Improving Systems Quality — Challenges and Trends — An Abstract Interpretation Perspective
Patrick COUSOT
École Normale Supérieure, 45 rue d'Ulm, 75230 Paris cedex 05, France
Patrick.Cousot@ens.fr
www.di.ens.fr/~cousot
Presentation of the CNRS silver medal to Joseph SIFAKIS, Grenoble, France, Thursday 11 April 2002
(Slide footer: CNRS silver medal of Joseph SIFAKIS, Thursday 11 April 2002, © P. Cousot)

Motivations (1)
(1) It will be appreciated that the talks are not too technical. Email of J. Sifakis, Sun Mar 31 22:33:11 2002.

What is (or should be) the essential preoccupation of computer scientists?
The production of reliable software, its maintenance and safe evolution year after year (up to 20 even 30 years).

Computer hardware change of scale
• Over the last 25 years, computer hardware has seen its performance multiplied by 10^4 to 10^6;
• from the ENIAC (5000 flops) to the Intel/Sandia Teraflops System (10^12 flops).
The information processing revolution
A scale of 10^6 is typical of a significant revolution:
- Energy: nuclear power station / Roman slave;
- Transportation: distance Earth — Mars / Paris — Nice.

Computer software change of scale
• The size of the programs executed by these computers has grown in similar proportions;
• Example 1 (modern text editor for the general public):
- > 1 700 000 lines of C (3);
- 20 000 procedures;
- 400 files;
- > 15 years of development.
(3) Full-time reading of the code (35 hours/week) would take at least 3 months!

Computer software change of scale (cont'd)
• Example 2 (professional computer system):
- 30 000 000 lines of code;
- 30 000 (known) bugs!

Bugs
• Software bugs, whether anticipated (Y2K bug) or unforeseen (failure of the 5.01 flight of the Ariane V launcher), are quite frequent;
• Bugs can be very difficult to discover in huge software;
• Bugs can have catastrophic consequences, either very costly or inadmissible (embedded software in transportation systems).
The estimated cost of an overflow
• $ 500 000 000;
• Including indirect costs (delays, lost markets, etc.): $ 2 000 000 000.

Responsibility of computer scientists
• The paradox is that computer scientists do not assume any responsibility for software bugs (compare with the automotive or avionic industry);
• Computer software bugs can become an important societal problem (collective fears and reactions? new legislation?);
⇒ It is absolutely necessary to widen the full set of methods and tools used to eliminate software bugs.

Capability of computer scientists
• The intellectual capability of computer scientists remains essentially unchanged year after year;
• The size of programmer teams in charge of software design and maintenance cannot evolve in such huge proportions;
• Classical manual software verification methods (code reviews, simulations, debugging) do not scale up;
• So we should use computers to reason about computers!
Capability of computers
• The computing power and memory size of computers double every 18 months;
• So computer aided verification will scale up, scale up, scale up, scale up, scale up, . . . ;
• But the size of programs grows proportionally;
• And correctness proofs are exponential in the program size;
• So the growth of computer power is ultimately not significant.

Formal Methods

Computer Systems
(Diagram: the Model consists of the Program together with its Environment.)

Formal Methods
(Diagram: within the Model, Program ⊑ Specification, i.e. the program, running in its Environment, satisfies the specification.)
Deductive methods
(Diagram: within the Model, Program semantics ⊑ Specification, in the Environment. Why does the proof fail?)

Model Checking
(Diagram: within a Finitary Model, Program ⊑ Specification, in the Environment.)

Static Program Analysis
(Diagram: the Program semantics is abstracted into an Abstract Semantics and the Specification into an Abstract Specification; the check Abstract Semantics ⊑ Abstract Specification is carried out in the abstract, the Program still being considered in its Environment.)

General-Purpose Static Program Analyzers
“The first product to automatically detect 100% of run-time errors at Compilation Time. Based on Abstract Interpretation, PolySpace Technologies provides the earliest run-time errors detection solution to dramatically reduce testing and debugging costs with:
• No Test Case to Write
• No Code Instrumentation
• No Change to your Development Process
• No Execution of your Application” (4)
(4) http://www.polyspace.com/
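An added illustration of the Static Program Analysis slide (constructed here, not code from the talk or from any analyzer it quotes): a minimal interval-domain abstract interpreter with widening, run over a small counting loop that it never executes. The loop, the 16-bit bound and the array size are constructed assumptions; the analysis proves the array index in bounds, and flags a possible overflow of the running sum, which is a true error or a false alarm depending on the loop parameters, since widening loses the bound on the sum.

```python
# Added illustration (constructed here, not code from the talk): a minimal interval-domain
# abstract interpreter with widening, applied to one loop. An abstract value is an interval
# (lo, hi) with possibly infinite bounds; None is the empty interval (unreachable state).
INT16 = (-32768, 32767)
INF = float("inf")
INIT = ((0, 0), (0, 0))                  # abstract values of (i, s) on loop entry

def join(a, b):                          # least upper bound of two intervals
    if a is None or b is None:
        return a if b is None else b
    return (min(a[0], b[0]), max(a[1], b[1]))

def widen(old, new):                     # push unstable bounds to infinity so iteration terminates
    if old is None:
        return new
    return (old[0] if new[0] >= old[0] else -INF, old[1] if new[1] <= old[1] else INF)

def add(a, k):                           # abstract semantics of "x + k"
    return None if a is None else (a[0] + k, a[1] + k)

def assume_le(a, k):                     # abstract semantics of the test "x <= k"
    return None if a is None or a[0] > k else (a[0], min(a[1], k))

def assume_gt(a, k):                     # abstract semantics of the test "x > k"
    return None if a is None or a[1] <= k else (max(a[0], k + 1), a[1])

def analyze(n, step):
    """Abstractly execute  i = 0; s = 0; while i <= n: a[i] = s; s += step; i += 1
    (a has n+1 cells, s is a 16-bit int) without running it, and report what is proved."""
    def body_entry(head):                # abstract state at the top of the loop body
        i_in = assume_le(head[0], n)
        return i_in, (None if i_in is None else head[1])
    def step_head(head, extrapolate):    # run the body once and join with the loop entry state
        i_in, s_in = body_entry(head)
        nxt = tuple(join(e, b) for e, b in zip(INIT, (add(i_in, 1), add(s_in, step))))
        return tuple(widen(h, x) for h, x in zip(head, nxt)) if extrapolate else nxt
    head = INIT
    while True:                          # ascending iteration with widening: terminates in a few rounds
        new = step_head(head, True)
        if new == head:
            break
        head = new
    head = step_head(head, False)        # one descending (narrowing) step recovers precision on i
    i_body, s_body = body_entry(head)    # values of i and s where a[i] = s executes
    return {
        "i_body": i_body, "s_body": s_body,
        "i_exit": assume_gt(head[0], n), # value of i after the loop
        "index_safe": i_body is None or (0 <= i_body[0] and i_body[1] <= n),
        # sound (never misses an overflow) but may raise a false alarm: widening lost the bound on s
        "s_may_overflow": s_body is not None and not (INT16[0] <= s_body[0] <= s_body[1] <= INT16[1]),
    }
```

For n = 1000 and step = 30 the sum never exceeds 30030, so the overflow alarm is a false alarm; for step = 100 it is a real error, and the analyzer reports the same alarm in both cases because the interval domain cannot relate s to i.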
Special-Purpose Static Program Analyzers
“The underlying theory of abstract interpretation provides the relation to the programming language semantics, thus enabling the systematic derivation of provably correct and terminating analyses.” (5)
(5) http://www.absint.com/pag/

(Diagram: Deductive methods, Model-checking and Static analysis, all related through Abstract Interpretation.)
I will try to explain why tomorrow morning!

Challenges

Challenges for abstract interpretation
• Semantics of programming languages;
• Separate analysis (modules and libraries);
• Expressive non-numerical abstract domains;
• Liveness properties;
• Probabilistic properties;
• Automatic combination of abstractions;
• Automatic determination of the origin of the loss of precision;
• User interaction for refinement;
• Decomposition of complex properties;
• Proving the correctness of static analysers;
• . . .
All fascinating problems you are probably not interested in!