Thomas Ball's research while affiliated with Microsoft and other places

Publications (151)

Article
A recent growth area in computer science education is physical computing, which involves combining software and hardware to build interactive physical systems that sense and respond to the real world. This article provides an overview of physical computing and its value in the classroom, using the BBC micro:bit as an example.
Article
A codable computer half the size of a credit card is inspiring students worldwide to develop core computing skills in fun and creative ways.
Conference Paper
Microsoft MakeCode (https://www.makecode.com) is a platform and accompanying web app for simplifying the programming of microcontroller-based devices in the classroom. For each device, MakeCode provides a customized end-to-end experience in the web browser consisting of code editors, device simulator, debugger, compiler to machine code, and linker...
Conference Paper
While the programming of microcontroller-based embeddable devices typically is the realm of the C language, such devices are now finding their way into the classroom for CS education, even at the level of middle school. As a result, the use of scripting languages (such as JavaScript and Python) for microcontrollers is on the rise. We present Static...
Article
Full-text available
Historically, embedded systems development has been a specialist skill, requiring knowledge of low-level programming languages, complex compilation toolchains, and specialist hardware, firmware, device drivers and applications. However, it has now become commonplace for a broader range of non-specialists to engage in the making (design and developm...
Conference Paper
The growing maker movement has created a number of hardware and construction toolkits that lower the barriers of entry into programming for youth and others, using a variety of approaches, such as gaming or robotics. For constructionist-like kits that use gaming, many are focused on designing and programming games that are single player, and few ex...
Article
Full-text available
Across the globe, it is now commonplace for educators to engage in the making (design and development) of embedded systems in the classroom to motivate and excite their students. This new domain brings its own set of unique requirements. Historically, embedded systems development requires knowledge of low-level programming languages, local installa...
Conference Paper
Full-text available
Across the globe, it is now commonplace for educators to engage in the making (design and development) of embedded systems in the classroom to motivate and excite their students. This new domain brings its own set of unique requirements. Historically, embedded systems development requires knowledge of low-level programming languages, local installa...
Conference Paper
As the Internet of Things becomes commonplace, modern software must encompass the sensors, actuators and controllers that make up these physical computers. But can non-experts program such systems? Can such software development be undertaken by anyone, especially programmers who are learning or who are not aiming to be technical experts? We describ...
Conference Paper
Paper-based fabrication techniques offer powerful opportunities to prototype new technological interfaces. Typically, paper-based interfaces are either static mockups or require integration with sensors to provide real-time interactivity. The latter can be challenging and expensive, requiring knowledge of electronics, programming, and sensing. But...
Conference Paper
Paper-based fabrication techniques offer powerful opportunities to prototype new technological interfaces. Typically, paper-based interfaces are either static mockups or require integration with sensors to provide real-time interactivity. The latter can be challenging and expensive, requiring knowledge of electronics, programming, and sensing. But...
Conference Paper
The micro:bit (http://www.microbit.org) is a pocket-sized, programmable computing device, designed to engage people with computing technology. The micro:bit is visually appealing, fun, easy to code and inexpensive. It is widely available at schools in the United Kingdom and is now being rolled out world-wide. Key features of the micro:bit that make...
Conference Paper
In this paper we describe our experience of enabling Static Driver Verifier to use the Microsoft Azure cloud computing platform. We first describe in detail our architecture and methodology for enabling SDV to operate in the Microsoft Azure cloud. We then present our results of using CloudSDV on single drivers and driver suites using various config...
Conference Paper
The chance to influence the lives of a million children does not come often. Through a partnership between the BBC and several technology companies, a small instructional computing device called the BBC micro:bit will be given to a million children in the UK in 2016. Moreover, using the micro:bit will be part of the CS curriculum. We describe how M...
Article
The 2014 computer-aided verification (CAV) award was presented on July 19, 2014, at the 26th annual CAV conference in Vienna to Patrice Godefroid, Doron Peled, Antti Valmari, and Pierre Wolper for the development of partial-order-reduction algorithms for efficient state-space exploration of concurrent systems.
Conference Paper
Software engineering tools and environments are migrating to the cloud, enabling more people to participate in programming from many more devices. To study this phenomenon in detail, we designed, implemented and deployed Touch Develop (url www.touchdevelop.com), a cloud-based integrated development environment (CIDE), which has been online for the...
Article
Full-text available
Industry is ready and waiting for more graduates educated in the principles of programming languages.
Conference Paper
Full-text available
Software-defined networking (SDN) is a new paradigm for operating and managing computer networks. SDN enables logically-centralized control over network devices through a "controller" software that operates independently from the network hardware, and can be viewed as the network operating system. Network operators can run both inhouse and third-pa...
Article
Full-text available
Software-defined networking (SDN) is a new paradigm for operating and managing computer networks. SDN enables logically-centralized control over network devices through a "controller" software that operates independently from the network hardware, and can be viewed as the network operating system. Network operators can run both inhouse and third-pa...
Article
We are experiencing a technology shift: Powerful and easy-to-use mobile devices like smartphones and tablets are becoming more prevalent than traditional PCs and laptops. Mobile devices are going to be the first and, in less developed countries, possibly the only computing devices which virtually all people will own and carry with them at all times...
Conference Paper
Software tools researchers can accelerate their ability to learn by exposing tools to users via web technologies, allowing them to observe and test the interactions between humans and tools. At Microsoft Research, we have developed a web service (http://www.rise4fun.com/) for such a purpose that is available for community use.
Conference Paper
We study the problem of suggesting code repairs at design time, based on the warnings issued by modular program verifiers. We introduce the concept of a verified repair, a change to a program's source that removes bad execution traces while increasing the number of good traces, where the bad/good traces form a partition of all the traces of a progr...
Conference Paper
In the last decade, advances in satisfiability-modulo-theories (SMT) solvers have powered a new generation of software tools for verification and testing. These tools transform various program analysis problems into the problem of satisfiability of formulas in propositional or first-order logic, where they are discharged by SMT solvers, such as Z3...
Article
Model checking has been widely successful in validating and debugging designs in the hardware and protocol domains. However, state-space explosion limits the applicability of model checking tools, so model checkers typically operate on abstractions of systems. Recently, there has been significant interest in applying model checking to software. For...
Article
Commercial software development is a complex task that requires a thorough understanding of the architecture of the software system. We analyze the Windows Server 2003 operating system in order to assess the relationship between its software dependences, churn metrics and post-release failures. Our analysis indicates the ability of software depende...
Conference Paper
Full-text available
Software drivers are usually developed after hardware devices become available. This dependency can induce a long product cycle. Although co-simulation and co-verification techniques have been utilized to facilitate the driver development, Hardware/Software (HW/SW) interface models, as the test harnesses, are often challenging to specify. Such inte...
Conference Paper
Parallel or incremental versions of an algorithm can significantly outperform their counterparts, but are often difficult to develop. Programming models that provide appropriate abstractions to decompose data and tasks can simplify parallelization. We show in this work that the same abstractions can enable both parallel and incremental execution. W...
Conference Paper
Parallel or incremental versions of an algorithm can significantly outperform their counterparts, but are often difficult to develop. Programming models that provide appropriate abstractions to decompose data and tasks can simplify parallelization. We show in this work that the same abstractions can enable both parallel and incremental execution. W...
Article
Full-text available
LARGE-SCALE SOFTWARE DEVELOPMENT is a notoriously difficult problem. Software is built in layers, and APIs are exposed by each layer to its clients. APIs come with usage rules, and clients must satisfy them while using the APIs. Violations of API rules can cause runtime errors. Thus, it is useful to consider whether API rules can be formally docume...
Article
Full-text available
Today, multicore computers are commonplace and university curricula are lagging behind. We need to work concurrency and parallelism into introductory courses, while also maintaining upper-level specialized courses on the topic. Since teachers may themselves require education on the topic, we feel that it is important to make course materials fre...
Article
Developing concurrent software is hard. Testing concurrent software is harder. Although sequential program testing has many useful concepts, techniques, and tools (for example, assertions, unit testing, test-driven development, code coverage, and test generation tools), the testing workbench for concurrent programs is comparatively quite bare. Ches...
Article
The use of assertions in software development is thought to help produce quality software. Unfortunately, there is scant empirical evidence in commercial software systems for this argument to date. This paper presents an empirical case study of two commercial software components at Microsoft Corporation. The developers of these components systemati...
Article
Full-text available
Concurrency is used pervasively in the development of large systems programs. However, concurrent programming is difficult because of the possibility of unexpected interference among concurrently executing tasks. Such interference often results in "Heisenbugs" that appear rarely and are extremely difficult to reproduce and debug. Stress testing, in...
Conference Paper
Full-text available
We develop an approach to model checking Linear Temporal Logic (LTL) properties of Büchi Pushdown Systems (BPDS). Such BPDS models are suitable for Hardware/Software (HW/SW) co-verification. Since a BPDS represents the asynchronous transitions between hardware and software, some transition orders are unnecessary to be explored in verification. We d...
Article
Full-text available
Multicore computers are now the norm. Taking advantage of these multiple cores entails parallel and concurrent programming. There is therefore a pressing need for courses that teach effective programming on multicore architectures. We believe that such courses should emphasize high-level abstractions for performance and correctness and be support...
Article
Modern programming frameworks provide enormous libraries arranged in complex structures, so much so that a large part of modern programming is searching for APIs that "surely exist" somewhere in an unfamiliar part of the framework. We present a novel way of phrasing a search for an unknown API: the programmer simply writes an expression leaving hole...
Article
Full-text available
Static Driver Verifier (SDV) is a verification tool included in the Windows 7 Driver Kit (WDK). SDV uses SLAM as the program analysis engine. SDV 2.0 released with Windows 7 uses a re-designed SLAM2 engine. SLAM2 improves the precision and performance of predicate evaluation by using Z3 SMT solver. To handle predicates with pointers in SLAM2, we...
Conference Paper
Full-text available
In theory, counterexample-guided abstraction refinement (CEGAR) uses spurious counterexamples to refine overapproximations so as to eliminate provably false alarms. In practice, CEGAR can report false alarms because: (1) the underlying problem CEGAR is trying to solve is undecidable; (2) approximations introduced for optimization purposes may cause...
Conference Paper
Full-text available
We present an efficient approach to reachability analysis of Büchi Pushdown System (BPDS) models for Hardware/Software (HW/SW) co-verification. This approach utilizes the asynchronous nature of the HW/SW interactions to reduce unnecessary HW/SW state transition orders being explored in co-verification. The reduction is applied when the verifica...
Conference Paper
Full-text available
The Sdv Research Platform (Sdvrp) is a new academic release of Static Driver Verifier (Sdv) and the Slam software model checker that contains: (1) a parameterized version of Sdv that allows one to write custom API rules for APIs independent of device drivers; (2) thousands of Boolean programs generated by Sdv in the course of verifying Windows d...
Conference Paper
Full-text available
In this paper, we present an automata-theoretic approach to Hardware/Software (HW/SW) co-verification. We designed a co-specification framework describing HW/SW systems; synthesized a hybrid Büchi Automaton Pushdown System model for co-verification, namely Büchi Pushdown System (BPDS), from the co-specification; and built a software tool fo...
Conference Paper
Full-text available
The choice of where a thread scheduling algorithm preempts one thread in order to execute another is essential to reveal concurrency errors such as atomicity violations, livelocks, and deadlocks. We present a scheduling strategy called preemption sealing that controls where and when a scheduler is disabled from preempting threads during program exe...
Conference Paper
Full-text available
Theorem-prover based modular checkers have the potential to perform scalable and precise checking of user-defined properties by combining path-sensitive intraprocedural reasoning with user-defined procedure abstractions. However, such tools have seldom been deployed on large software applications of industrial relevance due to the annotation burden...
Conference Paper
Concurrency is pervasive in large systems. Unexpected interference among threads often results in "Heisenbugs" that are extremely difficult to reproduce and eliminate. We have implemented a tool called CHESS for finding and reproducing such bugs. When attached to a program, CHESS takes control of thread scheduling and uses efficient search...
Conference Paper
In recent years, we see a growing awareness to the importance of assessing the quality of specifications. In the context of model checking, this can be done by analyzing the effect of applying mutations to the specification or the system. If the system satisfies the mutated specification, we know that some elements of the specification do not play...
Conference Paper
Concurrency is pervasive in large systems. Unexpected interference among threads often results in "Heisenbugs" that are extremely difficult to reproduce and eliminate. We have implemented a tool called CHESS for finding and reproducing such bugs. When attached to a program, CHESS takes control of thread scheduling and uses efficient search techni...
Conference Paper
We present a case study in which a team of test engineers at Microsoft applied a feedback-directed random testing tool to a critical component of the .NET architecture. Due to its complexity and high reliability requirements, the component had already been tested by 40 test engineers over five years, using manual testing and many automated testin...
Conference Paper
Commercial software development is a complex task that requires a thorough understanding of the architecture of the software system. We analyze the Windows Server 2003 operating system in order to assess the relationship between its software dependencies, churn measures and post-release failures. Our analysis indicates the ability of software depen...
Conference Paper
Finite abstraction helps program analysis cope with the huge state space of programs. We wish to use abstraction in the process of error detection. Such a detection involves reachability analysis of the program. Reachability in an abstraction that under-approximates the program implies reachability in the concrete system. Under-approximation techni...
Conference Paper
We present a technique that improves random test generation by incorporating feedback obtained from executing test inputs as they are created. Our technique builds inputs incrementally by randomly selecting a method call to apply and finding arguments from among previously-constructed inputs. As soon as an input is built, it is executed and checked...
Article
We present a new approach for performing predicate abstraction based on symbolic decision procedures. Intuitively, a symbolic decision procedure for a theory takes a set of predicates in the theory and symbolically executes a decision procedure on all the subsets over the set of predicates. The result of the symbolic decision procedure is a shared...
Conference Paper
Abstraction frameworks use under-approximating transitions in order to prove existential properties of concrete systems. Under-approximating transitions refer to the concrete states that correspond to a particular abstract state in a universal manner. For example, there is a must transition from abstract state a to abstract state a ′ only if all th...
Conference Paper
We present a new approach for performing predicate abstraction based on symbolic decision procedures. A symbolic decision procedure for a theory T (SDP_T) takes sets of predicates G and E and symbolically executes a decision procedure for T on G′ ∪ {¬e | e ∈ E}, for all the subsets G′ of G. The result of SDP_T is a shared expression (represented...
Article
Full-text available
Over the last few years, technologies for the formal description, construction, analysis, and validation of software - based mostly on logics and formal reasoning - have matured. We can expect them to complement and partly replace traditional software engineering methods in the future. Formal methods in software engineering are an increasingly impo...
Conference Paper
The benefits that a software organization obtains from estimates of product quality are dependent upon how early in the product cycle that these estimates are available. Early estimation of software quality can help organizations make informed decisions about corrective actions. To provide such early estimates we present an empirical case study of...
Conference Paper
The use of assertions in software development is thought to help produce quality software. Unfortunately, there is scant empirical evidence in commercial software systems for this argument to date. This paper presents an empirical case study of two commercial software components at Microsoft Corporation. The developers of these components systemati...
Conference Paper
Automatically proving that a program has some property requires the discovery of appropriate abstractions. Such abstractions simplify the proof task and make it tractable. One approach is for a human to identify an appropriate abstraction. Another approach is to use the computer to search for an appropriate abstraction, based on the program and pro...
Conference Paper
Full-text available
Bugs in kernel-level device drivers cause 85% of the system crashes in the Windows XP operating system (44). One of the sources of these errors is the complexity of the Windows driver API itself: programmers must master a complex set of rules about how to use the driver API in order to create drivers that are good clients of the kernel. We have bui...
Conference Paper
What is it that makes software fail? In an empirical study of the post-release defect history of five Microsoft software systems, we found that failure-prone software entities are statistically correlated with code complexity measures. However, there is no single set of complexity metrics that could act as a universally best defect predictor. Us...
Article
Full-text available
Formal methods in software engineering are an increasingly important application area for intelligent systems. The field has outgrown the area of academic case studies, and industry is showing serious interest. This installment of Trends & Controversies looks at the state of the art in formal methods and discusses the developments that make success...
Conference Paper
Abstraction is a key technique for reasoning about systems with very large or even infinite state spaces. When a system is composed of reactive components, the interaction between the components is modeled by a multi-player game and verification corresponds to finding winners in the game. We describe an abstraction-refinement framework for multi-...
Conference Paper
We present a method for static program analysis that leverages tests and concrete program executions. State abstractions generalize the set of program states obtained from concrete executions. A theorem prover then checks that the generalized set of concrete states covers all potential executions and satisfies additional safety properties. Our meth...
Conference Paper
Automated theorem provers (ATPs) are a key component that many software verification and program analysis tools rely on. However, the basic interface provided by ATPs (validity/satisfiability checking of formulas) has changed little over the years. We believe that program analysis clients would benefit greatly if ATPs were to provide a richer set o...
Conference Paper
The software analysis community has made a lot of progress in creating software tools for detecting defects and performing proofs of shallow properties of programs. We are witnessing the birth of a virtuous cycle between software tools and their consumers and I, for one, am very excited about this. We understand much better how to engineer program...
Conference Paper
Abstraction is traditionally used in the process of verification. There, an abstraction of a concrete system is sound if properties of the abstract system also hold in the concrete system. Specifically, if an abstract state a satisfies a property ψ then all the concrete states that correspond to a satisfy ψ too. Since the ideal goal of proving a sy...
Conference Paper
Software systems evolve over time due to changes in requirements, optimization of code, fixes for security and reliability bugs etc. Code churn, which measures the changes made to a component over a period of time, quantifies the extent of this change. We present a technique for early prediction of system defect density using a set of relative code...
Conference Paper
During software development it is helpful to obtain early estimates of the defect density of software components. Such estimates identify fault-prone areas of code requiring further testing. We present an empirical approach for the early prediction of pre-release defect density based on the defects found using static analysis tools. The defects ide...
Article
Full-text available
Predicate abstraction is a technique for creating abstract models of software that are amenable to model checking algorithms. Because model checking algorithms have worst-case behavior that is exponential in the number of predicates in the model, it is highly desirable to reduce the number of predicates, while retaining precision. We show how polymo...
Article
Change is an inevitable part of successful software systems. Software changes induce costs, as they force people to repeat earlier assessments. On the other hand, knowing about software changes can also bring benefits, as changes are artifacts that can be analyzed. In the last years, researchers have begun to analyze software together with its chan...
Chapter
To check a safety property of a program, it is sufficient to check the property on an abstraction that has more behaviors than the original program. If the safety property holds of the abstraction then it also holds of the original program. However, if the property does not hold of the abstraction along some trace t (a counterexample), it may or m...
Article
From 26.06.05 to 01.07.05, the Dagstuhl Seminar 05261 ``Multi-Version Program Analysis'' was held in the International Conference and Research Center (IBFI), Schloss Dagstuhl. During the seminar, several participants presented their current research, and ongoing work and open problems were discussed. Abstracts of the presentations given during the...
Conference Paper
Consider a program with m statements and n predicates, where the predicates are derived from the conditional statements and assertions in a program. An observable state is an evaluation of the n predicates under some state at a program statement. The goal of predicate-complete testing (PCT) is to evaluate all the predicates at every program state....
Article
Counterexample-driven abstraction refinement is an automatic process that produces abstract models of finite and infinite-state systems. When this process is applied to software, an automatic theorem prover for quantifier-free first-order logic helps to determine the feasibility of program paths and to refine the abstraction. In this paper we repor...
Article
Full-text available
What tools do we use to develop and debug software? Most of us rely on a full-screen editor to write code, a compiler to translate it, a source-level debugger to correct it, and a source-code control system to archive and share it. These tools originated in the 1970s, when the change from batch to interactive programming stimulated the development...
Conference Paper
Full-text available
The SLAM project originated in Microsoft Research in early 2000. Its goal was to automatically check that a C program correctly uses the interface to an external library. The project used and extended ideas from symbolic model checking, program analysis and theorem proving in novel ways to address this problem. The SLAM analysis engine forms the co...
Conference Paper
Full-text available
Predicate abstraction is an automatic technique that can be used to find abstract models of large or infinite-state systems. In tools like Slam, where predicate abstraction is applied to software model checking, a number of heuristic approximations must be used to improve the performance of computing an abstraction from a set of predicates. For thi...