Has anyone thought about shipping software that doesn’t contain bugs?

The trouble we always encounter is, people *also* want the software to *do* something.

No one has figured out how to make software that always does the right thing, never does the wrong thing, and is still useful enough that people want it.

@stilgherrian

@bignose @stilgherrian There’s always formal verification, which proves the software does everything in the specification and nothing which isn’t in the specification. At that point, the specification can have issues or limitations, but those aren’t really software bugs.

@bob_zim, I would bet money that no system which does something of interest to @stilgherrian has been formally verified to the complete degree you say.

Which is why my description includes the requirement that the software does something people are interested in. Yes, there might exist formally-verified systems with no detectable bugs; but likely that doesn't describe any system we directly use.

@bignose @stilgherrian seL4 is formally verified, and it’s extremely widely used. Several other operating systems are, too. Big chunks of the OS used by Qualcomm modems (so, present in ~95% of smartphones sold in the last year) are formally verified.

@bob_zim @bignose @stilgherrian

seL4 is formally verified and went almost 24 hours between being open sourced and the first security vulnerability being reported. That one was because the verification didn't cover all of the code, but seL4's verification was also done against a quite simplified model of an MMU, so there may be other soundness issues.

My favourite verification story is when some colleagues adopted EverCrypt in a previous job. EverCrypt is verified against a bunch of properties (including constant time execution). It is also proven to be memory safe. They expressed temporal safety as a property that no object is accessed after it was freed. It turned out that the codebase complied with this trivially: it never freed memory.

Oh, and the proofs treat as axiomatic that the C code calling the APIs has no memory safety bugs.

@david_chisnall @bob_zim @bignose @stilgherrian my favorite example I've personally seen was requirements stated "operator shall be able to log into system with company assigned username and password". When you started the application there was a log in prompt for username and password. Problem was the requirements never stated that those should be verified as accurate. Sure login with your credentials... Or just smash your head on the keyboard... Same result
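Both stories in this thread (the EverCrypt "no object is accessed after it was freed" property and the login requirement that never asked for credentials to be checked) are instances of a specification being satisfied vacuously. The following Python is an added illustration, not code from the thread or from any project named in it; the traces, credential store and function names are constructed for the example.

```python
# Added example (not from the thread): two constructed specification-gap checks.
# Names, traces and credentials below are hypothetical.

def no_use_after_free(trace):
    """Temporal-safety property as stated: no object is accessed after being freed.
    trace is a list of (op, obj) with op in {"alloc", "access", "free"}."""
    freed = set()
    for op, obj in trace:
        if op == "free":
            freed.add(obj)
        elif op == "access" and obj in freed:
            return False
    return True

def everything_freed(trace):
    """Companion property that exposes the gap: every allocated object is freed."""
    allocated = {obj for op, obj in trace if op == "alloc"}
    freed = {obj for op, obj in trace if op == "free"}
    return allocated <= freed

# Constructed trace of a program that never frees: passes the first check vacuously.
NEVER_FREES = [("alloc", "a"), ("access", "a"), ("alloc", "b"), ("access", "b")]
# Constructed trace containing a genuine use-after-free.
UAF = [("alloc", "a"), ("free", "a"), ("access", "a")]

# Constructed credential store (a real system would store password hashes, not passwords).
USERS = {"alice": "correct-horse"}

def login_as_specified(username, password, users):
    """Meets the literal requirement: an operator can log in with their credentials.
    Nothing in the requirement says other inputs must be rejected, so accept everything."""
    return True

def login_checked(username, password, users):
    """Meets the requirement as its author presumably intended."""
    return users.get(username) == password

def meets_weak_spec(login, users):
    """'Operator shall be able to log in with company assigned username and password.'"""
    return login("alice", users["alice"], users)

def meets_strong_spec(login, users):
    """The missing clause: credentials that are not the operator's must be rejected."""
    return meets_weak_spec(login, users) and not login("alice", "asdfgh", users)

if __name__ == "__main__":
    print(no_use_after_free(NEVER_FREES), everything_freed(NEVER_FREES))  # True False
    print(meets_weak_spec(login_as_specified, USERS), meets_strong_spec(login_as_specified, USERS))  # True False
```

The weak property passes for both the never-freeing trace and the accept-all login; only the added clauses distinguish the vacuous implementations from the intended ones.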