The Verifying The Verifying Compiler: a Grand Compiler: a Grand

Challenge for Challenge for Computing ResearchComputing Research

Tony HoareTony Hoare

LeidenLeiden 5 November, 20035 November, 2003

Typical Grand ChallengesTypical Grand Challenges

Prove Fermat’s last theoremProve Fermat’s last theorem (accomplished)(accomplished)Put a man on the moon Put a man on the moon (accomplished)(accomplished)Cure cancer within ten yearsCure cancer within ten years (failed in 1970s)(failed in 1970s)Map the Human GenomeMap the Human Genome (accomplished)(accomplished)Map the Human Proteome Map the Human Proteome (too difficult (too difficult

now)now)Find the Higgs bosonFind the Higgs boson (in progress) (in progress) Find Gravity wavesFind Gravity waves (in progress)(in progress)Unify the four forces of PhysicsUnify the four forces of Physics (in progress)(in progress)Hilbert’s program for math foundationsHilbert’s program for math foundations (abandoned (abandoned

1930s)1930s)

In Computing ScienceIn Computing Science

Prove that P is not equal to NPProve that P is not equal to NP (open)(open)

The Turing testThe Turing test (outstanding) (outstanding)

The verifying compilerThe verifying compiler (abandoned in 1970s)(abandoned in 1970s)

A championship chess program A championship chess program (completed (completed 1997)1997)

A GO program at professional standard (too hard)A GO program at professional standard (too hard)

Machine translation English to Russian Machine translation English to Russian (failed in (failed in 1960s)1960s)

A Grand ChallengeA Grand Challenge

Is a fifteen-year projectIs a fifteen-year project With world-wide participation,With world-wide participation, And clear test of success or And clear test of success or

failure.failure. It offers fundamental and It offers fundamental and

radical advanceradical advance In basic Science or In basic Science or

Engineering.Engineering.

A Grand Challenge needsA Grand Challenge needs

Maturity of the state of the artMaturity of the state of the art General support from the General support from the

international scientific communityinternational scientific community Long-term commitment from the Long-term commitment from the

teams who engage in itteams who engage in it Understanding from funding Understanding from funding

agenciesagencies

The Verifying CompilerThe Verifying Compiler

A verifying compiler uses automated A verifying compiler uses automated mathematical and logical reasoning mathematical and logical reasoning to check the correctness of the to check the correctness of the programs that it compiles. programs that it compiles. Correctness is specified by types, Correctness is specified by types, assertions, and other redundant assertions, and other redundant annotations that are associated with annotations that are associated with the code of the program.the code of the program.

Test of successTest of success On completion of the project, significant On completion of the project, significant

and representative samples of software and representative samples of software products will be mechanically verified.products will be mechanically verified.

Each sample will be suitable to replace Each sample will be suitable to replace existing software in routine use, and to existing software in routine use, and to serve as a basis for further software serve as a basis for further software evolution. evolution.

A prototype verifying compiler will be A prototype verifying compiler will be available as part of a software available as part of a software engineering toolsetengineering toolset

GC criteriaGC criteria

FundamentalFundamental HistoricalHistorical AstonishingAstonishing IdealisticIdealistic InspiringInspiring

BeneficialBeneficial RevolutionaryRevolutionary FeasibleFeasible RiskyRisky RareRare

FundamentalFundamental

How does a software system work? How does a software system work? Annotation of interfaces explains how. Annotation of interfaces explains how. Why does it work?Why does it work? The theory of programming explains The theory of programming explains

why. why. A verifying compiler checks the A verifying compiler checks the

correctness of the answers… correctness of the answers… And enables the engineer to exploit the And enables the engineer to exploit the

basic science.basic science.

Historical.Historical.

The prestigious challenges are those The prestigious challenges are those which were formulated long ago; which were formulated long ago; without concerted effort, they would be without concerted effort, they would be likely to stand for many years to come.likely to stand for many years to come.

The challenge of program verification The challenge of program verification goes back to Turing (1948), McCarthy goes back to Turing (1948), McCarthy (1962), Floyd (1967).(1962), Floyd (1967).

IdealisticIdealistic

The project does not duplicate The project does not duplicate commercially motivated evolution of commercially motivated evolution of existing products.existing products.

Commercial tools follow market Commercial tools follow market demand, and discover more and demand, and discover more and more faults; only academic research more faults; only academic research pursues ideals of purity, accuracy, pursues ideals of purity, accuracy, completeness and correctness.completeness and correctness.

AstonishingAstonishing

It gives scope for engineering It gives scope for engineering ambition to build something useful ambition to build something useful that was earlier thought impractical.that was earlier thought impractical.

It is amazing that computers can It is amazing that computers can check the correctness of their own check the correctness of their own programs, using logical proof in the programs, using logical proof in the same way as mathematicians same way as mathematicians through the ages.through the ages.

TestableTestable

The project has a clear measure of success The project has a clear measure of success or failure at the end; and ideally, at or failure at the end; and ideally, at intermediate stages too.intermediate stages too.

A verifying compiler will certify total A verifying compiler will certify total correctness of embedded software up to correctness of embedded software up to 10k lines, the safety of critical systems up 10k lines, the safety of critical systems up to 100k lines, and the soundness and to 100k lines, and the soundness and security of software up to a million lines. security of software up to a million lines. Many subtle bugs will be found and Many subtle bugs will be found and removed. removed.

InspiringInspiring

The goals are generally comprehensible, The goals are generally comprehensible, and capture the imagination of the and capture the imagination of the general public, as well as the esteem of general public, as well as the esteem of scientists in other disciplinesscientists in other disciplines

The general public is well aware of the The general public is well aware of the problem of software errors, and should problem of software errors, and should welcome an attempt by computer welcome an attempt by computer scientists to solve a problem attributed scientists to solve a problem attributed to their own creation.to their own creation.

BeneficialBeneficial

The understanding and knowledge The understanding and knowledge gained after completion of the gained after completion of the project could bring scientific, project could bring scientific, economic or social benefits. economic or social benefits.

Reduction in program errors could Reduction in program errors could save $22-60 billion per year in US save $22-60 billion per year in US (US Dept. Commerce Planning (US Dept. Commerce Planning Report 02-03, May 2002 ).Report 02-03, May 2002 ).

Revolutionary.Revolutionary.

The project involves a paradigm shift The project involves a paradigm shift in scientific research practices. in scientific research practices.

At present large-scale long-term At present large-scale long-term projects are rare among computer projects are rare among computer scientists. So is co-operation scientists. So is co-operation between theorists, tool-builders and between theorists, tool-builders and tool users.tool users.

The team must include …The team must include …

Programming theoristsProgramming theorists Programming tool-set buildersProgramming tool-set builders Compiler writers and optimisersCompiler writers and optimisers Sympathetic usersSympathetic users Open source code contributorsOpen source code contributors Proof-tool builders, model checkers,Proof-tool builders, model checkers,

…… Teachers and students can helpTeachers and students can help

Feasible.Feasible.

The reasons for previous failure to The reasons for previous failure to meet the challenge are well meet the challenge are well understood and believable plans are understood and believable plans are under way to overcome them.under way to overcome them.

Gigabytes and Gigacycles are now Gigabytes and Gigacycles are now cheapcheap

Beneficiaries number in billionsBeneficiaries number in billions The state of the art is much advancedThe state of the art is much advanced

State of the artState of the art

Smart-card applications have been Smart-card applications have been manually proved (eg. Logica).manually proved (eg. Logica).

Safety-critical systems have been Safety-critical systems have been developed from specification (eg. Praxis).developed from specification (eg. Praxis).

Commodity software includes many Commodity software includes many assertions (eg. Microsoft Office)assertions (eg. Microsoft Office)

Open Source software is freely available Open Source software is freely available for research as well as use (eg. Apache).for research as well as use (eg. Apache).

Programming theories cover O-O and Programming theories cover O-O and concurrency (eg. this conference)concurrency (eg. this conference)

Available ToolsAvailable Tools Assertion generators (eg. DAIKON)Assertion generators (eg. DAIKON) Program analysers (eg. PREfix, SPLINT)Program analysers (eg. PREfix, SPLINT) Abstract Syntax Tree compiler (eg.PREfast)Abstract Syntax Tree compiler (eg.PREfast) Verification Condition Generator (eg. ESC)Verification Condition Generator (eg. ESC) Program Development Environment (eg.B)Program Development Environment (eg.B) Theorem provers (eg. simplify, HOL)Theorem provers (eg. simplify, HOL) Decision procedures (eg. SAT, PVS)Decision procedures (eg. SAT, PVS) Model checkers (eg. SPIN, FDR)Model checkers (eg. SPIN, FDR)

RisksRisks

Poor quality of legacy code/languages.Poor quality of legacy code/languages. Errors are just missing preconditions.Errors are just missing preconditions. Errors are exploited for functionality or Errors are exploited for functionality or

compatibility reasons.compatibility reasons. Spec of external interfaces impractical.Spec of external interfaces impractical. Build/configuration files can’t be proved.Build/configuration files can’t be proved. Multiple languages in a single Multiple languages in a single

application.application.

RareRare

Requires maturity of the ScienceRequires maturity of the Science (but not too mature)(but not too mature) Requires general support of the Requires general support of the

manymany Long-term commitment of the fewLong-term commitment of the few Sympathy from funding agenciesSympathy from funding agencies It is hard to start the bandwagonIt is hard to start the bandwagon

Early decisionsEarly decisions

What language(s)?What language(s)? What compiler/loaders/run-time What compiler/loaders/run-time

checkers?checkers? Which particular applications?Which particular applications?

SmartcardSmartcard EmbeddedEmbedded CriticalCritical CommodityCommodity

What collaborators?What collaborators?

TimetableTimetable

2005 start of project2005 start of project

2010 smartcard software proved correct2010 smartcard software proved correct

2015 critical applications proved safe2015 critical applications proved safe

2020 commodity software proved secure2020 commodity software proved secure

AcknowledgementsAcknowledgements

Jim WoodcockJim Woodcock Greg MorrisettGreg Morrisett Jay MisraJay Misra Peter O’HearnPeter O’Hearn Richard BornatRichard Bornat Carl GunterCarl Gunter and many othersand many others