sign in sign up
<<
Home , Computer science, David Parnas, Formal methods, Richard Hamming, Software development, Software engineer

Teaching

t the ACM Science Conference last Strategic Defense Initiative. William Scherlis is February, Edsger Dijkstra gave an invited talk known for his articulate advocacy of called “On the Cruelty of Really Teaching in . M. H. van Emden is known for Computing Science.” He challenged some of his contributions in programming languages and the basic assumptions on which our curricula philosophical insights into science. Jacques Cohen Aare based and provoked a lot of discussion. The edi- is known for his work with programming languages tors of Comwunications received several recommenda- and programming and is a member of the Edi- tions to publish his talk in these pages. His comments torial Panel of this magazine. brought into the foreground some of the background received the in 1968 and is well known of controversy that surrounds the issue of what be- for his work in communications and . longs in the core of a computer science curriculum. Richard M. Karp received the Turing Award in 1985 To give full airing to the controversy, we invited and is known for his contributions in the design of Dijkstra to engage in a debate with selected col- . is well known for his leagues, each of whom would contribute a short early work in and recent work critique of his position, with Dijkstra himself making in the principles of design. a closing statement. He graciously accepted this offer. I am grateful to these people for participating in We invited people from a variety of specialties, this debate and to Professor Dijkstra for creating the backgrounds, and interpretations to provide their opening. comments. is a noted Peter J Denning who was outspoken in his criticism of the proposed Editor-in-Chief

December 1989 Volume 32 Number 12 Communications of the ACM 1397 Debate

Edsger W. Dijkstra was born in 1930 in Rotterdam, The Netherlands, where he lived until 1948. He studied mathe- matics and theoratical at the University of Leiden, frlom which he gr,aduated in 1958. During that period, in S’eptember 1951. he was introduced to programming in Cambridge, England, and in March, 1952, he was appointed to the Mathematical Centre as The Netherlands’ first profes- sional . In 1959 he earned his Ph.. in Comput- ing Science from the University of Amsterdam. In 1962 he was appointed Full Professor of at the Eindhoven University of . In 1973, while retaining links with the University, he became Fellow of the Blurroughs Corporation, a position he enjoyed until 1984, when he receivecl the Schlumberger Centennial Chair in Computer at the University of Texas at Austin. Dijkstra, recipient of the 1972 ACM Turing Award, is known for early graph-theoretical algorithms, the first imple- mentation of ALGOL. 60, and the first operating com- posed of explicitly synchronized sequential processes. He is also credited with the invention of guarded commands and of predicate transformers as a means for defining , and programming methodology in the broadest sense of the term. His current interests focus on the formal derivation of pro- grams and the streamlining of the mathematical argument. His publications represent only a minor fraction of his writ- ings-he writes, in fact, so much that he cannot afford the use of time-saving devices such as word processors. He owns, however, several fountain pens, three of which are Mont Blancs, for which he mixes his own ink.

ON THE CRUELTY OF REALLY TEACIHINGCOMPUTING SCIENCE

T he underlying assumption of this talk is that com- with the name “common sense,” our past experience is puters represent a rad.ical novelty in our history. The no longer relevant; the become too shallow; first part of this talk will much more precise what and, the metaphors become more misleading 1:han illu- we m’ean in this context by the adjective “radical” and minating. This is the situation that is characteristic of will then supply ample evidence in support of our as- the “radical” novelty. sumption. The second half pursues some of the scien- Coping with radical novelty requires an orthogonal tific and educational consequences of the radical nov- method. One must consider one’s own past, the experi- elty the embody. ences collected, and the habits formed in it as an unfor- The usual way in which we plan today for tomorrow tunate accident of history, and one has to approach the is in yesterday’s vocabulary. We do so because we try radical novelty with a blank , consciously refusing to get away with the use of that we are famil- to try to link history with what is already familiar, iar with and that have acquired their meanings in our because the familiar is hopelessly inadequate. One has, past experience. Of course, the words and the concepts with initially a of split personality, to come to do not quite fit because our future differs from our past, grips with a radical novelty as a dissociated topic in its but then we stretch them a little . It is the most own right. Coming to grips with a radical novelty common way of trying to cope with novelty. Linguists amounts to creating and learning a new foreign lan- are quite familiar with the phenomenon that the mean- guage that cannot be translated into one’s own mother ings of words evolve over time, but also know that this tongue. (Anyone who has learned quantum mechanics is a slow and gradual process. knows what I am talking about.) Needless to say, ad- By means of metaphors and analogies, we try to link justing to radical novelties is not a very popular activity the new to the old, the novel to the familiar. Under for it requires hard work. For the same , the sufficiently slow and gradual change, it works reasona- radical novelties, themselves, are unwelcome. bly wmell; in the case of a sharp discontinuity, however, By now, you may well ask why I have paid so much the method breaks down. Though we may glorify it attention to and have spent so much eloquence on such

1398 Communications of the ACM December 1989 Volume 32 Number 12 Debate a simple and obvious notion as the radical novelty. My and, hence, in the need to learn how to cope with reason is very simple: radical novelties are so disturb- them. It is the prevailing educational practice for which ing that they tend to be suppressed or ignored to the gradual, almost imperceptible, change seems to be the extent that even the possibility of their existence, in exclusive paradigm. How many educational texts are general, is more often denied than admitted. not recommended for their appeal to the student’s intu- On the historical evidence I shall be short. Carl ition! They constantly try to present everything that Friedrich Gauss, the Prince of Mathematicians but also could be an exciting novelty as something as familiar as somewhat of a coward, was certainly aware of the fate possible. They consciously try to link the new material of Galileo-and could probably have predicted the to what is supposed to be the student’s familiar world. calumniation of Einstein-when he decided to suppress It already starts with the teaching of . In- Galileo’s discovery of non-Euclidean , thus stead of teaching z + 3 = 5, the hideous arithmetic leaving it to Bolyai and Lobatchewsky to receive the operator “plus” is carefully disguised by calling it flak. “and,” and the little kids are given lots of familiar ex- It is probably more illuminating to go a little bit fur- ample, first, with clearly visible objects such as apples ther back: to the Middle Ages. One of its characteristics and pears, which are in, in contrast to equally counta- was that “reasoning by ” was rampant; another ble objects such as percentages and electrons, which characteristic was almost total intellectual stagnation, are out. The same, silly tradition is reflected at the and we now see why the two go together. A reason for university level in different introductory mentioning this is to point out that by developing a courses for the future physicist, architect, or keen ear for unwarranted analogies, one can detect a major, each course adorned with examples from the lot of medieval thinking today. respective fields. The educational dogma seems to be The other thing I cannot stress enough is that the that everything is fine as long as the student does not fraction of the population for which gradual change notice that he is learning something really new; more seems to be all but the only paradigm of history is very often than not, the student’s impression is indeed large, probably much larger than one would expect. correct. Certainly, when I started to observe it, their number I consider the failure of an educational practice to turned out to be much larger than I had expected. prepare the next generation for the phenomenon of For instance, the vast majority of the mathematical radical novelties a serious shortcoming. (When King community has never challenged its tacit assumption Ferdinand visited the conservative University of that doing mathematics will remain very much the Cervera, the Rector proudly reassured the monarch same of mental activity it has always been. New with the words: “Far be from us, Sire, the dangerous topics will come, flourish, and go as they have done in novelty of thinking.” Spain’s problems in the century the past, but with the human being what it is, our that followed justify my characterization of the short- ways of teaching, learning, and understanding mathe- coming as “serious.“) This was to show the extent to matics, of , and of mathematical discov- which has adopted the paradigm of gradual ery will remain pretty much the same. Herbert Robbins change. clearly states why he rules out a quantum leap in The of radical novelties is of contemporary mathematical ability: significance because, while we are ill-prepared to cope with them, science and technology have now shown “Nobody is going to run 100 meters in five seconds, themselves expert at inflicting them upon us. Earlier no matter how much is invested in training and ma- scientific examples are the theory of relativity and chines. The same can be said about using the brain. quantum mechanics; later technological examples are The human mind is no different now from what it the atom bomb and the pill. For decades, the former was five thousand years ago. And when it comes to two gave rise to a torrent of religious, philosophical, or, mathematics, you must realize that this is the hu- otherwise, quasi-scientific tracts. We can daily observe man mind at an extreme limit of its capacity.” the profound inadequacy with which the latter two are approached, be it by our statesmen and religious lead- My comment in the margin was “so reduce the use of ers or by the public at large. This illustrates the damage the brain and calculate!” Using Robbins’s own analogy, done to our peace of mind by radical novelties. one could remark that for going from A to B fast, there I raised all this because of my contention that auto- could now exist alternatives to running that are orders matic computers represent a radical novelty, and that of magnitude more effective. Robbins flatly refuses to only by identifying them as such can we identify all the honor any alternative to time-honored brain usage with nonsense, the misconception, and the mythology that the name of “doing mathematics,” thus, exorcizing the surround them. Closer inspection will reveal that it is danger of radical novelty by the simple device of ad- even worse, viz., that automatic computers embody not justing his definitions to his needs. Simply, by defini- only one radical novelty but two of them. tion, mathematics will continue to be what it used to The first radical novelty is a direct consequence of be. Enough said about the mathematicians. the raw power of today’s computing equipment. We all Let me give you just one more example of the wide- know how we cope with something big and complex: spread disbelief in the existence of radical novelties divide and rule, i.e., we view the whole as a composi-

December 1989 Volume 32 Number 12 Communications of the ACM 1399 Debate

turn osfparts and deal with the parts separately. And if It is possible, and even tempting, to view a program a part is too big, we repeat the procedure. The town is as an abstract mechanism, as a device of some sort. To made up from neighborhoods that are structured by do so, however, is highly dangerous. The analogy is too street.s, that contain buildings, that are made from walls shallow because a program is, as a mechanism, totally and floors, that are built from bricks, etc., eventually different from all the familiar analogue devices we down to the elementary particles. And we have all our grew up with. Like all digitally encoded info:rmation, it specia.lists along the line, from the town planner via the has, unavoidably, the uncomfortable property that the architect to the solid physicist, and further. Be- smallest possible perturbations-i.e., changes of a single cause! in a sense, the whole is “bigger” than its parts, bit-can have the most drastic consequences,. (For the the depth of a hierarc:hical decomposition is some sort sake of completeness, I add that the picture is not es- of of the ratio of the “sizes” of the whole and sentially changed by the introduction of redundancy or the ultimate smallest :parts. From a bit to a few error correction.) In the discrete world of computing, hundred megabytes, from a microsecond to half an there is no meaningful metric in which “small” changes hour of computing, it confronts us with the completely and “small” effects go hand in hand, and there never baffling ratio of log! will be. The programmer is in the unique position that his is This second radical novelty shares the usual fate of the only discipline ,and profession in which such a gi- all radical novelties: it is denied because its truth gantic ratio, which totally baffles our imagination, has would be too discomforting. It is hard to estimate the to be bridged by a single technology. He has to be able damage done by this denial, but with million. program- to think in terms of conceptual that are mers in the world, a cost of millions of dollars per day much deeper than a single mind ever needed to face seems a very modest guess. before. Compared to that number of semantic levels, Having described-admittedly in the broadest possi- the average mathematical theory is almost flat. By ble terms-the nature of computing’s novelties, I shall evoking the need for deep conceptual hierarchies, the now provide the evidence that these novelties are, in- automatic computer confronts us with a radically deed, radical. I shall do so by explaining a number of new intellectual challenge that has no precedent in otherwise strange phenomena as frantic-but, as we our history. now know, doomed-efforts at hiding or denying the Aga:in, I have to stress this radical novelty because frighteningly unfamiliar. the true believer in gradual change and incremental A number of these phenomena have been bundled improvements is unable to see it. For him, an automatic under the name “Software .” As ec.onomics computer is something like the familiar cash register, is known as “The Miserable Science,” software engi- only somewhat bigger, faster, and more flexible. But neering should be known as “The Doomed Discipline”: the analogy is ridiculously shallow. It is orders of mag- doomed because it cannot even approach its goal since nitude worse than comparing, as a means of transporta- its goal is self-contradictory. , of tion, the supersonic jet plane with a crawling baby, for course, presents itself as another worthy cause, but that that speed ratio is only a thousand. is eyewash. If you carefully read its literature and ana- The second radical novelty is that the automatic lyze what its devotees actually do, you will d.L:cover compu.ter is our first large-scale digital device. We had that software engineering has accepted as its c:harter, a few with a noticeable discrete component. I just men- “How to program if you cannot.” tioned the cash register and can add the typewriter, The popularity of its name is enough to ma.ke it sus- with its individual keys. With a single stroke you can pect. In what we denote as “primitive societies,” the type either a Q or a W but, though their keys are next superstition that knowing someone’s true name gives to each other, not a mixture of those two letters. But you magic power over him is not unusual. We are such mechanisms are the exception, and the vast ma- hardly primitive. Why do we persist here in an- jority of our mechanisms are viewed as analogue de- swering the telephone with the most unhelpful “hello” vices whose behavior is, over a large range, a continu- instead of our name? Nor are we above the equally ous of all parameters involved. If we press the primitive superstition that we can gain some control point of the pencil a little bit harder, we get a slightly over some unknown, malicious demon by cal.ling it by thicker line; if the violinist slightly misplaces his finger, a safe, familiar, and innocent name, such as “engineer- he plays slightly out of tune. To this I should add that, ing.” But it is totally symbolic, as one of the [J.S. com- to the extent that we view ourselves as mechanisms, puter manufacturers proved a few years ago when it we view ourselves, primarily, as analogue devices. If hired, one night, hundreds of new “software Iengineers” we push a little harder we expect to do a little better. via the simple device of elevating all its to Very often, the behavior is not only a continuous but that exalted rank. So much for that term. even a monotonic function. To test whether a hammer The practice is pervaded by the reassuring illusion suits us over a certain range of nails, we try it out on that programs are just devices like any others, the only the smallest and largest nails of the range, and if the difference admitted being that their manufacture might outcomes of those two experiments are positive, we are require a new type of craftsmen, viz., programmers. perfectly willing to believe that the hammer will suit From there, it is only a small step to measuring us for all nails in between. “programmer productivity” in terms of “number of lines

Communications of the ACM December 1989 Volume 32 .Vumber 12 Debate of produced per month.” This is a very costly the above. The educational consequences are, of measuring unit because it encourages the writing of course, the hairier ones, so let us postpone their discus- insipid code, but, today, I am less interested in how sion and stay for a while with computing science itself. foolish a unit it is from even a pure business point of What is computing? And what is a science of comput- view. My point, today, is that if we wish to count lines ing about? of code, we should not regard them as “lines produced” Well, when all is said and done, the only thing com- but as “lines spent.” The current conventional wisdom puters can do for us is to manipulate symbols and pro- is so foolish as to book that count on the wrong side of duce results of such manipulations. From our previous the ledger. observations, we should recall that this is a discrete Besides the notion of productivity, quality control world and, moreover, that both the number of symbols continues to be distorted by the reassuring illusion that involved and the amount of manipulation performed is what works with other devices works with programs as many orders of magnitude larger than we can envisage. well. It is now two decades since it was pointed out They totally baffle our imagination, and we must, that program testing may convincingly demonstrate the therefore, not try to imagine them. But before a com- presence of bugs but can never demonstrate their ab- puter is ready to perform a class of meaningful manipu- sence. After quoting this well-publicized remark de- lations-or calculations, if you prefer-we must write a voutly, the returns to the order of the program. day and continues to refine his testing strategies, just like the alchemist of yore who continued to refine his chrysocosmic purifications. Unfathomed misunderstanding is further revealed by By evoking the need for deep conceptual hier- the term “,” of which many peo- archies, the automatic computer confronts us ple continue to believe that programs-and even pro- with a radically new intellectual challenge that gramming languages themselves-are subject to wear has no precedent in our history. and tear. Your car needs maintenance too, does it not? Famous is the story of the oil company that believed that its Pascal programs did not last as long as its programs “because Pascal was not main- What is a program? Several answers are possible. tained.” We can view the program as what turns the general- In the same vein, I must draw attention to the aston- purpose computer into a special-purpose symbol ma- ishing readiness with which the suggestion has been nipulator, and it does so without the need to change a accepted that the pains of software production are single wire. (This was an enormous improvement over largely due to a lack of appropriate “programming machines with problem-dependent wiring panels.) I tools.” (The telling “programmer’s workbench” was prefer to describe it the other way round. The program soon to follow.) Again, the shallowness of the underly- is an abstract symbol manipulator which can be turned ing analogy is worthy of the Middle Ages. Confronta- into a concrete one by supplying a computer to it. After tions with insipid “tools” of the “-animation” all, it is no longer the purpose of programs to instruct variety has not mellowed my judgement; on the con- our machines; these days, it is the purpose of machines trary, it has confirmed my initial suspicion that we are to execute our programs. primarily dealing with yet another dimension of the So, we have to design abstract symbol manipulators. snake-oil business. We all know what they look like. They look like pro- Finally, to correct the possible impression that the grams or-to use somewhat more general terminol- inability to face radical novelty is confined to the in- ogy-usually rather elaborate formulae from some for- dustrial world, let me offer you an explanation of the mal system. It really helps to view a program as a continuing popularity of artificial intelligence. You . First, it puts the programmer’s task in the would expect people to feel threatened by the “giant proper perspective: he has to derive that formula. Sec- or machines that think.” In fact, the frightening ond, it explains why the world of mathematics all but computer becomes less frightening if it is used only to ignored the programming challenge: programs were so simulate a familiar noncomputer. I am sure that this much longer formulae than it was used to that it did explanation will remain controversial for quite some not even recognize them as such. Now back to the time for artificial intelligence, as a mimicking of the programmer’s job. He has to derive that formula; he has human mind, prefers to view itself as being at the front to derive that program. We know of only one reliable line, whereas my explanation relegates it to the rear- way of doing that, viz., by means of symbol manipula- guard. (The effort of using machines to mimic the hu- tion. And now the circle is closed. We construct our man mind has always struck me as rather silly. I would mechanical symbol manipulators by means of human rather use them to mimic something better.) symbol manipulation. So much for the evidence that the computer’s novel- Hence, computing science is-and will always be- ties are, indeed, radical. concerned with the interplay between mechanized and And now comes the second-and hardest-part of human symbol manipulation usually referred to as my talk: the scientific and educational consequences of “computing” and “programming,” respectively. An im-

December 1989 Volume 32 Number 12 Communications of the ACM 1401 Debate

medi.ate benefit of this insight is that it reveals “auto- the role of the university is the stress on training its matic programming” as a contradiction in terms. A fur- graduates for today’s entry-level jobs or on providing its ther benefit is that it gives us a clear indication where alumni with the intellectual baggage and attitudes that to locate computing science on the world map of - will last them another fifty years? Do we grudgingly lectual disciplines: in the direction of formal mathemat- grant the abstract sciences only a far-away corner on ics and applied logic, but, ultimately, far beyond where campus, or do we recognize them as the indispensable those are now for computing science is interested in motor of the high-technology industry? Even if we do effective use of formal methods and on a much, much the latter, do we recognize a high-technology industry larger scale than we have witnessed so far. Because, as such if its technology primarily belongs tO formal these days, no computing endeavor is respectable with- mathematics? Do the universities provide for society out an acronym, I propose that we adopt for computing the intellectual leadership it needs or only the training science VLSAL (Very Large Scale Application of Logic), it asks for? and, to be on the safe side, we had better follow the Traditional academic rhetoric is perfectly willing to shining examples of our leaders and make a trademark give to these questions the reassuring answers, but I do of it. not believe them. By way of illustration of my doubts, In the long run, I expect computing science to tran- in a recent article on “Who Rules Canada?,” David H. scend its parent disciplines, mathematics and logic, by Flaherty bluntly states: effectively realizing a significant part of Leibniz’s “Moreover, the business elite dismisses traditional Dream of providing symbolic calculation as an alterna- academics and intellectuals as largely irrelevant and tive IO human reasoning. (Please note the difference powerless.” between “mimicking” and “providing an alternative to.” Alternatives are allowed to be better.) So, if I look into my foggy crystal ball at the future of Needless to say, this vision of what computing sci- computing science education, I overwhelmingly see the ence is about is not umiversally applauded. On the con- depressing picture of “business as usual.” The universi- trary, it has met widespread-and sometimes even vio- ties will continue to lack the courage to teach hard lent--opposition from all sorts of directions. I mention science; they will continue to misguide the students, as examples and each next stage of infantilization of the curriculum will be hailed as educational progress. 0. the mathematical guild, which would rather con- I now have had my foggy crystal ball for quite a long tinue to believe that the Dream of Leibniz is an un- time. Its predictions are invariably gloomy and usually realistic illusion correct. However, I am quite used to that, and they will 1. the business co:mmunity, which, having been sold not keep me from giving you a few suggesti’ons, even if the idea that computers would make life easier, is it is merely an exercise in futility whose only effect is mentally unprepared to accept that they only solve to make you feel guilty. the easier problems at the price of creating much We could, for instance, begin with cleaning up our harder ones language by no longer calling a bug “a bug” but by 2. the subculture of the compulsive programmer, calling it an error. It is much more honest because it wbose ethics prescribe that one silly idea and a squarely puts the blame where it belongs, viz., with the month of frantic coding should suffice to make him a programmer who made the error. The anim.istic meta- life-long millionaire phor of the bug that maliciously sneaked in while the 3. , which would rather continue programmer was not looking is intellectually dishonest to act as if it is all only a matter of higher bit rates as it is a disguise that the error is the programmer’s and more flops pe.r second own creation. The nice thing of this simple change of 4. the military, which is now totally absorbed in the vocabulary is that it has such a profound effect. While, business of using computers to mutate billion-dollar before, a program with only one bug used to be “almost budgets into the illusion of automatic safety correct,” afterwards a program with an error is just 5. all soft sciences for which computing now acts as “wrong” (because in error). some sort of interdisciplinary haven My next linguistical suggestion is more rigorous. It is 6. the educational business that feels that if it has to to fight the “if-this-guy-wants-to-talk-to-that-guy” syn- teach formal math.ematics to CS students, it may as drome. Never refer to parts of programs or pieces of well close its schools. equipment in an anthropomorphic terminal.ogy, nor al- And, with this last example, I have reached, imper- low your students to do so. This linguistical improve- ceptibly but alas unavoidably, the most hairy part of ment is much harder to implement than you might this talk: educational consequences. think, and your department might consider the intro- The problem with educational policy is that it is duction of fines for violations, say a quarter for under- hard1.y influenced by scientific considerations derived graduates, two quarters for graduate students, and five from the topics taught and is almost entirely deter- dollars for faculty members; by the end of the first mined by extra-scientific circumstances such as the semester of the new regime, you will have collected combined expectations of the students, their parents, enough money for two scholarships. and their future employers, and the prevailing view of The reason for this last suggestion is that the anthro-

1402 Communications of the ACM December 1989 Volume 32 Number 12 pomorphic metaphor-for whose introduction we can hence, no placement of dominos yields figure Q. blame -is an enormous handicap Not only is the above simple argument many orders for every computing community that has adopted it. I of magnitude shorter than the exhaustive investigation have now encountered programs wanting things, know- of the possible placements of 31 dominos, it is also es- ing things, expecting things, believing things, etc., and sentially more powerful for it covers the generalization each time that gave rise to avoidable confusions. The of Q by replacing the original 8 by 8 with any analogy that underlies this personification is so shallow rectangle with sides of even length. The number of that it is not only misleading but also paralyzing. such rectangles being infinite, the former method of It is misleading in the sense that it suggests that we exhaustive exploration is essentially inadequate for can adequately cope with the unfamiliar discrete in proving our generalized theorem. terms of the familiar continuous, i.e., ourselves, quod non. It is paralyzing in the sense that because persons And this concludes my example. It has been pre- exist and act in time, its adoption effectively prevents a sented because it illustrates, in a nutshell, the power of departure from and, thus, forces down-to-earth mathematics; needless to say, refusal to people to think about programs in terms of computa- exploit this power of down-to-earth mathematics tional behaviors, based on an underlying computational amounts to intellectual and technological suicide. The model. This is bad because operational reasoning is a moral of the story is: deal with all elements of a by tremendous waste of mental effort. ignoring them and working with the set’s definition.

Back to programming, the statement that a given pro- When all is said and done, the only thing com- gram meets a certain specification amounts to a state- puters can do for us is to manipulate symbols ment about all that could take place un- der control of that given program. And since this set of and produce results of such manipulations. computations is defined by the given program, our re- cent moral says: deal with all computations possible Let me explain to you the nature of that tremendous under control of a given program by ignoring them and working with the program. We must learn to work with waste, and allow me to try to convince you that the term “tremendous waste of mental effort” is not an ex- program texts while (temporarily) ignoring that they aggeration. For a short while I shall get highly techni- admit the interpretation of executable code. cal, but do not get frightened. It is the type of mathe- Another way of saying the same thing is the follow- matics that one can do with one’s hands in one’s ing one. A , with its formal syn- pockets. The point to get across is that if we have to tax and with the proof rules that define its semantics, is demonstrate something about all the elements of a large a for which program execution provides set, it is hopelessly inefficient to deal with all the ele- only a model. It is well-known that formal ments of the set individually. The efficient argument should be dealt with in their own right and not in does not refer to individual elements at all and is car- terms of a specific model. And, again, the corollary is ried out in terms of the set’s definition. that we should reason about programs without even Consider the plane figure Q, defined as the 8 by 8 mentioning their possible “behaviors.” square from which, at two opposite corners, two 1 by 1 squares have been removed. The area of Q is 62, which And this concludes my technical excursion into the equals the combined area of 31 dominos of 1 by 2. reason why operational reasoning about programming The theorem is that the figure Q cannot be covered is “a tremendous waste of mental effort” and why, by 31 such dominos. therefore, in computing science the anthropomorphic Another way of stating the theorem is that if you metaphor should be banned. Not everybody under- start with squared paper and begin covering this by stands this sufficiently well. placing each next domino on two new adjacent squares, no placement of 31 dominos will the I was recently exposed to a demonstration of what figure Q. was pretended to be educational software for an intro- So, a possible way of proving the theorem is by gen- ductory programming course. With its “visualizations” erating all possible placements of dominos and verify- on the screen, it was such an obvious case of curricu- ing for each placement that it does not yield the figure lum infantilization that its author should be cited for Q: a tremendously laborious job. “contempt of the student body,” but this was only a The simple argument, however, is as follows. Color minor offense compared with what the visualizations the squares of the squared paper as on a board. were used for. They were used to display all sorts of Each domino, covering two adjacent squares, covers features of computations evolving under control of the 1 white and 1 black square, and, hence, each place- student’s program! The system highlighted precisely ment covers as many white squares as it covers black what the student has to learn to ignore; it reinforced squares. In the figure Q, however, the number of white precisely what the student has to unlearn. Since break- squares and the number of black squares differ by 2- ing out of bad habits, rather than acquiring new ones, is opposite corners lying on the same diagonal-and, the toughest part of learning, we must expect from that

December 1989 Volume 32 Number 12 Communications of the ACM 1403 Debate

system permanent mental damage for most students ex- who, being unable to accept it, are forced to invent a posed to it. quick reason for dismissing it, no matter how invalid. Needless to say, that system completely hid the fact I will give you a few quick . that, all by itself, a program is no more than half a conjecture. The other half of the conjecture is the func- You do not need to take my proposal seriously be- tional. specification the program is supposed to satisfy. cause it is so ridiculous that I am obviously cc’mpletely The programmer’s task is to present such complete con- out of touch with the real world. But that ki-te will not jectures as proven theorems. fly for I know the real world only too well. The prob- lems of the real world are primarily those you are left Before we part, I would like to invite you to consider with when you refuse to apply their effective solutions. the following way of doing justice to computing’s radi- So, let us try again. cal novelty in an introductory programming course. You do not need to take my proposal seriously be- On the one hand, we teach what looks like the predi- cause it is utterly unrealistic to try to teach such mate- cate calculus, hut we do it very differently from the rial to college freshmen. Would not that be an easy way philosophers. In order to train the novice programmer out? You just postulate that this would be far too diffi- in the manipulation of uninterpreted formulae, we cult. But that kite will not fly either for the postulate teach it more as boolean , familiarizing the has been proven wrong. Since the early 80s, such an student with all alg,ebraic properties of the logical introductory programming course has succes.sfully been connectives. To further sever the links to intuition, we given to hundreds of college freshmen each year. (Be- rename the values (true, false) of the boolean domain cause, in my experience, saying this once does not suf- as (black, white). fice, the previous sentence should be repeated at least On the other hand, we teach a simple, clean, impera- another two times.) So, let us try again. tive programming language, with a skip and a multiple Reluctantly admitting that it could, perhaps, be assignment as basic statements, with a block taught to sufficiently docile students, yet you reject my for local variables, the semicolon as operator for state- proposal because such a course would deviate so much ment composition, a nice alternative construct, a nice from what 18-year-old students are used to and expect repetition, and, if so desired, a procedure call. To this, that inflicting it upon them would he an act of educa- we add a minimum of types, say booleans, inte- tional irresponsibility. It would only frustrate the stu- gers, characters, and strings. The essential thing is that dents. Needless to say, that kite will not fly either. It is for whatever we inlroduce, the corresponding seman- true that the student that has never manipulated unin- tics ar’e defined by i.he proof rules that go with it. terpreted formulae quickly realizes that he is con- fronted with something totally unlike anything he has ever seen before. But fortunately, the rules of manipu- If I look into my fo#ggy crystal ball at the future lation are, in this case, so few and simple that very soon, thereafter, he makes the exciting discovery that of computing science education, I overwkelm- he is beginning to master the use of a tool that, in all its ingl:y see the depmsing picture of “business simplicity, gives him a power that far surpasses his as mual .‘I wildest dreams. Teaching to unsuspecting youngsters the effective use of formal methods is one of the joys of life because it is Right from the beginning and all through the course, so extremely rewarding. Within a few months: they we stress that the programmer’s task is not just to write find their way in a new world with a justified degree of down a program, but that his main task is to give a confidence that is radically novel for them; within a formal proof that the program he proposes meets the few months, their concept of intellectual cuhure has equally formal . While designing acquired a radically novel dimension. To my taste and proofs and programs; hand in hand, the student gets style that is what education is about. Universities ample opportunity to perfect his manipulative agility should not be afraid of teaching radical novelties; on with the predicate calculus. Finally, in order to drive the contrary, it is their calling to welcome the opportu- home the message that this introductory programming nity to do so. Their willingness to do so is ou:r main course is primarily a course in formal mathematics, we safeguard against dictatorships, be they of the lproletar- see to it that the programming language in question has iat, of the scientific establishment, or of the corporate nof been implemented on campus so that students are elite. protected from the temptation to test their programs. And this concludes the sketch of my proposal for an Edsger W. Dijkstra introductory programming course for freshmen. Dept. of Computer Sciences This is a serious proposal and utterly sensible. Its The University of Texas only disadvantage is that it is too radical for many, Austin, TX 78712-1188

1404 Communications of the ACA4 December 1989 Volume 32 Number 12 Debate

Colleagues Respond to Dijkstra’s Comments

There is much in Dijkstra’s statement with which I can would wonder why comments such as Dijkstra’s need agree. Since agreement results in dull commentary, I to be made. They need to be made because the major- shall focus on his vigorous dismissal of the term “soft- ity of those in our profession do not have the benefit of ware engineering” and his denunciation of software an . testing. I am just as critical of much of the work done at Most introductory engineering texts define an engi- software engineering institutes and presented at soft- neer as one who uses science and mathematics to pro- ware engineering conferences as Dijkstra. Most of US duce useful products. That definition clearly allows who use the term “software engineering” do so, not programmers to be considered , but profes- because we think that programming is currently an en- sional societies and/or government licensing agencies gineering profession, but because we think it should add educational and may require an ex- become one. The ability to use formal methods to de- amination before one is permitted to use the rive and validate designs is one of the essential charac- “Professional Engineer.” In fact, there is much better teristics of an engineer. However, an engineering edu- control of the word “engineer” than of the word “math- cation also teaches students to understand the limits of ematician.” Just as some physicists claim to be mathe- mathematical methods. We were taught methods of maticians, other people use the word “engineer” quite dealing with problems where exact mathematical loosely. The fact that some people write poor papers models were intractable. More important, we were and textbooks under the title “software engineering” taught the importance of testing to (a) provide a check does not justify abandonment of the hope that, some on our and (b) verify that our day, programs will be produced by properly educated was an adequate model of the ac- professional engineers. tual devices with which we worked. Anyone can err Those with training in mathematics or one of the when using mathematics, and it is not uncommon to physical sciences often have the impression that engi- find that devices have characteristics that were not re- neering involves the use of sloppy, heuristic methods flected in our mathematical models. and undefined notations. Nothing could be further from The situation is no different in software engineering. the truth! Good engineering programs emphasize the Errors in formal proofs are not uncommon. Further, the use of formal methods in exactly the way suggested by computers and programs that we must use may not Dijkstra. have the characteristics implied by the mathematical My own engineering education included more axioms that we use. Testing can reveal both of those courses in the Mathematics Department (taken side-by- problems. While careful review can reveal mathemati- side with mathematics students) than courses offered cal errors, only testing can reveal the failure of a com- by the Department. Further, ponent, software or hardware, to conform to a mathe- each of the engineering courses emphasised the use of matical model. mathematical methods for design and design verifica- It is certainly true that, in most practical circum- tion. In exams and homework, we were often deliber- stances, testing cannot show the absence of errors; ately given the opportunity to apply formulae in situa- however, properly designed statistical testing can pro- tions where they were not applicable; in this way, we vide about the of an error re- were taught to appreciate the importance of under- maining in the code or the probability of a failure oc- standing the derivation of all and being cer- curring in use. In the imperfect world in which we live tain that the assumptions made in the derivation were such data can be very important. valid for the case at hand. We were taught to under- There is no engineering profession in which testing stand mathematics, its development, and its use in and mathematical validation are viewed as alternatives. solving engineering problems. Great emphasis was It is universally accepted that they are complementary placed on the use of mathematics to define precisely and that both are required. what we were trying to achieve with a particular de- Dijkstra states that the “computer confronts us with a sign and its further use to confirm that our design met radical new intellectual challenge that has no prece- those requirements. dent in our history.” He bases this on two factors: (1) Our engineering instructors repeatedly showed us the sensitivity of program behavior to minor changes the folly of using anthropomorphic analogies. No engi- and (2) the drastic increase in the “size” of the prob- neer talks about “how much the electrons want to get lems. The first of these is not confined to digital tech- to the other side of a capacitor.” Instead, he uses math- nologies and it may be possible, in time, to overcome ematical models to determine the intensity of at the second. The sensitivity to minor changes can also all points between the capacitor’s plates, to look for be present in older where resonance can points of maximum field intensity, etc. lead to very steep gradients when frequency is varied. Those who graduated from such programs were sol- Such resonances can cause unexpected structural col- idly grounded in the use of formal methods. They lapse or component “burnout.” Dijkstra has led the way

December 1989 Volume 32 Number 12 Communications of the ACM 1405 Debate

in showing us how to master drastic increase in com- More significantly, I am troubled by the suggestion of plexity by application of a divide-and-conquer ap- the first recommendation that certain mode:: aofthink- proach. That approach has been used with great suc- ing be avoided in problem solving. A successful prob- cess in other engin.eering disciplines. lem solver will have a broad array of means at hand to Those who are participating in a major upheaval in tackle problems (many of which are enumerated by society rarely have the perspective to judge its histori- Polya in his books) together with the maturity to make cal importance. Only the passage of time will reveal choices of which means are appropriate to circum- whet her we need a radical new way of thinking or just stances. For the programmer, one of the means avail- a return to the more careful and disciplined approaches able is the use of informal operational intuition. Of used by good engineers in the past. course, this does not excuse failures to think. intension- David L. Pumas ally when appropriate (as in the case of the cbecker- Queen’s University board example, which, indeed, is often used in AI Kingston, Ontario K71 3N6 Canada If we are to have a high level of confidence in the software systems we develop, then fbrmal Dijkstra recommends two principal actions concerning methods will have a central role in their devel- computer science education which are (1) that impera- tive and anthropomorphic thinking be eschewed by all opment, and our teaching of programming programmers and (2) 1hat formal methods, specifically should support this view from the start. those based on languages with semantics grounded in first-order predicate logic, be the basis for introductory programming courses. To moti- courses, too, for the same purpose). It also does not vate these recommendations, he makes several excuse failure to come to grips with under1yin.g compu- observations about the nature of computing and soft- tational models, as in parallel systems. Even visualiza- ware which I summarize roughly as follows: tion has a role-mathematicians make use of visualiza- tion, for example, in the illustration of solutions for 1. computing is a “radical novelty” due to the immense fluid flow equations. scaling range it encompasses and due to its discon- But, let us set aside Dijkstra’s recommendations for tinuous nature; radical novelties, like great trage- the moment and consider his motivating observations, die.s, tend to be denied. an analysis of which suggests to me that bolder recom- 2. software engineering as a worthy cause is eyewash, mendations are called for. and the very notion of a “” is cor- Concerning the first observation: I agree with Dijkstra rupt. that, while large scaling ranges and discontinuous be- 3. computer science concerns the interplay of symbol havior do exist in other human-engineered systems, ma:nipulation activity by human and by machine. few have the uniformity of structure over a broad range The extensive and forceful arguments Dijkstra makes of scale that exists in computing technology. I do take in support of these findings are very interesting and exception, however, to Dijkstra’s implication that soft- bear examination. I was surprised that after developing ware systems are unremittingly discontinuous and these arguments, the overall thrust of Dijkstra’s conclu- should be managed as such. While this staternent is sion was so benign: obviously true in principle, designers of large s,ystems (such as a application environment) delib- If we are to have a high level of confidence in the erately seek a kind of continuity property at -the higher software systems we develop, then formal methods levels of scale. The idea is to lower risks for both cus- will have a central role in their development, and tomers and developers by making it possible to obtain our teaching of programming should support this incremental improvments in capability for incremental view from the start. investments. This amounts to a notion of “coarse conti- While I agree with the overall thrust of Dijkstra’s nuity,” which has been well approximated in many conclu:sion, I do not fully concur with the particulars of clever software engineering designs (such as and Dijkstra’s recommendation. There are, of course, nits to GNU Emacs). Of course, the appearance of continuity at pick. For example, if scaling is one of the two “radical one level of may, in fact, be obtai:ned only novelties” in computing, why propose teaching the use through gross redesign of a subcomponent. There is, of a programming language that does not provide the nonetheless, a kind of continuity at the higher level principal linguistic means for scaling up-namely, com- of abstraction. “Software maintenance” is, thus, the posite data types, date abstraction mechanisms, and (attempted) incremental adaptation of large systems in other means to explicitly represent system interfaces response to small changes in requirements folr which and abstraction boundaries. Edinburgh ML demon- this “coarse continuity” property holds. strates how very simple these language can Concerning Dijkstra’s second observation: most large be. Also, if operational thinking is to be eschewed, why software problems involve complexity and detail that insist on an imperative programming language? exceeds the capacity of one person to develop solutions.

1406 Communications of the ACM December 1989 Volume 32 Number 12 Debate

In these cases, major decisions must be made under mal methods to larger systems. Specifications and docu- circumstances where all the details cannot be pre- mentation can involve formal and informal compo- sented to all parties involved since there are too many nents. Formal methods can, thus, be used to establish details. The numbers of people involved and the lack of certain key properties while informal (and less reliable) perfect knowledge create the software engineering means are used to increase confidence with respect to challenges of estimation of costs and risks, the imple- other system properties. The effect is of proving small mentation of procedures to enable management of the theorems about large systems rather than large theo- process, the development of automation to assist, the rems about (inevitably) small systems. This “scalable” need to design systems that can be readily adapted, and approach has the advantage of drastically moderating so on. Basic automation support can include object adoption risks for software managers. management, version and , The final conclusion concerns education. In many process and administrative support, and consistency curricula, as Dijkstra has noted, we are already teach- support for both formal and informal documentation. ing formal methods at the earliest levels. My experi- These needs are real, even if many products are indeed ence is that the principal difficulties in teaching formal “snake oil.” methods do not have to do with symbol manipulation Concerning the third observation: one of the greatest skills, but rather, with formalization issues-represent- difficulties in is formalization- ing symbolically and providing structure for actual capturing in symbolic representation a worldly compu- computational problems from the world-and with tational problem so that the statements obtained by fol- metatheoretic issues-understanding, from example, lowing rules of symbol manipulation are useful state- what sorts of assurance can be provided by proofs in a ments once translated back into the language of the given formal deductive system. It is even more chal- world. The formalization problem is the essence of re- lenging to create an appreciation for the extent of the quirements engineering, an area left largely untouched scaling range of computing (as Dijkstra has noted) along in Dijkstra’s position statement. Concerning symbol with techniques for addressing scaling problems, manipulation, at the level both of specific problem do- particularly abstraction mechanisms for programs mains and of programming itself, it is important to have and specifications. fluidity in shifting various aspects of the symbol manip- W.L. Scherlis ulation task between humans and machine and to have Carnegie Mellon University linguistic means to organize large problems to facilitate Dept. of Computer Science this. Pittsburgh, PA 15213-3890 More can be said about Dijkstra’s observations and scherlis@vax..mil the arguments supporting them, but the above remarks are enough, I believe, to suggest a set of conclusions concerning formal methods that more effectively ad- I agree that the proposed program derivation course is dresses Dijkstra’s observations, particularly concerning more valuable than the other courses in a typical com- the “radical novelties” of scaling and non-continuity. puter science curriculum. In the following, I explain My first conclusion is that we should distinguish the that such a course should not be taught purely as exer- necessary qualities of the result of the programming cises in symbol manipulation and that the ability to process from the means by which the results are ob- derive a program from a formal derivation only solves a tained. The software practitioner should be able to minor part of the problems we are having with soft- bring all intellectual and mechanical tools to bear on ware. devising a as long as certain con- People who know neither programming nor mathe- straints concerning the structure and presentation of matics (i.e., almost everyone) take for granted that pro- the result are satisfied. The “theorem” Dijkstra refers to gramming is like mathematics. Yet, it turns out that is, thus, really part of a larger result, which is more English majors are as likely to be as successful at pro- likely a documentation record that links together im- gramming as mathematics graduates are. In practice, plementation, specification, design and interface deci- the worlds of mathematics and programming are just sions, informal rationale, and formal proof, all in their about disjoint. Dijkstra argues that this should not be several versions and configurations. The intent is that the case, that mathematics is a formal game of symbol this documentation-record supports adaptation, reuse manipulation and that programming should become (of appropriate assets), and analysis by capturing infor- one. I must confess that the role of symbol manipula- mation ordinarily lost (or, worse, never present) during tion in mathematics has me thoroughly confused. conventional software development, including the On the one hand, it is clear that symbolism is ex- means, formal and informal, by which confidence is tremely powerful in a positive way. To see that, try to raised concerning consistency of specification and do something simple, say long division, in English. The . most powerful, single experience I had in my university The second conclusion is that an appropriate means education was getting a grip on ghostly things like grav- must be found to incorporate formal-methods tech- itational or electromagnetic fields with using niques into software engineering practice and tools in div, grad, , and, possibly, other operators long for- order to provide a “scalable” approach to applying for- gotten.

December 1989 Volume 32 Number 12 Communications of the ACM 1407 Debate

On the other hand, what makes all this so appealing also like to teach students that it is necessary to run the is that there is an :intuition behind it. Axiomatization programs, not to the programs, but to debug the and formalization, by themselves, do not make a theory specifications. But, perhaps, that should be another, into mathematics; they only mark its maturity. To be later course so that the program derivation course can mathematics, the theory has to be significant, to appeal be kept pure. to the intuition. The experts do not agree: one mathe- matician may denounce another’s paper as empty for- M. H. van Emden malbm, devoid of mathematical content. This sounds Dept. of Computer Science fuzzy, and it is. Hilbert is famous for viewing mathematics as a game Victoria, B.C. with symbols, devoid of meaning. What he must have V8W 2Y2 Canada meant (and probably also said) is that the meaning is irrelevant to the validity of a formal argument. But to make the formal game worth playing, it better have The early papers of Dijkstra are gems polished by the meaning. Even games have meaning, at least the ones, hand of an expert lapidary. I first became ac:quainted like chess, that get played. It is easy to make up a with his work in the early 1960s. He had then pub- system that formally is a two-person game. It is hard to lished a paper on a stack machine model for the inter- make it such that people will want to play it. Successful pretation of Algol 60: a landmark in the desjgn and games have a meanin.g to their players. implementation of block-structured languages. Follow- Wh.y am I saying all this? I think the course described ing that work, there were two major contributions by by Dijkstra, where students derive programs from logic Dijkstra which appeared in Communications. A short ar- specifications into an unimplemented language, is a ticle (“Go-To’s ”) gave us ample great idea. However, it will only work if the symbols food for thought about writing readable progr,ams. The manilpulated have meaning for the players. And I do third, a concise article on synchronization of parallel not see where that meaning can come from other than processes, introduced the concept of semaphores and having messed around with programs that run or fail paved the way for the current work on programming to. But, perhaps that should be another, earlier course parallel computers. so that the program derivation course can be kept pure. These early articles and papers have made an im- I agree with Dijkstra that great improvements can be plicit revolution in computer science. The statement made by using a and by proving appearing in this issue explicitly advocates a revolution that the program conforms to it. Should such proofs be and, in my view, presents a somber, often sarcastic formal, i.e., valid deductions in a sound formal system? view of our field; it offers disappointingly few construc- I suggest not to wait till this is technically possible for tive suggestions. interesting programs. The analogy with mathematics is First, let me attempt to summarize Dijkstra’s state- valid: theorems worth believing are not believed be- ment to bring out its true purpose (without i-he embel- cause of formal proofs which probably do not even lishments and inconsistencies of the author). ‘The scien- exist. Because this is the current state of affairs, it does tific community is unprepared to understand the “radi- not follow that things will always be this way. It may cal novelty” brought up by computers because of (1) the be that the enterprise started with Automath ultimately sheer speed of these machines and their vast range of continues to success. If so, formal derivations of inter- computing and storing power and (2) the fact’that they esting programs will also be possible. In this way, pro- are digital, which implies that a minuscule change in a gramming may become like mathematics, even though program may elicit the most unexpected of responses. it is different from both programming and from mathe- Remedy: (1) teach the new generation of scientists one matics in their present form. way of dealing with this problem and (2) choose the Suppose we reach the stage of always formally speci- simplest (imperative) language and use logic (predicate fying our programs and proving them correct. Then we calculus) to ascertain that a program really works for will only have eliminated the minor part of the prob- all its intended data. Dijkstra presented this message in lems we are having with software. The big problem is detail in the book A Discipline of Programmin,g which that it is hard to say precisely what we want. It is hard provides convincing arguments for this approach. to do so in C; it is not as hard to do so in predicate My initial comments about the statement have to do calctdus, but it is still hard. with inconsistencies. For example, is re- The reason why it is so hard to say what we want is ferred to as “the miserable science”; yet, the author that we do not really know what we want (at least not proceeds to guess the enormous daily econolmic costs of in a , which is where the problems are). introducing redundancy or error correction into com- One way of discovering what we want is to draw up a puter hardware and software. In another instance, he formal specification, derive a program conforming to it, claims that the problems that computer scient.ists have and run it. Often, we will discover that the specifica- to face make the application of “the average mathemat- tion is wrong, or, rather, we discover that we want ical theory [look] almost flat.” Yet, he later ar:gues in something different than what we thought we did. I favor of “the power of down-to-earth mathematics.” would like to teach that also to the students. I would Unfortunately, the tone of the statement is uniformly

1408 Commwkations of the ACM December 1989 Volume 321 Number 12 Debate negative. The quotations include a view from one math- paradigms. They all share a common denominator: urge ematician about the limitations of the brain, a remark the student to have a healthy respect for the craft of by the rector of a university reassuring the King of programming. By offering a menu of approaches, the Spain of its faculty’s conservativeness, the statement of students will be better prepared to face whatever “radi- a technocrat from an oil company comparing the vir- cal novelties” may appear in the future. I also feel that tues of Fortran and Pascal, and so forth. These quota- learning the foundations for writing sound programs tions may render the statement colorful, but they do ought to be fun and there should be a genuine sense of not provide evidence for its message. It is hard to imag- accomplishment when a student actually runs a pro- ine that these specific views are espoused by a major- gram, finds unexpected errors, and corrects them. This, ity. The same holds true when all practitioners of artifi- of course, requires inspired, broad-minded teachers; cial intelligence and software engineering are lumped forming them is a problem for any field of endeavor, together as evil groups. There is no doubt in my mind not only computer science. that there is high-quality work being done in these To summarize: on one hand, it is distressing to see areas! Hackers are also unfairly treated in Dijkstra’s the lack of realistic constructiveness in a statement by statement. In my view, we owe them a great deal for a pioneer in our field; on the other hand, the airing of their creativity and for the interesting new paths they the issues from Dijkstra’s statement should have suggested. make computer science a better, more mature disci- Dijkstra feels that analogue models (i.e., those with pline. gradual changes) are inadequate to cope with the exist- Jacques Cohen ence of digital machinery. In a way, he wishes that the Zayre/Feldberg Professor scientific community and society would react digitally Department of Computer Science (i.e., by step functions) to face the problems posed by Ford Hall digital machines. As I see it, gradual changes are inher- Brandeis University ent to human nature and human societies, and even Waltham. h4A 02254 the revolutions we have had in history actually took place at a relatively gradual pace, the definition of “gradual” being necessarily vague (e.g., consider the current views about the French revolution.) Dijkstra’s Perhaps it is best to begin by recalling that long ago statement also conveys the message that the dictum “to Dijkstra led a crusade for the total abolition of the err is human” is hardly acceptable. GOT0 instruction. Currently, it is widely believed that The example on covering a given chessboard with the GOT0 instruction is used much too often but that it dominos and the arguments used by Dijkstra in favor of also has its place in programming. The present state- simple proofs instead of exhaustive searches are to be ment by Dijkstra is another example of Moses laying taken with a grain of salt. There are many instances in down the law to us sinners in programming. As before which such searches are unavoidable and constitute it is both very right and very wrong. the only hope of finding solutions to interesting prob- Unfortunately, in his statement, there is much lems. For example, the proof of the four-color conjec- “sound and fury” and non sequiturs, the extensive use ture using a large search space is definitely a valid of color words, a gratuitous swipe at the military, and, approach, even if some mathematicians may yearn for a often, little content beyond his assertions; you can de- simpler proof (just in case it exists). tect the extent of this if you try to rewrite his state- I agree with Dijkstra that computer programs should ment, as I did, in simple language and clear reasoning. be considered as symbolic formulas. What is not yet Just as in the GOT0 article, there is much truth in established and is constantly evolving is the kind of this statement. I agree wholeheartedly that we should formulas (i.e., the level of languages) which will allow the word “bug” with the word “error” and sup- us to perform convenient manipulations, minimize the press all anthropomorphic words as being misleading to possibilities of errors, and yield efficient code. As com- the beginners. puters become more powerful, it is likely that very- The major trouble is, I think, that Dijkstra believes high-level languages will play an important role in ex- that programming should resemble mathematics and pressing programs as increasingly more concise formu- believes that mathematics is what one is taught 1 la las. This situation parallels the one which occurred 30 Euclid. One first lays down postulates, makes a few years ago when the first programming languages re- appropriate definitions, states theorems, and then placed assembly languages. After all, as believers in proves them-after all, that is how mathematics is typi- computer science, we should be among the first to ex- cally taught. He refuses to recognize that often the pos- ploit the advantages of computers. tulates follow from the theorems, as do many of the This response gives me an opportunity to express my definitions, and often the theorems follow from the own views as an educator in computer science. Our proofs we are able to generate-they are then called goal should be to provide not one but several ap- “proof driven theorems.” Furthermore, Dijkstra, in his proaches in teaching our students how to reason about sober moments, well knows that human proofs in programs. Dijkstra’s approach is one of them. Among mathematics are unreliable, that many famous proofs the others are the functional and have been repeatedly “patched up” by subsequent gen-

December 1989 Volume 32 Number 12 Communications of the ACM 1409 Debate

erations; hence, even if we tried to use his idea that “object-oriented” and “functional” programKing, to programs should be “proved” by humans before they mention two other approaches--after all, he is Moses, are run, the proofs alre fallible, and, in any case, are and he knows what programming is. merely paper problems run on a paper machine. It is Returning to the main theme OFthis reply, his desire this that I believe is behind much of the statement. to map software onto his conception of mathematics is One of Dijkstra’s major points is that the rapid foolish. His idea that a program be “proved” CObe cor- growth of computers represents a unique change of rect before running it applies, as noted befclre, to a mag,nitude so large that no one can comprehend it; but paper program on a paper machine and not to . largfe changes are more common than he thinks, for When you have to make a for a new mathe- example, the bandwidth available for signalling. The matically defined language, this approach i.3 both very unique features h.e attributes to computer science occur reasonable and valuable, but in many, if not most, engi- in other fields of ‘human activity: neering cases where the design criteria arise from what you are able to do this approach simply does not work particle accelerators have similarly increased in size very well (as can be seen from the government procure- and power con.sumption ment policy in action). Even more than in mathematics, the complexity of the telephone system of intercon- in engineering, there is a “give and take” between the nected central offices was around long before the design proposal and what can be done in current prac- first of the electronic computers and is still probably tice; hence, his desire to start with an exact description more complex than any computer for the program that is to be written works mainly in the claim of unique vulnerability to a single error is his “reality.” c’ertainly shared by our common languages. Anyone who reads the above objections to mean that Dijkstra excoriates “software engineering” by deliber- what Dijkstra writes can be safely ignored is a fool. I ately comparing it to his conception of mathematics have documented some of the errors that his extre- rather than to, say, “effective writing” which I feel is a mism has produced, but there is much truth in his far better analogy. I also doubt that it is always wise to statement. Apparently, reformers must often be ex- equate a program to a mathematical formula as he does. treme in what they say and do if they are tl3 achieve a Dijkstra uses the well-known example of trying to reformation. Read with charity, Dijkstra’s statement is a valuable contribution; Moses has indeed led us a bit further out of our wilderness. Di’kstm flatly asserts that he knows “reality” R. W. Hamming and his opponents do not, but I put about as Naval Postgraduate School muck faith in this as in the statement, “I am Monterey, CA 93943 Napoleon .I’

In the space available it would be impossible to com- cover with dominos a checker board, without the diag- ment on all the provocative suggestions in :Dijkstra’s onal corners, to illustrate the value of the mathemati- statement. Instead, I shall confine myself to challenging cal, analytical approach and concludes immediately two of his basic premises: that computing science can that all programs ,will similarly benefit--the reasoning be equated with the very large scale applic,ation of logic is fal.lacious and, from him, shocking! and that the programmer’s main task should be to give Dijkstra flatly asserts that he knows “reality” and his a formal proof that the program he proposes meets the opponents do not, but I put about as much faith in this equally formal functional specification. I will also take as in the statement, “I am Napoleon.” Indeed, in my issue with his proposal that the introductory program- opinion he comes to grief simply because his “reality” is ming course should primarily be a course i:n formal so far from most other people’s, which he admits. mathematics and that students should be protected Dijkstra objects to measuring programming by lines from the temptation to test their programs. I believe of code, conveniently forgetting that authors are often that the wide acceptance of these ideas would be dam- paid by the word. In both cases, it is ridiculous at times aging to the field of computer science. to do so, but he offers no other practical measure of Dijkstra’s dangerous recommendations stem from a programming (or writing) effort. misunderstanding of the role of formal logic in mathe- Dijkstra willfully misunderstands “software mainte- matical reasoning. It is, indeed, a fundamental insight nance,” pretending that it means repairing parts that that, in principle, a can. be reduced have failed rather than what everyone else under- to the manipulation of uninterpreted strings of symbols stands, mainly, altering the current software to meet according to formal syntactic rules. But, as irnportant as changing needs and environments; hence, contrary to this insight may be for the foundations of mathematics, his sneer, software that is not maintained is apt to be of it has little bearing on the way mathematical truths are much less value to the than software that is. discovered or communicated in practice. Dijkstra seems to identify programming languages The discovery of mathematical truth is invariably an with “imperative languages” and deigns not to notice unsystematic, trial-and-error process that leans on

1410 Communications of the ACM December 1989 Volume .32 Number 12 Debate models, pictures, analogies, examples, counterexam- fixing bugs like this in Sprite). In such an environ- ples, and intuitions about time, space, and number that ment, it seems to me that formal logic is unlikely to have little relation to the rearrangement of symbols root out the problems . . . Dijkstra would probably according to formal rules. Once a mathematical truth is claim that we have no business building a system discovered, the “proofs” used to communicate it from until we understand exactly how it should behave, one human to another are never formalized completely, but I think this is impossible in any new engineering if only because such formalization is a hideously tedi- domain.” [John Ousterhout] ous process and because the resulting formal proofs would be opaque to human readers. The proofs that are I am led to the conclusion that formal proof and for- communicated between humans are best viewed as mal specification are not among the most promising persuasive arguments which, although not entirely avenues toward getting useful and dependable results complete or airtight, are often remarkably effective in from computers. Instead, I would advocate increased transmitting mathematical insights from the mind of their discoverer to the of their readers.

One might argue that inasmuch as computer pro- It would be ironic if Dijkstra’s prescriptions for grams are nothing more than formal expressions and their execution is nothing more than the application of introductory computer scienceeducation were formal transformation rules, computer scientists must to gain acceptanceand the next generation of inevitably work in the arena of formal methods. Indeed, students were to be denied the thrill of seeing it seems to me that formal proof can play an indispen- their programs come to life on the CRT screen. sable role in certain special situations such as the vali- dation of short, logically intricate programs involving The result would be a fiasco unmatched since the coordinated action of several processors. But I am the introduction of the New Math. convinced that, for the great majority of programming problems, the modalities of thought and expression that are most useful are very similar to those that prevail in research on methods, on the use of modern other areas of mathematical work. The mass of tedious programming environments including work stations, detail that is involved in a formal correctness proof of revision control aids, editors, and high-level pro- even a moderately complex algorithm is beyond the gramming languages, and on the development of limits of human toleration; and, alas, at the present special-purpose software packages, such as state of the art of automatic theorem proving, the pros- systems and spreadsheet programs, that enable even pects of obtaining correctness proofs automatically or non-programmers to use computers productively. semi-automatically are rather bleak. Computers are becoming indispensable in nearly all Of course, it is possible to reject formal correctness fields of endeavor. For example, despite Dijkstra’s proofs and still embrace the use of formal program claims to the contrary, they play an increasingly impor- specifications. However, a major impediment to the use tant role in mathematical research, where they are of formal specifications is the inevitable intertwining of used to simplify algebraic expressions, to explore exam- software development with specification. This point has ples, and to generate graphical representations of com- been well made by two of my colleagues who have plex geometric objects. In view of this trend, it would extensive experience in the design of large software be ironic if Dijkstra’s prescriptions for introductory systems: computer science education were to gain acceptance and the next generation of students were to be denied “I do not view the process of programming, espe- the thrill of seeing their programs come to life on the cially programming in the large, as that of discover- CRT screen. The result would be a fiasco unmatched ing an algorithm to a prespecified and unalterable since the introduction of the New Math. logic. It is more often a process of discovery and adaptation, as various relevant components of Nevertheless, many of the concepts behind Dijkstra’s a problem are examined in turn, and a goal, approach, if leavened with a bit of common sense, are initially specified incompletely, is reached.” well worth conveying. It is important for our students [Richard Fateman] to gain facility with the elegant notation of and the predicate calculus since these notations are “In my view, large computer programs tend to be useful in informal proof as well as formal proof. Our inherently unspecifiable, in the sense that there is students should certainly be taught to give reasonably not even a clear notion of how the programs precise informal specifications of what their programs “should” behave. In such systems, many of the most are intended to do and what their data structures are subtle bugs occur because our view of how the sys- intended to represent before plunging into writing code. tem “should” behave turned out to be wrong (we’ve And the discipline of maintaining loop invariants and spent a lot of time over the last couple of years satisfying and postconditions for subrou-

December 1989 Volume 32 Number 12 Communications of the ACM 1411 Debate

tines. (even if these conditions are not stated in a formal but it presupposes that someone else has done all the language) is highly valuable to any programmer. But, it hard work by managing to create a formal functional is even more important that the next generation of specification that is appropriate to the task at hand. computer science students be exposed, as early as pos- Dijkstra must face the unpleasant truth that it is the job sible, to the practical art of constructing large programs, of someone (again to avoid quibbling, let us call this with its intertwined processes of specification, program- person a “computing professional” rather than a “pro- ming, testing, and documentation. grammer”) to produce a collection of instruct.ions that allow the computing device to function appropriately in practice. In some cases, this might be best done by Richard M. Karp producing a full formal specification and then - Dept. of Computer !jcience ing that into code, but that methodology is debatable, at 571 Evans Hall best, and far from universally applicable. Univ. of California Berkeley, CA 94720 In all his carping about the sad state qf com- puter education, Dijkstra seems not to have noticed that a huge number of complex pro- Behind Dijkstra’s bravado and invective there lurks a grams DO work. . . coherent argument about the nature of computer sci- ence education. Coherent and interesting, but wrong, becau.se it is based on faulty premises. To start out Dijkstra’s idealized view of programming shows its with, Dijkstra is wrong about what computers do, inadequacy immediately when I try to imagine a formal wrong about what programmers do, and wrong about functional specification of the drawing program I use. what engineers do. He says, “deal with all the elements of a set by ignoring them and working with the set’s definition.” Consider the set of different ways in which the motions of the The problem begins with his definition of computers: mouse and its buttons are used to create and modify “When all is said and done, the only thing computers images on the screen. He says, “we should rceason about can do for us is to manipulate symbols and produce programs without even mentioning their possible ‘be- results of such manipulations.” In my vicinity of the haviors’.” How can we do this and consider what is to “real world,” I see computers doing lots of other things. happen if I drag the cursor outside of the window while They issue payroll checks, control the motions of in the process of specifying a rectangle? In other words, metal-working machines, format and print architectural once we recognize that we are engaged in the design of drawings and newsletters, and keep my car’s brakes operational computing devices, we must train people to from locking. In do:ing all this, they may manipulate think well in operational terms. symbols (and also manipulate electrical and magnetic fields), but that is instrumental-the means to an end. The third error is in his peculiar view of “software engineering” and his pronouncement that its goal is Now Dijkstra may object that computers are not self-contradictory. Engineering disciplines are con- doing all those things--I am talking about devices that cerned with the construction of devices that can be employ computers in their functioning. Fine, let us not relied upon to perform a function. The success of such quibble over terms. Let us call this thing on my desktop disciplines derives from the fact that past experience a “computing device” which employs a computer in can help us avoid future breakdowns. By drawing on helping me with editing, formatting, and printing this the accumulated experience of the profession, an engi- response. As a profession, we are concerned with the neer approaches a design task with a collection of tech- overall education of people who will be responsible for niques, tools, and previous designs which make it possi- specifying and implementing such devices (the software ble to create reasonably reliable devices at reasonable and hardware) in such a way that they will work effec- cost with a reasonable amount of effort. The key word tively--not just perform symbol manipulations validly, in this is “reasonable,” not “optimal” or “perfect.” There but actually print a paycheck with the legal deductions, are indeed failures. Sound engineering is not a guaran- put the specified headings at the top of newsletter tee of perfect results. And there are times when a radi- pages, and produce the desired machine part. cal departure is required to achieve a new design, but this is the rare exception, not the work of the everyday The second error is in his vision of what program- practitioner. mers do: “The programmer’s task is . . . to give a formal proof that the program he proposes meets the equally In all of his carping about the sad state of computer formal functional specification.” This is a noble goal, education, Dijkstra seems not to have noticed that a

1412 Communications of the .AC,M December 1989 Volume 32 Number 12 Debate huge number of complex programs DO work, not al- of what he says may be applicable, for example, to the ways, and not necessarily in the most elegant way, but training of theoretical physicists who at times need to in an incredible variety of circumstances and without engage in purely formal manipulations without precon- the benefit of formal proof. Furthermore, we are able to ceptions in order to allow for radical novelty. But, it make more and more complex programs work, as we does not apply to the people who apply physical princi- learn from the experience of past successes and fail- ples to designing bridges, airplanes, or disk-drives. Al- ures. The goal of systematizing the knowledge gained though they should certainly be proficient in mathe- from this experience is hardly self-contradictory, unless matics, they would fail miserably at their tasks if they one has unrealistic or idealized expectations. did not have a substantial knowledge of a very different kind. I take Dijkstra’s argument not to be just about the training of the small elite cadre of theoreticians, but, There are, indeed, important differences between rather, about his hundreds of freshmen-the broad computing devices and other kinds of devices, for the population of people who work with computing reasons that Dijkstra points out. It would be foolish to expect the methods of other engineering disciplines to devices. apply without change. On the other hand-despite Dijkstra’s grandiose statements about “a radically new Their education should include a solid grounding in intellectual challenge that has no precedent in our his- formal methods, but this is just one piece of the prepar- tory” and his questionable analogies with quantum atory background. To be educated, they need a ground- physics and non--the alleged “rad- ing in the experience of the profession-the examples, ical novelty” of computers is not so earth-shattering as methods, and practices. They need more than just a to justify throwing away past experience in order to description of these. Effective learning comes from the gain the pristine virtue of the “blank mind.” experience of developing the skills they will be em- ploying in their work, with observation and coaching This is not to say that everything done under the from those who have expertise. This experience should banner of “software engineering” is good or that all of go beyond the building and testing of small program- Dijkstra’s criticisms are wrong. Occasionally, one of his ming exercises to include working with larger-scale systems and the design considerations that come from errant fusillades hits a deserving target, and I find my- their embedding in situations of use. self agreeing with the content of one of his remarks, if not with the ill-tempered style. But it would be just as wrong to condemn software engineering for the occa- In this last question-the relation between mecha- sional stupidities of people who claim to be doing it as nism and use-the current vision of “software engi- it would be to condemn all of mathematics for the occa- neering” is too narrow and needs to be expanded into a sional stupidities of mathematicians. vision of design. A building is created by a combination of people including both engineers and architects. The architect’s skill includes knowledge of materials and From the fact that Dijkstra’s premises are false, it building techniques, but has a primary focus on func- does not logically follow that his conclusions are false, tion. The key questions go beyond construction to so let us examine them separately. He mixes two argu- “What will make the building be appropriate to its ments, one of which is appealing and the other of which is misguided. uses? What will function as a good design when people in?” We need to develop effective (and rigorous) training that builds the skills to answer these questions The primary subtext of his diatribe is a complaint in designing computing systems. about the lack of rigor in computer science education. I fully support his pleas that as educators we demand It may well be that in the future there will be spe- rigorous thinking, teach the beauty of mathematics, and cialized professions within computing, and that there encourage the virtue of facing uncomfortable truths. will be different kinds of training for its architects, en- But, he confuses this with the claim that the essential gineers, and theoreticians. It would be foolish to ignore part of computing education lies in the ability to ma- the value of the abstract mathematical skills Dijkstra nipulate formal , detached from considera- advocates, but it would be even more foolish to indulge tions of operational devices, their behaviors, or their the fantasy that they offer some magic that allows stu- embedding in a world of people and activities. If he dents to escape the hard work of learning about real deludes his students into thinking this, they are in for a computing. rude awakening when they try to function as comput- ing professionals. Terry Winograd If he is talking about the education of “computer sci- Dept. of Computer Science entists” in the narrow sense of theoreticians of formal Univ. of California at Stanford , there is a bit of sense to his claim. Much Stanford, CA 93439

December 1989 Volume 32 Number 12 Communications of the ACM 1413 Debate

Dijkstra’s Repl:y To Comments

Dear Colleagues, ferred to mathematical methodology in general. I shall Since your comments are not disjoint, allow me to ad- indicate them briefly. dress you collectively in principle. The presumed dogma that calulational proofs are an Of course, there is more to digital system design than order of magnitude too long to be practical has not the formal derivat.ion of programs from their equally been confirmed by my experience. On the contrary, formal specifications; accordingly, I expect a full-blown well-chosen formalisms provide a shorthand with computer science curriculum to comprise more than which no verbal rendering can compete. “an introductory programming course for freshman.” Please remember that my modest proposal only per- Through most of this century, tained to the latter. has primarily been used for soul-searching. As a tool Th.e choice of functional specifications-and of the for daily, practical proof design it has hardly been notation to write them down in-may be far from ob- given a fair chance. To realize its potent:ial, it seems vious, but their role is clear: it is to act as a logical essential to view the purpose of logic not as mimick- firewall between two different concerns. The one is the ing human reasoning but as providing a calcula- “pleasantness problem,” i.e., the question of whether an tional alternative to it. engine meeting the specification is the engine we In proof design, strong heuristic guidancl? can be ex- wou1.d like to have; the other one is the “correctness tracted from a syntactic analysis of the theorem and problem,” i.e., the question of how to design an engine from (baby) proof theory. Both possibilities require meeting the specification. I firmly believe that when- formalization of the proof structure for their exploi- ever we succeed in erecting such a firewall, the effort tation. will :pay off handsomely. The reason for this belief of mine is that the two concerns deserve separation be- While , with its ties to elusive cause the two problems are most effectively tackled by entities such as “intuition” and “the huma.n mind,” totally different techniques. (They are currently psy- is a hard topic to teach explicitly, symbol manipula- chology and experimentation for the pleasantness prob- tion is tangible. The effective techniques of symbol lem and symbol manipulation for the correctness prob- manipulation are well within the teachable domain, lem.) hence my estimate of 50 years. Several of you h.ave voiced a wider concern, viz., serious doubts about the viability of a much more for- The possible that I envisage is malized mathematics. I can understand your concern very different from what the dyed-in-the-wool member because, for many years, I shared your doubts. Over the of the mathematical guild of today is used and probably last decade, however, those doubts have largely evapo- attached to. My dream could very well be his night- rated., to the extent that I expect, say 50 years from mare. So be it. I cannot consider such discrepancy my now, the mathematic:al informality of today definitely fault. If you have a technical argument-why my ex- to be a thing of the past. (I realize that this is a some- pectation of the future of mathematics cannot come what gratuitous statement because, if my expectation true-please let me know, for it would save me a lot of will not be fulfilled, I: will not be there to be confronted work and a lot of animosity. with my mistake. But, I cannot help having expecta- Finally, allow me to express my appreciation for the tions beyond my lifelime.) The expectations are based care with which you phrased your comments. I end on the experiences a:nd observations collected since I with my greetings and best wishes to you all. started to explore the extent to which the experience gathered in programming methodology could be trans- E. D.

1414 Communications of the ACM December 1989 Volume 32 Number 12