2 Zero Defect Programming: The Impossible Dream Tony Hoare Principal Researcher Microsoft Corporation

4 The impossible dream: 1. Software contains no more errors; software is the most reliable component in any system or product that contains it.

6 The sordid reality: 1. If it's switched on and stops working, the fault is probably in the software. If you switch it off and on again and it now works, the fault is certainly in the software. Whatever it is!

7 A more possible dream: 1. Software contains no more errors than any other engineering product.

9 The impossible dream: 2. Programmers make no more mistakes; programs work the first time they are run, and forever after, even when you change them.

10 The sordid reality: 2. Programmers spend half their time detecting, removing or working round mistakes made by themselves (or their colleagues) in the other half of their time.

11 A more possible dream: 2. Programmers make no more mistakes than any other professional engineer.

12 $100 billion per year: world-wide annual cost of software error. 40% falls on developers, 60% on users. Estimate based on a survey of US industry: Planning Report 02-03, prepared by NIST for the US Department of Commerce, May 2002.

13 Still impossible: 3. The program verifier: an intelligent programmer's assistant that knows what the program should do and what it should not do. It verifies that the program is correct, with the certainty of mathematical proof, and gives a simple counterexample if not. Applied also to requirements and designs.

14 The sordid reality: 3. Computers can't understand the real world. It's too hard to tell them what we want. They're bad at proof, and worse at counterexamples. ...but still we dream...

17 Impossible dreams of science. Physics: accurate measurement. Chemistry: purity of materials. Biology: rational drug design.

18 A Grand Challenge. The human genome project ( ): planned 15 years ahead, involving worldwide collaboration, dedicated to open publication of results and radical improvement of tools, to answer fundamental questions about Nature's blueprint for the human being.

19 Impossible dreams of science. Physics: accuracy of measurement. Chemistry: purity of materials. Biology: rational drug design. Computer Science: zero defect programs.

20 Verified Software: Theories, Tools, Experiments. IFIP Working Conference, Zurich, October 10 – 13. A hundred leading researchers from around the world discussed a possible Grand Challenge. Follow-up meetings: US, China, EC, ... Microsoft Research was a leading participant.

21 A glimmer of hope. Programs have already been verified: a control system for the Paris Metro; the Mondex cash-card; programs simulating hardware designs; the Sizewell B nuclear power station ... Praxis Ltd. guarantees their software.

22 But proofs are often manual, programs have been limited in size, and they do not evolve. A Grand Challenge must solve these problems.

24 Progress at Microsoft. Programmer productivity tools, driven by immediate need, exploiting results of earlier pure research to find obscure bugs before delivery of software. Four steps.

25 First step. Program analysers like PREfix and PREfast detect obscure bugs and reduce the cost of testing. They evolve by reducing false positives and false negatives.

27 First step. Program analysers like PREfix and PREfast detect obscure bugs and reduce the cost of testing ... and they are improving. But removing bugs is also error prone. Analysis also favours malware attackers: the same tools find the bugs they exploit.

30 The next step. Program analysers like ESP certify the absence of some generic errors, like buffer overflow, with the certainty of mathematical proof. The proof is automatic in 96% of cases (improving to 99% or 99.9% or ...).

31 The next step. Program analysers like ESP certify the absence of specific kinds of error, like buffer overflow, with the certainty of mathematical proof. The proof is automatic in 96% of cases; for the rest, programmer annotation is required.

32 Automatic annotation. Program analysers like SLAM use abstract symbolic interpretation to discover plausible annotations and then check them by proof: counterexample-driven predicate abstraction.

33 Automatic annotation. Program analysers like SLAM use abstract symbolic interpretation to discover plausible annotations and then check them by proof, specialised to one application area: device drivers.

34 A prototype program verifier. The most advanced program analysers, like Spec# in Microsoft Research, aim to certify the absence of any kind of error for any kind of application. It is a prototype program verifier for C#.
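The three analyser steps above (an unannotated bug-finder that trades false positives against false negatives, ESP-style proof once the programmer supplies an annotation, and Spec#-style assertions or contracts) are easier to see on one concrete routine. The following C is an added example written for this page, not code from Hoare's talk or from PREfix, ESP, SLAM or Spec#. The REQUIRES macro is a hypothetical contract notation standing in for a verifier's annotation, and the sample names are constructed for the demonstration.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical contract macro (an assumption of this example, not any real
 * analyser's annotation syntax): a precondition the caller must establish.
 * A program verifier would try to prove it at every call site; here it is
 * checked at run time, so a violation stops the program instead of silently
 * overflowing a buffer. */
#define REQUIRES(cond) assert(cond)

#define NAME_LEN 16

/* 1. Unannotated code. Nothing tells an analyser how long `src` may be, so
 * it must either warn about a possible overflow on every call (a false
 * positive whenever the caller is careful) or stay silent (a false negative
 * when one caller is not). The defect is real: strcpy writes strlen(src)+1
 * bytes into a 16-byte buffer. Kept to show the bug; never called here. */
void copy_name_unchecked(char dst[NAME_LEN], const char *src)
{
    strcpy(dst, src);
}

/* 2. Annotated code. The precondition states the fact a proof needs: the
 * string plus its terminator fits. An analyser that trusts the contract can
 * certify this body overflow-free, and the obligation moves to each caller,
 * where it is checked in turn. */
void copy_name_contract(char dst[NAME_LEN], const char *src)
{
    REQUIRES(src != NULL);
    REQUIRES(strlen(src) < NAME_LEN);
    strcpy(dst, src);            /* safe under the precondition above */
}

/* 3. Defensive code for callers that cannot establish the precondition:
 * refuse the copy rather than overflow. Returns 0 on success, -1 if the
 * source does not fit (or an argument is invalid). */
int copy_name_checked(char *dst, size_t dst_len, const char *src)
{
    size_t n;
    if (dst == NULL || src == NULL || dst_len == 0)
        return -1;
    n = strlen(src);
    if (n >= dst_len)
        return -1;
    memcpy(dst, src, n + 1);     /* n + 1 <= dst_len, so this cannot overflow */
    return 0;
}

/* Constructed sample inputs: two fit in 16 bytes, two would overflow. */
static const char *const SAMPLE_NAMES[] = {
    "Hoare",
    "Fifteen chars!!",               /* 15 chars + NUL = exactly 16 bytes */
    "Sixteen chars!!!",              /* 16 chars: one byte too many */
    "A name long enough to smash the stack",
};

/* Runs the checked copy over the samples and returns how many it rejected
 * (2 for the inputs above: the third and fourth). */
int count_rejected(void)
{
    char buf[NAME_LEN];
    int rejected = 0;
    size_t i;
    for (i = 0; i < sizeof SAMPLE_NAMES / sizeof SAMPLE_NAMES[0]; i++) {
        if (copy_name_checked(buf, sizeof buf, SAMPLE_NAMES[i]) != 0)
            rejected++;
    }
    return rejected;
}

/* Exercises the contract version on an input that satisfies its
 * precondition; returns 1 if the copy is faithful, 0 otherwise. */
int contract_copy_ok(void)
{
    char buf[NAME_LEN];
    copy_name_contract(buf, "Hoare");
    return strcmp(buf, "Hoare") == 0;
}

int main(void)
{
    printf("checked copy rejected %d of 4 samples; contract copy %s\n",
           count_rejected(), contract_copy_ok() ? "ok" : "FAILED");
    return 0;
}
```

The point of the three versions is where the proof obligation lives: nowhere in the first (so the analyser must guess), at each call site in the second (which is what "programmer annotation is required" means in practice), and inside the function in the third (which costs a branch per call but needs no proof at all).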

35 The long-term goal. Certify the absence of any kind of error, for any kind of application, for any programming language, with the certainty of mathematical proof.

39 Filling the gaps. Certify the absence of any kind of error that can be specified by assertions/contracts, for any kind of application which is well enough understood, for any programming language whose mathematics is fully understood, with the certainty of mathematical proof in a theory covered by an automatic prover.

41 The dream is possible! By combining the work of scientists who pursue long-term ideals with the work of engineers who pursue immediate advantage, to develop a program verifier and realise the dream of zero defect programming, within the next fifty years.

42 The dream is possible! By combining the work of scientists who pursue long-term ideals with the work of engineers who pursue immediate advantage, to develop a program verifier and realise the dream of zero defect programming, within the next fifteen years.
