[trustable-software] Model Checkers

Tom Eccles tom.eccles at codethink.co.uk
Fri Sep 21 14:50:31 BST 2018 

Hi Ben,

Thanks for the feedback. Responses inline.

> I tried CBMC rather than ESBMC because it seemed easier to install and use (was 
> in apt). I found when running it that it stuck for about 20 minutes trying to 
> test every iteration of a potentially boundless loop.
> I believe this is the correct behaviour for a model checker, but it's not very 
> useful for the purposes of running over an entire Linux distribution because 
> we'll likely hit this issue thousands of times.
>
> The documentation for CBMC does tell you how to specify specific bounds for 
> loops to work around this issue, however this would effectively remove one of 
> the checks, and would be a very manual (impractical) process.

(Reposting comment for the mailing list)
It may be possible to prove properties of long loops by induction. However, I
agree that this will take too much developer time to scale to anywhere near the
amount of code we would need to check.

> On further reading it seems to me like these bounds checkers are more designed 
> for very constrained embedded systems where you actually want to ensure these 
> things are known or knowable.

Yes this is the context in which I have heard of them too.

> I then looked into MOPS which is described by the paper you referenced in [2], 
> the paper was released in 2005 and the latest release of MOPS is from 2004.
> The website for MOPS states that it's not a checker itself, but a framework for 
> adding your own checks, so I highly suspect that the reason it could be run over 
> an entire distro is that they ran a very minimal set of checks; the paper also 
> suggests this as they only found 138 bugs in the distribution, while I believe 
> it's reasonable to assume that there are a lot more than that.

Agreed. However, I think some variation of this will be the only practical
solution because anything more rigorous will have the issues you encountered
with CBMC.

> I guess to bring this closer to reality, the discussion we really need to have is:
> How can we practically produce useful static code analysis results for a full 
> distro using BuildStream or similar?

I agree, although this will be very challenging for the reasons you specified. I
think this is likely to be a balancing act between false positives and missed
bugs - which is not good news for safety. However, if we can at-least find some
bugs using something similar to MOPS, it will help.

Regards,
Tom

More information about the trustable-software mailing list