{#intro} ========= {#firstbug0} -------------

The First *Bug* ---------------

**Page from Harvard Mark II log** A dead moth removed from the device Slammer Worm (2003) -------------------

**Buffer Overflow** Affected 90% of vulnerable machines in 10 mins Northeast Blackout (2003) -------------------------

**Race Condition** Cut power for 55 million, trigger: lines hitting foliage HeartBleed (2014) -----------------

**Buffer Overflow** Compromises secret keys, passwords ... Goto Fail (2014) ----------------

**Typo (?!)** Bypass critical check, compromise cryptography A Possible Solution =================== Modern Languages -----------------

Modern Languages ----------------
F# Rust Scala OCaml **Haskell** Modern Languages ----------------
Static Typing
First-class Functions
Immutability by Default

Make **good** designs **easy** and **bad** designs **hard**

Modern Languages? -------------------
Not so fast ...

Well-typed programs **can go wrong!**

Well-Typed Programs Can Go Wrong ================================ {#asd} ------- Division By Zero ----------------

\begin{spec} λ> let average xs = sum xs `div` length xs λ> average [1,2,3] 2 \end{spec}

\begin{spec} λ> average [] *** Exception: divide by zero \end{spec}

Missing Keys ------------

\begin{spec} λ> :m +Data.Map λ> let m = fromList [ ("haskell", "lazy") , ("racket" , "eager")] λ> m ! "haskell" "lazy" \end{spec}

\begin{spec} λ> m ! "javascript" "*** Exception: key is not in the map \end{spec}

Segmentation Faults -------------------

\begin{spec} λ> :m +Data.Vector λ> let v = fromList ["haskell", "racket"] λ> unsafeIndex v 0 "haskell" \end{spec}

\begin{spec} λ> V.unsafeIndex v 3 'ghci' terminated by signal SIGSEGV ... \end{spec}

"HeartBleeds" ------------- \begin{spec} λ> :m + Data.Text Data.Text.Unsafe λ> let t = pack "Norman" λ> takeWord16 4 t "Norm" \end{spec}

Memory overflows **leaking secrets**...
\begin{spec} λ> takeWord16 20 t "Norman\1912\3148\SOH\NUL\15928\2486\SOH\NUL" \end{spec}

Goal ----
Extend Type System
+ To prevent *wider class* of errors + To enforce *program specific* properties

**Without sacrificing automation**

Algorithmic Verification ======================== Tension -------

Automation vs. Expressiveness Tension -------

Extremes: Hindley-Milner vs. CoC Tension -------

Trading off Automation for Expressiveness Tension -------

**Goal:** Find a sweet spot? Program Logics --------------
**Floyd-Hoare** (ESC, Dafny, SLAM/BLAST,...)
Automatic but **not** Expressive
+ Rich Data Types ? + Higher-order functions ? + Polymorphism ? Refinement Types ----------------
Generalize *Program Logics* with *Types*
+ **Properties:** Types + Predicates + **Proofs:** Subtyping + SMT Solvers

Towards reconciling Automation and Expressiveness

[[continue]](01_SimpleRefinements.lhs.slides.html)