2015: I consider a concrete case to motivate the distinctions made <a href=../Psychology/Transitive.html>here</a>.
Suppose that I need to write a program that, among other things, must compute the area of the intersection of two polygons.
I find on the net a program, <a href=../MathPhys/IP><tt>inter</tt></a>, that claims to do just that.
My program must do other even more critical things.
It would be bad if I got the wrong area.
It would be much worse if other parts of the program were compromised which might happen if the routine <tt>inter</tt> were to store anywhere other than its own stack frame.
<tt>inter</tt>’s signature promises just that but it is written in C.
Another worse thing is for one of the polygons delivered to <tt>inter</tt> were delivered further to some program outside the current memory space, exfiltrated.
Yet another would be if data not furnished to <tt>inter</tt> were exfiltrated.
These latter ‘worse things’ are bad in part because I may never become aware of them.
They may occur without the signals that would lead to fixing the flaw.

<p>I need to prove that much worse things will not happen.