Zero Defect Programming: The Impossible Dream

Tony Hoare, Principal Researcher, Microsoft Corporation

The impossible dream: 1

Software contains no more errors:
software is the most reliable component in any system or product that contains it.

The sordid reality: 1

If it’s switched on and stops working, probably the fault is in the software.
If you switch it off and on again, and it now works again, certainly the fault is in the software.

Whatever it is!

A more possible dream: 1

Software contains no more errors than any other engineering product.

The impossible dream: 2

Programmers make no more mistakes:
programs work the first time they are run, and forever after, even when you change them.

The sordid reality: 2

Programmers spend half their time detecting, removing or working round mistakes made by themselves (or their colleagues) in the other half of their time.

A more possible dream: 2

Programmers make no more mistakes than any other professional engineer.

$100 billion per year

World-wide annual cost of software error. 40% falls on developers, 60% on users.
Estimate based on survey of US industry.
Planning report 02-03, prepared by NIST for US Department of Commerce, May 2002.

Still impossible: 3

The program verifier: an intelligent programmers’ assistant that knows what the program should do and what it should not do.

Verifies that the program is correct, with the certainty of mathematical proof, and gives a simple counterexample if not.

Applied also to requirements and designs.

The sordid reality: 3

Computers can’t understand the real world. It’s too hard to tell them what we want.
They’re bad at proof, and worse at counter-examples.

…but still we dream…

Impossible dreams of science

Physics: accuracy of measurement
Chemistry: purity of materials
Biology: rational drug design

A Grand Challenge

The human genome project (1991-2003): planned 15 years ahead, involving worldwide collaboration, dedicated to open publication of results and radical improvement of tools, to answer fundamental questions of Nature’s blueprint for the human being.

Impossible dreams of science

Physics: accuracy of measurement
Chemistry: purity of materials
Biology: rational drug design
Computer Science: zero defect programs

Verified Software: Theories, Tools, Experiments

IFIP Working Conference, Zurich, October 10 – 13, 2005.
A hundred leading researchers from around the world discussed a possible Grand Challenge.

Follow-up meetings: US, China, EC, ...
Microsoft Research a leading participant.

A glimmer of hope

Programs have already been verified:
for a control system for Paris Metro
Mondex cash-card
programs simulating hardware designs
Sizewell B nuclear power station
...

Praxis Ltd. guarantees their software.

But

proofs are often manual
programs have been limited in size
and do not evolve

A Grand Challenge must solve these problems.

Progress at Microsoft

Programmer productivity tools, driven by immediate need, exploiting results of earlier pure research, to find obscure bugs before delivery of software.

Four steps.

First step

Program analysers like PREfix, PREfast detect obscure bugs and reduce the cost of testing.
They evolve by reducing false positives and false negatives... and they are improving.

But removing bugs is also error prone.
Analysis favours malware attackers.

The next step

Program analysers like ESP certify absence of specific kinds of error, like buffer overflow, with the certainty of mathematical proof.

Proof is automatic in 96% of cases (improving to 99% or 99.9% or...).
Programmer annotation is required.

Automatic annotation

Program analysers like SLAM use abstract symbolic interpretation to discover plausible annotations and then check them by proof.

Counter-example driven predicate abstraction.

Specialised to one application area: device drivers.

A prototype program verifier

The most advanced program analysers, like Spec# in Microsoft Research, certify absence of any kind of error for any kind of application.
It is a prototype program verifier for C#.

The long-term goal

Certify the absence of any kind of error
for any kind of application
for any programming language
with the certainty of mathematical proof.

Filling the gaps

Certify the absence of any kind of error that can be specified by assertions/contracts
for any kind of application which is well enough understood
for any programming language whose mathematics is fully understood
with the certainty of mathematical proof in a theory covered by an automatic prover.
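As an added example that is not from the slides, the Python below models the annotation-plus-checking idea of the ESP, SLAM and "Filling the gaps" slides on the slides' own buffer-overflow case: the requires/ensures functions are the programmer annotations, and verify_bounded plays the verifier, returning either no violation or a concrete counterexample as the program-verifier slide describes. All function names and the bound MAX_LEN are constructed for this example; exhaustive search up to a bound is a bounded check, not the mathematical proof the slides aim for.

```python
from itertools import product

# Constructed bound: a real verifier proves the property for all sizes;
# this example only checks every case with lengths up to MAX_LEN.
MAX_LEN = 4


def copy_n(dst, src, n):
    """memcpy-like copy of the first n elements of src into dst, in place.
    Nothing in the body stops n exceeding len(dst); the write at index
    len(dst) is this model's buffer overflow (Python raises IndexError)."""
    for i in range(n):
        dst[i] = src[i]
    return dst


def requires_src_only(dst, src, n):
    """Incomplete annotation: bounds n by the source, forgets the destination."""
    return 0 <= n <= len(src)


def requires_full(dst, src, n):
    """Complete precondition: n fits in both buffers."""
    return 0 <= n <= len(src) and n <= len(dst)


def ensures_copied(dst, src, n, result):
    """Postcondition: the first n elements were copied."""
    return result[:n] == src[:n]


def verify_bounded(fn, requires, ensures, max_len=MAX_LEN):
    """Bounded verifier: run fn on every (dst_len, src_len, n) up to max_len
    whose inputs satisfy the precondition. Returns None if no case violates
    the contract, else the first counterexample as a dict of the concrete
    inputs and the violation observed."""
    for dst_len, src_len, n in product(range(max_len + 1), repeat=3):
        dst, src = [0] * dst_len, list(range(1, src_len + 1))
        if not requires(dst, src, n):
            continue  # outside the contract: the caller's obligation, not fn's
        try:
            result = fn(dst, src, n)
        except IndexError:
            return {"dst_len": dst_len, "src_len": src_len, "n": n,
                    "violation": "out-of-bounds access"}
        if not ensures(dst, src, n, result):
            return {"dst_len": dst_len, "src_len": src_len, "n": n,
                    "violation": "postcondition failed"}
    return None


if __name__ == "__main__":
    print(verify_bounded(copy_n, requires_src_only, ensures_copied))  # counterexample
    print(verify_bounded(copy_n, requires_full, ensures_copied))      # None
```

With the incomplete annotation the checker reports the smallest overflowing call (empty destination, one source element, n = 1); with the full precondition every case within the bound passes.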

The dream is possible!

By combining the work of scientists who pursue long-term ideals with the work of engineers who pursue immediate advantage, to develop a program verifier and realise the dream of zero defect programming

within the next fifty years.

The dream is possible!

By combining the work of scientists who pursue long-term ideals with the work of engineers who pursue immediate advantage, to develop a program verifier and realise the dream of zero defect programming

within the next fifteen years.