SLAM & Static Driver Verifier: Technology Transfer of Formal Methods in Microsoft
Thomas Ball, Testing, Verification and Measurement, Microsoft Research
http://research.microsoft.com/~tball/

Posted 19-Dec-2015; 34 pages

TRANSCRIPT

Page 1: SLAM & Static Driver Verifier: Technology Transfer of Formal Methods in Microsoft

Thomas Ball
Testing, Verification and Measurement
Microsoft Research
http://research.microsoft.com/~tball/

Page 2: Overview

• Software contracts
• SLAM analysis engine – brief technical overview
• Static Driver Verifier – transfer of technology to Windows

Page 3: A Brief History of Microsoft

[Figure: timeline 1980, 1990, 2000 with platform "richness" growing over time: Windows 3.0, Win16, Win32, COM, MFC, Components, Services, APIs]

Page 4: Platform Interfaces Everywhere!

[Figure: a Client calls an Implementation through an API. But no contracts!]

Page 5: Microsoft Powerpoint EULA Point 11

• 11. EXCLUSION OF INCIDENTAL, CONSEQUENTIAL AND CERTAIN OTHER DAMAGES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL MICROSOFT OR ITS SUPPLIERS BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS OR CONFIDENTIAL OR OTHER INFORMATION, FOR BUSINESS INTERRUPTION, FOR PERSONAL INJURY, FOR LOSS OF PRIVACY, FOR FAILURE TO MEET ANY DUTY INCLUDING OF GOOD FAITH OR OF REASONABLE CARE, FOR NEGLIGENCE, AND FOR ANY OTHER PECUNIARY OR OTHER LOSS WHATSOEVER) ARISING OUT OF OR IN ANY WAY RELATED TO THE USE OF OR INABILITY TO USE THE SOFTWARE PRODUCT, THE PROVISION OF OR FAILURE TO PROVIDE SUPPORT SERVICES, OR OTHERWISE UNDER OR IN CONNECTION WITH ANY PROVISION OF THIS EULA, EVEN IN THE EVENT OF THE FAULT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, BREACH OF CONTRACT OR BREACH OF WARRANTY OF MICROSOFT OR ANY SUPPLIER, AND EVEN IF MICROSOFT OR ANY SUPPLIER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Page 6: The GPL

• 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

• 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Page 7: Is There any Program That Satisfies Its Contract?

Page 8: Informal Contract: Sockets

(excerpt of a sockets manual page, truncated at both ends on the slide)

… the "communication domain" in which communication is to take place; see protocols(5).

Sockets of type SOCK_STREAM are full-duplex byte streams, similar to pipes. A stream socket must be in a connected state before any data may be sent or received on it. A connection to another socket is created with a connect(2) call. Once connected, data may be transferred using read(2V) and write(2V) calls or some variant of the send(2) and recv(2) calls. When a session has been completed a close(2V), may be performed. Out-of-band data may also be transmitted as described in send(2) and received as described in recv(2).

The communications protocols used to implement a SOCK_STREAM insure that data is not lost or duplicated. If a piece of …

Page 9: Formalizing Contracts

• Pre/post conditions
  – Hoare logic
  – Eiffel: "design by contract", integrated into language
  – JML: pre/post language (in comments)

• Monitors
  – security automata
  – SLIC – SLAM's API rule language

• Models
  – ASML: separate modeling language

Page 10: Why are Contracts Useful?

• Precision in specification & design
• Separation of concerns
• Documentation
• Checking/Testing
  – dynamic (run-time)
  – static (compile-time)
• Responsibility, enforceability, liability, …

Page 11: Why Now?

• Specifications are (still) a good idea!
  – focus shifted to critical properties rather than full correctness
• Bug economics
• Test automation wall
• Moore's law
  – abundant computational resources
• Advances in research and technology
  – model checking
  – program analysis
  – theorem proving
  – analysis infrastructures

Page 12: Overview

• Software contracts
• SLAM analysis engine – brief technical overview
• Static Driver Verifier – transfer of technology to Windows

Page 13: The Windows Driver Problem

• Device drivers
  – glue between OS and devices
  – many are kernel plug-ins
  – huge part of PC ecosystem

• Windows Driver Model
  – complex legacy API
  – direct access to Windows kernel
  – low-level binary debugging

Page 14: Static Driver Verifier

[Figure: SDV workflow linking Development, Source Code, Precise API Usage Rules (SLIC), Software Model Checking, Defects (100% path coverage) and Testing. The Rules are also used to "read for understanding", to "drive testing tools", and as the place where "new API rules" are added.]

Page 15: State Machine for Locking / Locking Rule in SLIC

[Figure: state machine with states Unlocked, Locked and Error. Acq moves Unlocked to Locked and Rel moves Locked back to Unlocked; Acq while Locked or Rel while Unlocked moves to Error.]

  state {
    enum {Locked, Unlocked} s = Unlocked;
  }

  KeAcquireSpinLock.entry {
    if (s == Locked) abort;
    else s = Locked;
  }

  KeReleaseSpinLock.entry {
    if (s == Unlocked) abort;
    else s = Unlocked;
  }

Page 16: The SLAM Process

[Figure: the SLAM loop. The driver's C source (#include <ntddk.h>), a harness and the SLIC rule go into C2BP (predicate abstraction), which produces a boolean program; Bebop runs a reachability check on the boolean program; an error path found by Bebop goes to Newton for a feasibility check; when the path is infeasible, Newton produces refinement predicates that are fed back into C2BP.]

Page 17: Example – Does this code obey the locking rule?

  do {
    KeAcquireSpinLock();
    nPacketsOld = nPackets;
    if (request) {
      request = request->Next;
      KeReleaseSpinLock();
      nPackets++;
    }
  } while (nPackets != nPacketsOld);
  KeReleaseSpinLock();

Page 18: Example – Model checking boolean program (bebop)

  do {
    KeAcquireSpinLock();
    if (*) {
      KeReleaseSpinLock();
    }
  } while (*);
  KeReleaseSpinLock();

[Figure: the error path reported by Bebop, annotated at each step with the lock state U (Unlocked), L (Locked) or E (Error). The path takes the if-branch, releases the lock, exits the loop and releases again.]

Page 19: Example – Is error path feasible in C program? (newton)

  do {
    KeAcquireSpinLock();
    nPacketsOld = nPackets;
    if (request) {
      request = request->Next;
      KeReleaseSpinLock();
      nPackets++;
    }
  } while (nPackets != nPacketsOld);
  KeReleaseSpinLock();

[Figure: the same U/L/E error path from the boolean program, overlaid on the C code for Newton to check]

Page 20: Example – Add new predicate to boolean program (c2bp)

b : (nPacketsOld == nPackets)

  do {
    KeAcquireSpinLock();
    nPacketsOld = nPackets;              b = true;
    if (request) {
      request = request->Next;
      KeReleaseSpinLock();
      nPackets++;                        b = b ? false : *;
    }
  } while (nPackets != nPacketsOld);     !b
  KeReleaseSpinLock();

[Figure: the same U/L/E error path shown alongside the code]
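Where the boolean updates on this slide come from (an added worked derivation, not part of the original deck; it applies the predicate-abstraction rule the slide attributes to c2bp). For a statement st and a predicate p, c2bp asks the theorem prover whether the current predicate values imply the weakest precondition WP(st, p) (then the new value of the boolean is true) or WP(st, !p) (then false); when neither holds the new value is * (unknown).

  b : (nPacketsOld == nPackets)

  nPacketsOld = nPackets:
    WP(nPacketsOld = nPackets, b)  =  (nPackets == nPackets)  =  true
    so b = true

  nPackets++:
    WP(nPackets++, b)   =  (nPacketsOld == nPackets + 1)
    WP(nPackets++, !b)  =  (nPacketsOld != nPackets + 1)
    b  implies  (nPacketsOld != nPackets + 1)   so from b the new value is false
    !b implies neither (nPacketsOld == nPackets + 1) nor its negation   so from !b the new value is *
    hence  b = b ? false : *

  while (nPackets != nPacketsOld):
    the loop condition is exactly !b, so the loop continues on !b and exits on b

The other statements in the loop (request = request->Next, the lock calls) do not mention nPackets or nPacketsOld and leave b unchanged. This is what removes the spurious path: inside the if-branch, b is true when nPackets++ runs, so b becomes false afterwards, the loop cannot exit, and the second KeReleaseSpinLock() is never reached without an intervening KeAcquireSpinLock().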

Page 21: Example – Model checking refined boolean program (bebop)

b : (nPacketsOld == nPackets)

  do {
    KeAcquireSpinLock();
    b = true;
    if (*) {
      KeReleaseSpinLock();
      b = b ? false : *;
    }
  } while (!b);
  KeReleaseSpinLock();

[Figure: the earlier error path annotated with the lock state (U/L/E) and the value of b (b or !b) at each step]

Page 22: Example – Model checking refined boolean program (bebop)

(same refined boolean program and predicate b : (nPacketsOld == nPackets) as page 21)

[Figure: the path annotated with lock state and b. With b tracked, the loop exit is only taken when b holds, so the annotations never reach E: the refined abstraction has no error path.]
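To make the Bebop step on pages 18 to 22 concrete, the following is an added example (not code from the original deck, and not SLAM's own Bebop, which is a symbolic checker built on BDDs and procedure summaries): an explicit-state reachability checker over the two boolean programs above, with the SLIC locking rule from page 15 folded in as the Error transitions. The program-point names, the `step()` and `error_reachable()` functions and the encoding of each statement's abstraction (`b = true`, `b = b ? false : *`, `while (!b)`) are this example's own choices. The coarse program (no predicate) reaches Error by the double release the slides show; the refined program does not, which is the proof of page 22.

```c
#include <stdio.h>
#include <string.h>

/* Lock state tracked by the SLIC rule on page 15. */
enum { UNLOCKED = 0, LOCKED = 1 };

/* Program points of the loop on page 17, labelled with the concrete statement.
   step() applies the boolean abstraction of each statement. */
enum { PC_ACQ, PC_SNAP, PC_IF, PC_REL, PC_INC, PC_WHILE, PC_REL2, PC_END, NPC };

static const char *pc_name[NPC] = {
    "KeAcquireSpinLock()", "nPacketsOld = nPackets", "if (request)",
    "KeReleaseSpinLock()", "nPackets++", "while (nPackets != nPacketsOld)",
    "KeReleaseSpinLock()", "end"
};

/* State of the boolean program: program point, SLIC lock state s, and the
   predicate b : (nPacketsOld == nPackets). The coarse program has no b;
   there the field stays 0 and is never consulted. */
typedef struct { int pc, s, b; } State;

#define NSTATES (NPC * 2 * 2)
static int key(State st) { return (st.pc * 2 + st.s) * 2 + st.b; }

/* Successors of st. Returns how many were written to out[]; sets *err when
   the transition is a SLIC abort, i.e. the monitor's Error state. */
static int step(State st, int refined, State out[2], int *err)
{
    State n = st;
    *err = 0;
    switch (st.pc) {
    case PC_ACQ:                        /* KeAcquireSpinLock.entry */
        if (st.s == LOCKED) { *err = 1; return 0; }
        n.s = LOCKED; n.pc = PC_SNAP; out[0] = n; return 1;
    case PC_SNAP:                       /* refined: b = true */
        if (refined) n.b = 1;
        n.pc = PC_IF; out[0] = n; return 1;
    case PC_IF:                         /* if (*): explore both branches */
        n.pc = PC_WHILE; out[0] = n;
        n.pc = PC_REL;   out[1] = n; return 2;
    case PC_REL:                        /* KeReleaseSpinLock.entry */
        if (st.s == UNLOCKED) { *err = 1; return 0; }
        n.s = UNLOCKED; n.pc = PC_INC; out[0] = n; return 1;
    case PC_INC:                        /* refined: b = b ? false : * */
        n.pc = PC_WHILE;
        if (!refined || st.b) { n.b = 0; out[0] = n; return 1; }
        n.b = 0; out[0] = n; n.b = 1; out[1] = n; return 2;
    case PC_WHILE:
        if (!refined) {                 /* coarse: while (*) */
            n.pc = PC_ACQ;  out[0] = n;
            n.pc = PC_REL2; out[1] = n; return 2;
        }
        n.pc = st.b ? PC_REL2 : PC_ACQ; /* refined: while (!b) */
        out[0] = n; return 1;
    case PC_REL2:                       /* KeReleaseSpinLock.entry after the loop */
        if (st.s == UNLOCKED) { *err = 1; return 0; }
        n.s = UNLOCKED; n.pc = PC_END; out[0] = n; return 1;
    default:                            /* PC_END: no successors */
        return 0;
    }
}

/* Explicit-state depth-first reachability from (KeAcquireSpinLock, Unlocked).
   Returns 1 and prints the counterexample path if an Error transition is
   reachable, 0 if the locking rule holds on every path of the abstraction. */
int error_reachable(int refined)
{
    const char *which = refined ? "refined" : "coarse";
    State stack[NSTATES], all[NSTATES], init = { PC_ACQ, UNLOCKED, 0 };
    int parent[NSTATES], seen[NSTATES], sp = 0;
    memset(seen, 0, sizeof seen);
    seen[key(init)] = 1; parent[key(init)] = -1; all[key(init)] = init;
    stack[sp++] = init;
    while (sp > 0) {
        State cur = stack[--sp], succ[2];
        int err, n = step(cur, refined, succ, &err);
        if (err) {
            int trace[NSTATES], len = 0;
            for (int k = key(cur); k != -1; k = parent[k]) trace[len++] = k;
            printf("%s boolean program: Error reachable, path:\n", which);
            for (int i = len - 1; i >= 0; i--) {
                State t = all[trace[i]];
                printf("  %-32s  s=%s  b=%d\n", pc_name[t.pc],
                       t.s == LOCKED ? "Locked" : "Unlocked", t.b);
            }
            return 1;
        }
        for (int i = 0; i < n; i++) {
            int k = key(succ[i]);
            if (seen[k]) continue;
            seen[k] = 1; parent[k] = key(cur); all[k] = succ[i];
            stack[sp++] = succ[i];
        }
    }
    printf("%s boolean program: Error not reachable, locking rule holds\n", which);
    return 0;
}

int main(void)
{
    error_reachable(0);   /* page 18: spurious double release is found */
    error_reachable(1);   /* page 22: with b tracked there is no error path */
    return 0;
}
```

The whole state space here is 8 program points times 2 lock states times 2 values of b, so a visited-set DFS is enough; the same search over a real driver, with hundreds of predicates and procedure calls, is where Bebop's BDD representation and interprocedural summaries matter. Note also what the example does not do: it cannot tell that the coarse counterexample is spurious. That judgement (and the predicate b that repairs it) is Newton's job, which is why the loop on page 16 needs both checkers.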

Page 23: SLAM/SDV History

• 2000–2001
  – foundations, algorithms, prototyping
  – papers in CAV, PLDI, POPL, SPIN, TACAS
• March 2002
  – Bill Gates review
• May 2002
  – Windows committed to hire two Ph.D.s in model checking to support Static Driver Verifier
• July 2002
  – running SLAM on 100+ drivers, 20+ properties
• September 3, 2002
  – made initial release of SDV to Windows (friends and family)
• April 1, 2003
  – made wide release of SDV to Windows (any internal driver developer)
• September, 2003
  – team of six in Windows working on SDV
  – researchers moving into "consultant" role
• November, 2003
  – demonstration at Driver Developer Conference

Page 24: SLAM Results

• Boolean program model has proved itself
• Successful for device driver contracts
  – control-dominated safety properties
  – few boolean variables needed to do proof or find real errors
• Counterexample-driven refinement
  – terminates in practice
  – incompleteness of theorem prover not an issue

Page 25: Overview

• Software contracts
• SLAM analysis engine – brief technical overview
• Static Driver Verifier – transfer of technology to Windows

Page 26: Lessons Learned

• Context matters
• People power
• Focus on problems not solutions
• Exploit synergies and shoulders
• Plan carefully
• Cultivate champions
• Avoid the "root of all evil"

Page 27: Context Matters

• Microsoft culture change
  – Trustworthy Computing Initiative

• Microsoft Research
  – basic research + product group interaction
  – "Microsoft's researchers are brilliant, well-funded and free to advance … 'the state of the art' in software and computer science. Their work is published in peer-reviewed scientific journals, presented at conferences and discussed with the hundreds of PhD students who do internships at Microsoft each year."
  – "By locating its researchers cheek by jowl with business managers, Microsoft hoped to encourage more effective transfer of new technologies from its labs to its range of products."
  – Financial Times, 12 March 2004

• Programmer Productivity Research Center
  – PREfix and PREfast tools
  – analysis infrastructure
  – tool pipeline to development organizations

Page 28: People Power

Software Productivity Tools group members
  – Sriram Rajamani, Manuvir Das, Rob DeLine, Jim Larus, Manuel Fahndrich, Rustan Leino, Jakob Rehof, Shaz Qadeer

SLAM summer interns
  – Sagar Chaki, Todd Millstein, Rupak Majumdar (2000)
  – Satyaki Das, Wes Weimer, Robby (2001)
  – Jakob Lichtenberg, Mayur Naik (2002)
  – Jakob Lichtenberg, Shuvendu Lahiri, Georg Weissenbacher, Fei Xie (2003)

SLAM Visitors
  – Giorgio Delzanno, Andreas Podelski, Stefan Schwoon

Static Driver Verifier: Windows Partners
  – Byron Cook, John Henry, Vladimir Levin, Con McGarvey, Bohus Ondrusek, Abdullah Ustuner
  – Neill Clift, Nar Ganapathy, Adrian Oney, Johan Marien, Bob Rinne, Rob Short, Peter Wieland

Page 29: Focus on Problems not Solutions

• Device driver problem
  – important to Microsoft
  – testing insufficient to ensure quality
  – many complexities but code of reasonable size

• Problem space drives search for solution
  – control-dominated properties → boolean programs
  – no annotations → counterexample-driven refinement

Page 30: Exploit Synergies and Shoulders

• Diverse backgrounds of investigators
• SLAM built on strong foundations
  – Program analysis
  – Model checking
  – Theorem proving
• Infrastructure
  – MS compiler front-end and alias analysis
  – CUDD BDD library
  – Simplify theorem prover
  – OCaml programming language

Page 31: Plan Carefully

• Creativity = 10% inspiration + 90% perspiration
• Initial technical report
  – laid out plan, left open problems
  – recruiting/preparing interns
• Code ownership, code reviews, code refactoring and cleanup

Page 32: Cultivate Champions

• Device driver experts
  – Adrian Oney, Peter Wieland
  – explained subtleties of kernel
  – reviewed rules and error traces
• Management champions
  – Bob Rinne, Base OS
  – Amitabh Srivastava, PPRC

Page 33: Avoid the "Root of All Evil"

• Premature optimization
  – easy to get caught up in new features
  – time/energy wasted on unprofitable features
  – optimizations introduce bugs
• Let application domain drive engineering
  – profiling gives data to help prioritize efforts
  – measure impact of new optimizations

Page 34: Conclusions

• The technology now exists for enforcing simple API contracts
• Rollout/adoption
  – first as out-of-band tools (i.e., SLAM/SDV)
  – next as in-band tools (part of language/compiler)