Facebook's Code Checker - Computerphile

The Importance of Programming Language Design and the Challenges of Undecidability

As I recall, John Reynolds once asked me to share with him the dirtiest program I knew. To my surprise, he came back the next morning and said it was no longer a dirty program. This experience left a lasting impression on me, highlighting the importance of programming language design. As a result, I firmly believe that programming languages are crucial, and their design is equally important.

When it comes to attacking complex problems like deleting all nodes in a tree, using mathematical logic can be a powerful tool. A recursive procedure can be written to accomplish this task, making it possible for programmers to dispose of all the nodes with ease. However, the complexity of these problems often leads to undecidability, making it challenging to find a solution that works for everyone.

The Undecidability Problem

One of the fundamental challenges in programming is the undecidability problem. This refers to the difficulty in determining whether a given problem has a solution or not. In other words, there may be cases where a problem can be solved, but there's no algorithm that can guarantee a correct solution. This issue arises when working on undecidable problems, and it's essential to acknowledge its significance.

The Importance of Human Judgment

While tools like Infer can provide suggestions for fixing errors, human judgment is still necessary. Often, there's more than one cause for an error, making it difficult to pinpoint the root problem. Moreover, finding a unique fix requires a deep understanding of the code and the specific issue at hand. In such cases, humans must be involved in the decision-making process.

The Role of Tools in Code Development

Despite the challenges posed by undecidability, tools like Infer can still play a significant role in code development. They can provide suggestions for fixes, reduce the time spent on bug hunting, and help identify potential errors. However, it's crucial to recognize that these tools are not infallible. False positives and missed bugs are common issues, highlighting the need for human oversight.

Comical Instances of Error

There have been instances where Infer has gone wrong, providing comical examples of its limitations. One such instance involved a developer who received 60 copies of the same bug report, which might not be the best thing if repeated with all developers. This experience illustrates the importance of moving quickly to resolve issues and minimize the impact on others.

The Facebook Project

In another project at Facebook, Infer has been used to automatically suggest fixes for some errors. While it doesn't fix them entirely, it does provide a starting point for human developers to work from. In this case, the final decision lies with the humans, who must decide whether to accept the suggested fix or explore alternative solutions.

A Reasonable Approach

In light of these challenges and limitations, I believe that a reasonable approach is to have tools like Infer suggest multiple fixes and then involve humans in the decision-making process. This allows for a balance between the efficiency of machines and the critical thinking required by humans.

The Significance of Bletchley Park

Finally, it's worth noting that the work being done on undecidable problems has historical significance. The British codebreaking efforts at Bletchley Park played a crucial role in World War II, demonstrating the importance of human ingenuity and computational power. While we may not be working on cryptographic codes anymore, the lessons learned from these experiences remain relevant today.

The Role of Math in Software Engineering

As John Reynolds pointed out, math is essential in software engineering. However, it's also important to recognize that software development is a complex process that cannot be reduced to simple mathematical formulas. While math provides a powerful toolset for solving problems, it's only one part of the equation.

The Slogan "Move Fast and Break Things"

One interesting slogan at Facebook is "move fast and break things." While this might seem counterintuitive, it highlights the importance of being proactive in addressing issues that arise during software development. By moving quickly to resolve errors and minimize the impact on others, we can ensure a smoother experience for our users.

The Importance of Continuous Learning

In conclusion, programming language design is crucial, and working with undecidable problems requires continuous learning and adaptation. As we strive to create more efficient and effective tools like Infer, it's essential to acknowledge their limitations and involve humans in the decision-making process. By doing so, we can harness the power of both machines and human judgment to create better software solutions.

The Project Turing

In terms of intellectual heroes, I'd like to mention Turing, a programming language designer who made significant contributions to our field. His work on automating code analysis has inspired many researchers and developers. For those interested in learning more about the impact of computing on society during World War II, Bletchley Park is an excellent resource.

Transcript

Infer is a tool that tries to find bugs in computer code. It's called a static program analyzer: it does this without running the program. It takes the program in as input, then it examines the program and tries to reason about the program in something like how a human would do it. As it's doing this it makes guesses about the program, and sometimes the guesses are: oh, there will be a bug, there will be a null pointer crash, there will be a race condition amongst concurrent threads, things like this. Once it finds potential bugs it tells the Facebook developers and they get to act upon them. Also it's an open source tool, so it's used by other companies. We try to find as many bugs as we can to prevent them from getting into production.

We've done one or two videos on Turing and undecidability, on all these sorts of issues with paradox etc. Has this been done with machine learning or something? Can you talk to me about that?

It's done with some techniques in the older kind of AI called symbolic AI. Our tools have two techniques in them that are AI related. One is called the frame problem, which is about describing what the program can do without listing all of the myriad of things that it can't do. And then the other problem is called abductive inference, which is something from the philosophy of science by the philosopher Charles Peirce. This is about making hypotheses. Usually it's about making scientific hypotheses, but our tools make guesses about the computer program. The guess might be: this bit of code needs an acyclic linked list in order to run without producing a crash. So our tool would look at the code and make that guess and then try to confirm that guess. This is how a human might do it: a human might look at code, see a while loop, and then hypothesize, oh, I betcha this needs an acyclic linked list, or it's a cyclic linked list. So the tool tries to make these kinds of guesses, and it does it using symbolic logic, a form of symbolic logic called separation logic. It makes the guesses, then it tries to confirm the guesses.

As I understand it, the key to what Turing said was that in general you couldn't do this.

Turing showed that in general a certain problem, the halting problem, can't be solved by a computer algorithm, and it follows (something called Rice's theorem) that many other problems can't be solved by an algorithm. But "can be solved" means: for all input programs, can we answer in a perfect yes/no way whether, say, the program might crash, the program has a race condition, the program has a security violation? So there's two parameters here: "for all input programs" and "perfect yes/no". If you relax the "for all input programs" and look at a smaller collection of programs, then there's something you can do. And the other way you can play is you can relax the perfect yes/no answers. Our tools do both of those. We're concentrating on the programs that humans write at Facebook, which is a small, small, small subset of all programs, so we don't have to work for all input programs. And the other thing that we do: the perfect yes/no answers are still very difficult, so there's something about computability theory which says when you've got an undecidable problem you need to approximate it. You can get bigger and bigger subsets of the undecidable problem, or bigger and bigger subsets of the "no" part of the undecidable problem, but you will never get the perfect answer, so you have to approximate. This is an interesting thing about this: this means you know that you'll never be finished, you'll never find the algorithm to do the perfect yes/no answers. But what we do is we train our techniques on the Facebook code bases, and then we listen to what the programmers say and to what production crashes say, to try to make these approximations better. So we are working on formally undecidable problems, but we're trying to approximate them, and we're using what the Facebook engineers and what the production statistics tell us; they guide us towards good approximations. That's what's quite fascinating to me. When I was an academic before, I thought, oh, undecidable problems, this is a show stopper, you shouldn't try to answer these problems. But as soon as you get in the game and you realize, oh, what I need to do is approximate, then you're in a better position. There's a whole computer science theory called abstract interpretation about this approximation.

This is a bit like kind of the computer version of "you can't please all of the people all the time", right?

Well, yeah, especially... I mean, it's all of the people we would like to be able to, because again, all of the people still aren't going to write those infinitely many programs, right? But it's impossible at the moment to make one of these tools to tackle an undecidable problem that works for all input code bases in the world. It's not possible. But what we've found is that we can train them for certain specific kinds of code bases, and a good place to do this is an industry like Facebook, which has various code bases, very big, hundreds of millions of lines of code, but there is some regularity to that code and there are design principles that the engineers use. So we try to get to know the mind of the engineers, get to know the mind of the programmers, and we can just know that by feedback from them; we don't just dream up what it is. We tailor our algorithms to that, and then we start getting good results. But if we try to just apply it to all random code in the world, then we don't get good results, and I think that's true in general for the area.

You've got these titans of computer science, as you mentioned, you know, Turing and various other people kind of working on this problem. Where do you come in?

I come in in the early 2000s. I had a research team and I was working on a theory called separation logic, which I developed with my colleague Professor John Reynolds from Carnegie Mellon. This built on another of the things that Turing did. Turing did all of the bit about undecidability, but he also founded the area of program verification. He wrote a paper in, I think, 1949 called "Checking a Large Routine". For him, large was a few tens of lines of code. He showed how the human could write little logical statements around various parts of the code and then confirm that the code did the right thing. We made a theory to try to do similar sorts of stuff for more modern software, with the pointers and the objects and things that one finds in modern software, and this worked very, very well for proving programs by hand like Turing was doing. We scaled his techniques so we could do better. And then I had a graduate student, Cristiano Calcagno, who said maybe we can convert this into a tool that tries to do the same thing. Then Cristiano and a number of other people joined me and we did years of research, and then him and another fellow, Distefano, decided let's make a startup company and try to make this real. Facebook bought the startup company in 2013, a company called Monoidics, and then, presto, I ended up at Facebook. So I started from proving programs by hand like Turing was doing. This is like: take this infinite collection of input programs, let's make it one program. Right, now we can get a perfect yes/no answer, but the human has to guide it. Then we made very efficient techniques for the human to do the proof using separation logic. Then we said let's make the computer mimic what we're doing in our hand proofs, and so we did that, and oddly enough it all worked out. I never, never, never expected to be able to run these algorithms on tens of millions of lines of code. Never. But there are some technical reasons why it worked, but we made it there. So I didn't plan to apply these techniques to tens of millions of lines of code, but it happened.

We've done a number of videos on things like functional programming, and I know there's a lot of talk about using functional programs to prove things to do with programs. Will this work on any kind of, say, programming language and things, or are you set on whatever code base Facebook is using?

See, it works on any kind of programming language. There is a school of thought which says we need to change the programming language to make it easier to verify, but I come from a different point of view. I say there's billions of lines of code out there, and instead of rewriting the world, mathematical logic is very powerful, why don't we try to deal with that code as is? And this theory, separation logic, when we discovered it we were shocked, because we were able to give nice, pretty mathematical proofs for not only C programs but assembly language programs. This was a shock, because my prejudice at the time, and my co-author John Reynolds's prejudice, was "thou shalt use functional programming languages" or lovely things like that. But then I found that certain very dirty algorithms had beautiful proofs. Like, there's an algorithm for coding doubly linked lists where, instead of having forward and back pointers, you use the XOR of them in order to use less memory. It's a funny program. But one day John Reynolds said to me, "Peter, tell me the dirtiest program you know." I told him this program, and then the next morning he came into the office and said, "It's not a dirty program anymore, here's the proof." This was really a shock and an eye opener. And so as a result I feel like, yes, programming languages are important and programming language design is so important, but using mathematical logic there's no reason why we can't attack all of the code. If a programmer wants to dispose all of the nodes in a tree, to delete them, they can write a recursive procedure that works like this, if I...

You mentioned it's open source. We have a lot of coders who watch the videos here. If somebody wants to go and have a look at it, or have a try or a play of it, how do they go about that? Where would they go?

Yeah, they can go to our website, it's fbinfer.com. Once they're there they can download Infer from GitHub, they can run it on their own code, they can search for integrations with whatever build system they might be using. We use a build system called Buck; there's another build system called Gradle which people use; there's various build systems. So they can do that, they can get community support and maybe ask a few questions.

Is the next step for it to then start fixing the code for them?

That's very interesting. So that's a dream, and there is a project at Facebook, not by my team but by another team, which does automatically fix some of Infer's warnings, simpler ones, null pointer exceptions. Now that's pretty remarkable. It doesn't automatically fix, it automatically suggests a fix, but we're letting the human decide. So the humans have the final say whether to accept that fix or not. That's really exciting, but I don't tend to think that the robots are going to fix all of our code for us, because for any given bug often there's no unique cause and there's no unique fix, and at this moment and for the foreseeable future human judgment is needed, especially on the more subtle ones, to know which of the fixes is the right one. I think a reasonable approach is to have a tool suggest several fixes and then the humans decide. But I'm not in the camp of thinking that the bots are going to give us the right fixes. I don't think it's really possible in the foreseeable future. Development is a process.

Have you had anything where it's gone wrong at all? Have you had problems with it at all?

Now we're in the realm of software engineering, we're not in the realm of mathematical logic, so it can't be perfect. Here's one example. So we have false positives, where we give wrong answers, but there are more comical things that have gone wrong. One time Infer ran wild and it spammed one of the developers. It found a potential error, or what it thought was a potential error, and instead of reporting it once it reported it 60 times. Luckily the developer that it did it to did not get upset; he just laughed and he sent us a message saying, "Has Infer gone a little bit insane today?" There's a very interesting slogan at Facebook called "move fast and break things"; there's an old slogan. If we were to break things with the Infer tool, so say we spammed the developer by giving them 60 copies of the same bug report, which might not be the best thing if we did this to all the developers, so if we make a mistake, and it's an honest mistake, and then we move fast to resolve it, to help the people, then it's good. So I gave you a comical instance of where Infer went wrong, but on any given day Infer will make bug report suggestions which are not true, and it will miss potential bugs too. This is all related to the undecidability, right, the undecidability of the problems we're working on, the undecidability in the sense of Turing and Gödel. You're going to run into these problems if you're working on undecidable things. So, yeah, another way to say it is it's imperfect because of undecidability, but it also means we'll never be finished. Our job will never be finished; it's like a job for life, working on an undecidable problem.

We're contributing some funds to help support Bletchley Park. There's the link to Turing, which is one of my intellectual heroes, but also Bletchley Park historically was important in computing and in society for the role that it played in the Second World War.

...parallel way of removing all the nodes in the tree
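The XOR doubly linked list the interviewee describes (the "dirtiest program" that Reynolds proved correct overnight) is the kind of code a points-to analysis cannot follow, because the prev and next pointers only exist as one integer. The following is an added C example written for this page, not code from the video or from the Infer project; the node layout and every function name are my own.

```c
/* XOR-linked doubly linked list: each node stores prev XOR next in one
 * integer field, so neither neighbour is visible as a pointer to a tool
 * that only tracks pointer-typed fields. Names are mine (assumption). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct xnode {
    int value;
    uintptr_t link;          /* (uintptr_t)prev ^ (uintptr_t)next */
} xnode;

/* Given the address of the previous node (0 for none) and the current
 * node, recover the next node: link ^ prev == next. */
static xnode *xlist_step(uintptr_t prev, const xnode *cur) {
    return (xnode *)(cur->link ^ prev);
}

/* Insert at the head. The old head's prev changes from NULL to the new
 * node, which is a single XOR with the new node's address. */
static xnode *xlist_push(xnode *head, int value) {
    xnode *n = malloc(sizeof *n);
    if (n == NULL) abort();
    n->value = value;
    n->link = (uintptr_t)head;             /* prev = NULL, next = head */
    if (head != NULL)
        head->link ^= (uintptr_t)n;        /* was 0 ^ next, now n ^ next */
    return n;
}

/* Walk from start in one direction, writing up to cap values into out and
 * returning the number of nodes visited. Starting from the head gives
 * forward order, starting from the tail gives reverse order, with the
 * same code, because the representation is symmetric. */
static size_t xlist_collect(const xnode *start, int *out, size_t cap) {
    uintptr_t prev = 0;
    const xnode *cur = start;
    size_t n = 0;
    while (cur != NULL) {
        if (n < cap) out[n] = cur->value;
        n++;
        const xnode *next = xlist_step(prev, cur);
        prev = (uintptr_t)cur;
        cur = next;
    }
    return n;
}

/* Last node reachable from head, or NULL for an empty list. */
static const xnode *xlist_tail(const xnode *head) {
    uintptr_t prev = 0;
    const xnode *cur = head, *last = NULL;
    while (cur != NULL) {
        last = cur;
        const xnode *next = xlist_step(prev, cur);
        prev = (uintptr_t)cur;
        cur = next;
    }
    return last;
}

/* Dispose all nodes; returns how many were freed. prev is kept as an
 * integer, so a freed address is never held or used as a pointer. */
static size_t xlist_dispose(xnode *head) {
    uintptr_t prev = 0;
    xnode *cur = head;
    size_t freed = 0;
    while (cur != NULL) {
        xnode *next = xlist_step(prev, cur);
        prev = (uintptr_t)cur;
        free(cur);
        freed++;
        cur = next;
    }
    return freed;
}

/* Build 1..5 by pushing at the head (forward order 5,4,3,2,1), check both
 * traversal directions, then free everything. Returns 1 on success. */
int xlist_demo_check(void) {
    xnode *head = NULL;
    for (int v = 1; v <= 5; v++) head = xlist_push(head, v);

    int fwd[5], back[5];
    size_t nf = xlist_collect(head, fwd, 5);
    size_t nb = xlist_collect(xlist_tail(head), back, 5);
    int ok = (nf == 5 && nb == 5);
    for (int i = 0; i < 5 && ok; i++)
        ok = (fwd[i] == 5 - i) && (back[i] == i + 1);

    ok = ok && xlist_dispose(head) == 5;
    return ok ? 1 : 0;
}

int main(void) {
    puts(xlist_demo_check() ? "xor list ok" : "xor list FAILED");
    return 0;
}
```

Note that xlist_dispose is the XOR-list counterpart of the recursive "dispose all the nodes" procedure mentioned in the interview; the correctness argument rests on the invariant that each node's link field is exactly prev XOR next, which is what a separation-logic proof would state for the list segment.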