So, thank you for that introduction, and to the organizers for this opportunity to speak to you. My name is Peter Sewell. I'm an academic computer scientist, and as such I bear a heavy burden of guilt for what we have to work with. Shared guilt, to be fair, but guilt all the same.

In many, many years of higher education I have learned two things about computers. Maybe you figured them out slightly faster. The first is that there are an awful lot of them about. Shocking. And the second is that they go wrong. They go wrong a lot. Really, a lot, a lot, a lot. And they go wrong in many interestingly different ways.

Sometimes they go wrong in spectacular ways, like with fireworks. Here we see half a billion dollars' worth of sparkle. You don't get that every day. So what was going on? As I understand it, this was the first flight of the Ariane 5 launcher, and it reused some of the guidance software from Ariane 4. That's fine: good tested code, you should reuse it. But the launch profile for Ariane 5 went sideways a bit more, on purpose, than the Ariane 4 launch, and as a result one of the sideways values in the guidance control software overflowed. Bad. Hence the guidance software decided that something bad was going wrong, and in order not to land rockets on people's heads, it kindly blew itself up.
So that's the spectacular kind. Sometimes they go wrong in insidious ways, and you people probably know much more about that than me: very insidious ways, exploited by bad people to our detriment, and insidious ways exploited by our kindly governments for our protection. There are many, many different causes of these things, but many of those causes are completely trivial. You know, you have one line of code in the wrong place, something like that. So that's very, very bad, and you're all conscious of how bad that is.

But from my point of view, this is as nothing compared with the real disaster that we have been facing and continue to face. The real disaster is the enormous waste of human life and energy and effort and emotion dealing with these crap machines that we build. It's hard to quantify. I did a little experiment a couple of months ago: I googled "Android problem" and "Windows problem", and got about 300 million hits for each. Somehow indicative of the amount of wrongness.

So this should all seem kind of familiar to you, if you think back to when you were young, maybe back in the 19th century. What were you doing then, as a community of hackers and makers and builders? Well, this was the full-on industrial revolution. You were building stuff. You were building beautiful bridges of cast iron and stone, with numerous arches and pillars, and every so often they would fall down, perhaps because someone miscalculated the wind loading. And we would build magical steam engines to whisk us away, and every so often they would blow up. And that kind of thing, as you may have noticed, doesn't happen very often anymore. In the last hundred years we have built pretty good civil and mechanical engineering. What does it mean to have good civil and mechanical engineering?
It means that we know enough thermodynamics and materials science and quality control and management and all that kind of thing to model our designs before we build them, and to predict how they're going to behave, pretty well and with pretty high confidence.

There is one easy answer available in this talk: for computing systems, we can predict with 100 percent certainty that they will not work. Time for lunch. But it's not a very satisfying answer, really. So why is it so hard? Let me discuss a couple of the reasons why computing is tricky, in some sense trickier than steam engines.

The first reason is that there is just too much code. This is one of the scarier graphs I found on the internet recently. It's a measure of code, in hundreds of millions of lines; each of these blocks, I think, is 10 million lines of code, and in the little letters you might not be able to see, we have Android, and the Large Hadron Collider, and Windows Vista, and Facebook, and the US Army Future Combat System, and Mac OS, and the software in a high-end car. And I'm flying home. So that's a bit of a problem, really. We're never going to get all of that right.

Then, there's too much legacy complexity. Really too much. As right-minded, pure-minded people, you might think that software and hardware should be architected beautifully, with regular structure, a bit like a Mies van der Rohe skyscraper or something clean. You know that's not realistic. All right, you might expect a bit of baroqueness; you might expect maybe something more like this. You know, it's a bit twiddly, but it hangs together.
It's all got structure; it still works. But then you stop and you think, and you realize: software and hardware is built by very smart people, usually in big groups, subject to a whole assortment of rather intense commercial pressures, and related open-source pressures, using the best components and tools that they know and that they like, and with the best management that human beings can arrange. So we end up with something spectacularly ingenious.

And you can see here, if you look closely, all the parts. This was just a found picture from the internet, but you can see there's a bunch of, you know, transparent sort of silicon-like stuff down here; let's say that's our hardware. And over here I see a C compiler, with all of its phases. And these bottles, that's the file system, I reckon. And there's a TCP stack in here somewhere, and there's a piece that belongs to the NSA, obviously. And up here, I think, yeah, there's a JavaScript engine, and a TLS stack, and a web browser. And then, perched at the top, is the software that most people use to talk to their banks. It's just insane.

And then we have to look at how we build these pieces. We build them, fundamentally, by a process of trial and error, right?
Just occasionally we write some specifications, in text. Then we write some code, and maybe we write a few ad hoc tests. And then we test and fix until the thing is more-or-less OK, and then we test and fix and extend until the thing is no longer more-or-less OK, and then we keep on using it until we can't anymore. So the fundamental process that we're using to develop these systems is trial and error: exploring particular execution paths of the code on particular inputs.

But, and this is what I want to highlight, there are too many paths. The number of execution paths typically scales at least exponentially with the size of the code, the number of states scales exponentially with the size of the data that you're dealing with, and the number of possible inputs is also shockingly large. There is no way that we can cover all of this, and we should perhaps stop deluding ourselves that there is.

And then the most fundamental reason why computers are hard is that they are too discrete. If you take a bridge, or, I don't know, a chair, something slightly bendable: you take a chair and you exert a bit more force on it than it's used to, and, I'm not very strong, it bends a bit. It deforms continuously. If you take a bridge and you tighten up one of the bolts a bit too much, or you under-specify one of the girders by 10 percent: occasionally you will reach a point of catastrophic failure, but usually it will just be a little bit weaker, or a little bit stronger, or a little bit wibbly. But computer systems: you change a bit, and sometimes it doesn't make any difference, but disturbingly often, when you change one line of code, as in some of those bugs that we were talking about, the whole thing becomes broken. So it's quite different from that traditional engineering. It's really different.

Okay. So, "A New Dawn", this thing is titled. What can we do? What might we do?
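On the "too many paths" point, a back-of-envelope count makes the explosion concrete. This small sketch (ours, not from the talk) counts just the interleavings of a few straight-line threads; the count is a multinomial coefficient, and it grows exponentially:

```python
from math import factorial

def interleavings(ops_per_thread):
    # Number of ways to interleave several threads' instruction lists,
    # preserving each thread's own program order: the multinomial
    # coefficient (n1 + n2 + ...)! / (n1! * n2! * ...).
    total = factorial(sum(ops_per_thread))
    for n in ops_per_thread:
        total //= factorial(n)
    return total

print(interleavings([2, 2]))    # 6: two threads of two instructions each
print(interleavings([20, 20]))  # 137846528820: ~1.4e11 for twenty each
```

And that is only scheduling of fixed straight-line code, before branching on data even enters the picture.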
So I'm going to talk about several different possibilities.

One: we can do more of the stuff which is traditionally called software engineering. It's not really engineering, in my book, but some of it's good; I mean, it's useful. We can do more testing, and have more assertions in our code, and better management, maybe, and all that kind of stuff. We can do all that, we should do all that, but it's not going to make a very big change, because it's not addressing any of those root causes of the problem.

What else could we do? Option two. As an academic computer scientist, I've devoted several years of my life to working in the area of programming languages. And I look at the programming languages used out there in the world today... oh, it's just disgusting. It's shocking. The reasons that languages become popular and built into a shared infrastructure have almost nothing to do with how well those languages are designed, and in fact whether they are designed at all. I didn't really want to get too much hate mail after this talk, so I'm going to try and avoid naming particular languages as much as I can, but I encourage you to think away as I speak and imagine the examples. No, like I said, I didn't want to get much hate mail.
Sorry. So, at the very least, we could use programming languages based on ideas from the 1970s instead of the 1960s. I mean, really, come on. Back in '67 or '69 or whatever we had BCPL and C, and only a couple of years later we had languages that guaranteed type and memory safety, and enforcement of abstraction boundaries, and gave us rich mechanisms for programming, so that we could say what we mean and not fuss about with 23 million pointers, about one percent of which were completely wrong. In the context of any particular project, or any particular existing legacy infrastructure, there may be very good reasons why one just can't make a switch. But for us collectively there is no excuse. It's just wrong; it's completely bonkers.

And then the other thing that you see as a programming-language researcher: well, to make another analogy, it looks as if anyone who was capable of driving a car considered themselves an expert on car design. There is, in fact, a rather well-established subject of programming language design, and we know how to specify, completely precisely, mathematically precisely, not just the syntax, like we had in those BNF grammars from the 1960s, and still have, but also the behavior of these things. We know how to specify the operational semantics and the type systems, and we know how to do mathematical proofs that our language designs are self-consistent, that they do guarantee good properties of arbitrary well-typed programs that you write.

So we can do this now. We can do it, if we have to, post hoc, and people are doing this for JavaScript and C and, God help them, PHP and other such languages. But even better, we can do it at design time. And if you do it at design time, you see the structure. The act of writing that specification forces you to consider all the cases and all the interactions between features. You can still get it wrong, but you get it wrong in more interesting ways. So people are starting to do
this now. I think there was a talk on the first day of this conference by Hannes and David, who are building system software in maybe not the bestest language you could possibly imagine, but something which, compared with C, is as manna from heaven. And Anil Madhavapeddy and his colleagues in Cambridge have been working hard to build system software in at least moderately modern languages, and it works. Sometimes you have to use C, but surprisingly often you really don't.

So, I teach, as my introducer said, in the University of Cambridge, and in fact I teach semantics. One of my fears is that I will accidentally let someone out into the world who will accidentally, over a weekend, find themselves inventing a little scripting language, which will accidentally take over the world and become popular, and I won't have explained to them what they have to do, or even that there is a subject they have to understand. And if you want to understand it, there's lots of stuff you can look at.

Okay. Let's go to the uppermost extreme: if we want software and hardware that actually works, we should prove it correct. This is something which academics, especially in the domain labelled formal methods, have been pushing since the 70s and 80s, promoting it as an idea and a promise and an exhortation for decades: why don't we just prove our programs correct? And for some of those decades it wasn't really plausible. I remember, back when I was considerably younger, it was a big thing to prove that if you took a linked list and reversed it twice, you got back the same thing. That was hard then. But now? Well, we can't do this for the Linux kernel.
Let's say. But we can, surprisingly often, do this, and I'll just give you a couple of examples of modern-day, state-of-the-art academic verification projects. People have verified compilers, all the way from C-like languages down to assembly, or from ML-like languages, you know, higher-order functional imperative languages, all the way down to binary models of how x86 behaves. People have verified LLVM optimization passes. There's verified software fault isolation, which I believe goes faster than the original non-verified form: win. There's a verified hypervisor from the NICTA group in Australia, a verified secure hypervisor with proofs of security properties. And there's any amount of work verifying crypto protocols, sometimes with respect to assumptions, but I think reasonable assumptions, on what the underlying mathematics is giving you. So we can do this.

I maybe have to explain a bit what I mean by "prove". To some computery people, "I proved it works" means "I tested it a little bit"; in extremis, "it compiled". To a program-analysis person, you might run some sophisticated tool, but one which is itself a pile of untrusted code, possibly doing approximate and maybe unsound analysis. And you might find an absence of certain kinds of bugs. That's tremendously useful. It's not what we would really call proof.
Nor would scientists claim the word, to be fair: scientists generally don't use it, because they know they're not doing proof. They're doing controlled experiments, which give them information for or against some hypothesis. Mathematicians write proofs, and you probably did that when you were young. Those proofs are careful mathematical arguments, usually written on paper with pencils, and their aim is to convince a human being that if that mathematician were really nailed up against the wall and pushed, they could expand it into a completely detailed proof.

But what we have in computing: we don't have the rich mathematical structure that these people are working with. We have a tremendous amount of ad hoc and stupid detail, mixed in with a smidgen of rich mathematical structure. And we have hundreds of millions of lines of code. So pencil and paper is just not going to cut it, and if we want to say the word "proof", ever, then the only thing which is really legitimate is to do honest machine-checked proof. That means you need some system that machine-checks that your proof is actually a proof, and sometimes we also have machines that will sort of help, and sort of hinder, that process. There's a variety of these systems, Coq and HOL4 and Isabelle and what have you, that one can go and look up.

Using these systems we can prove non-trivial facts about real artifacts: not necessarily that they do what you want them to do, but that they meet the precise specification that we've written down. We can do that. But it's tricky. These projects are, by academic standards, all quite big. You know, something like, oh, ten people for a few years. By industry scale, maybe not that big; by your scale, maybe not that big; but still a lot of work for a research group to do, and quite high-end work. It can take, literally, a few years to become really fluent in using these tools. And there isn't, as yet, an open-source collaborative movement doing this
kind of stuff. Maybe it's time to start. Maybe in five years, ten years, I don't know. If you want a challenge, there's a challenge. But it's really quite hard. It's not something that one can quite put forward, credibly, as a solution for all software and hardware development.

So that leads me to an intermediate point; that should have been a four there. What can we do which improves the quality of our systems, which injects some mathematical rigor, but which is less work, which is kind of easy? What we can do is take some of these interfaces and be precise about what they are. Initially we have to do that after the fact: we have to reverse-engineer good specs of existing stuff. But then we can use the same techniques, in the future, to make things which are much cleaner and better tested, and easier to test. That's the idea.

So my colleagues and I have been doing this kind of stuff for the last quite-a-few years, and I just want to give you two little vignettes, just to show you how it goes; I can't give you much detail. And this is obviously joint work with a whole bunch of very smart and good people, some of whom I name here, I think. This is not me.
This is a whole community effort.

So I'm going to talk for a little bit about the behavior of multiprocessors, at the hardware interface, and I'm going to talk a tiny little bit about the behavior of the TCP network protocol and the sockets API. And there'll be some similarities and some differences between those two things.

So: multiprocessors. You probably want your computers to go fast; most people do. And because processors don't go that fast, it's an obvious idea to glom together a bunch of processors and make them all talk to the same shared memory. This is not a new idea. It goes back at least to 1962, with the Burroughs D825, which had, I think, two processors talking to a single shared memory. It had outstanding features, including "truly modular hardware with parallel processing throughout". And some things do not change very much: "the complement of compiling languages is to be expanded". 1962, so that'll be 52 years ago. Dear me.

Okay. Now, how do these things behave? Let me show you some code, right? It's a hacker conference; there should be code.
Let me show you two example programs. These will both be programs with two threads, acting on two shared variables, x and y, and in the initial state x and y are both zero.

First program: on this thread we write x and then we read y, and over here we write y and then we read x. If these are executing with interleaving concurrency, as you might think, with no synchronization between the threads, then we might interleave them: we might run all of thread 0 before all of thread 1, or all of thread 1 before all of thread 0, or they might be mixed in, like that, or like that, or like that, or like that. There are six possible ways of interleaving two lists of two things, and in none of those ways do you ever see, in the same execution, that this reads from the initial state and this also reads from the initial state. You never see that. So you might expect, and you might assume in your code, that these are the possible outcomes.

So what happens if you were to actually run that code, on my laptop, in a particular test harness? Well, occasionally the threads are quite well synchronized and they both read the other guy's write, and quite often one thread comes completely before the other. But sometimes... sometimes they both see zero. Huh. Rats. Well, that's interesting.

Let me show you another program. Now thread 0 writes some stuff, maybe a big bunch of data, maybe multi-word data, and then it writes a flag, let's say, announcing to some other thread that the data is ready to go. And the other thread busy-waits, reading that flag until it sees one, and then it reads the data. So as the programmer you might want a guarantee that this read will always see the data that you initialized. That would be a message-passing kind of an idiom. So what happens if you run that?
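The first program is the classic store-buffering litmus test, and the interleaving argument for it can be checked mechanically. Here is a small sketch (ours, not from the talk) that enumerates all six sequentially consistent interleavings and collects the possible outcomes:

```python
from itertools import permutations

# thread 0: x = 1; r0 = y      thread 1: y = 1; r1 = x
THREADS = [
    [("w", "x", 1), ("r", "y", "r0")],
    [("w", "y", 1), ("r", "x", "r1")],
]

def sc_outcomes():
    outcomes = set()
    # Every interleaving is a sequence of thread ids; deduplicating the
    # permutations of [0, 0, 1, 1] gives the six possible schedules.
    for schedule in set(permutations([0, 0, 1, 1])):
        mem = {"x": 0, "y": 0}
        regs = {}
        pc = [0, 0]
        for t in schedule:
            op, loc, arg = THREADS[t][pc[t]]
            pc[t] += 1
            if op == "w":
                mem[loc] = arg    # write to shared memory
            else:
                regs[arg] = mem[loc]  # read shared memory into a register
        outcomes.add((regs["r0"], regs["r1"]))
    return outcomes

print(sorted(sc_outcomes()))  # [(0, 1), (1, 0), (1, 1)] -- never (0, 0)
```

Under sequential consistency, (0, 0) never appears; the talk's observation is that on a real x86 laptop it sometimes does.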
Well, on the x86 processors that we've tested, you always see that value. Good. This is a decent coding idiom on x86, apparently. On ARM and IBM POWER processors, however, you see that sometimes the read just ignores the value written and reads the initial state. So this is not a good message-passing idiom there. All right, so what's going on?

Well, this behavior might be surprising. And when you see surprising behavior in hardware, you have a few choices: either it's a bug in the hardware, and we have found a number of bugs in hardware, which is always very rewarding; or it's a bug in your expectation; or it's a bug in your test harness. So what you do is, you walk up to your friendly processor architect, in IBM or ARM or x86 land, and we have worked with all of these people, and you ask them: is this a bug? A processor architect is a person who has the authority to decide whether some behavior is intended or is a bug. That's what they do, essentially.

And for these, they say: oh, we meant it to be like that. No question, we meant it to be like that; that's perfectly proper. Because you, and everybody else, wanted their computers to go fast, we as processor designers have introduced all manner of sophisticated optimizations which, if you were running sequential code, you would never notice. But if you start running fancy concurrent code like this, fancy concurrent code that isn't just trivially locked, you can notice. So this is intentional behavior. And if you want to write code like that, a mutual exclusion algorithm or a message-passing algorithm or something, then you need to insert special instructions, memory barrier instructions. And so you go away and you ask, what do those do, and you look it up in the vendor documentation.
You get stuff like this. I'll read it out. "For any applicable pair a, b, the memory barrier ensures that a will be performed with respect to any processor or mechanism, to the extent required by the associated memory coherence required attributes, before b is performed with respect to that processor or mechanism. A includes all applicable storage accesses by any such processor or mechanism that have been performed with respect to P1 before the memory barrier is created. B includes all applicable storage accesses by any such processor or mechanism that are performed after a load instruction executed by that processor or mechanism has returned the value stored by a store that is in B."

Hands up if you understand what that means. Hands up if you think that, if you thought about it and read the rest of the book, you would, or could, understand what that means. Hands up, the people who think that we're doomed forever. So, I'm sorry to the first few groups, but the last ones are right.

This looks like really intricate and really carefully-thought-out stuff, and we thought that for a while: we spent, literally, years trying to make precise mathematical models that give precise meaning to all of these words. But actually, it can't be done. So what do you do in that circumstance? You have to go away and invent some kind of a model. And there's a really fundamental problem here. On the one hand, we develop our software by this trial-and-error process. But on the other hand, at points like this, we have these loose specifications, supposedly covering all manner of behavior of many generations of processors that might not all behave the same way, written just in text. We tell people they should write to the spec, but the only way they have of developing their code or their hardware, usually, is to run it: to run particular executions on the particular hardware implementations that they have, whose relationship to the spec is very elusive. We can't use
those thick books, those quite weighty PDFs that you get these days from the processor vendors, to test programs. You can't feed a program into that thick book and get output out. You can't test processor implementations against it, and you can't prove anything, and you can't even really communicate between human beings with it. So as specifications, these things really don't exist.

So what can we do? Well, the best we can do at this point in time is a bit of empirical science. We can invent some model, off the tops of our heads, trying to describe just the programmer-visible behavior, not the internal structure. And we can make a tool, because now this is not prose, now it's real mathematics, and we can turn it into code and execute it: we can make tools that take small programs and calculate the set of all the behaviors allowed for them by that model. And then we can compare those sets of behaviors against the experimental observations; you might have to fix the model, and you might find hardware bugs. Then, also, the model has to make sense to the architects, so you can discuss with the architects whether it matches what they intend and what their intuition is. And then you can prove some other facts about it, to give a bit more assurance. And then, because you probably got it wrong the first couple of times, you can go back around. This has resulted in models which are not guaranteed to be correct, but which are, effectively, the de facto standard for understanding the concurrency behavior of these things. And various people use them.

And just to give you a tiny snippet, I have to speed up a bit, a tiny snippet of what the model looks like: it's basically just an abstract machine. It's got some stuff for the threads, which handles the programmer-invisible speculative execution, and some stuff for a storage subsystem, which handles the fact that in these architectures memory writes can be propagated to different threads at different times. That
model has a state, which is just a collection of sets and lists and partial orders and a few other things, which I won't talk about, and it has some transitions. In any state there might be several possible transitions; this is just a sample, and I'm not going to explain all of it, but when you want to propagate a write to another thread, there are some preconditions that you have to satisfy, and then there's an action. It's not amazingly complicated, really. This is text, but it's very precisely written text, and it has the great advantage that you can go through these bullet points with your friendly architect and say: is this what you mean? And they can think about it and say yes or no. But the actual definition is in mathematics; mathematics which is quite close to code, I mean, it's terribly close to pure functional code without side effects. And just to give you an idea, this is some of it: those are three of those conditions, in the real, honest, true version.

Then we can take this mathematics, and because it's in a particular style, we can compile it into, actually, OCaml, and then into OCaml bytecode, and run that for batch jobs. But then you can compile that OCaml bytecode to JavaScript, glue on a user interface, and stick it into a browser, and then you have a web interface that lets people explore this rather intricate model. And that's also a necessary part of validating that it makes sense.

Okay, this is not rocket science. You've missed the talk for rocket science; I'm sorry.
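To give a flavour of what "an abstract machine with a storage subsystem" means, here is a toy model (ours, and vastly simpler than the real one) in the style of x86-TSO: each thread has a FIFO store buffer, a read sees the newest write to that location in its own buffer before it looks at memory, and the machine may commit the oldest buffered write to shared memory at any point. Exhaustively exploring its transitions reproduces the store-buffering outcome observed on x86:

```python
# Store-buffering litmus test:
# thread 0: x = 1; r0 = y      thread 1: y = 1; r1 = x
THREADS = (
    (("w", "x", 1), ("r", "y", "r0")),
    (("w", "y", 1), ("r", "x", "r1")),
)

def tso_outcomes():
    # A state is (memory, store buffers, program counters, registers),
    # all hashable tuples so visited states can be memoised.
    init = ((("x", 0), ("y", 0)), ((), ()), (0, 0), ())
    seen, stack, results = {init}, [init], set()
    while stack:
        mem, bufs, pcs, regs = stack.pop()
        if pcs == (2, 2) and bufs == ((), ()):
            results.add(tuple(sorted(regs)))  # final state: done, drained
            continue
        succs = []
        for t in range(2):
            if bufs[t]:
                # Transition: commit thread t's oldest buffered write to
                # shared memory, where everyone can see it.
                (loc, val), rest = bufs[t][0], bufs[t][1:]
                new_mem = tuple((l, val if l == loc else v) for l, v in mem)
                succs.append((new_mem, bufs[:t] + (rest,) + bufs[t+1:], pcs, regs))
            if pcs[t] < 2:
                # Transition: execute thread t's next instruction.
                op, loc, arg = THREADS[t][pcs[t]]
                npcs = pcs[:t] + (pcs[t] + 1,) + pcs[t+1:]
                if op == "w":
                    nbufs = bufs[:t] + (bufs[t] + ((loc, arg),),) + bufs[t+1:]
                    succs.append((mem, nbufs, npcs, regs))
                else:
                    # Reads check the local store buffer first, then memory.
                    hits = [v for l, v in bufs[t] if l == loc]
                    val = hits[-1] if hits else dict(mem)[loc]
                    succs.append((mem, bufs, npcs, regs + ((arg, val),)))
        for s in succs:
            if s not in seen:
                seen.add(s)
                stack.append(s)
    return results

print(sorted(tso_outcomes()))  # four outcomes, including r0 = 0, r1 = 0
```

The buffers add exactly one outcome beyond the three that sequential consistency allows: both threads reading zero, which is the behaviour the vendor prose above tries, and fails, to pin down.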
I'm sorry All we're doing here is specifying the intended behavior of a system Okay, that's it's not very technical, but it's unusual We happen to be doing it in this mathematical language, but you could use in fact almost any language So long as you understand what you're doing what you understand What you have to understand is that you're writing something which is not an implementation It is something which given some observed behavior some arbitrary observed behavior will be able to decide if it's Allowed if you want it to be allowed or not, right? It has to be executable as a test or a call the key question for getting this to work is to Understand how much non-determinism or loose specification there is in the system that you're working with So if everything is completely deterministic you can write a reference implementation in the cleanest language of your choice and Just compare the output of that and the output of your real thing This is more non-determinism then you can't do that I'm gonna have to abbreviate this a little tiny bit So so for TCP and network protocols there is more non-determinism. You know what TCP is yes Protocol gives you sort of reliable connections assuming that the world is made of good people You look at the standards for TCP and they're the same kind of ribbily text from the 1980s And you look at the implementations and they're a ghastly mess And you try and understand the relationship between the two of them and you can't because the standard again There's not he's not a definition. It doesn't define in all circumstances. 
what behavior is allowed and what isn't. So again we had to make up a specification, in the first instance just of a single host, a single endpoint, observing its sockets API calls and returns, its behavior on the wire, and a few internal debug events. When you've decided what to observe, an observation is just a trace: a list of those events. And you have to be able to ask your spec: is that list admissible or not?

But there's a lot of non-determinism: variation between implementations, variation within an implementation. And a lot of it is internal; it's not announced in the API or on the wire, maybe until much later, when the implementation picks some new, I don't know, window size or something. You can't tell until quite a lot later in the trace what it's picked, and that makes the job of checking whether a trace is admissible by the spec much harder than it has to be. If you had designed the TCP protocol and those implementations to be testable in this very discriminating way, back in the 1980s when TCP was being designed, it would be much easier. And for new protocols, one should make sure that one does this.

I'm not going to talk through that slide; that's just one of the rules of the specification. But the key fact about the spec is that it handles the real protocol, for arbitrary inputs, and it's structured not just for this executability as a test oracle, but for clarity, not performance, which is scarcely ever what anyone does. So it's a whole new kind of thing. And the testing is very discriminating, so we found all manner of amusing and bizarre bugs, which I think I don't have time to talk about.

Okay. So I've described three kinds of things that we might do. The first thing: oh, for goodness' sake, I mean, it's just a no-brainer. Just do it already. Everybody. All of you.
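The spec-as-oracle idea is easy to illustrate in miniature (a toy of ours, nothing like the real TCP spec): the oracle decides whether an observed input/output pair is admissible, rather than computing the one right answer, and once you have that, random testing is trivial:

```python
import random

def spec_allows(inp, out):
    # The oracle: admit any output that is a sorted permutation of the
    # input. It checks admissibility; it never computes "the" answer,
    # so it tolerates any implementation choice (stable, unstable, ...).
    return sorted(inp) == sorted(out) and all(
        a <= b for a, b in zip(out, out[1:]))

def implementation(xs):
    # Stand-in for the real system under test.
    return sorted(xs)

# Fuzzing against the oracle: random goop in, admissibility check out.
random.seed(0)
for _ in range(1000):
    inp = [random.randint(-50, 50) for _ in range(random.randint(0, 20))]
    assert spec_allows(inp, implementation(inp)), inp
print("1000 random traces admitted by the spec")
```

The real difficulty the talk describes is exactly what this toy hides: with internal non-determinism, deciding admissibility may require tracking many candidate internal states of the spec at once.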
All of you. This middle zone is a very interesting zone, as far as I'm concerned. It's a place where we can get very good benefit for not that much effort. We can do it, if necessary, post hoc; we can also do it, even better, at design time. We have to do it in a way that makes our specifications executable as test oracles. And another thing that enables is completely random testing: when you've got a test oracle, you can just feed in random goop, you know, this is fuzzing, but better fuzzing, feed in random goop and check, at every point, whether the behavior that you're getting is allowed or not. And these specs are written for clarity, not for performance, and that means you can see what you're doing. You can see the complexity. If you go ahead and you add some feature to your protocol, or your programming language, or whatever, and you're working just with text specifications, then you can't see the interactions: you just chuck in a couple of paragraphs, and you think for a few minutes, and if you're lucky you make an implementation. But if you're writing a spec that has to cover all the cases, like this, the act of doing that encourages you to think, or helps you think, about the excess complexity. And you might think: oh, that's too complex, I'm being silly.
I'll make it simpler. And all of that without needing proof. So this, I think, also is pretty much a no-brainer, and it doesn't require great technical, you know, mathematical skill either; lots of people can do this.

And then there's option three, the best option: full-on formal verification of the key components. And that is now also within reach. You can imagine secure systems made using actual verified compilers and verified hypervisors, with possibly verified TLS stacks, and you can imagine making things out of those, or making those and then making things out of those, and maybe one should be thinking about that. So, maybe not appropriate for everything: if you are writing Word, you would not wish to do these things, and probably you're not. But for this key infrastructure that we really depend on, that we trust even though it's not trustworthy, we have to do this.

Is this a new dawn? I wonder if there's anyone standing next to a light switch who can dim the lights for me; I didn't ask them beforehand. So, if you think back over the last 75-odd years, we started building computers in around 1940, and it's been pretty dark, from the point of view of rigorous, solid, reliable engineering, stuff that is actually trustworthy. Pretty dark, I would say. Maybe, just maybe, there's a tiny smidgen of light coming through the doors, and we start to have a little bit of a clue: we start to get reusable models of processor architectures and programming languages and network protocols and what have you. It's just the beginnings of the analog of the thermodynamics and material science and quality-control management and what have you that we have for mechanical engineering. And we've got no choice. If we don't, the next 75 years is going to be a lot worse. You can just imagine. All right, so I went, as I'm sure many of you did, to this great talk on some Apple bootloader exploit yesterday, which was relying on some feature that had been introduced in the early '80s and was still present. And you can imagine, in a hundred years
from now, you can imagine, as long as human civilization endures, the x86 architecture and the sockets API and all of this stuff embedded in some monumental, ghastly stack of virtualization layers, forever.

So I'd like to thank especially all of my colleagues who have been working with me, or not with me, in these directions. I'd like to thank our generous funders who support this stuff. I'd like to thank you for your attention, and I exhort you: sort it out. Thank you very much.

Thank you very much, Peter, for those interesting insights into our programming. We now have time for a Q&A, so those people who have to leave the room, please do so quietly and as fast as possible, so we can go on and hear the questions. We start with microphone four, please.

Hello, thanks for the talk. My question is: if you've got an oracle of the software behavior, which can translate every possible input to a correct output, how can this be less complex and error-prone than a reference implementation?

Good question. So the first point is that this oracle doesn't have to produce the outputs; it only has to check that the inputs and the outputs match up. And the second point is that, in general, it might have to have much of the same complexity, but by writing it to be clear, as opposed to fast, you may adopt a completely different structure. And so the structure of our TCP spec is organized by the behavior that you see for particular transitions; the structure of a real implementation has fast-path code and lots of complicated intertwined branching, and all manner of excess complexity, implementation complexity if you will.

Thanks. So, microphone three, please.

I wanted to ask what you thought about programming by manipulating the abstract syntax tree directly, so as to not allow uncompilable programs because of, like, a missing semicolon or something like that. What are your thoughts on that?

So, in the grand scheme of things,
I think that's not a very big deal. Right, so people have worked on structured editors for Lordy knows how many years. It's not a big deal because it's very easy for a compiler to detect that kind of thing, and even more, it's very easy for a compiler of a sensibly designed language to detect type errors, even for a very sophisticated type system. So, I mean, some people might find it helpful, but I don't think it's getting to the heart of the matter.

Thanks. So we've got some questions from our signal angels, from the IRC.

Yes, there's one question. It's about the repository of Isabelle/HOL proofs. It should be on SourceForge, and you said there are no open-source repositories. What about them?

I'm not quite sure what the question is, really. So there's a repository of Isabelle formal proofs, which is called the Archive of Formal Proofs. I didn't really mean to say that there are no open-source repositories, and in fact I don't know under what conditions most of those proofs are licensed. They probably are open, but there isn't an open-source community building these things. It's still pretty much an academic pursuit.

Microphone two, please.

Yeah, hello, thanks again for your talk. I just want to add something that you didn't address, and that's that we actually need more good studies in software engineering. We often hear a lot of experts, and also very well-known computer scientists, say things like: well, we just need to do functional programming, and OOP is bad, and stuff like that. I think there's a lot of truth to it, but we actually need studies where we test these kinds of claims that we make. Because when you look at other fields, which you also did, compared to, like, medicine: if somebody comes around and is well known and says things like "homeopathy works", we don't believe them. We do trials.
We do good trials. And there are a lot of myths out there, or not-well-tested claims, like: hire the best programmers, they are a hundred times more productive; or: use static type systems; and stuff like that. And we actually need to verify that this actually helps, and not just...

Okay, so, in the grand scheme of things, arguably you're right. I mean, in the grandest scheme of things, computer science is actually a branch of psychology, or really of sociology: we are trying to understand how large groups of people can combine to make things which are insanely complicated. Now, would it be good if we had, you know, solid evidence that programming in this language was better than programming in that language? Well, yes, but it's staggeringly difficult and expensive to do honest experiments of that nature, and they're scarcely ever done. Right, you might do, you know, a little experiment with little groups of students, but it's really difficult. And then some of these things which I'm saying, when one is familiar with the different possible options, are just blindingly obvious. There are reasons why these people are using OCaml for their systems programming. It's not a "homeopathy is right" versus "homeopathy is wrong" kind of argument that's being put forward.

So, a question from microphone five, please.

So, were you using ECC memory for your testing up here?
When you say "up here", there's a bit of ambiguity...

Thank you. So, were you using ECC memory for the testing you showed, about the results of the multi-threaded behavior due to memory barriers and memory reorderings?

Well...

Okay, but whether you were or not, the point I want to make is that you can expect to have about one bit flip each minute in a modern computer system, which might completely change what your software is doing. So perhaps we also have to look at ways to cope if something goes wrong at the very low level, so that we kind of have a check against our specification at a higher level of our software. So it is valuable to do good engineering at the low levels, but still, I think we will not solve the problems of computation and computer engineering just by proving things in the mathematical domain, because computers are physical entities. They have errors and so on, and we really have to deal with them as well.

So, it's certainly true that there are such random errors. In fact, I would argue that you have to be able to model the physics well enough, and you have to be able to model the statistics of those errors well enough. So that's a different kind of mathematics, and it's certainly valuable and necessary. But if you look at even the statistics that you just quoted: is that the main cause of why systems go wrong? Except possibly for space hardware, no. Is it the most important thing that we should be paying our attention to? I don't really think so.

Microphone six, please.

Hi. I really think that what you're proposing, to specify and verify more key components, would be a valuable addition. But how do you make sure that your specification actually matches the behavior that you want to have?

So, as I described, we do a partial validation of those specifications. We do a lot of testing against a range of existing implementations.
That's one source of validation. Another source of validation is that you talk to the architects and the designers: you want the internal structure to match their intent, you want it to be comprehensible to them. Another kind of validation that we do is to prove properties about them. So we prove, for example, that you can correctly compile C11 concurrency, from a mathematical model of that, to IBM POWER concurrency, and that kind of proof gives you a bit more assurance in both. So none of this is giving you a total guarantee; we certainly don't claim a total guarantee, but it gives you pretty good levels of assurance by normal standards.

Microphone four.

Yes, thanks again. You proposed random tests, and in my experience it's very annoying if you have tests where the outcome is sometimes failure, and you want to have reproducible tests to fix a bug. So how do we bring these aspects together: more variety in the test data, and reproducibility?

Well, as I was mentioning for the TCP thing, one of the problems with reproducibility is exactly this internal non-determinism. Right, the system makes some scheduling choice or what have you, and you can't see what it is, or the checker can't see what it is. So one way to address that is to really design the protocols in a different way, to expose that non-determinism. The other fact about this kind of general-purpose specification-as-test-oracle idea is that, in some sense, it doesn't have to be reproducible: the specification is giving you a yes
or no answer for an arbitrary test, and that means you can use arbitrary tests. Figuring out the root causes of the differences afterwards may be tricky, but you can use them for assurance.

So we now have time for two more questions. Microphone one, please.

Hi, thanks for a great talk. So what you've described seems to be a middle ground between full-on formal verification and more practical testing. So where do you see formal verification going in the future: will the two converge towards the middle, or will verification still be there just for things that are more well specified?

So, the progress of the whole subject of formal verification in general, if you look at that over the last, I don't know, ten years or so, has been really amazing, compared with what we could do in the '80s and '90s and early 2000s. The scope of things, the scale of things for which it is becoming feasible to do verification, is getting bigger, and I think that will continue. Yeah, I don't know when you might see a completely verified Tor client, let's say, but that's not inconceivable now, and twenty years ago it would have been completely inconceivable. So that is expanding, and at the same time I hope that we'll see more of this test-oracle-based specification at the interfaces. When you're doing full verification of a piece of the system, you have to have these interfaces already defined, so these two fit very well together.

So, the last question, from microphone two, please.

Hi, you mentioned that you often find bugs in hardware. Is there any effort to, like, verify the transistors on chips themselves, the whole design?

So there's a whole world of hardware verification.
That wasn't really my topic today, but most of the big processor vendors have teams working on this. Unsurprisingly, if you remember your history, many of them have teams focusing on the floating-point behavior of their processors, and they're doing, by the standards of ten years ago, pretty spectacularly well. All right, so there are companies that have, you know, the whole of some execution unit formally verified. There's been a lot of work over the years on verification of cache protocols and suchlike. And there's a lot of work on, not verifying the hardware as a whole, but verifying that, you know, the RTL-level description of the hardware matches some lower-level description. So there is a lot of that going on.

Okay, thank you very much again for this great talk. Give him another round of applause. Thank you, Peter.