engineering better software at microsoft
play

Engineering Better Software at Microsoft Jason Yang - PowerPoint PPT Presentation

Dec 26, 2023 •288 likes •870 views

Engineering Better Software at Microsoft Jason Yang jasony@microsoft.com Principal Development Lead Windows Engineering Desktop Microsoft Corporation Who we are Windows Engineering Desktop Analysis Technologies Team Develops and supports

  1. Engineering Better Software at Microsoft Jason Yang jasony@microsoft.com Principal Development Lead Windows Engineering Desktop Microsoft Corporation

  2. Who we are Windows Engineering Desktop – Analysis Technologies Team Develops and supports some of the most critical compile-time program analysis tools and infrastructures used at Microsoft. Source-level global analyzer  PREfix local analyzer  PREfast/Esp  SAL source code annotation Binary-level binary instrumentation  Vulcan  Magellan code coverage CMU, 11/30/2010 Jason Yang, Microsoft 2

  3. A primer on SAL An introduction to program analysis A glimpse at the engineering process in Windows CMU, 11/30/2010 Jason Yang, Microsoft 3

  4. good APIs + annotations + analysis tools significantly fewer code defects CMU, 11/30/2010 Jason Yang, Microsoft 4

  5. 3,631,361 * * number of annotations in Windows alone more secure and reliable products CMU, 11/30/2010 Jason Yang, Microsoft 5

  6. Why SAL? Manual Review too many code paths to think about Massive Testing inefficient detection of simple programming errors Global Analysis long turn-around time Local Analysis lack of calling context limits accuracy SAL light-weight specifications make implicit intent explicit CMU, 11/30/2010 Jason Yang, Microsoft 6

  7. Evolution of Source Code Annotation Language (SAL) EspX SAL 2.0 2004 2010 Buffer overrun Improves checker coverage and deployed for usability SAL 1.0 EspC 2002 2007 Windows Vista Focuses on Concurrency buffer overrun checker deployed for Windows 7 PFD PREfast & PREfast for PREfix 2007 Drivers shipped VS 2005 Starts to 2003 with DDK SAL aware support 2005 compiler shipped annotations with Visual Studio CMU, 11/30/2010 Jason Yang, Microsoft 7

  8. SAL C0 Contracts For industrial strength C/C++ For a subset of C Current enforcement entirely based Tailored for compile-time analysis vs. on runtime analysis May handle full functional Target critical problem areas specification void * foo(int *p) _Post_ _Notnull_ void * //@requires p != NULL; foo(_Pre_ _Notnull_ int *p) //@ensures \result != NULL; { … } { … } _Pre_satisfies_(p>q)   //@requires p>q; _Post_satisfies_(p>q)   //@ensures p>q; CMU, 11/30/2010 Jason Yang, Microsoft 8

  9. What do these functions do? void * memcpy( void *dest, const void *src, size_t count ); wchar_t *wmemcpy( wchar_t *dest, const wchar_t *src, size_t count ); CMU, 11/30/2010 Jason Yang, Microsoft 9

  10. CMU, 11/30/2010 Jason Yang, Microsoft 10

  11. CMU, 11/30/2010 Jason Yang, Microsoft 11

  12. For every buffer API there’s usually a wide version. Many errors are confusing “byte” vs. “element” counts. CMU, 11/30/2010 Jason Yang, Microsoft 12

  13. For every buffer API there’s usually a wide version. Many errors are confusing “byte” vs. “element” counts. Vital property for avoiding buffer overrun. CMU, 11/30/2010 Jason Yang, Microsoft 13

  14. SAL speak void * memcpy( _Out_writes_bytes_all_(count) void *dest, _In_reads_bytes_(count) const void *src, size_t count ); wchar_t *wmemcpy( _Out_writes_all_(count) wchar_t *dest, _In_reads_(count) const wchar_t *src, size_t count );  Captures programmer intent.  Improves defect detection via tools.  Extends language types to encode program logic properties. CMU, 11/30/2010 Jason Yang, Microsoft 14

  15. Precondition : function can assume p to be non-null when called. _Post_ _Notnull_ void * foo(_Pre_ _Notnull_ int *p); Postcondition : function must ensure the return value to be non-null. struct buf { int n; _Field_size_(n) int *data; }; Invariant : property that should be maintained. CMU, 11/30/2010 Jason Yang, Microsoft 15

  16. What : annotation specifies program property. Where : _At_ specifies annotation target. _At_(ptr, _When_(flag != 0, _Pre _Notnull_)) void Foo( int *ptr, int flag); When : _When_ specifies condition. CMU, 11/30/2010 Jason Yang, Microsoft 16

  17. Type Program Logic Types are used to describe Program logic describes the representation of a value transitions between program in a given program state. states. Enforced by compiler via type Programming errors can be vs. checking. detected by static analysis. Each execution step in a type- Types are often not descriptive safe imperative language enough to avoid errors preserves types, so types by because knowledge about themselves are sufficient to program logic is often implicit. establish a wide class of properties without the need for program logic. CMU, 11/30/2010 Jason Yang, Microsoft 17

  18. Memory cell semantics Memory allocated and can be written to but nothing is known about its contents, for unknown ? example the result of malloc() (that does not zero init the returned buffer) Object has a “well-formed” value: valid initialized + type specific invariants (if any) Memory is read-only read-only Buffer is null-terminated null-terminated ‘\0’ CMU, 11/30/2010 Jason Yang, Microsoft 18

  19. Legend Memory Cells Pointers null unknown state ? non-null maybe null valid p p p read-only x x null-terminated ‘\0’ (b) (c) (a) Diagram (a) abbreviates (b) or (c) CMU, 11/30/2010 Jason Yang, Microsoft 19

  20. Program state ‘a’ x 1 y 1 p CMU, 11/30/2010 Jason Yang, Microsoft 20

  21. Well-typed program state ‘a’ char x 1 int y 1 int *p CMU, 11/30/2010 Jason Yang, Microsoft 21

  22. Well-typed program state ‘a’ char x 1 int y int *p CMU, 11/30/2010 Jason Yang, Microsoft 22

  23. Well-typed program state ‘a’ char x 1 int y 1 int *p C type is not descriptive enough to avoid errors. CMU, 11/30/2010 Jason Yang, Microsoft 23

  24. Program state with qualified type ‘a’ char x 1 int y 1 _Notnull_ int *p Use SAL as a qualifier to be more precise! CMU, 11/30/2010 Jason Yang, Microsoft 24

  25. Qualified type is not always sufficient void foo(_Notnull_ _Writable_elements_(1) int *p) { *p = 1; } void foo(_Notnull_ _Valid_ void *p) { *p = 1; } Which one is right? Problem: types don’t capture state transitions! CMU, 11/30/2010 Jason Yang, Microsoft 25

  26. Pre/post conditions make up a contract _Notnull_ _Writable_elements_(1) int *p ? Precondition foo(&a); Postcondition _Notnull_ _Valid_ int *p 1 CMU, 11/30/2010 Jason Yang, Microsoft 26

  27. Contract for program logic void foo( _Pre_ _Notnull_ _Pre_ _Writable_elements_(1) _Post_ _Notnull_ _Post_ _Valid_ int *p) { *p = 1; } _Post_ _Notnull_ can be removed because C is call by value. CMU, 11/30/2010 Jason Yang, Microsoft 27

  28. Simplified, but still cumbersome to use! void foo( _Pre_ _Notnull_ _Pre_ _Writable_elements_(1) _Post_ _Valid_ int *p) { *p = 1; } CMU, 11/30/2010 Jason Yang, Microsoft 28

  29. C preprocessor macros to the rescue #define _Out_ \ _Pre_ _Notnull_ _Pre_ _Writable_elements_(1) \ _Post_ _Valid_ void foo(_Out_ int *p) { *p = 1; } See how simple the user-visible syntax is! CMU, 11/30/2010 Jason Yang, Microsoft 29

  30. Under the hood—two implementations #define _Out_ \ [SA_Pre(Null=SA_No, WritableElementsConst=1)] \ attributes [SA_Post(Valid=SA_Yes)] #define _Out_ \ __declspec("SAL_pre") __declspec("SAL_notnull") \ __declspec("SAL_pre") \ declspecs __declspec("SAL_writableTo(elementCount(1))") \ __declspec("SAL_post") __declspec("SAL_valid") Historically, there are some key differences between the two mechanisms. With the Visual Studio 2010 compiler, the gap is (almost) eliminated. A consistent user-visible language makes the choice transparent. CMU, 11/30/2010 Jason Yang, Microsoft 30

  31. validity Basic Properties const-ness _Valid_ _Const_ _Notvalid_ string termination buffer size null-ness _Null_terminated_ _Readable_elements_ _Null_ _NullNull_terminated_ _Writable_elements_ _Notnull_ _Readable_bytes_ _Maybenull_ _Writable_bytes_ Examples “Pointer ptr may not be null.” “String str is null terminated.” “Length of string str is stored in count. ” “Object obj is guarded by lock cs. ” CMU, 11/30/2010 Jason Yang, Microsoft 31

  32. Popular annotations in Windows SAL Count _In_ 1961906 _Out_ 381083 _In_opt_ 253496 _Inout_ 185008 _Outptr_ 99447 _In_reads_(size) 71217 _Out_opt_ 63749 _Out_writes_(size) 56330 _In_reads_bytes_(size) 43448 _Out_writes_bytes_(size) 19888 _Inout_opt_ 18845 _In_z_ 17932 _Inout_updates_(size) 14566 _Out_writes_opt_(size) 12701 _In_reads_opt_(size) 12247 _Outptr_result_maybenull_(size) 12054 _Outptr_result_buffer_(size) 9597 _In_reads_bytes_opt_(size) 9138 _Outptr_result_bytebuffer_(size) 7693 _Out_writes_bytes_opt_(size) 7667 _Outptr_opt_ 6231 _Out_writes_to_(size, count) 5498 CMU, 11/30/2010 Jason Yang, Microsoft 32

  33. Single element pointers _Inout_ T* p _In_ T* p _Out_ T* p p p p … … … … x ? … … x Pre Pre Pre Post Post Post p p p … … … … x x … … x’ CMU, 11/30/2010 Jason Yang, Microsoft 33

  34. Single element pointers that might be null _In_opt_ T* p _Out_opt_ T* p _Inout_opt_ T* p p p p … … … … … … x ? x Pre Pre Pre Post Post Post p p p … … … … … … x x x’ CMU, 11/30/2010 Jason Yang, Microsoft 34

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Tools and Behavioral Abstraction A Direction for Software Engineering K. Rustan M. Leino

Tools and Behavioral Abstraction A Direction for Software Engineering K. Rustan M. Leino

Tools and Behavioral Abstraction A Direction for Software Engineering K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond Future of Software Engineering symposium ETH, Zurich, Switzerland 23 November 2010

244 views • 23 slides
Software Engineering Software Applications A.Y. 2020/2021 What is software engineering? What is

Software Engineering Software Applications A.Y. 2020/2021 What is software engineering? What is

Software Engineering Software Applications A.Y. 2020/2021 What is software engineering? What is software engineering? An engineering discipline that is concerned with all aspects of software production from the early stages of system

676 views • 29 slides
Software Engineering Software Engineering 200511357 200511357 1 Software

Software Engineering Software Engineering 200511357 200511357 1 Software

Software Engineering Software Engineering 200511357 200511357 1 Software Engineering 1.Software Engineering The establishment and use of sound engineering principles in order to obtain g g p p economically software

631 views • 27 slides
Software Requirements Engineering Material for Software Engineering for Outsourced &

Software Requirements Engineering Material for Software Engineering for Outsourced &

Software Requirements Engineering Material for Software Engineering for Outsourced & Offshore Development Bertrand Meyer Bernd Schoeller Chair of Software Engineering, ETH Zurich Fall 2005 Softw are Engineering Statements about

1.17k views • 100 slides
Introduction to Software Engineering Week 1 Software Engineering Software Engineering

Introduction to Software Engineering Week 1 Software Engineering Software Engineering

Introduction to Software Engineering Week 1 Software Engineering Software Engineering Software engineering is "(1) the application of Software engineering is (1) the application of a systematic, disciplined, quantifiable approach to the

610 views • 26 slides
Introduction to Software Engineering 1 What is Software Engineering? The establishment and

Introduction to Software Engineering 1 What is Software Engineering? The establishment and

Introduction to Software Engineering 1 What is Software Engineering? The establishment and use of sound engineering principles in order to obtain economically software that is reliable and works efficiently on real machines. As

1.01k views • 59 slides
Software Engineering Topics Computer science v. software engineering Definition of

Software Engineering Topics Computer science v. software engineering Definition of

Software Engineering Topics Computer science v. software engineering Definition of software engineering Types of software The nature of software Software history and the software crisis Software quality Elements of

818 views • 67 slides
Requirements Engineering Software Engineering Software Engineering Andreas Zeller Saarland

Requirements Engineering Software Engineering Software Engineering Andreas Zeller Saarland

Based on the Book by Pressman: Software Engineering a Practitioner s Approach, as well as Wikipedia Requirements Engineering Software Engineering Software Engineering Andreas Zeller Saarland University 1 Waterfall Model

467 views • 15 slides
Microsoft Access 2010 Powerpoint Presentation 2003 Microsoft Access 2010 is a software program

Microsoft Access 2010 Powerpoint Presentation 2003 Microsoft Access 2010 is a software program

Microsoft Access 2010 Powerpoint Presentation 2003 Microsoft Access 2010 is a software program used to build and run databases. Microsoft Excel 2003 is a spreadsheet application and part of Microsoft Office. for five Microsoft Office 2010

86 views • 4 slides
EPUB in the Browser Ben Walters Principle Software Engineering Lead at Microsoft

EPUB in the Browser Ben Walters Principle Software Engineering Lead at Microsoft

EPUB in the Browser Ben Walters Principle Software Engineering Lead at Microsoft ben.walters@microsoft.com Warm up: how many people Warm up: how many people Build EPUB Reading Systems? Warm up: how many people Build

883 views • 23 slides
Deconstructing Concurrency Heisenbugs Shaz Qadeer Research in Software Engineering Microsoft

Deconstructing Concurrency Heisenbugs Shaz Qadeer Research in Software Engineering Microsoft

Deconstructing Concurrency Heisenbugs Shaz Qadeer Research in Software Engineering Microsoft Research Concurrent Programming is HARD Concurrent Programming is HARD Concurrent executions are highly nondeterminisitic Rare thread interleavings

434 views • 11 slides
Requirements Engineering Software Engineering Software Engineering Andreas Zeller Saarland

Requirements Engineering Software Engineering Software Engineering Andreas Zeller Saarland

Based on the Book by Pressman: Software Engineering a Practitioners Approach, as well as Wikipedia Requirements Engineering Software Engineering Software Engineering Andreas Zeller Saarland University

434 views • 18 slides
Circularities and Modularity in the Wild Some F# Perspectives on Software Engineering Don Syme

Circularities and Modularity in the Wild Some F# Perspectives on Software Engineering Don Syme

| Basel Circularities and Modularity in the Wild Some F# Perspectives on Software Engineering Don Syme (Microsoft Research) (fpbridge.co.uk, fsharpforfunandprofit.com) Scott Wlaschin fsharp.org meetup.com/FSharpLondon Type Providers

713 views • 47 slides
Software Engineering Designing, building and maintaining large software systems CS 422

Software Engineering Designing, building and maintaining large software systems CS 422

Chapter 1 Chapter 1 An Introduction to Software Engineering Learning Objective ...to give an appreciation for and to introduce software engineering and to place it into context with the system engineering process , process models and some of the

191 views • 15 slides
SOFTWARE 2.0 Software Engineer - Microsoft SPRING 2019 CSD 439 Big Data Application

SOFTWARE 2.0 Software Engineer - Microsoft SPRING 2019 CSD 439 Big Data Application

David Parker SOFTWARE 2.0 Software Engineer - Microsoft SPRING 2019 CSD 439 Big Data Application Development Basically learn how solve cool problems at scale ABOUT THE SPEAKER SKYNET Source: [19] AMAZON GO Source: [21]

1.21k views • 48 slides
Presentation Software Presentation Software Presentation Software Presentation Software An

Presentation Software Presentation Software Presentation Software Presentation Software An

Presentation Software Presentation Software Presentation Software Presentation Software An introduction to creating electronic presentations using Microsoft PowerPoint 2010 ABT COLLABORATIVE BCCAMPUS Except for third party materials and

1.7k views • 94 slides
Corpus Overview ENG240Y Old English / Wed 3 Nov 2010 Selective preservation oral vs written

Corpus Overview ENG240Y Old English / Wed 3 Nov 2010 Selective preservation oral vs written

Corpus Overview ENG240Y Old English / Wed 3 Nov 2010 Selective preservation oral vs written popular vs aristocratic (and popular vs learned) secular vs religious Cameron classification A Poetry B Prose C Glosses D Glossaries E

467 views • 7 slides
How Can I Do That with ACL2? Recent Enhancements to ACL2 Matt Kaufmann and J Strother Moore 1

How Can I Do That with ACL2? Recent Enhancements to ACL2 Matt Kaufmann and J Strother Moore 1

How Can I Do That with ACL2? Recent Enhancements to ACL2 Matt Kaufmann and J Strother Moore 1 Introduction (1) ACL2 Version 3.5 was released in May, 2009. Release note items (see :DOC release-notes) since then: (+ 41 ; 3.6 (8/2009) 3 ;

622 views • 49 slides
Issue 1, 14 February 2003 ways about it. All staff will readily vouch for the inspirational days

Issue 1, 14 February 2003 ways about it. All staff will readily vouch for the inspirational days

Issue 1, 14 February 2003 ways about it. All staff will readily vouch for the inspirational days (and night, for some) which launched them into the school year. A full day workshop with Fran Rollings (AISQ, Brisbane) and Lesley Brooks (W.A) set

191 views • 4 slides
Text-Denoising mit Go(lang) Bedcon 2015 Dennis Kluge Charit Berlin

Text-Denoising mit Go(lang) Bedcon 2015 Dennis Kluge Charit Berlin

Text-Denoising mit Go(lang) Bedcon 2015 Dennis Kluge Charit Berlin dataflex-science.de Berlin Expert Days 2015 | Dennis Kluge | Slide 3 Berlin Expert Days 2015 | Dennis Kluge | Folie 4 NLP Natural Language Processing Berlin

644 views • 37 slides
Malware: Worms CS 161 - Computer Security Profs. Vern Paxson & David Wagner TAs: John

Malware: Worms CS 161 - Computer Security Profs. Vern Paxson & David Wagner TAs: John

Malware: Worms CS 161 - Computer Security Profs. Vern Paxson & David Wagner TAs: John Bethencourt, Erika Chin, Matthew Finifter, Cynthia Sturton, Joel Weinberger http://inst.eecs.berkeley.edu/~cs161/ April 14, 2010 The Problem of Worms

582 views • 22 slides
Today Memory layout Buffer overflow, worms, and viruses

Today Memory layout Buffer overflow, worms, and viruses

University of Washington Today Memory layout Buffer overflow, worms, and viruses 1 University of Washington not drawn to scale IA32 Linux Memory

446 views • 22 slides
A Calculus for Worms Ana Borges with Joost Joosten Universitat de Barcelona Wormshop 2017

A Calculus for Worms Ana Borges with Joost Joosten Universitat de Barcelona Wormshop 2017

A Calculus for Worms Ana Borges with Joost Joosten Universitat de Barcelona Wormshop 2017 December 19 1 / 12 The Reflection Calculus The Reflection Calculus, RC 0 , in a nutshell: Closed positive fragment of GLP . 2 / 12 The

765 views • 43 slides
Responding to Mobile Worms with Location-Based Quarantine Boundaries Baik Hoh (baikhoh@winlab)

Responding to Mobile Worms with Location-Based Quarantine Boundaries Baik Hoh (baikhoh@winlab)

Responding to Mobile Worms with Location-Based Quarantine Boundaries Baik Hoh (baikhoh@winlab) Marco Gruteser (gruteser@winlab) Research Review 2006 1 Threats of Mobile Worms Current Trends in Pervasive Devices Multi-radio support :

791 views • 20 slides

More recommend