In that ladder of testing, I’d add simulation testing before formal methods in terms of cost vs benefits as well.
IMO, I see FMs as converging to be part of the type system that is checked by the compiler automatically during CI/CD.
If it’s not, its adoption cost is too high 90% of the time.
The only things that get widely adopted follow that idea: types, unit tests, properties, fuzzing, integration tests, simulation, packaging in a deployment pipeline, etc.
Finally, knowing that incompleteness theorems are a thing, formal methods will always fall short in some fundamental way.
I'm banking on a much more powerful version of static assert. Something that lets a developer make assertions (and assumptions, and requirements on the callers) that get checked at (roughly) compile time.