Zero Defect Programming: The Impossible Dream. Tony Hoare, Principal Researcher, Microsoft Corporation

Posted on 26-Mar-2015

TRANSCRIPT

Slides 1-2
Zero Defect Programming: The Impossible Dream
Tony Hoare, Principal Researcher, Microsoft Corporation

Slides 3-4
The impossible dream: 1
Software contains no more errors.
Software is the most reliable component in any system or product that contains it.

Slides 5-6
The sordid reality: 1
If it's switched on and stops working, probably the fault is in the software.
If you switch it off and on again, and it now works again, certainly the fault is in the software.
Whatever it is!

Slide 7
A more possible dream: 1
Software contains no more errors than any other engineering product.

Slides 8-9
The impossible dream: 2
Programmers make no more mistakes.
Programs work the first time they are run, and forever after, even when you change them.

Slide 10
The sordid reality: 2
Programmers spend half their time detecting, removing or working round mistakes made by themselves (or their colleagues) in the other half of their time.

Slide 11
A more possible dream: 2
Programmers make no more mistakes than any other professional engineer.

Slide 12
$100 billion per year: world-wide annual cost of software error. 40% falls on developers, 60% on users.
Estimate based on a survey of US industry: Planning report 02-03, prepared by NIST for the US Department of Commerce, May 2002.

Slide 13
Still impossible: 3
The program verifier: an intelligent programmer's assistant that knows what the program should do and what it should not do. It verifies that the program is correct, with the certainty of mathematical proof, and gives a simple counterexample if not. Applied also to requirements and designs.

Slide 14
The sordid reality: 3
Computers can't understand the real world. It's too hard to tell them what we want. They're bad at proof, and worse at counter-examples. But still we dream.

Slides 15-17
Impossible dreams of science
Physics: accuracy of measurement
Chemistry: purity of materials
Biology: rational drug design

Slide 18
A Grand Challenge
The human genome project (1991-2003): planned 15 years ahead, involving worldwide collaboration, dedicated to open publication of results and radical improvement of tools, to answer fundamental questions of Nature's blueprint for the human being.

Slide 19
Impossible dreams of science
Physics: accuracy of measurement
Chemistry: purity of materials
Biology: rational drug design
Computer Science: zero defect programs

Slide 20
Verified Software: Theories, Tools, Experiments
IFIP Working Conference, Zurich, October 10-13, 2005. A hundred leading researchers from around the world discussed a possible Grand Challenge. Follow-up meetings: US, China, EC, ... Microsoft Research a leading participant.

Slide 21
A glimmer of hope
Programs have already been verified: a control system for the Paris Metro; Mondex cash-card; programs simulating hardware designs; Sizewell B nuclear power station; ... Praxis Ltd. guarantees their software.

Slide 22
But proofs are often manual, programs have been limited in size, and they do not evolve. A Grand Challenge must solve these problems.

Slides 23-24
Progress at Microsoft
Programmer productivity tools, driven by immediate need, exploiting results of earlier pure research, to find obscure bugs before delivery of software. Four steps.

Slides 25-27
First step
Program analysers like PREfix and PREfast detect obscure bugs and reduce the cost of testing. They evolve by reducing false positives and false negatives... and they are improving. But removing bugs is also error prone. Analysis favours malware attackers.

Slides 28-31
The next step
Program analysers like ESP certify absence of specific kinds of error, like buffer overflow, with the certainty of mathematical proof. Proof is automatic in 96% of cases (improving to 99% or 99.9% or ...). Programmer annotation is required.

Slides 32-33
Automatic annotation
Program analysers like SLAM use abstract symbolic interpretation to discover plausible annotations and then check them by proof. Counter-example driven predicate abstraction. Specialised to one application area: device drivers.

Slide 34
A prototype program verifier
The most advanced program analysers, like Spec# in Microsoft Research, certify absence of any kind of error for any kind of application. It is a prototype program verifier for C#.

Slide 35
The long-term goal
Certify the absence of any kind of error, for any kind of application, for any programming language, with the certainty of mathematical proof.

Slides 36-39
Filling the gaps
Certify the absence of any kind of error that can be specified by assertions/contracts, for any kind of application which is well enough understood, for any programming language whose mathematics is fully understood, with the certainty of mathematical proof in a theory covered by an automatic prover.

Slide 40
The dream is possible!
By combining the research of scientists who pursue long-term ideals with the work of engineers who pursue immediate advantage, to develop a program verifier and realise the dream of zero defect programming.

Slide 41
The dream is possible!
By combining the work of scientists who pursue long-term ideals with the work of engineers who pursue immediate advantage, to develop a program verifier and realise the dream of zero defect programming... within the next fifty years.

Slide 42
The dream is possible!
By combining the work of scientists who pursue long-term ideals with the work of engineers who pursue immediate advantage, to develop a program verifier and realise the dream of zero defect programming... within the next fifteen years.
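Slides 28 to 31 and 36 to 39 speak of certifying the absence of buffer overflow by proof from programmer-written annotations and contracts. The C below is an added illustration, not code from the talk or from any of the tools it names: it writes the precondition, loop invariant and postcondition of a bounded string copy as assert() calls, which are exactly the obligations a verifier would discharge by proof rather than at run time. The function names and the 8-byte test buffer are assumptions of this example.

```c
#include <assert.h>
#include <stddef.h>
#include <string.h>

/* Precondition : dst and src are non-null and dst_cap >= 1.
 * Postcondition: no write has index >= dst_cap, dst is NUL-terminated,
 *                and the return value (bytes copied) is < dst_cap.
 * A verifier proves these once; assert() only checks them per run.   */
size_t bounded_copy(char *dst, size_t dst_cap, const char *src, size_t src_len)
{
    assert(dst != NULL && src != NULL);    /* precondition */
    assert(dst_cap >= 1);                  /* room for the terminator */
    size_t i = 0;
    /* Loop invariant: i <= src_len and i + 1 <= dst_cap on every entry. */
    while (i < src_len && i + 1 < dst_cap && src[i] != '\0') {
        assert(i < dst_cap - 1);           /* the write stays inside dst */
        dst[i] = src[i];
        i++;
    }
    assert(i < dst_cap);                   /* terminator stays inside dst */
    dst[i] = '\0';
    return i;
}

/* Call-site obligation for a copy that loses nothing: the caller must
 * show dst_cap > src_len from what it knows about the two lengths, or
 * the verifier reports a counterexample (a length that gets truncated).
 * Written as dst_cap > src_len rather than dst_cap >= src_len + 1 so the
 * comparison itself cannot wrap when src_len == SIZE_MAX.              */
int copy_is_lossless(size_t dst_cap, size_t src_len)
{
    return dst_cap > src_len;
}

/* Test helper (constructed): copy src into an 8-byte buffer pre-filled
 * with a sentinel (requires dst_cap < 8) and return 1 only if the result
 * equals expect and every byte beyond the copy is still the sentinel.  */
int check_copy(const char *src, size_t dst_cap, const char *expect)
{
    char buf[8];
    assert(dst_cap < sizeof buf);
    memset(buf, 'X', sizeof buf);
    size_t n = bounded_copy(buf, dst_cap, src, strlen(src));
    for (size_t k = n + 1; k < sizeof buf; k++)
        if (buf[k] != 'X') return 0;       /* a byte beyond the copy was touched */
    return n == strlen(expect) && strcmp(buf, expect) == 0;
}
```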