Presentation is loading. Please wait.

Presentation is loading. Please wait.

SLAM & Static Driver Verifier: Technology Transfer of Formal Methods in Microsoft Thomas Ball Testing, Verification and Measurement Microsoft Research.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "SLAM & Static Driver Verifier: Technology Transfer of Formal Methods in Microsoft Thomas Ball Testing, Verification and Measurement Microsoft Research."— Presentation transcript:

1 SLAM & Static Driver Verifier: Technology Transfer of Formal Methods in Microsoft Thomas Ball Testing, Verification and Measurement Microsoft Research http://research.microsoft.com/~tball/

2 Overview Software contractsSoftware contracts SLAM analysis engineSLAM analysis engine –brief technical overview Static Driver VerifierStatic Driver Verifier –transfer of technology to Windows

3 A Brief History of Microsoft 198019902000 Richness Win16 Win32 COM MFC Components Services APIs Windows 3.0

4 Client Implementation API But no contracts! Platform Interfaces Everywhere!

5 11. EXCLUSION OF INCIDENTAL, CONSEQUENTIAL AND CERTAIN OTHER DAMAGES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL MICROSOFT OR ITS SUPPLIERS BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS OR CONFIDENTIAL OR OTHER INFORMATION, FOR BUSINESS INTERRUPTION, FOR PERSONAL INJURY, FOR LOSS OF PRIVACY, FOR FAILURE TO MEET ANY DUTY INCLUDING OF GOOD FAITH OR OF REASONABLE CARE, FOR NEGLIGENCE, AND FOR ANY OTHER PECUNIARY OR OTHER LOSS WHATSOEVER) ARISING OUT OF OR IN ANY WAY RELATED TO THE USE OF OR INABILITY TO USE THE SOFTWARE PRODUCT, THE PROVISION OF OR FAILURE TO PROVIDE SUPPORT SERVICES, OR OTHERWISE UNDER OR IN CONNECTION WITH ANY PROVISION OF THIS EULA, EVEN IN THE EVENT OF THE FAULT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, BREACH OF CONTRACT OR BREACH OF WARRANTY OF MICROSOFT OR ANY SUPPLIER, AND EVEN IF MICROSOFT OR ANY SUPPLIER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.11. EXCLUSION OF INCIDENTAL, CONSEQUENTIAL AND CERTAIN OTHER DAMAGES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL MICROSOFT OR ITS SUPPLIERS BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS OR CONFIDENTIAL OR OTHER INFORMATION, FOR BUSINESS INTERRUPTION, FOR PERSONAL INJURY, FOR LOSS OF PRIVACY, FOR FAILURE TO MEET ANY DUTY INCLUDING OF GOOD FAITH OR OF REASONABLE CARE, FOR NEGLIGENCE, AND FOR ANY OTHER PECUNIARY OR OTHER LOSS WHATSOEVER) ARISING OUT OF OR IN ANY WAY RELATED TO THE USE OF OR INABILITY TO USE THE SOFTWARE PRODUCT, THE PROVISION OF OR FAILURE TO PROVIDE SUPPORT SERVICES, OR OTHERWISE UNDER OR IN CONNECTION WITH ANY PROVISION OF THIS EULA, EVEN IN THE EVENT OF THE FAULT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, BREACH OF CONTRACT OR BREACH OF WARRANTY OF MICROSOFT OR ANY SUPPLIER, AND EVEN IF MICROSOFT OR ANY SUPPLIER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Microsoft Powerpoint EULA Point 11 11. EXCLUSION OF INCIDENTAL, CONSEQUENTIAL AND CERTAIN OTHER DAMAGES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL MICROSOFT OR ITS SUPPLIERS BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS OR CONFIDENTIAL OR OTHER INFORMATION, FOR BUSINESS INTERRUPTION, FOR PERSONAL INJURY, FOR LOSS OF PRIVACY, FOR FAILURE TO MEET ANY DUTY INCLUDING OF GOOD FAITH OR OF REASONABLE CARE, FOR NEGLIGENCE, AND FOR ANY OTHER PECUNIARY OR OTHER LOSS WHATSOEVER) ARISING OUT OF OR IN ANY WAY RELATED TO THE USE OF OR INABILITY TO USE THE SOFTWARE PRODUCT, THE PROVISION OF OR FAILURE TO PROVIDE SUPPORT SERVICES, OR OTHERWISE UNDER OR IN CONNECTION WITH ANY PROVISION OF THIS EULA, EVEN IN THE EVENT OF THE FAULT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, BREACH OF CONTRACT OR BREACH OF WARRANTY OF MICROSOFT OR ANY SUPPLIER, AND EVEN IF MICROSOFT OR ANY SUPPLIER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.11. EXCLUSION OF INCIDENTAL, CONSEQUENTIAL AND CERTAIN OTHER DAMAGES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL MICROSOFT OR ITS SUPPLIERS BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS OR CONFIDENTIAL OR OTHER INFORMATION, FOR BUSINESS INTERRUPTION, FOR PERSONAL INJURY, FOR LOSS OF PRIVACY, FOR FAILURE TO MEET ANY DUTY INCLUDING OF GOOD FAITH OR OF REASONABLE CARE, FOR NEGLIGENCE, AND FOR ANY OTHER PECUNIARY OR OTHER LOSS WHATSOEVER) ARISING OUT OF OR IN ANY WAY RELATED TO THE USE OF OR INABILITY TO USE THE SOFTWARE PRODUCT, THE PROVISION OF OR FAILURE TO PROVIDE SUPPORT SERVICES, OR OTHERWISE UNDER OR IN CONNECTION WITH ANY PROVISION OF THIS EULA, EVEN IN THE EVENT OF THE FAULT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, BREACH OF CONTRACT OR BREACH OF WARRANTY OF MICROSOFT OR ANY SUPPLIER, AND EVEN IF MICROSOFT OR ANY SUPPLIER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

6 The GPL 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

7 Is There any Program That Satisfies Its Contract?

8 Informal Contract: Sockets the "communication domain" in which communication is to take place; see protocols(5). Sockets of type SOCK_STREAM are full-duplex byte streams, similar to pipes. A stream socket must be in a connected state before any data may be sent or received on it. A con- nection to another socket is created with a connect(2) call. Once connected, data may be transferred using read(2V) and write(2V) calls or some variant of the send(2) and recv(2) calls. When a session has been completed a close(2V), may be performed. Out-of-band data may also be transmitted as described in send(2) and received as described in recv(2). The communications protocols used to implement a SOCK_STREAM insure that data is not lost or duplicated. If a piece of

9 Formalizing Contracts Pre/post conditionsPre/post conditions –Hoare logic –Eiffel: “design by contract”, integrated into language –JML: pre/post language (in comments) MonitorsMonitors –security automata –SLIC - SLAM’s API rule language ModelsModels –ASML: separate modeling language

10 Why are Contracts Useful? Precision in specification & designPrecision in specification & design Separation of concernsSeparation of concerns DocumentationDocumentation Checking/TestingChecking/Testing –dynamic (run-time) –static (compile-time) Responsibility, enforceability, liability, …Responsibility, enforceability, liability, …

11 Why Now? Specifications are (still) a good idea!Specifications are (still) a good idea! –focus shifted to critical properties rather than full correctness Bug economicsBug economics Test automation wallTest automation wall Moore’s lawMoore’s law –abundant computational resources Advances in research and technologyAdvances in research and technology –model checking –program analysis –theorem proving –analysis infrastructures

12 Overview Software contractsSoftware contracts SLAM analysis engineSLAM analysis engine –brief technical overview Static Driver VerifierStatic Driver Verifier –transfer of technology to Windows

13 The Windows Driver Problem Device driversDevice drivers –glue between OS and devices –many are kernel plug-ins –huge part of PC ecosystem Windows Driver ModelWindows Driver Model –complex legacy API –direct access to Windows kernel –low-level binary debugging

14 Source Code Testing Development Precise API Usage Rules (SLIC) Software Model Checking Read for understanding New API rules Drive testing tools Defects 100% path coverage Rules Static Driver Verifier

15 State Machine for Locking UnlockedLocked Error Rel Acq Rel state { enum {Locked,Unlocked} enum {Locked,Unlocked} s = Unlocked; } KeAcquireSpinLock.entry { if (s==Locked) abort; if (s==Locked) abort; else s = Locked; else s = Locked;} KeReleaseSpinLock.entry { if (s==Unlocked) abort; if (s==Unlocked) abort; else s = Unlocked; else s = Unlocked;} Locking Rule in SLIC

16 The SLAM Process #include C2BP predicate abstraction boolean program Newton feasibility check Bebop reachability check Harness SLIC Rule + refinement predicates error path

17 do { KeAcquireSpinLock(); nPacketsOld = nPackets; if(request){ request = request->Next; KeReleaseSpinLock(); nPackets++; } } while (nPackets != nPacketsOld); KeReleaseSpinLock(); Example Does this code obey the locking rule?

18 do { KeAcquireSpinLock(); if(*){ KeReleaseSpinLock(); } } while (*); KeReleaseSpinLock(); Example Model checking boolean program (bebop) U L L L L U L U U U E

19 do { KeAcquireSpinLock(); nPacketsOld = nPackets; if(request){ request = request->Next; KeReleaseSpinLock(); nPackets++; } } while (nPackets != nPacketsOld); KeReleaseSpinLock(); Example Is error path feasible in C program? (newton) U L L L L U L U U U E

20 do { KeAcquireSpinLock(); nPacketsOld = nPackets; b = true; if(request){ request = request->Next; KeReleaseSpinLock(); nPackets++; b = b ? false : *; } } while (nPackets != nPacketsOld); !b KeReleaseSpinLock(); Example Add new predicate to boolean program (c2bp) b : (nPacketsOld == nPackets) U L L L L U L U U U E

21 do { KeAcquireSpinLock(); b = true; if(*){ KeReleaseSpinLock(); b = b ? false : *; } } while ( !b ); KeReleaseSpinLock(); b b b b Example Model checking refined boolean program (bebop) b : (nPacketsOld == nPackets) U L L L L U L U U U E b b !b

22 Example do { KeAcquireSpinLock(); b = true; if(*){ KeReleaseSpinLock(); b = b ? false : *; } } while ( !b ); KeReleaseSpinLock(); b : (nPacketsOld == nPackets) b b b b U L L L L U L U U b b !b Model checking refined boolean program (bebop)

23 SLAM/SDV History 2000-20012000-2001 –foundations, algorithms, prototyping –papers in CAV, PLDI, POPL, SPIN, TACAS March 2002March 2002 –Bill Gates review May 2002May 2002 –Windows committed to hire two Ph.D.s in model checking to support Static Driver Verifier July 2002July 2002 –running SLAM on 100+ drivers, 20+ properties September 3, 2002 –made initial release of SDV to Windows (friends and family) April 1, 2003 –made wide release of SDV to Windows (any internal driver developer) September, 2003 –team of six in Windows working on SDV –researchers moving into “consultant” role November, 2003 –demonstration at Driver Developer Conference

24 SLAM Results Boolean program model has proved itselfBoolean program model has proved itself Successful for device driver contractsSuccessful for device driver contracts –control-dominated safety properties –few boolean variables needed to do proof or find real errors Counterexample-driven refinementCounterexample-driven refinement –terminates in practice –incompleteness of theorem prover not an issue

25 Overview Software contractsSoftware contracts SLAM analysis engineSLAM analysis engine –brief technical overview Static Driver VerifierStatic Driver Verifier –transfer of technology to Windows

26 Lessons Learned Context mattersContext matters People powerPeople power Focus on problems not solutionsFocus on problems not solutions Exploit synergies and shouldersExploit synergies and shoulders Plan carefullyPlan carefully Cultivate championsCultivate champions Avoid the “root of all evil”Avoid the “root of all evil”

27 Context Matters Microsoft culture changeMicrosoft culture change –Trustworthy Computing Initiative Microsoft ResearchMicrosoft Research –basic research + product group interaction –Microsoft's researchers are brilliant, well-funded and free to advance … "the state of the art" in software and computer science. Their work is published in peer-reviewed scientific journals, presented at conferences and discussed with the hundreds of PhD students who do internships at Microsoft each year. –By locating its researchers cheek by jowl with business managers, Microsoft hoped to encourage more effective transfer of new technologies from its labs to its range of products. –12 March 2004 Financial Times Programmer Productivity Research CenterProgrammer Productivity Research Center –PREfix and PREfast tools –analysis infrastructure –tool pipeline to development organizations

28 People Power Software Productivity Tools group members –Sriram Rajamani, Manuvir Das, Rob DeLine, Jim Larus, Manuel Fahndrich, Rustan Leino, Jakob Rehof, Shaz Qadeer SLAM summer interns –Sagar Chaki, Todd Millstein, Rupak Majumdar (2000) –Satyaki Das, Wes Weimer, Robby (2001) –Jakob Lichtenberg, Mayur Naik (2002) –Jakob Lichtenberg, Shuvendu Lahiri, Georg Weissenbacher, Fei Xie (2003) SLAM Visitors –Giorgio Delzanno, Andreas Podelski, Stefan Schwoon Static Driver Verifier: Windows Partners –Byron Cook, John Henry, Vladimir Levin, Con McGarvey, Bohus Ondrusek, Abdullah Ustuner –Neill Clift, Nar Ganapathy, Adrian Oney, Johan Marien, Bob Rinne, Rob Short, Peter Wieland

29 Focus on Problems not Solutions Device driver problemDevice driver problem –important to Microsoft –testing insufficient to ensure quality –many complexities but code of reasonable size Problem space drives search for solutionProblem space drives search for solution –control-dominated properties  boolean programs –no annotations  counterexample-driven refinement

30 Exploit Synergies and Shoulders Diverse backgrounds of investigatorsDiverse backgrounds of investigators SLAM built on strong foundationsSLAM built on strong foundations –Program analysis –Model checking –Theorem proving InfrastructureInfrastructure –MS compiler front-end and alias analysis –CUDD BDD library –Simplify theorem prover –OCaml programming language

31 Plan Carefully Creativity = 10% inspiration + 90% perspirationCreativity = 10% inspiration + 90% perspiration Initial technical reportInitial technical report –laid out plan, left open problems –recruiting/preparing interns Code ownership, code reviews, code refactoring and cleanupCode ownership, code reviews, code refactoring and cleanup

32 Cultivate Champions Device driver expertsDevice driver experts –Adrian Oney, Peter Wieland –explained subtleties of kernel –reviewed rules and error traces Management championsManagement champions –Bob Rinne, Base OS –Amitabh Srivastava, PPRC

33 Avoid the “Root of All Evil” Premature optimizationPremature optimization –easy to get caught up in new features –time/energy wasted on unprofitable features –optimizations introduce bugs Let application domain drive engineeringLet application domain drive engineering –profiling gives data to help prioritize efforts –measure impact of new optimizations

34 Conclusions The technology now exists for enforcing simple API contractsThe technology now exists for enforcing simple API contracts Rollout/adoptionRollout/adoption –first as out-of-band tools (i.e., SLAM/SDV) –next as in-band tools (part of language/compiler)

Download ppt "SLAM & Static Driver Verifier: Technology Transfer of Formal Methods in Microsoft Thomas Ball Testing, Verification and Measurement Microsoft Research."

Similar presentations

Advanced Information Systems Development (SD3043)

Advanced Information Systems Development (SD3043)
Advanced programming tools at Microsoft

Advanced programming tools at Microsoft
The Static Driver Verifier Research Platform

The Static Driver Verifier Research Platform
The SLAM Project: Debugging System Software via Static Analysis

The SLAM Project: Debugging System Software via Static Analysis
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
.NET Technology. Introduction Overview of.NET What.NET means for Developers, Users and Businesses Two.NET Research Projects:.NET Generics AsmL.

.NET Technology. Introduction Overview of.NET What.NET means for Developers, Users and Businesses Two.NET Research Projects:.NET Generics AsmL.
Pension Fund Trustees Liability Ncedi Mbongwe. Introduction to Camargue Underwriting Managers Established in 2001 Underwriters: Mutual and Federal and.

Pension Fund Trustees Liability Ncedi Mbongwe. Introduction to Camargue Underwriting Managers Established in 2001 Underwriters: Mutual and Federal and.
IMPORTANT READ CAREFULLY BEFORE USING THIS PRODUCT LICENSE AGREEMENT AND LIMITED WARRANTY BY INSTALLING OR USING THE SOFTWARE, FILES OR OTHER ELECTRONIC.

IMPORTANT READ CAREFULLY BEFORE USING THIS PRODUCT LICENSE AGREEMENT AND LIMITED WARRANTY BY INSTALLING OR USING THE SOFTWARE, FILES OR OTHER ELECTRONIC.
Click your mouse anywhere on the screen to advance the text in each slide. After the starburst appears, click a blue triangle to move to the next slide.

Click your mouse anywhere on the screen to advance the text in each slide. After the starburst appears, click a blue triangle to move to the next slide.
Software Testing – Lecture #1 Thomas Ball with material from M. Young, A. Memon and MSR’s FSE group.

Software Testing – Lecture #1 Thomas Ball with material from M. Young, A. Memon and MSR’s FSE group.
1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,

1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,
Chair of Software Engineering Software Verification Stephan van Staden Lecture 10: Model Checking.

Chair of Software Engineering Software Verification Stephan van Staden Lecture 10: Model Checking.
Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani Presented by Yifan Li November 22nd In PLDI 01: Programming Language.

Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani Presented by Yifan Li November 22nd In PLDI 01: Programming Language.
An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.

An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.

The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
Product Liability When goods cause injury, there is a question of product liability. There are three main issues related to product liability cases: –

Product Liability When goods cause injury, there is a question of product liability. There are three main issues related to product liability cases: –
Solidifying Software Interfaces: Checkable Contracts Thomas Ball Testing, Verification and Measurement Microsoft Research

Solidifying Software Interfaces: Checkable Contracts Thomas Ball Testing, Verification and Measurement Microsoft Research
Synergy: A New Algorithm for Property Checking

Synergy: A New Algorithm for Property Checking
Secrets of Software Model Checking Thomas Ball Sriram K. Rajamani Software Productivity Tools Microsoft Research

Secrets of Software Model Checking Thomas Ball Sriram K. Rajamani Software Productivity Tools Microsoft Research
Programmability with Proof-Carrying Code George C. Necula University of California Berkeley Peter Lee Carnegie Mellon University.

Programmability with Proof-Carrying Code George C. Necula University of California Berkeley Peter Lee Carnegie Mellon University.

Similar presentations

Ads by Google