From: Tavis Ormandy
Date: Mon, 21 Nov 2016 07:34:49 -0800
Subject: Re: Formal description of system call interface
To: Dmitry Vyukov
Cc: Cyril Hrubis, linux-api@vger.kernel.org, LKML, Michael Kerrisk-manpages, Thomas Gleixner, Sasha Levin, Mathieu Desnoyers, scientist@fb.com, Steven Rostedt, Arnd Bergmann, carlos@redhat.com, syzkaller, Kostya Serebryany, Mike Frysinger, Dave Jones
List-ID: linux-kernel@vger.kernel.org

On Mon, Nov 21, 2016 at 7:14 AM, Dmitry Vyukov wrote:
>
> Re more complex side effects. I always feared that a description suitable
> for automatic verification (i.e. zero false positives, otherwise it is useless)
> may be too difficult to achieve.
>
> Cyril, Tavis, can you come up with some set of predicates that can be
> checked automatically yet still useful?
> We can start small, e.g. "must not alter virtual address space".

Yes, I've been working on creating something like this; I have a simple
working prototype. I can't promise it has zero false positives right now,
but I think that is achievable. Let me dig it up (I had put it on the
back burner).

Tavis.
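As an added illustration of the kind of automatically checkable predicate Dmitry proposes ("must not alter virtual address space"), the following Python is not code from this thread, from syzkaller or from Tavis's prototype. It assumes Linux's /proc/self/maps format, snapshots the process's mappings before and after an action, and reports any mapping that appeared or disappeared. The embedded maps text is constructed for the offline check; the `[heap]` exclusion is a deliberate design choice to avoid a false positive from the harness's own allocator growing the heap between snapshots.

```python
"""Predicate check: an action 'must not alter the virtual address space'.

Added example (not from the LKML thread, syzkaller, or Tavis's prototype).
Assumes the /proc/<pid>/maps line format on Linux.
"""
import re
from typing import Callable, FrozenSet, List, Tuple

# A mapping is identified by (start, end, perms, path). Offset, device and
# inode are irrelevant to "did the address space change?".
Mapping = Tuple[int, int, str, str]

_MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$"
)

# Heap growth is caused by the checker's own Python allocator, not by the
# action under test, so it is excluded by default to avoid a false positive.
DEFAULT_IGNORE: FrozenSet[str] = frozenset({"[heap]"})


def parse_maps(text: str) -> List[Mapping]:
    """Parse /proc/<pid>/maps text into a sorted list of mappings."""
    result: List[Mapping] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _MAPS_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised maps line: {line!r}")
        start, end, perms, path = m.groups()
        result.append((int(start, 16), int(end, 16), perms, path))
    return sorted(result)


def snapshot_vas() -> List[Mapping]:
    """Snapshot this process's mappings (Linux only)."""
    with open("/proc/self/maps") as f:
        return parse_maps(f.read())


def diff_mappings(before: List[Mapping], after: List[Mapping],
                  ignore: FrozenSet[str] = DEFAULT_IGNORE
                  ) -> Tuple[List[Mapping], List[Mapping]]:
    """Return (added, removed) mappings, skipping paths listed in `ignore`."""
    b = {m for m in before if m[3] not in ignore}
    a = {m for m in after if m[3] not in ignore}
    return sorted(a - b), sorted(b - a)


def check_no_vas_change(action: Callable[[], object],
                        snapshot: Callable[[], List[Mapping]] = snapshot_vas,
                        ignore: FrozenSet[str] = DEFAULT_IGNORE
                        ) -> Tuple[bool, List[Mapping], List[Mapping]]:
    """Run `action` between two snapshots; True if no mapping changed."""
    before = snapshot()
    action()
    after = snapshot()
    added, removed = diff_mappings(before, after, ignore)
    return (not added and not removed), added, removed


# Constructed sample maps text (not captured from a real system).
MAPS_BEFORE = """\
00400000-00401000 r-xp 00000000 08:01 1234 /usr/bin/demo
00600000-00601000 rw-p 00000000 08:01 1234 /usr/bin/demo
01000000-01021000 rw-p 00000000 00:00 0 [heap]
7ffff7dd0000-7ffff7dd2000 r--p 00000000 00:00 0 [vvar]
"""
# After: the heap grew (harness noise) and an anonymous page was mapped.
MAPS_AFTER = """\
00400000-00401000 r-xp 00000000 08:01 1234 /usr/bin/demo
00600000-00601000 rw-p 00000000 08:01 1234 /usr/bin/demo
01000000-01042000 rw-p 00000000 00:00 0 [heap]
7ffff7a00000-7ffff7a01000 rw-p 00000000 00:00 0
7ffff7dd0000-7ffff7dd2000 r--p 00000000 00:00 0 [vvar]
"""

if __name__ == "__main__":
    import mmap
    import os

    ok, added, removed = check_no_vas_change(os.getpid)
    print("getpid leaves VAS unchanged:", ok)
    keep = []  # hold the mapping so it is not unmapped before the snapshot
    ok, added, removed = check_no_vas_change(
        lambda: keep.append(mmap.mmap(-1, 4096)))
    print("mmap leaves VAS unchanged:", ok, "added:", added)
```

Two sources of noise are worth knowing about when turning this into a zero-false-positive check: the harness's own allocations (handled here by ignoring `[heap]`), and the kernel merging a new anonymous mapping into an adjacent one with identical flags, which shows up as one mapping removed and a larger one added rather than as a clean new entry.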