Why? Why? Because they were using one component of the diamond software for Ariane 4. Ariane 4 didn't go sideways during the launch as much as Ariane 5 did. Therefore one of the sideways values in the diamond software overflowed. And then it was all going wrong, so they threw themselves up. So it was on the land and they threw themselves head. So that sort of looked like a step tactual wrong.

We will make awesome bridges with millions of towers and all that kind of thing. And it is often they would fall down, and it will make magical steam engines. See a beautiful union of steam engines. And it is often they would explode, the order of steam engines, if a steel's bent all around.

Nowhere, that's become true at the beginning: a tiny change in that 100 million language could make something exploitable and useless. So they're intrinsically harder than bridges. OK, so what can we do? We can give up and go back to pen and paper and books. The way forward, I tell you. The way out, and tell all your mates. EMF 2016: quill pen. It's going to be a hard message to get across with everyone now. So, what can we do? What can we do?
Can you ask different things? I'm going to reiterate some things. So the first thing we can do is do better sort of normal software engineering: with more unit tests and more assertions, with better coordination and better management and 15 more version control systems; in other words, we should understand. So that's all good, and it hurts to us that it will probably help a bit, but it's never going to get us to high levels of robustness or understanding, and it's not really my topic, sort of, there.

So, option two. Use languages based on ideas from 1975 or 1981 instead of 1965 or 1971. So, there's a whole bunch of basically useful ideas developed in the late 70s, early 80s and what have you: having expressive types of stuff, having the compile-time guarantees of type and memory safety, so you avoid that whole combinatorial explosion of execution part of things by checking some relatively simple but fantastically useful properties when you build the system and not when you run it. So, then there's a whole bunch of other useful programming language ideas: enforcement of boundaries of these interfaces, which is straightforward. It's easy-peasy to design programming languages now which have all of these things built in, and it can be compiled to go quite fast. So, there is, for any individual working in some particular context, they might get all of our legacy code that stops you learning it, but for us collectively there is no excuse for us not to be learning this all the time, and at a stroke that will might have not all but almost all of those security thoughts. Just instant that. It's just stupid.

Point 2b: we should use programming languages that have been designed. Not what is up by a bunch of great learning. So, as a programming language research person, this is an intensive process, because the reasons why languages become popular have a strong inverse correlation with how good they are and whether the people who invented them knew anything about designing programming languages.
There are so many examples. I don't want to make a video on YouTube. I don't want too much hate mail. I'm not going to mention any of them. All together now. That's a bit people. Louder! C-H-V wins. V-T-P-L! I don't think people use exactly that anymore. So, there is a whole subject. An engineer you split off. The design and analysis of programming languages. But do a very good approximation to people that design any of the languages that people use know anything about it? Again, not something that some individuals use in this, but for us as a community completely trivial to fix. It's easy now, if you pay attention, to precisely define the semantics of a real programming language. You can define how things can be typed or not typed and how anything in any programming language behaves, completely intersectionally, and then you can see your design decisions and you can see when you're introducing stupid excessive complexity. In other words, you just have to be able to come up with some kind of interpretation and argue about how many curly braces it should have, so you cannot see it.

Okay, so I'm going to skip over Option 3, which is my main topic. It's straight to Option 4. Option 4 is proof of correctness. Do make an incredible proof that software and hardware will actually meet precisely stated specifications. So this is a long-standing dream and expectation by academics. In EMF 1972 you would have had Tony Hoare standing up on this stage saying, "We should prove correctness. I got it." With all his mates. I know Edsger and lots of other guys. So for a long time academics have been saying this, and for quite a long time it was not terribly plausible. I remember back when I was a lad in some kind of university: if you reverse the list twice you get back to the same thing. Anything but proof that. Good. So for a long time it wasn't super plausible because we couldn't scale it up. But these things do change.
In the last 5 or 10 years various academic, sort of thickest substantial academic projects, but on an industrial scale tiny, have built up a significant bit of fully formally verified, with machine-checked proofs of correctness, software. So there's a bunch of compilers, CompCert, CakeML, sort of C-like languages and ML languages, compiled all the way to assembly or binary, fully verified correct. People at Penn have been verifying LLVM optimization passes. There's verified software fault isolation which goes faster than the unverified version, from town, RSF, Cleveland and Harvard. There's the seL4 verified hypervisor from guys in Australia. So we can do this now. For particular things, where it was the effort. It's not that much effort, but it's higher. High-end effort you have to have to know. It's just you who's close off to who can do this kind of thing.

So in the long time I'm not going to see any more of the slides. Clouds. In the long term this is viable for software. But in the short term it's tricky. We have hard things we need to sell right now. So what's an intermediate but more tractable alternative? It is to not fully verify whole components in this stack. Fully verify out production of the pilot, but at the very least precisely specify the interfaces between all of these visual pods that we're on the hardware stack, and to test that those specifications are sound with respect to the implementations. Not just in there for global behaviour, but intentionally, step by step, looking at all the internal states, and has gone to turn up to be like that's good. So my colleagues and I have been doing this kind of thing for the last few years. You've got the DZP and the C and C++ standards models and standards of camel and the C language that people now have in the TLS stack. So this is far too much stuff to talk about.
I'm just going to talk about the multiprocessor part, to just give you a little bit of a feeling for what kind of thing is involved in specifying what a new interface is. So let's look at multiprocessors. A multiprocessor is a simple idea to make this go faster, and in-pressure is what we do in the same memory. So this is not a new idea, but there are new ideas that we can do in science. More than what we've had before. This one was first had in 1962. Did you see that? You would see that. I'll show you.

Two backgrounds. Very small ones. Each with two threads and two actions. Two memory reads or writes on those two threads. And we'll talk about how they might behave. The first one is this side, which if you can see it will say write X is one and then read Y. And on this side write Y is one and read X. And suppose everything is zero again. So not evenly, one might imagine you've got these two things, and you've got two instructions on the left and two instructions on the right. So this one might be entirely before that one, or that one might be entirely before this one, or this might be like that one, or like that one, or like that one, or like that one. There's only six possible interleavings of two lists of length two, and in none of those simultaneously does that read read from before that one and that read from before that one. So you'll never get X is zero and Y is zero being read out. Are we all cool with that? You see, do you want some other things to work? You want some other things to work. We'll get to that very soon. The first one to run that on a laptop read one and one. We'll get one of those other interleavings, and then after we'll read X is zero and Y is not. My hardware is copy. It may be that you've got hardware is copy, and it can be that you have found in most of the hardware that we've tested hardware bugs and you give it a party here, but in fact this is perfectly intended by the designers.
The hardware designers want to make your computations go fast, because you want that. What you want, your computations to go fast, that's what you pay for, so they've added in linear optimizations which this kind of program can see, as a FIFO buffer for writes that need hardware drift. It's probably more complicated than that inside, so the model is not this simple thing that once a process was stored in the shared network. It's more complicated.

Second example. So on this thread now we'll write some data and then we'll write some kind of a flag. On this thread we'll read that flag until we see it set, and then we'll try and read the data. The question is, are we guaranteed to see a good value of the data, or might we just see some old architecture? Are you trying to run that on a few kinds of smaller optimizations which make those go fast and also use less power, that is involved in the art space? So if you as an innocent programmer want to make these things happen in order, which has a number of instructions, memory barrier instructions, at all, and you might wonder what they do, so you might go off and say, in this IBM, what does this instruction do? And you would see some text like this. I'm going to start reading it out. "Each applicable pair A, B memory barrier also A will be formed with respect to any processor or mechanism, to the extent required by the associated memory, to be required to be used before B is formed with respect to that processor or mechanism. A will include all the applicable processor or mechanism for the memory barrier is created; B includes all the applicable processor or mechanism after a load instruction is executed by that processor or mechanism has returned the value stored by stored." Got that? So this is very deceptive, this stuff, because it looks like they've thought really hard about it and it means something precise that you just don't quite understand.
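The two litmus tests just described, as an added example that is not part of the talk: a small model that enumerates every execution each test is allowed under sequential consistency and under a simplified store-buffer (x86-TSO-style) model, so the set of allowed final register values can serve as the kind of executable test oracle the talk goes on to describe. The instruction encoding, the `'F'` fence instruction and the register names are my own assumptions, not the talk's.

```python
"""Executable memory-model oracle for two-thread litmus tests (added example).

Two models are explored exhaustively:
  * sequential consistency: every write goes straight to shared memory;
  * store buffers: each thread's writes wait in a per-thread FIFO buffer
    until nondeterministically drained, and the thread's own later reads
    see its buffered writes first (store forwarding).
Instructions: ('W', var, val), ('R', var, reg), ('F',) = full fence (assumed).
"""


def _replace(seq, i, value):
    """Return a copy of tuple `seq` with element i replaced."""
    return seq[:i] + (value,) + seq[i + 1:]


def allowed_outcomes(threads, init, store_buffers):
    """Return the set of final register states (sorted item tuples) the model allows."""
    results = set()

    def explore(pcs, mem, bufs, regs):
        if all(pc == len(th) for pc, th in zip(pcs, threads)) and not any(bufs):
            results.add(tuple(sorted(regs.items())))
            return
        for t, thread in enumerate(threads):
            if bufs[t]:
                # Nondeterministic choice: drain this thread's oldest buffered store.
                var, val = bufs[t][0]
                explore(pcs, {**mem, var: val}, _replace(bufs, t, bufs[t][1:]), regs)
            if pcs[t] == len(thread):
                continue
            ins = thread[pcs[t]]
            nxt = _replace(pcs, t, pcs[t] + 1)
            if ins[0] == 'W':
                if store_buffers:
                    explore(nxt, mem, _replace(bufs, t, bufs[t] + (ins[1:],)), regs)
                else:
                    explore(nxt, {**mem, ins[1]: ins[2]}, bufs, regs)
            elif ins[0] == 'R':
                # Store forwarding: the newest buffered store to this variable wins.
                val = mem[ins[1]]
                for var, v in bufs[t]:
                    if var == ins[1]:
                        val = v
                explore(nxt, mem, bufs, {**regs, ins[2]: val})
            elif ins[0] == 'F' and not bufs[t]:
                # A fence only retires once this thread's store buffer is empty.
                explore(nxt, mem, bufs, regs)

    explore(tuple(0 for _ in threads), dict(init), tuple(() for _ in threads), {})
    return results


INIT = {'x': 0, 'y': 0, 'data': 0, 'flag': 0}  # constructed initial memory

# Store buffering (first test in the talk): can both reads return 0?
SB = ((('W', 'x', 1), ('R', 'y', 'r1')),
      (('W', 'y', 1), ('R', 'x', 'r2')))
# The same test with a full fence between each thread's write and read.
SB_FENCED = ((('W', 'x', 1), ('F',), ('R', 'y', 'r1')),
             (('W', 'y', 1), ('F',), ('R', 'x', 'r2')))
# Message passing (second test): write data then flag; read flag then data.
MP = ((('W', 'data', 42), ('W', 'flag', 1)),
      (('R', 'flag', 'r1'), ('R', 'data', 'r2')))


def is_allowed(threads, observed, store_buffers):
    """Test oracle: may a run of `threads` end with these register values?"""
    return tuple(sorted(observed.items())) in allowed_outcomes(threads, INIT, store_buffers)


if __name__ == '__main__':
    for name, test in (('SB', SB), ('SB+fence', SB_FENCED), ('MP', MP)):
        for buffered in (False, True):
            outs = sorted(allowed_outcomes(test, INIT, buffered))
            print(name, 'store-buffer' if buffered else 'SC', [dict(o) for o in outs])
```

Under sequential consistency the store-buffering test has only the three outcomes the six interleavings give; with store buffers the 0/0 outcome appears, and the fence removes it again. The message-passing test never yields flag=1 with stale data in either of these two models, so a weaker reordering than a store buffer is needed to explain that behaviour.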
And we thought that for a long time, and we tried to make mathematical models of this, but in fact when you get to it and you do lots of experiments and you go and talk to the architects, which we do because we collaborate with a very smart and fine IBM architect on this stuff, you find that this does not describe what they actually do. Okay, and if you talk to architects about that text they say this kind of thing: all that horrible, horribly incomprehensible and confusing text that no one can parse or reason with, not even the people who wrote it. And this was one of the people who wrote it. So, a misery I say. So there's a basic problem here, which is that there's a fiction in the industry that we can write prose specifications and say to programmers, just read this book and write your program assuming only the facts in this book. And then, well, then what do they do? They go away and they read the book and they don't really understand it, because it is not comprehensible, it does not have a meaning, and then they write their code by that trial-and-error development process, by testing against the particular implementations that they have on the particular execution files that they happen to explore.

So this is rubbish. You can't use these prose specifications to test programs. You can't use them to test that the hardware does what's intended. You can't use them, certainly not, to prove properties about anything. And as we see, you can't even use them to communicate between the organizations that are making the thing and the organizations that are using the thing, which is the basic thing a specification ought to be able to do. So in this sense none of these specifications really exist. It's all imaginary. It's a happy dream.

So what can we do? I was raised up as an experimental scientist, and empirical science will come at least slightly to our rescue here. So we can, and indeed we have, invented some mathematically precise models of how we think these things behave. Not how they work inside, but just how they behave from the programmer's point of view. And then you can make tools that don't just calculate one path but, for these small programs, explore all of the possible executions, and they give you the set of everything that is allowed. And then you can run experiments on the same kind of small programs to compare, and then compare that experimental data to check that all the experimentally allowed executions are actually allowed by your model. And sometimes they're not. So if they're not, then either you've found a bug in the processor, and you think "we win", or you've found a bug in your model, and you get to fix up your model until it's true, and then you say "we win". And then, in order to know whether these things are bugs or not, you have to talk to the architects. What's an architect? An architect is someone who can, by definition, tell you whether observed processor behaviour is a bug or not. It's their intent that matters here. And also you need to talk to them to make sure the models match their intuition, to get some assurance that you're not talking total nonsense. And then you can get some other validation: so you can prove above these machine models, you can prove that you can
compile C11 concurrency down to these machine models, and that gives you a bit more confidence that all of them are sensible. And then, because all of these things are iterative, you can go back to one and do it all again, better.

So is this rocket science? No, rocket science is, I think, at 1:45 on stage, I can't remember which. It's not very hard really. So all we've done is write down, well, we've identified one of these abstraction layers that we really care about, and we've written down a description of not just some implementation but all the behaviour we think should be allowed at that abstraction layer, and then we've tested real systems against that. So we've written down those definitions of sets of behaviour in some random mathematical language. It doesn't really matter what, but you could do it in anything which is clear, concise and has unambiguous meaning. You could, if you really had to, do it in C code. And that you're writing down a definition of all the allowed behaviour, and that definition must be executable, not as a system but as a test oracle, to decide if some observed behaviour is allowed or not. So that's a thing that people don't often do, but it's very easy. It's not worth it all the time: if you're building some app you may not even have any clue beforehand what it's supposed to do. But any of these infrastructure things that we depend on, and that are re-implemented in many contexts, it's clearly worth it. And when you've done that, then you're not limited in your testing process, that we're still stuck with for the time being; you're not limited to the few ad hoc tests that you write, because now you've got an oracle that can tell you whether any behaviour is good or not. You can do random testing. You get amazingly better coverage.

OK, I can't even read that slide. I said that, so I said that, so it's time to stop, pretty much. So there were some reasons why building robust systems is hard, and there are things we can do about it, and some of them are absolutely trivial, and then in the longer term there is some hope for honestful verification. So I give you a sense of very cautious optimism, and I exhort you to think about this kind of stuff, because you just imagine the situation 50 years from now, or 100 years from now, or, if civilization endures, a thousand years from now. If we don't fix this stuff up, if we don't fix this stuff up, we will have the x86 abstraction, the sockets API, the SSL API, embedded through some ghastly stack of emulation layers in everything we use for the rest of civilization. The end. Thank you for your attention. If you've got any questions, any questions, time for questions. Ah, there's 15 minutes before the next talk.

Have you done any work, or even acquired experience, of how this process might go? Is it getting easier as you've done it, trying verifying different interfaces?

Oh yes, we know how to do it much better than we did before. So there are some questions relating to how non-deterministic, or how loose a specification you need, that relate to how you can write that specification in a way that makes it actually usable. And there are other sociological questions in how you talk to the designers, or the C Standards Committee, or whatever, in order to get them to understand that this is a good idea. If you walk into a C Standards Committee meeting and you accidentally show them a piece of paper with a little too much maths in, like an upside-down A, then they go all queasy, cos that's just not the language they work in. So you have to take care with that kind of stuff. Any more quick questions? Quick question over there.

I totally agree on the design of the language, but I think the problem with most architects is not only construction architects: every architect wants to build a cathedral. They have to really stop them to come across the bureaucracy, so communication remains key. Yeah, okay, but how can you prevent that the architecture becomes too complex if the tools expand to make the structure?

So this is an interesting question. So how can we arrange for there to be a pushback against adding complexity? That's really tough, but at least for programming language design and for some of these abstractions, the mere fact of writing down a clean specification sort of forces you to notice the complexity, which otherwise, if you just have a textual language spec, it's very easy to just say we're going to add a new feature, we'll just chuck in a couple of paragraphs of text here, and that doesn't force you to understand how it interacts with everything else. So this is not a total solution. I don't think there is a total solution, but that does give you a feedback mechanism that we don't have at the moment. One behind you.

Do you believe there is much of a market at the moment for formal verification, not of the language itself but of programs written in the language?

A market? I think not much. I think there is potentially a significant market for some very particular systems infrastructure to be verified. So if I had a verified hypervisor with a small trusted computing base running on my phone, I would be a happier man when I come to EMF camp. Industry wants that kind of thing, and there are some companies doing that. This seL4 thing has some kind of commercialisation room. There's another one there. Last one.

So if PHP is the worst language of them all, which one would you say is the best?

So I resolved, when I was thinking of giving this talk, to not answer any question of that general form, and in some sense I don't know. I'm not in a position to know. I don't write a whole lot of code. What I do, when I and my group do, are very good for this kind of semantic infrastructure kind of work; in other contexts I'm not going to comment. Enough. Thank you.