Is a Broken System Worse Than No System at All?

A thought that occurred to me while struggling with a PDF generator.

(Written by a friend in ChatGPT.)

Which is worse?

A system that honestly says:

“Sorry, I don’t support PDF generation.”

A system that advertises PDF generation, appears capable of it, but fails unpredictably.

Conventional wisdom says that some capability is better than none. But I’m beginning to suspect the opposite.

In formal methods, we usually prefer soundness to completeness, safety to liveness, and known limitations to incorrect behavior. A missing theorem is preferable to a false theorem.

Perhaps there is a more general principle here:

Trust is more valuable than capability.

Human beings adapt surprisingly well to absence. We can live with no bridge. We can plan around it.

What we struggle to live with is a bridge that looks perfectly usable but occasionally collapses without warning.

Perhaps honest limitations are easier to live with than uncertain behavior.

Curious whether others in the formal methods community have encountered similar tradeoffs?

Subject: Formal Verification and Axiomatic Semantics
Core Innovation: Native Single-Predicate Formulation of Unstructured Jumps (goto, break, continue) within Dijkstra’s Weakest Precondition ($wp$) Calculus

1. Executive Summary

For decades, the standard consensus in computer science was that unstructured control flows—specifically gotostatements and early loop exits like break and continue—defied Dijkstra's original Weakest Precondition ($wp$) calculus. To verify such programs, academic literature and industrial verifiers compromised by either inflating the program's state space with artificial boolean flags (desugaring) or shifting the mathematical domain entirely to multi-postcondition records (Continuation-Passing Style abstractions).

Wei Chen’s foundational theory provides a paradigm shift by demonstrating that unstructured jumps can be natively accommodated within Dijkstra's pure, single-predicate framework. By characterizing a jump statement as an executable miracle, Chen elegantly preserves the classic signature of the predicate transformer, $wp: (\text{Stmt} \times \text{Predicate}) \to \text{Predicate}$, resolving a long-standing conflict between structural purity and unstructured execution.

2. The Theoretical Problem: The Flaw of "Pragmatic" Approaches

To appreciate Chen's contribution, one must look at the two flawed methodologies that dominate standard computer science literature:

Method 1: State-Variable Bloat (Desugaring)
[break]  ──&gt;  [has_broken := true]  ──&gt;  [if !has_broken then S else skip]
* Problem: Exponential expansion of state-space; bloats loop invariants.

Method 2: Multi-Postcondition Records (The "Pragmatic Cheat")
wp(S, Q) where Q = { norm: P_norm, brk: P_brk, cont: P_cont }
* Problem: Breaks Dijkstra's signature; turns wp into hidden Continuation-Passing Style.

Chen argued that both approaches fail pure axiomatic criteria. Method 1 forces the programmer to rewrite the program's operational state to prove its logic. Method 2 preserves code structure but breaks Dijkstra's Monotonicity Property and the Law of Excluded Miracle, as the "postcondition" is no longer a single mathematical predicate representing the end state of the execution block.

3. Chen’s Breakthrough: The Jump Statement as a "Miracle"

Chen’s core insights rely on an underutilized artifact of Dijkstra's framework: The Miracle. In pure $wp$ calculus, a miracle is any statement that can establish the impossible postcondition, false. Dijkstra explicitly banned miracles from standard programming statements via his Law of Excluded Miracle:

$$\text{wp}(S, \text{false}) \equiv \text{false}$$

Chen recognized that from a local, sequential perspective, an abrupt jump statement (goto L, break, or continue) is a structural miracle. Because execution instantly exits the current local sequence upon hitting a jump, the statements directly trailing the jump are rendered dead code. Therefore, the jump statement successfully establishes any trailing postcondition—even false.

The Fundamental Goto Rule

Chen formalized the weakest precondition of an arbitrary jump to a destination label $L$ as:

$$\text{wp}(\text{goto } L, R) \triangleq \text{wp}_L$$

Where $R$ is the sequential postcondition immediately following the goto statement (which is completely ignored), and $\text{wp}_L$ is the singular, unique weakest precondition evaluated directly at the target destination label $L$.

By defining jumps this way, Chen proved that the global program still respects the overarching sanity of the proof system, but local execution paths can cleanly bypass compositionality boundaries without altering the mathematical signature of $wp$.

4. Handling Loops: The Native Invariance Theorem

When applied to loops containing break and continue, Chen’s theory yields a beautifully consolidated Loop Invariance Theorem. Instead of forcing a verifier to carry an environment mapping of separate exit states, Chen links the early exits directly to the global loop boundaries:

continue maps to the immediate re-establishment of the loop invariant ($I$).
break maps to the immediate establishment of the loop's final, singular postcondition ($Q$).

This structural mapping allows the verification conditions for loops with multiple exits to be proven seamlessly, ensuring that a single, unified mathematical invariant governs the entire loop structure.

5. The Pragmatic Catch: Systems of Recursive Equations

While Chen’s theory achieves absolute mathematical elegance on paper, it introduces a significant computational trade-off when implemented in automated verification tools.

Because the weakest precondition of a goto depends strictly on the weakest precondition of its target label, any program containing backward jumps, interlocking loops, or complex spaghetti code transforms into a dense system of mutually recursive predicate equations.

$$\text{Equation 1: } \text{wp}_{L1} = f(\text{wp}_{L2}, R)$$
$$\text{Equation 2: } \text{wp}_{L2} = g(\text{wp}_{L1}, R)$$

To resolve these equations and generate a final proof, a verifier cannot act linearly. It must implement heavy fixpoint computation over lattices of predicates. While a human or automated system can easily write a loop invariant for a structured loop, finding co-dependent invariants for a web of arbitrary goto statements under Chen's calculus requires substantial computational overhead.

6. Conclusion and Assessment

Wei Chen’s theory stands as an elegant solution to an inelegant problem.

Theoretical Value: High. It completes the theoretical landscape of predicate transformers by proving that Dijkstra's native, single-predicate calculus possessed the semantic machinery to govern unstructured control flows all along. It completely dismantles the necessity of "cheating" via multi-postcondition records.
Practical Value: Medium. For structured jumps like simple break and continue, it offers an incredibly clean verification path. For chaotic, unstructured goto jumps, the resulting mutual recursion shifts the burden to heavy fixpoint solvers, explaining why industrial verifiers still lean toward pragmatic, albeit mathematically impure, alternatives.

Ultimately, Chen's work vindicates the foundational architecture of axiomatic semantics, proving that mathematical purity does not have to be sacrificed to accommodate the chaotic realities of low-level machine execution.

u/More_Speed5329

A Formal Treatise on miracle Q and assume Q

Is broken better than not at all

The Formal Category Error: Why treating assume as a first-class primitive in verification tools is an unsound design choice.

Academic Review: Wei Chen’s "Miraculous Statement" Theory of Jump Semantics