Zero Defect Programming: The Impossible Dream
Tony Hoare, Principal Researcher, Microsoft Corporation

The impossible dream: 1
Software contains no more errors.
Software is the most reliable component in any system or product that contains it.

The sordid reality: 1
If it’s switched on and it stops working, the fault is probably in the software. Whatever it is!
If you switch it off and on again, and it now works again, certainly the fault is in the software.

A more possible dream: 1
Software contains no more errors than any other engineering product.

The impossible dream: 2
Programmers make no more mistakes.
Programs work the first time they are run, and forever after, even when you change them.

The sordid reality: 2
Programmers spend half their time detecting, removing or working round mistakes made by themselves (or their colleagues) in the other half of their time.

A more possible dream: 2
Programmers make no more mistakes than any other professional engineer.

$100 billion per year
World-wide annual cost of software error. 40% falls on developers, 60% on users.
Estimate based on a survey of US industry: Planning report 02-03, prepared by NIST for the US Department of Commerce, May 2002.

Still impossible: 3
The program verifier: an intelligent programmers’ assistant that knows what the program should do and what it should not do.
It verifies that the program is correct, with the certainty of mathematical proof, and gives a simple counterexample if not.
Applied also to requirements and designs.

The sordid reality: 3
Computers can’t understand the real world. It’s too hard to tell them what we want. They’re bad at proof, and worse at counter-examples.
…but still we dream…

Impossible dreams of science
Physics: accuracy of measurement
Chemistry: purity of materials
Biology: rational drug design

A Grand Challenge
The human genome project (1991-2003): planned 15 years ahead, involving worldwide collaboration, dedicated to open publication of results and radical improvement of tools, to answer fundamental questions of Nature’s blueprint for the human being.

Impossible dreams of science
Physics: accuracy of measurement
Chemistry: purity of materials
Biology: rational drug design
Computer Science: zero defect programs

Verified Software: Theories, Tools, Experiments
IFIP Working Conference, Zurich, October 10–13, 2005. A hundred leading researchers from around the world discussed a possible Grand Challenge.
Follow-up meetings: US, China, EC, ... Microsoft Research a leading participant.

A glimmer of hope
Programs have already been verified: for a control system for the Paris Metro, the Mondex cash-card, programs simulating hardware designs, Sizewell B nuclear power station, ...
Praxis Ltd. guarantees their software.

But
proofs are often manual, programs have been limited in size and do not evolve.
A Grand Challenge must solve these problems.

Progress at Microsoft
Programmer productivity tools, driven by immediate need, exploiting results of earlier pure research to find obscure bugs before delivery of software.
Four steps

First step
Program analysers like PREfix, PREfast detect obscure bugs and reduce the cost of testing.
They evolve by reducing false positives and false negatives ... and they are improving.
But removing bugs is also error prone.
Analysis favours malware attackers.

The next step
Program analysers like ESP certify absence of specific kinds of error, like buffer overflow, with the certainty of mathematical proof.
Proof is automatic in 96% of cases (improving to 99% or 99.9% or ...).
Programmer annotation is required.
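An added example of what the "programmer annotation" on this slide looks like in practice; it is my illustration, not code from the talk, from ESP, or from Microsoft. A C pointer carries no length, so an analyser cannot prove that a copy stays inside its destination unless the programmer states the destination's capacity and the caller establishes it. The contract comment on copy_bounded, the guards in handle_message, the message format (one length byte followed by payload) and all function names are constructed for this example.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define PAYLOAD_CAP 16

/* Contract for copy_bounded. This comment is the "programmer annotation":
 * nothing in the C types says how large dst is, so the programmer has to
 * state it. In a real tool it would be written in the tool's own annotation
 * syntax; here it is prose plus a runtime check.
 *   requires: dst refers to at least dst_cap writable bytes
 *   requires: src refers to at least n readable bytes
 *   requires: n <= dst_cap
 *   ensures : result == 0 and dst[0..n) == src[0..n)
 * The check on n is what remains at a call site the prover cannot discharge
 * automatically; at a call site where n <= dst_cap is proved it is dead code. */
static int copy_bounded(char *dst, size_t dst_cap, const char *src, size_t n)
{
    if (n > dst_cap)
        return -1;              /* precondition violated: refuse rather than overflow */
    memcpy(dst, src, n);
    return 0;
}

/* Handle one constructed wire message: a length byte followed by that many
 * payload bytes. Each guard corresponds to one conjunct of the precondition,
 * so at the call below a checker can prove n <= dst_cap and "src readable for
 * n bytes" from the branch conditions alone. Returns 1 if the message is
 * accepted, 0 if rejected. Without the guards the routine would copy
 * `claimed` bytes straight into payload[]: the buffer overflow ESP is built
 * to rule out. */
int handle_message(const unsigned char *msg, size_t msg_len)
{
    char payload[PAYLOAD_CAP];
    size_t claimed;

    if (msg_len < 1)
        return 0;                       /* no length byte at all */
    claimed = msg[0];
    if (claimed > msg_len - 1)
        return 0;                       /* claims more bytes than were received */
    if (claimed > PAYLOAD_CAP)
        return 0;                       /* establishes n <= dst_cap for the callee */
    if (copy_bounded(payload, PAYLOAD_CAP, (const char *)msg + 1, claimed) != 0)
        return 0;                       /* unreachable once the contract is proved */
    return 1;
}

/* Constructed sample inputs (not captured traffic), wrapped as functions. */
int example_accepted(void)
{
    static const unsigned char msg[] = { 8, 'p', 'a', 'y', 'l', 'o', 'a', 'd', '!' };
    return handle_message(msg, sizeof msg);        /* 1 */
}

int example_claims_too_much(void)
{
    static const unsigned char msg[] = { 200, 'x' };   /* length byte lies */
    return handle_message(msg, sizeof msg);        /* 0 */
}

int example_exceeds_capacity(void)
{
    unsigned char msg[1 + 32];
    memset(msg, 'A', sizeof msg);
    msg[0] = 32;                                   /* well-formed, but larger than PAYLOAD_CAP */
    return handle_message(msg, sizeof msg);        /* 0 */
}

int main(void)
{
    printf("accepted:         %d\n", example_accepted());
    printf("claims too much:  %d\n", example_claims_too_much());
    printf("exceeds capacity: %d\n", example_exceeds_capacity());
    return 0;
}
```

The two length guards are independent: the first stops the callee reading past the received bytes, the second stops it writing past the destination. A checker that is told the capacity can tie each guard to the matching conjunct of the contract; one that is not told it has nothing to prove against, which is why annotation is required before the proof can be automatic.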

Automatic annotation
Program analysers like SLAM use abstract symbolic interpretation to discover plausible annotations and then check them by proof.
Counter-example driven predicate abstraction.
Specialised to one application area: device drivers.
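To make "counter-example driven predicate abstraction" concrete, here is an added example; it is my own small illustration, not SLAM's code or Microsoft's. It takes a constructed driver-style routine as a control-flow graph, a lock-usage rule of the kind SLAM checks on device drivers (never acquire while locked, never release while unlocked, never return while locked), and explores the abstract states reachable over a chosen set of predicates. With only the predicate `locked` the check reports a path that breaks the rule; that path assumes the flag x true at the first branch and false at the second, so it is spurious, and adding the predicate `x != 0` makes it disappear and proves the rule. SLAM derives the added predicate from the spurious path automatically; here that refinement step is chosen by hand through the track_x flag. The node numbering, the routine itself and the names check_lock_rule, explore and counterexample_length are assumptions of this example.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Operations on the edges of the control-flow graph. ASSUME_T / ASSUME_F are
 * the two outcomes of a branch on the flag x. */
enum op { NOP, ACQ, REL, RET, ASSUME_T, ASSUME_F };

struct edge { int from, to; enum op op; };

/* Constructed driver-style routine as a CFG (the illustration's input, not
 * code from any real driver):
 *     if (x) acquire();   work();   if (x) release();   return;
 * Node 6 is the exit node. */
#define NODES 7
static const struct edge cfg[] = {
    {0, 1, ASSUME_T}, {0, 2, ASSUME_F},   /* if (x) ... */
    {1, 2, ACQ},                          /* acquire() */
    {2, 3, NOP},                          /* work() */
    {3, 4, ASSUME_T}, {3, 5, ASSUME_F},   /* if (x) ... */
    {4, 5, REL},                          /* release() */
    {5, 6, RET},                          /* return */
};
#define NEDGES (sizeof cfg / sizeof cfg[0])

/* The usage rule being checked, stated over the single predicate `locked`.
 * Returns 1 when performing `o` in state `locked` breaks the rule. */
static int violates(enum op o, int locked)
{
    return (o == ACQ && locked) || (o == REL && !locked) || (o == RET && locked);
}

/* Abstract value of x: 0 = unknown (or not tracked), 1 = known false, 2 = known true. */
static int visited[NODES][2][3];
static int path[64];    /* node sequence of the last error path, -1 terminated */

/* Depth-first exploration of the abstract states (node, locked, x).
 * With track_x == 0 the abstraction has only the predicate `locked`, so both
 * outcomes of every branch on x count as feasible. With track_x == 1 the
 * predicate `x != 0` is tracked too, and a branch outcome that contradicts
 * the known value of x is pruned as infeasible. */
static int explore(int node, int locked, int x, int track_x, int depth)
{
    if (visited[node][locked][x])
        return 0;
    visited[node][locked][x] = 1;
    path[depth] = node;
    for (size_t i = 0; i < NEDGES; i++) {
        if (cfg[i].from != node)
            continue;
        int nl = locked, nx = x;
        if (violates(cfg[i].op, locked)) {   /* rule broken on this edge */
            path[depth + 1] = cfg[i].to;
            path[depth + 2] = -1;
            return 1;
        }
        switch (cfg[i].op) {
        case ACQ: nl = 1; break;
        case REL: nl = 0; break;
        case ASSUME_T:
            if (track_x) { if (x == 1) continue; nx = 2; }
            break;
        case ASSUME_F:
            if (track_x) { if (x == 2) continue; nx = 1; }
            break;
        default: break;
        }
        if (explore(cfg[i].to, nl, nx, track_x, depth + 1))
            return 1;
    }
    return 0;
}

/* Check the rule under the chosen predicate set. Returns 1 if the abstraction
 * reports a violating path (possibly spurious), 0 if no abstract path breaks
 * the rule, which proves it for the concrete routine. */
int check_lock_rule(int track_x)
{
    memset(visited, 0, sizeof visited);
    int found = explore(0, 0, 0, track_x, 0);
    if (!found)
        path[0] = -1;
    return found;
}

/* Number of nodes on the last reported counterexample (0 if none). */
int counterexample_length(void)
{
    int n = 0;
    while (n < 64 && path[n] != -1)
        n++;
    return n;
}

int main(void)
{
    /* Round 1: predicate set {locked}. Reports path 0 1 2 3 5 6, which takes
     * the x branch at node 0 but not at node 3: spurious. */
    if (check_lock_rule(0)) {
        printf("round 1: violation on path");
        for (int i = 0; path[i] != -1; i++)
            printf(" %d", path[i]);
        printf("\n");
    }
    /* Round 2: refined set {locked, x != 0}, the predicate the spurious path
     * points to. No reachable abstract state breaks the rule, so it is proved. */
    printf("round 2: %s\n", check_lock_rule(1) ? "violation" : "rule proved");
    return 0;
}
```

The abstract state space here is tiny (7 nodes times 2 lock states times 3 values of x), which is the point of the technique: the proof is over the abstraction, not the concrete program, and each refinement adds only the predicates needed to rule out the last spurious counterexample.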

A prototype program verifier
The most advanced program analysers, like Spec# in Microsoft Research, certify absence of any kind of error for any kind of application. It is a prototype program verifier for C#.

The long-term goal
Certify the absence of any kind of error
for any kind of application
for any programming language
with the certainty of mathematical proof

Filling the gaps
Certify the absence of any kind of error that can be specified by assertions/contracts
for any kind of application which is well enough understood
for any programming language whose mathematics is fully understood
with the certainty of mathematical proof in a theory covered by an automatic prover

The dream is possible!
By combining the research of scientists who pursue long-term ideals with the work of engineers who pursue immediate advantage, to develop a program verifier and realise the dream of zero defect programming
within the next fifty years
within the next fifteen years