Your Flying Car is Ready: Amazing Programming From the Future, Today!

CRAIG STUNTZ
PROJECT
DATE CLIENT
2014.09.29
YOUR FLYING CAR IS READY
AMAZING PROGRAMMING TOOLS FROM THE FUTURE, TODAY!
https://www.flickr.com/photos/ellenm1/7847402208

View Slide

SLIDES https://speakerdeck.com/craigstuntz/your-ﬂying-car-is-ready
Slides are already online.

View Slide

“THE FUTURE IS
ALREADY HERE —
IT’S JUST NOT
VERY EVENLY
DISTRIBUTED.”
WILLIAM GIBSON
Spoilers alert! Here’s the whole talk.
1. Software is broken; solves the wrong problem incorrectly.
2. Software is broken for a reason: Inessential complexity.
3. It’s possible to produce software which solves harder problems and isn’t broken.
4. The way to do better exists and is used to produce software you use every day.

View Slide

“A LANGUAGE THAT
DOESN'T AFFECT THE
WAY YOU THINK ABOUT
PROGRAMMING, IS
NOT WORTH
KNOWING.”
ALAN PERLIS
EPIGRAMS IN
PROGRAMMING
https://www.flickr.com/photos/randyread/2385812579
Will talk about tools most people don’t know exist, when it makes sense to use them. When not. “All languages are the same, just syntax.” <- Wrong!

View Slide

“SOMETIMES WE
DON’T PROGRAM
TO SHIP; WE
PROGRAM TO
UNDERSTAND
PROGRAMMING.”
NADA AMIN
PROGRAMMING
SHOULD EAT ITSELF
Do programming languages exist to produce programs? You can create a program without a PL, though it’s harder. We program not for its own sake
(mostly) but to solve business problems. PLs and compilers produce exe code, yes, but find syntax errors, semantic errors, and are “tools of
thought.” (And much more common!)
My real goal here: To expand the set of problems you think you can solve with programming. To do that, you need new ways of approaching a language,
not just tooling.

View Slide

What Is the Upper Limit
of Software Quality?
function three() {
return 1 + 2;
}
Want to show you a function I wrote. I’ll apologize in advance for this slide since it involves math. What’s interesting? It’s perfect! This is the only defect-
free JS I’ll be showing you today. It also composes well.
The notion of “perfect” code is controversial. But it’s clearly possible!
How much quality are we willing to pay for? Does it depend on the application?

View Slide

“LIFE WAS
SIMPLE BEFORE
WORLD WAR II.
AFTER THAT, WE
HAD SYSTEMS.”
GRACE HOPPER
Perfect code is trivial.
Perfect programs, systems harder. Why is composition harder in some cases? This is essential!
There are always external factors. That’s fine.

View Slide

“BEWARE OF BUGS
IN THE ABOVE
CODE; I HAVE ONLY
PROVED IT
CORRECT, NOT
TRIED IT.”
DONALD KNUTH
NOTES ON THE VAN EMDE BOAS
CONSTRUCTION OF PRIORITY DEQUES: AN
INSTRUCTIVE USE OF RECURSION
https://www.flickr.com/photos/gem66/38298868
Dangerous ideas! I'll be showing a lot of languages which are “still in the lab.”
You may find some of this useful in your work tomorrow, but not all experiments succeed.

View Slide

In particular the lab is Microsoft Research. Many people know Kinect, WorldWide Telescope, F#, Entity Framework, Pex.

View Slide

“IF YOU’RE GOING
TO USE CUTTING
EDGE TECHNOLOGY,
DON’T EXPECT NICE
BLOG POSTS THAT
TELL YOU IT’S EASY.”
JOE ARMSTRONG
CHICAGO ERLANG PRESENTATION
https://www.flickr.com/photos/vanchett/3180276972
I have a rule of thumb for application architecture. Consider the tech you want to be using in 5 years, because… Never specify tech the Hacker News
Hipsters tell you that you should be using today. Try to see into the future. This is hard!
However, every tool I discuss is real and is used in production software, including software you might use every day.

View Slide

“YOUNG MAN, IN
MATHEMATICS YOU
DON'T UNDERSTAND
THINGS. YOU JUST
GET USED TO THEM.”
JOHN VON NEUMANN
LETTER TO FELIX T. SMITH
https://www.flickr.com/photos/[email protected]/8378574271
These languages operate very differently than those you probably use in your day to day work. Don't worry if you don't follow every bit of syntax. To be
quite honest, I don't fully understand all of this stuff myself. The important thing is to know what is available, and to think about problems in new ways.

View Slide

Some Specialized
Languages
Assembly

SQL

C

F#

C#?
I’ll be talking about specialized tools.
We’re biased towards general purpose languages.
But we happily use SQL when needed.
We grow domain-specific languages to GP when necessary.

View Slide

“IF DEBUGGING IS THE
PROCESS OF
REMOVING SOFTWARE
BUGS, THEN
PROGRAMMING MUST
BE THE PROCESS OF
PUTTING THEM IN.”
ATTRIBUTED TO
EDSGER DIJKSTRA
Sounds like Dijkstra!
Let’s talk about bugs. Broken code should be obvious.
Cognitive overhead from inessential complexity turns out to be surprisingly high.
Let’s examine some buggy code. Been a hell of a week; the Internet keeps giving!

View Slide

JavaScript
function add(a, b) {
return
a + b;
}
In study of buggy code, makes sense to start with JavaScript.
In contrast to earlier example, completely broken. No error. Anyone know what it returns?
JS, so we never specified the return type. Type checker would find.
A test might find the bug
This is not a good part

View Slide

http://blog.erratasec.com/2014/09/bash-bug-as-big-as-heartbleed.html#.VCN_7StdWwE
PLs are usually specified in EBNF. Machine verifiable specs are easy (not always true!); bash doesn’t use them and has evolved to the point where can’t be
specified.
So there are edge cases…. Syntax which should not be allowed.
Even when (maybe!) not wrong: Also Ruby. parser.y impenetrable. Half the size of all of Lua for parser alone. Other implementations are probably different
than MRI. Formal PL grammars keep parsers maintainable.

View Slide

Goto Fail
static OSStatus
SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams,
uint8_t *signature, UInt16 signatureLen)
{
OSStatus err;
...
!
if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
goto fail;
if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
goto fail;
goto fail;
if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
goto fail;
...
!
fail:
SSLFreeBuffer(&signedHashes);
SSLFreeBuffer(&hashCtx);
return err;
}
Besides the obvious…
$AAPL lost $20B when iOS update couldn’t dial the phone.
“fail” is not always fail, and “err” is not always err.
Crappy code, maybe, but real production code, and not the worst I’ve ever seen.

View Slide

"Quality software costs money — Heartbleed was free." Paul-Henning Kamp DOI:10.1145/2631095
Not a TLS spec bug (though those can happen). Possibly creeping featuritis in spec.
Also, strings are kind of broken. That’s true for most languages, not just C.

View Slide

C#
static Type GetType() where T : new()
{
T t = new T();
return t.GetType(); // *
}
!
static void Main(string[] args)
{
Console.WriteLine(GetType().ToSting());
}
Appears contrived, but useful, because type system is broken and it fits on a slide.
* line throws.
Deeply weird that you can new up something and can’t ask for its type.
Type systems help, but not 100% safe.

View Slide

F#
let average (someList: int list) =
(List.sum someList)
/ (List.length someList)
Type system is restricted. There is no type for a non-empty list. Could check in code, but requires code + test. Better type system could do it for us.

View Slide

CAN WE DO
BETTER?
OR MUST WE DO BETTER?
https://www.flickr.com/photos/jurvetson/5872448596
How?

View Slide

“Attempting to prove any nontrivial theorem
about your program will expose lots of bugs.

“The particular choice of theorem makes little
diﬀerence!

“Typechecking is good because it proves lots and
lots of little theorems about your program.”
–Benjamin C. Pierce
http://www.cis.upenn.edu/~bcpierce/papers/harmful-mfps.pdf
Use strong types! There is a deep relationship between programs and mathematical proofs. Talk to me after, but types good!
Strong types (especially for real strong types) are awesome for refactoring. Slash + burn.
Don’t fix the bug. Change the data types to make the state which caused it impossible.
C# types maybe not strong enough to succinctly only allow state which is correct by construction.

View Slide

“PROGRAM TESTING
CAN BE USED TO
SHOW THE
PRESENCE OF BUGS,
BUT NEVER THEIR
ABSENCE.”
EDSGER DIJKSTRA
STRUCTURED PROGRAMMING
Tests are ∃, strong types are ∀.
Testing is great; property-based testing (QuickCheck, etc.) even better
Testing is evidence, not a proof
But the 80/20 rule may hold

View Slide

“WHAT’S TRUE OF
EVERY BUG FOUND
IN THE FIELD? IT HAS
PASSED THE TYPE
CHECKER… AND ALL
OF THE TESTS.”
RICH HICKEY
SIMPLE MADE EASY
https://www.flickr.com/photos/grouperkun/5351080866
Simplicity, conceptual clarity, is the silver bullet, not languages.
"Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart
enough to debug it.” Brian Kernighan
When you diverge from essential complexity, you’re creating a maintenance problem.
Microkernels!

View Slide

Hoare Veriﬁcation
{P} C {Q}

Partial vs. total correctness

Considered to be high-eﬀort; 100/100
Tony Hoare, Algol (who has heard of Algol?)
Anyone ever seen a null reference error?
One can totally specify software.
Precondition->Command->Postcondition

View Slide

Z3
http://rise4fun.com/Z3
http://z3.codeplex.com/
https://www.flickr.com/photos/laughingsquid/102654032
So here’s your flying car! Z3 is a theorem prover. Sounds like math, but stay with me. When you hear “theorem prover,” think really strong types. Equivalent.
Specification = always true about a system. “Formal specification” = verifiable by a machine.
"Type errors are not just red flags: in a sufficiently well-specified theory, all errors are type errors." Evan Jenkins
SMT solver. Take some specs, simplify them algebraically, and efficiently prove the spec satisfiable or not, with examples.

View Slide

A Simple Problem
Write a Ruby program that determines the
smallest three digit number such that
when said number is divided by the sum
of its digits the answer is 20.
Example: Number = 123. Sum of digits = 6
123/6 = 20.5, so not a solution.
Hate it when speakers read slides out loud, but…
Picked this because it’s a very simple problem.
Z3 is ASM. Usually not used directly. Will see examples of systems which use it.

View Slide

Ruby
Most people would try something like… Seems reasonable, but it’s brute force solution. Have we fully understood the problem?
Also, this is wrong. You probably have to be fairly good with Ruby to figure out why. Ruby is complicated; just try and parse it! Cognitive overhead for
even a simple problem is very high!

View Slide

Ruby
Looks efficient! Is this right? Remember, I like to put buggy code on my slides! Bestowed? Is it the best solution? Do you want this in the code you
maintain?

View Slide

SMT-LIB
I know, (). SMT-LIB language used to compare/benchmark solvers. You don’t typically use this for production. Minimal interface to Z3.
Did live in rehearsal. Awkward! See me in person for demos.
“Formal” spec for most of problem. Machine checkable. Omitted one part.

View Slide

SMT-LIB
Variable?

View Slide

SMT-LIB
Test-only programming.
Does forall make sense?

View Slide

SMT-LIB

View Slide

http://rise4fun.com/Z3/7VZh
Had to write digit-sum

View Slide

Note that the model is valid SMT-LIB code. Optimized! Really important.
Complex definitions tend to be wrong when first written out. They can also be complete nonsense!
!

View Slide

Add one clause

View Slide

Not “can’t find.” Doesn’t exist.

View Slide

Who uses this? Hyper-V hypervisor. If this is wrong the world ends. 100000 lines C, 5000 lines x64 ASM
Complex implementation, fairly simple spec.
Around 1.5 person years, incl learn VCC. 18 hours execution. Xen flaw to be disclosed Wednesday.
Also Dafny, F*, etc.

View Slide

DAFNY
http://rise4fun.com/Dafny
http://research.microsoft.com/dafny
https://www.flickr.com/photos/marcusjb/440973101/

View Slide

Dafny
Useful for education. Correctness more important than executability. Looks like code contracts but proven at compile time! Imperative code. What must
go right?
Solver proves that mathematical and imperative definitions equivalent. Important, especially for optimization. Similar to 180 example.

View Slide

Who uses Dafny? Rice University “Reasoning about algorithms”

View Slide

https://www.flickr.com/photos/ayman/21226117
F* based on F#. Subsumes F7 and other MSR projects.

View Slide

Append function for length-indexed list.
Heavy effort, heavy return.
Remember C# variance annotations: Useful, even if you don’t write them!

View Slide

View Slide

F7 source for miTLS

View Slide

Compiles to…

View Slide

Funny thing about formally verifying specs.
Sounds awesome that the code meets spec.

View Slide

TLA+
http://research.microsoft.com/en-us/um/people/lamport/tla/tla.html
"Writing is nature’s way of letting you know how sloppy your thinking is." Richard Guindon
"Mathematics is nature’s way of letting you know how sloppy your writing is.... Formal mathematics is nature’s way of letting you know how sloppy your mathematics is."
Leslie Lamport
"Specification is not an end in itself; it is just a tool that an engineer should be able to use when appropriate." p. 76
"TLA+ is particularly effective at revealing concurrency errors—ones that arise through the interaction of asynchronous components." TLA book, p. 76.

View Slide

http://lorinhochstein.wordpress.com/2014/06/04/crossing-the-river-with-tla/

View Slide

View Slide

http://somethingofthatilk.com/index.php?id=135

View Slide

View Slide

Who Uses TLA+?
http://research.microsoft.com/en-us/um/people/lamport/tla/formal-methods-amazon.pdf
Anything on AWS: Netflix, Heroku

View Slide

WHAT HAVE WE LEARNED?
Thinking about specification, and formal specs keep you honest! Force you to consider whole problem.
Make a spec which is internally consistent. Double entry check vs. code.
Useful when problem domain too large (AWS) or too complex (Ruby) to test.
Proves optimized code equivalent to readable code.

View Slide

ARE FLYING
CARS A BAD
IDEA?
https://www.flickr.com/photos/bobjagendorf/4934950194/
Tooling is an issue. Proving production code matches spec can be challenging. __agl verify ECC C code
Impractical for complex systems. Good when it makes you simplify!
Exhaustive testing, when possible, can give you similar return for less effort. Not always possible.

View Slide

Gratitude
The people of Microsoft Research

Others I’ve learned from

SMT-LIB: Laurentiu Nicola (blog comment)

Dafny: Swarat Chaudhuri’s articles

TLA+: Chris Newcombe, Tim Rath, Fan Zhang, Bogdan
Munteanu, Marc Brooker, and Michael Deardeuﬀ and
Lorin Hochstein’s blog

Photographers (credited on each slide where used)

My family, employer, and coworkers, for putting up with
me spending time on this stuﬀ

View Slide

CRAIG STUNTZ
@CraigStuntz
[email protected]
http://blogs.teamb.com/craigstuntz
http://www.meetup.com/Papers-We-Love-Columbus/
Least interesting part, but….
Questions?

View Slide

Your Flying Car is Ready: Amazing Programming From the Future, Today!

Your Flying Car is Ready: Amazing Programming From the Future, Today!

Craig Stuntz

More Decks by Craig Stuntz

Other Decks in Programming

Featured

Transcript