Specs (and proof checkers) can have bugs too! [LWN.net]

Specs (and proof checkers) can have bugs too!

Posted Apr 26, 2026 4:52 UTC (Sun) by cypherpunks2 (guest, #152408)
In reply to: Specs (and proof checkers) can have bugs too! by DemiMarie
Parent article: Firefox: The zero-days are numbered

> Formal verification checks that your code meets your spec. It doesn’t check that your spec matches your intent.

That's true, but those kinds of mistakes wouldn't be considered a software bug than an LLM would find anyway.

to post comments

Specs (and proof checkers) can have bugs too!

Posted Apr 27, 2026 9:17 UTC (Mon) by farnz (subscriber, #17727) [Link]

The thing that makes LLM-based security analysers interesting is that they're good at finding what amount to "bugs in the specification", where it's implausible that the human intended something that they wrote.

This is in contrast to formal verification, where an error in the spec results in verification passing, but the software not functioning as intended. An LLM looking at your code will do the equivalent of "there's no plausible sequence of tokens that would represent a specification for this code that a human would write", where a formal verifier does not look to see if the specification is plausibly human written.