You On AI Field Guide · Provable Correctness The You On AI Field Guide Home
Txt Low Med High
CONCEPT

Provable Correctness

Dijkstra's insistence that a program's correctness should be established by proof — formal reasoning from specification to implementation — not by the accumulated evidence of tests that passed.
Provable correctness is the standard Dijkstra held up against the software industry for fifty years and that the industry spent fifty years finding reasons not to meet. The claim is simple: a program is a formal argument; its correctness is either demonstrable through logical reasoning or it is not; and the accumulation of successful test executions, however voluminous, does not constitute a demonstration. It can at most establish that the program behaves correctly for the tested cases. The untested cases remain, and in principle any one of them might trigger a failure that no tested input revealed. The difference between tested and verified is the difference between evidence and proof, and in domains where failure has consequences — infrastructure, medicine, finance, anything that affects human safety — the difference is not pedantic.
Provable Correctness
Provable Correctness

In The You On AI Field Guide

The background claim is logical, not empirical. Programs accept inputs from effectively infinite spaces. Testing examines a finite subset of those spaces. No finite subset of an infinite space can stand proxy for the whole. This is not a limitation of current testing methodology that better tooling might overcome. It is a fixed property of the relationship between finite observation and universal claim. Dijkstra stated it in the form that has been quoted ever since: "Program testing can be used to show the presence of bugs, but never to show their absence."

The industrial objection to formal verification was always that it was impractical at real-world scale. Programs were too large, too complex, too entangled with messy requirements to submit to the clean lines of mathematical proof. Dijkstra's reply was that the programs were too large and too complex precisely because they had been built without the discipline that would have kept them manageable. Complexity was not a given but a consequence of intellectual laziness — the accumulated result of decisions made by people who could not be bothered to think clearly about what they were building.

Testing Is Not Verification
Testing Is Not Verification

In Dijkstra's own practice, the discipline took the form of program derivation: the program and its correctness proof were constructed simultaneously, so that the finished program was correct by construction rather than by coincidence. The programmer did not write the code and then verify it. She derived the code from its specification through a sequence of formal steps, each of which preserved correctness. The result was a program whose reliability was a property built in from the first line rather than a property tested after the fact.

The AI era has raised the stakes of the distinction by eliminating the verification layer entirely. AI-generated code exists wholly in the domain of evidence. The builder tests. The output passes. She ships. At no point does anyone demonstrate, through formal reasoning, that the code is correct — not because anyone has decided that proof is unnecessary, but because the builder often cannot read the code well enough to construct such a demonstration, and the generating system cannot provide it. The industry's historical preference for tested code over verified code has been amplified into a structural default.

Origin

The intellectual foundations of provable correctness were laid by Hoare's 1969 paper "An Axiomatic Basis for Computer Programming," which introduced the triple notation and the inference rules now known as Hoare logic. Dijkstra's 1975 paper on guarded commands and the predicate transformer semantics extended the framework and tied it more directly to program construction. His 1976 book A Discipline of Programming was the mature statement of the methodology.

Formal verification has continued as a research program and has produced operational tools — the CompCert verified compiler, the seL4 verified microkernel, the Astrée static analyzer that has been used on Airbus flight-control software. But these remain exceptions. The industry's default remains testing, and the gap between default practice and verified practice is where most of the software the world depends on lives.

Key Ideas

Structured Programming
Structured Programming

Testing is induction; verification is deduction. Successful tests generalize from observed cases to unobserved cases; proofs derive conclusions from premises with logical necessity. One can fail; the other cannot.

Correctness should be constructed, not discovered. If the program's correctness is a property to be verified after the fact, the verification is already at a disadvantage; if it is a property built in during construction, every line earns its place by contributing to the proof.

The gap widens with AI generation. When the builder does not understand the implementation, her tests reflect her understanding of the requirements, not her understanding of the code. The tests answer "does it do what I wanted?" but not "does it do what I wanted under conditions I did not think to test?"

Impossibility results are real. The 2026 verification trilemma — that soundness, generality, and tractability cannot be simultaneously achieved for sufficiently complex systems — puts a mathematical ceiling on how much proof is available. But incomplete verification is still more reliable than no verification.

Testing is induction; verification is deduction

Acceptable track records are bets. A program that has worked for all tested inputs has an acceptable track record. Acceptable track records say nothing about untested inputs. Shipping on that basis is not confidence; it is a wager whose payoff is invisible until it fails.

Debates & Critiques

The enduring argument inside the discipline is whether the insistence on provable correctness has ever been practical for the scale at which software is actually built. Partisans of lightweight methods — extensive testing, fuzzing, property-based checking — argue that Dijkstra's standard was aspirational from the beginning and that modern statistical verification captures most of the benefit at a fraction of the cost. Partisans of the Dijkstrian position reply that every decade's "acceptable" becomes the next decade's scandal, and that the question is not whether the standard is practical but what the consequences are of not meeting it.

Related Entries

Adjacent concepts in the You On AI Field Guide
Testing Is Not Verification
Structured Programming
Stepwise Refinement
Hoare Logic
Verification Trilemma

Further Reading

  1. Edsger W. Dijkstra, A Discipline of Programming (Prentice-Hall, 1976)
  2. C.A.R. Hoare, "An Axiomatic Basis for Computer Programming" (Communications of the ACM, October 1969)
  3. Edsger W. Dijkstra, "Guarded Commands, Nondeterminacy and Formal Derivation of Programs" (Communications of the ACM, August 1975)
  4. Xavier Leroy, "Formal Verification of a Realistic Compiler" (Communications of the ACM, July 2009)
  5. Gerwin Klein et al., "seL4: Formal Verification of an OS Kernel" (SOSP, 2009)
Explore more
Browse the full You On AI Field Guide — over 8,500 entries
← Home 0%
CONCEPT Book →