasize that ZFC is a red herring and listing just Hoare logic and ZFC is a false dichotomy. – user21820 Jun 16 '22 at 16:46

2 Answers2

6

It depends what you mean by "work."

If you just want to show that a program never exhibits some simple behavior - e.g., if you want to show it doesn't halt - then if ZFC proves this fact, it's correct, as long as ZFC is consistent.

If you want to show that a program will at some point exhibit some simple behavior - e.g., if you want to show it will halt - then knowing the correctness of a ZFC-proof requires a bit more than just the assumption that ZFC is consistent - we need to know that it is $\Sigma^0_1$-sound. This is a technical hypothesis much weaker than the assumption "Every arithmetical consequence of ZFC is true" (which we usually assume).

And, of course, Gödel's theorem shows that ZFC won't always be enough, even for the simplest statements - there is a Turing machine $T$ which never halts (assuming ZFC is consistent) but which ZFC can't prove never halts (again, assuming ZFC is consistent).

But these are general problems you'll have with any background theory, not just ZFC. Every result of this type - actually, every result at all - exists in the context of background assumptions. ZFC happens to occupy that sweet spot of (a) being extremely common to assume, (b) reasonably well-understood, and (c) powerful enough to handle almost all "reasonable" problems. (One can try to make stronger arguments for ZFC as opposed to other theories, but that's a problem for another time.) So the answer to why we use ZFC: well, we gotta use something. :)

Hanul Jeon
  • 27,376
Noah Schweber
  • 245,398
  • So does this mean that we can never really know for sure that a program will exhibit a simple behavior (e.g. output 1) based on a proof in ZFC? This is since we do not know for sure that it is consistent or arithmetically sound. On the other hand, isn't it possible to formally verify programs? Does this mean that formal verification cannot possibly be done in ZFC? – Wakaka Dec 16 '15 at 09:43
  • 2
    @Wakaka: if we have a proof in ZFC, that is very good evidence about what will happen. There are many meanings of "certain". In a particular sense, we can never be "certain" of anything, so if that is the sense you mean then, well, we can't be "certain" of anything! But normally we would say that if we have a proof of something in ZFC then we are certain that the something is correct. – Carl Mummert Dec 16 '15 at 12:59
  • @CarlMummert Has there ever been instances where ZFC proves something about an algorithm and it turns out to be untrue when the algorithm is actually run? (Assuming the mechanical procedure of following the rules of the programming language) – Wakaka Dec 16 '15 at 22:06
  • 1
    @Wakaka No, there has not. In order for "it turns out to be untrue when the algorithm is actually run" to make sense, the "it" here has to be a universal (or $\Pi^0_1$) sentence: of the form, "such-and-such simple behavior never happens." If ZFC disproves a true sentence of this form, then ZFC is inconsistent, as I pointed out above. Currently, ZFC is not known to be inconsistent. – Noah Schweber Dec 16 '15 at 22:57
3

Let's look at this from a far more mathematical point of view.

An algorithm is like a theory $T$ in some first-order logic. And you can ask if the theory proves $\varphi$. And this can be checked syntactically or in other ways. And that's fine.

An implementation is like a model of $T$. So now instead of asking if $T$ proves $\varphi$ you are asking if $\varphi$ is true in the model $M$. This turns out to be equivalent to asking if the theory of $M$ proves $\varphi$, and that's important. Because it means we can jump between the two questions about truth and provability.

If your implementation (including compiler and processor and whatnot) is faithful and does not deviate from the algorithm (and this means that you have to ignore, completely, all physical constraints or push them into the algorithm somehow), then the fact that you proved that the algorithm works means that your implementation works.

If your implementation is not faithful then you are asking if the algorithm which was faithfully implemented is equivalent to the algorithm that you wanted to implement. That's a whole other question, and it depends also on your ability to extract the "true algorithm" from your implementation.

Asaf Karagila
  • 393,674
  • Thanks! What I'm asking is if we try to prove the algorithm in the first-order theory of ZFC. Suppose ZFC does prove it (that it outputs correctly according to each input). Then assuming the implementation is faithful, can we be certain that the algorithm will work based only on the axioms of the programming language (and not the full axioms of ZFC)? – Wakaka Dec 16 '15 at 11:19