The PDC and Application Compatibility, but still no Hosting
May 29th, 2008 by kerrysoft and tagged design pattern, SQL
The PDC has happened, which means two things. I can post some of my (somewhat self-censored) reactions to the show, and I can discuss what we've disclosed about Whidbey and Longhorn more freely. In this particular case, I had planned to talk about the deep changes we're making in Whidbey to allow you to host the CLR in your process. As you'll see, I got sidetracked and ended up talking about Application Compatibility instead.
But first, my impressions of the PDC:
The first keynote, with Bill, Jim & Longhorn, was guaranteed to be good. It had all the coolness of Avalon, WinFS and Indigo, so of course it was impressive. In fact, throughout all the sessions I went to, I was surprised by the sheer polish and maturity of Longhorn. In my opinion, Avalon looked like it is the most mature and furthest along. Indigo also looked surprisingly solid. WinFS looked good in the keynote, where it was all about the justification for the technology. But in the drill-down sessions, I had the sense that it's not as far along as the others.
Hopefully all the attendees realize that Longhorn is still a long way off. It's hard to see from the demos, but a lot of key design issues and huge missing pieces remain.
Incidentally, I still can't believe that we picked WinFX to identify the new managed frameworks and WinFS to identify the new storage system. One of those names has got to go.
I was concerned that the Whidbey keynote on Tuesday would seem mundane and old-fashioned by comparison. But to an audience of developers, Eric's keynote went over very well indeed. Visual Studio looked better than I've ever seen it. The device app was so easy to write that I think I could build a FedEx-style package tracking application in a weekend. The high point of this keynote was ASP.NET. I hadn't been paying attention to what they've done lately, so I was blown away by the personalization system and by the user-customizable web pages. If I had found a site like that, I would have assumed the author spent weeks getting it to work properly. It's hard to believe this can all be done with drag-and-drop.
In V1, ASP.NET hit a home run by focusing like a laser beam on the developer experience. Everyone put so much effort into building apps, questioning why each step was necessary, and refining the process. It's great to see that they continue to have that same discipline. In the drill-down sessions, over and over again I saw that focus resulting in a near-perfect experience for developers. There are some other teams, like Avalon, that seem to have a similar religion and are getting similar results. (Though Avalon urgently needs some tools support. Notepad is fine for authoring XAML in demos, but I wouldn't want to build a real application this way.)
Compared to ASP.NET, some other teams at Microsoft are still living in the Stone Age. Those teams are still on a traditional cycle of building features, waiting for customers to build applications with those features, and then incorporating any feedback. Beta is way too late to find out that the programming model is awkward. We shouldn't be shirking our design responsibilities like this.
Anyway, the 3rd keynote (from Rick Rashid & Microsoft Research) should have pulled it all together. I think the clear message should have been something like:
Whidbey is coming next and has great developer features. After that, Longhorn will arrive and will change everything. Fortunately, Microsoft Research is looking 10+ years out, so you can be sure we will continue to lead the whole industry.
This should have been an easy story to tell. The fact is that MSR is a world class research institution. Browse the Projects, Topics or People categories at http://research.microsoft.com and you'll see many name brand researchers like Butler Lampson and Jim Gray. You will see enormous breadth in the areas under research, from pure math and algorithms to speech, graphics and natural language. There are even some esoterica like nanotech and quantum computing. We should have used the number of published papers and other metrics to compare MSR with other research groups in the software industry, and with major research universities. And then we should have given some whiz-bang demos of about 2 minutes each.
Unfortunately, I think instead we sent a message that interesting technology comes from Microsoft product groups, while MSR is largely irrelevant. Yet nothing could be further from the truth. Even if I limit consideration to the CLR, MSR has had a huge impact. Generics is one of the largest features added to the CLR, C# or the base Frameworks in Whidbey. This feature was added to the CLR by MSR team members, who now know at least as much about our code base as we do. All the CLR's plans for significantly improved code quality and portable compilers rely upon a joint venture between MSR and the compiler teams. To my knowledge, MSR has used the CLR to experiment with fun things like transparent distribution, moving objects based on locality, techniques for avoiding security stack crawls, interesting approaches to concurrency, and more. SPOT (Smart Object Personal Technology) is a great example of what MSR has done with the CLR's basic IL and metadata design, ultimately leading to a very cool product.
In my opinion, Microsoft Research strikes a great balance between long term risky experimentation and medium term product-oriented improvements. I wish this had come across better at the PDC.
Trends
In the 6+ years I've been at Microsoft, we've had 4 PDCs. This is the first one I've actually attended, because I normally have overdue work items or too many bugs. (I've missed all 6 of our mandatory company meetings for the same reason.) So I really don't have a basis for comparison.
I expected everyone to be worked up about all the security issues of the last year, like Slammer and Blaster. And I expected developers to be interested in all aspects of security. Instead, the only time the topic came up in my discussions was when I raised it.
However, some of my co-workers did notice a distinct change in the level of interest in security. For example, Sebastian Lange and Ivan Medvedev gave a talk on managed security to an audience of 700-800. They reported a substantial improvement in awareness and knowledge on the part of all PDC attendees.
But consider a talk I attended on Application Compatibility. At a time when most talks were overflowing into the hallways, this talk filled less than 50 seats of a 500 to 1000 seat meeting room. I know that AppCompat is critically important to IT. And it's a source of friction for the entire industry, since everyone is reluctant to upgrade for fear of breaking something. But for most developers this is all pretty boring compared to the cool visual effects we can achieve with a few lines of XAML.
Despite a trend to increased interest in security on the part of developers, I suspect that security remains more of an IT operations concern than a developer concern. And although the events of the last year or two have gotten more developers excited about security (including me!), I doubt that we will ever get developers excited about more mundane topics like versioning, admin or compatibility. This latter stuff is just boring.
That doesn't mean that the industry is doomed. Rather, it means that modern applications must receive strong versioning, compatibility and security guarantees by default rather than through deep developer involvement. Fortunately, this is entirely in keeping with our long term goals for managed code.
With the first release of the CLR, the guarantees for managed applications were quite modest. We guaranteed memory safety through a precise garbage collector, type safety through verification, binding safety through strong names, and security through CAS. (However, I think we would all agree that our current support for CAS still requires far too much developer effort and not enough automated guarantees. Our security team has some great long-term ideas for addressing this.)
More importantly, we expressed programs through metadata and IL, so that we could extend the benefits of reasoning about these programs over time. And we provided metadata extensibility in the form of Custom Attributes and Custom Signature Modifiers, so that others could add to the capabilities of the managed environment without relying on the CLR team's schedule.
FxCop (http://www.gotdotnet.com/team/fxcop/) is an obvious example of how we can benefit from this ability to reason about programs. All teams developing managed code at Microsoft are religious about incorporating this tool into their build process. And since FxCop supports adding custom rules, we have added a large number of Microsoft-specific or product-specific checks.
Churn and Application Breakage
We also have some internal tools that allow us to compare different versions of assemblies so we can find accidental breaking changes. Frankly, these tools are still maturing. Even in the Everett timeframe, they did a good job of flagging violations like the removal of a public method from a class or addition of a method to an interface. But they didn't catch changes in serialization format, or changes to representation after marshaling through PInvoke or COM Interop. As a result, we shipped some unintended breaking changes in Everett, and until recently we were on a path to do so again in Whidbey.
As far as I know, these tools still don't track changes to CAS demands, internal dependency graphs, thread-safety expectations, exception flow (including a static replacement for the checked exceptions feature), reliability contracts, or other aspects of execution. Some of these checks will probably be added over time, perhaps by adding extra metadata to assemblies to reveal the developer's intentions and to make automated validation more tractable. Other checks look like research projects or are more appropriate for dynamic tools rather than static tools. It's very encouraging to see teams within and outside of Microsoft working on this.
I expect that all developers will eventually have access to these or similar tools from Microsoft or 3rd parties, which can be incorporated into our build processes the way FxCop has been.
Sometimes applications break when their dependencies are upgraded to new versions. The classic example of this is Win95 applications which broke when the operating system was upgraded to WinXP. Sometimes this is because the new versions have made breaking changes to APIs. But sometimes it's because things are just different. The classic case here is where a test case runs perfectly on a developer's machine, but fails intermittently in the test lab or out in the field. The difference in environment might be obvious, like a single processor box vs. an 8-way. But all too often it's something really subtle, like a DLL relocating when it misses its preferred address, or the order of DllMain notifications on a DLL_THREAD_ATTACH. In those cases, the change in environment is not the culprit. Rather, the environmental change has finally exposed an underlying bug or fragility in the application that may have been lying dormant for years.
The managed environment eliminates a number of common fragilities, like the double-free of memory blocks or the use of a file handle or Event that has already been closed. But it certainly doesn't guarantee that a multi-threaded program which appears to run correctly on a single processor will also run without race conditions on a 32-way NUMA box. The author of the program must use techniques like code reviews, proof tools and stress testing to ensure that his code is thread-safe.
The situation that interests me the most is when an application relies on accidents of current FX and CLR implementations. These dependencies can be extremely subtle.
Here are some examples of breakage that we have encountered, listed in the random order they occur to me:
1. Between V1.1 and Whidbey, the implementation of reflection has undergone a major overhaul to improve access times and memory footprint. One consequence is that the order of members returned from APIs like Type.GetMethods has changed. The old order was never documented or guaranteed, but we've discovered programs, including our own tests, which assumed stability here.
2. Structs and classes can specify Sequential, Explicit or AutoLayout. In the case of AutoLayout, the CLR is free to place members in any order it chooses. Except for alignment packing and the way we collocate our GC references, our layout here is currently quite predictable. But in the future we hope to use access patterns to guide our layout for increased locality. Any applications that predict the layout of AutoLayout structs and classes via unsafe pointer techniques are at risk if we pursue that optimization.
3. Today, finalization occurs on a single Finalizer thread. For scalability and robustness reasons, this is likely to change at some point. Also, the GC already perturbs the order of finalization. For instance, a collection can cause a generation boundary to intervene between two instances that are normally allocated consecutively. Within a given process run, there will probably be some variation in finalization sequence. But for two objects that are allocated consecutively by a single thread, there is a high likelihood of predictable ordering. And we all know how easy it is to make assumptions about this sort of thing in our code.
4. In an earlier blog (http://blogs.gotdotnet.com/cbrumme/PermaLink.aspx/e55664b4-6471-48b9-b360-f0fa27ab6cc0), I talked about some of the circumstances that affect when the JIT will stop reporting a reference to the GC. These include inlining decisions, register allocation, and obvious differences like X86 vs. AMD64 vs. IA64. Clearly we want the freedom to pursue better code quality with JIT compilers and NGEN compilers in ways that will substantially change these factors. But yesterday an internal team reported a GC bug on multi-processor machines that we quickly traced to confusion over lifetime rules and risky practice in the application. One finalizable object was accessing some state in another finalizable object, in the expectation that the first object was live because it was the 'this' argument of an active method call.
5. During V1.1 Beta testing, a customer complained about an application we had broken. This application contained unmanaged code that reached back into its caller's stack to retrieve a GCHandle value at an offset that had been determined empirically. The unmanaged code then transitioned into managed code and redeemed the supposed handle value for the object it referred to. This normally worked, though it was clearly dependent on nasty implementation details. Unfortunately, the System.EnterpriseServices pathways leading to the unmanaged application were somewhat variable. Under certain circumstances, the stack was not what the unmanaged code predicted. In V1, the value at the predicted spot was always a 0 and the redemption attempt failed gracefully. In V1.1, the value at that stack location was an unrelated garbage value. The consequence was a crash inside mscorwks.dll and Fail Fast termination of the process.
6. In V1 and V1.1, Object.GetHashCode() can be used to obtain a hashcode for any object. However, our implementation happened to return values which tended to be small ascending integers. Moreover, these values happened to be unique across all reachable instances that were hashed in this manner. In other words, these values were really object identifiers or OIDs. Unfortunately, this implementation was a scalability killer for server applications running on multi-processor boxes. So in Whidbey Object.GetHashCode() is now all we ever said it would be: an integer with reasonable distribution but no uniqueness guarantees. It's a great value for use in HashTables, but it's sure to disappoint some existing managed applications that relied upon uniqueness.
7. In V1 and V1.1, all string literals are Interned as described in http://blogs.gotdotnet.com/cbrumme/PermaLink.aspx/7943b9be-cca9-41e1-8a83-3d7a0dbba270. I noted there that it is a mistake to rely on Interning across assemblies. That's because the other assembly might start to construct a String value which it originally specified as a literal. In Whidbey, assemblies can opt-in or opt-out of our Interning behavior. This new freedom is motivated by a desire to support faster loading of assemblies (especially assemblies that have been NGEN'ed). We've seen some tests fail as a result.
8. I've seen some external developers use a very fragile technique based on their examination of Rotor sources. They navigate through one of System.Threading.Thread's private fields (DONT_USE_InternalThread) to an internal unmanaged CLR data structure that represents a running managed thread. From there, they can scrape interesting information like the Thread::ThreadState bit field. None of these data structures are part of our contract with managed applications and all of them are sure to change in future releases. The only reason the ThreadState field is at a stable offset in our internal Thread struct today is that its frequency of access merits placing it near the top of the struct for good cache-line filling behavior.
9. Reflection allows highly trusted code to access private members of arbitrary types. I am aware of dozens of teams within and outside of Microsoft which rely on this mechanism for shipping products. Some of these uses are entirely justified, like the way Serialization accesses private state that the type author marked as [Serializable()]. Many other uses are rather questionable, and a few are truly egregious. Taken to the extreme, this technique converts every internal implementation detail into a publicly exposed API, with the obvious consequences for evolution and application compatibility.
10. Assembly loading and type resolution can happen on very different schedules, depending on how your application is running. We've seen applications that misbehave based on NGEN vs. JIT, domain-neutral vs. per-domain loading, and the degree to which the JIT inlines methods. For example, one application created an AppDomain and started running code in it. That code later modified the private application directory and then attempted to load an assembly from that directory. Of course, because of inlining the JIT had already tried to load the assembly with the original application directory and had failed. The correct solution here is to prohibit any changes to an AppDomain's application directory after code starts running within that AppDomain. This directory should only be modifiable during the initialization of the AppDomain.
11. In prior blogs, I've talked about unhandled exceptions and the CLR's default policy for dealing with them. That policy is quite involved and difficult to justify. One aspect of it is that exceptions that escape the Finalizer thread or any ThreadPool threads are swallowed. This keeps the process running, but it often leaves the application in an inconsistent state. For example, locks may not have been released by the thread that took the exception, leading to subsequent hangs. Now that the technology for reporting process crashes via Watson dumps is maturing, we really want to change our default policy for unhandled exceptions so that we Fail Fast with a process crash and a Watson upload. However, any change to this policy will undoubtedly cause many existing applications to stop working.
12. Despite the flexibility of CAS, most applications still run with Full Trust. I really believe that this will change over time. For example, in Whidbey we will have ClickOnce permission elevation and in Longhorn we will introduce the Secure Execution Environment or SEE. Both of these features were discussed at the PDC. When we have real code executing in partial trust, we're going to see some unpleasant surprises. For example, consider message pumping. If a Single Threaded Apartment thread has some partial trust code on its stack when it blocks (e.g. Monitor.Enter on a contentious monitor), then we will pump messages on that thread while it is blocked. If the dispatching of a message requires a stack walk to satisfy a security Full Demand, then the partially trusted code further back on the stack may trigger a security exception. Another example is related to class constructors. As you probably know, .cctor methods execute on the first thread that requires access to a class in a particular AppDomain. If the .cctor must satisfy a security demand, the success of the .cctor now depends upon the accident of what other code is active on the thread's stack. Along the same lines, the .cctor method may fail if there is insufficient stack space left on the thread that happens to run it. These are all well understood problems and we have plans for fixing them. But the fixes will necessarily change observable behavior for a class of applications.
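Three of the accidental dependencies in the list (#1, #4 and #6), each in its fragile form beside a form that relies only on documented guarantees. This is illustrative C# added here, not code from the original post; the Widget type, the FakeNative stand-in for an unmanaged API and the identity table are constructed for the sample.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Threading;

// Constructed sample type whose member order we must not depend on.
public sealed class Widget
{
    public void Alpha() { }
    public void Beta() { }
    public void Gamma() { }
}

public static class FragileVsRobust
{
    private const BindingFlags Declared =
        BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly;

    // #1 fragile: GetMethods()[0] being "Alpha" is an implementation accident.
    public static string FirstMethodFragile()
        => typeof(Widget).GetMethods(Declared)[0].Name;

    // #1 robust: impose an order the program itself defines (or look up by name).
    public static string[] DeclaredMethodsRobust()
        => typeof(Widget).GetMethods(Declared)
            .Select(m => m.Name)
            .OrderBy(n => n, StringComparer.Ordinal)
            .ToArray();

    // #6 fragile: treating the hash code as an OID. Nothing promises uniqueness,
    // so two distinct live objects may collide and the second looks "already registered".
    public static bool RegisterFragile(Dictionary<int, object> table, object o)
    {
        int oid = o.GetHashCode();
        if (table.ContainsKey(oid)) return false;
        table[oid] = o;
        return true;
    }

    // #6 robust: assign identities explicitly. ConditionalWeakTable keys on
    // reference identity and does not keep the objects alive.
    private static readonly ConditionalWeakTable<object, StrongBox<long>> Ids =
        new ConditionalWeakTable<object, StrongBox<long>>();
    private static long _nextId;

    public static long IdentityRobust(object o)
        => Ids.GetValue(o, _ => new StrongBox<long>(Interlocked.Increment(ref _nextId))).Value;
}

// #4: assuming 'this' stays alive for the whole method body. Once the JIT no
// longer needs the reference, the finalizer may run mid-method and close the
// handle the method is still using.
public sealed class NativeUser
{
    private readonly IntPtr _handle = FakeNative.Open();

    public int ReadFragile()
    {
        IntPtr h = _handle;          // last use of 'this'; the object is now collectible
        return FakeNative.Read(h);   // finalizer may already have closed h
    }

    public int ReadRobust()
    {
        IntPtr h = _handle;
        int result = FakeNative.Read(h);
        GC.KeepAlive(this);          // documented way to extend the lifetime past Read
        return result;
    }

    ~NativeUser() { FakeNative.Close(_handle); }
}

// Constructed stand-in for an unmanaged handle API so the sample runs offline.
internal static class FakeNative
{
    private static readonly object Gate = new object();
    private static readonly HashSet<IntPtr> Live = new HashSet<IntPtr>();
    private static int _next = 1;

    public static IntPtr Open() { lock (Gate) { var h = new IntPtr(_next++); Live.Add(h); return h; } }
    public static int Read(IntPtr h)
    {
        lock (Gate) { if (!Live.Contains(h)) throw new ObjectDisposedException("handle"); }
        return 42;
    }
    public static void Close(IntPtr h) { lock (Gate) { Live.Remove(h); } }
}

public static class Program
{
    public static void Main()
    {
        Console.WriteLine(FragileVsRobust.FirstMethodFragile());                 // whatever the runtime chooses
        Console.WriteLine(string.Join(",", FragileVsRobust.DeclaredMethodsRobust())); // Alpha,Beta,Gamma
        var a = new object(); var b = new object();
        Console.WriteLine(FragileVsRobust.IdentityRobust(a) != FragileVsRobust.IdentityRobust(b)); // True
        Console.WriteLine(new NativeUser().ReadRobust());                        // 42
    }
}
```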
I could fill a lot more pages with this sort of list. And our platform is still in its infancy. Anyway, one clear message from all this is that things will change and so applications will break.
But can we categorize these failures and make some sense of it all? For each failure, we need to decide whether the platform or the application is at fault. And then we need to identify some rules or mechanisms that can avoid these failures or mitigate them. I see four categories.
Category 1: The application explicitly screws itself
The easiest category to dispose of is the one where a developer deliberately and explicitly takes advantage of a behavior that s/he knows is guaranteed to change. A perfect example of this is #8 above. Anyone who navigates through private members to unmanaged internal data structures is setting himself up for problems in future versions. The responsibility (or irresponsibility in this case) belongs to the application. In my opinion, the platform should have no obligations.
But consider #5 above. It's clearly in this same category, and yet opinions on our broader team were quite divided on whether we needed to fix the problem. I spoke to a number of people who definitely understood the incredible difficulty of keeping this application running on new versions of the CLR and EnterpriseServices. But they consistently argued that the operating system has traditionally held itself to this sort of compatibility bar, that this is one of the reasons for Windows' ubiquity, and that the managed platform must also step up.
Also, we have to be realistic here. If a customer issue like this involves one of our biggest accounts, or has been escalated through a very senior executive (a surprising number seem to make it to Steve Ballmer), then we're going to pull out all the stops on a fix or a temporary workaround.
In many cases, our side-by-side support is an adequate and simple solution. Customers can continue to run problematic applications on their old bits, even though a new version of these bits has also been installed. For instance, the config file for an application can specify an old version of the CLR. Or binding redirects could roll back a specific assembly. But this technique falls apart if the application is actually an add-in that is dynamically loaded into a process like Internet Explorer or SQL Server. It's unrealistic to lock back the entire managed stack inside Internet Explorer (possibly preventing new applications that use generics or other Whidbey features from running there), just so older questionable applications can keep running.
It's possible that we could provide lock back at finer-grained scopes than the process scope in future versions of the CLR. Indeed, this is one of the areas being explored by our versioning team.
Anyway, if we were under sufficient pressure I could imagine us building a one-time QFE (patch) for an important customer in this category, to help them transition to a new version and more maintainable programming techniques. But if you aren't a Fortune 100 company or Steve Ballmer's brother-in-law, I personally hope we would be allowed to ignore any of your applications that are in this category.
Category 2: The platform explicitly screws the application
I would put #6, #7 and #11 above in a separate category. Here, the platform team wants to make an intentional breaking change for some valid reason like performance or reliability. In fact, #10 above is a very special case of this category. In #10, we would like to break compatibility in Whidbey so that we can provide a stable model that can avoid subsequent compatibility breakage. It's a paradoxical notion that we should break compatibility now so we can increase future compatibility, but the approach really is sensible.
In any case, if the platform makes a conscious decision to break compatibility to achieve some greater goal, then the platform is responsible for mitigation. At a minimum, we should provide a way for broken applications to obtain the old behavior, at least for some transition period. We have a few choices in how to do this, and we're likely to pick one based on engineering feasibility, the impact of a breakage, the likelihood of a breakage, and schedule pressure:
- Rely on side-by-side and explicit administrator intervention. In other words, the admin notices the application no longer works after a platform upgrade, so s/he authors a config file to lock the application back to the old platform bits. This approach is problematic because it requires a human being to diagnose a problem and intervene. Also, it has the problems I already mentioned with using side-by-side on processes like Internet Explorer or SQL Server.
- For some changes, it shouldn't be necessary to lock back the entire platform stack. So, for many changes the platform could simultaneously support the old and new behaviors. If we change our default policy for dealing with unhandled exceptions, we should definitely retain the old policy, at least for one release cycle.
- If we expect a significant percentage of applications to break when we make a change, we should consider an opt-in policy for that change. This avoids the breakage and the human involvement in a fix. In the case of String Interning, we require each assembly to opt-in to the new non-interned behavior.
- In some cases, we've considered the idea of having the opt-in be implicit with a recompile. The logic here is that when an application is recompiled against new platform bits, it is presumably also tested against those new bits. The developer, rather than the admin, will deal with any compatibility issues that arise. We're well set up for this, since managed assemblies contain metadata giving us the version numbers of the CLR and the dependent assemblies they were compiled against. Unfortunately, execution models like ASP.NET work against us here. As you know, ASP.NET pages are recompiled automatically by the system based on dependency changes. There is no developer available when this happens.
Windows Shimming
Before we consider the next two categories of AppCompat failure, it's worth taking a very quick look at one of the techniques that the operating system has traditionally used to deal with these issues. Windows has an AppCompat team which has built something called a shimming engine.
Consider what happened when the company tried to move consumers from Win95/Win98/WinMe over to WinXP. They found a large number of programs which used the GetVersion or the preferred GetVersionEx APIs in such a way that the programs refused to run on NT-based systems.
In fact, WinXP did such a good job of achieving compatibility with Win9X systems that in many cases the only reason the application wouldn't run was the version check that the program made at start up. The fix was to change GetVersion or GetVersionEx to lie about the version number of the current operating system. Of course, this lie should only be told to programs that need the lie in order to work correctly.
I've heard that this shim which lies about the operating system version is the most commonly used shim we have. As I understand it, at process start up the shimming engine tries to match the current process against any entries in its database. This match could be based on the name, timestamp or size of the EXE, or of other files found relative to that EXE like a BMP for the splash screen in a subdirectory. The entry in the database names any shims that should be applied to the process, like the one that lies about the version. The shimming engine typically patches the IAT (import address table) of a DLL or EXE in the process, so that its imports are bound to the shim rather than to the normal export (e.g. Kernel32!GetVersionEx). In addition, the shimming engine has other tricks it uses less often, like wrapping COM objects with intercepting proxies.
It's easy to see how this infrastructure can allow applications for Win95 to run on WinXP. However, this approach has some drawbacks. First, it's rather labor-intensive. Someone has to debug the application, determine which shims will fix it, and then craft some suitable matching criteria that will identify this application in the shimming database. If an appropriate shim doesn't already exist, it must be built.
In the best case, the application has some commercial significance and Microsoft has done all the testing and shimming. But if the application is a line of business application that was developed in a particular company's IT department, Microsoft will never get its hands on it. I've heard we're now allowing sophisticated IT departments to set up their own shimming databases for their own applications, but this only allows them to apply existing shims to their applications.
And from my skewed point of view the bad part of all this is that it really doesn't work for managed applications. For managed apps, binding is achieved through strong names, Fusion and the CLR loader. Binding is almost never achieved through DLL imports.
So it's instructive to consider some of the techniques the operating system has traditionally used. But those techniques don't necessarily apply directly to our new problems.
Anyway, back to our categories...
Category 3: The application incidentally screws itself
Category 4: The platform incidentally screws the application
Honestly, I'm having trouble distinguishing these two cases. They are clearly distinct categories, but it's a judgment call where to draw the line. The common theme here is that the platform has accidentally exposed some consistent behavior which is not actually a guaranteed contract. The application implicitly develops a dependency on this consistent behavior, and is broken when the consistency is later lost.
In the nirvana of some future fully managed execution environment, the platform and tools would never expose consistent behavior unless it was part of a guarantee. Let's look at some examples and see how practical this is.
In example #1 above, reflection used to present members in a stable order. In Whidbey, that order changes. In hindsight, there's a simple solution here. V1 of the product could have included a testing mode that randomized the returned order. This would have exposed the developer to our actual guarantees, rather than to a stable accidental consistency. Within the CLR, we've used this sort of technique to force us down code paths that otherwise wouldn't be exercised. For example, developers on the CLR team all use NT-based (Unicode) systems and avoid Win9X (Ansi) systems. So our Win9X Ansi/Unicode wrappers wouldn't typically get tested by developers. To address this, our checked/debug CLR build originally looked at the day of the week and used Ansi code paths every other day. But imagine chasing a bug at 11:55 PM. When the bug magically disappears on your next run at 1:03 AM the next morning, you are far too tired to think clearly about the reason. Now, we tend to use low order bits in the size of an image like mscorwks.dll or the assembly being tested, so our randomization is now more friendly to testing.
In example #2 to a higher place, you could think a like perturbation on our AutoLayout algorithms when runing a debug version of an application, or when launched from inside a tool like Ocular Studio.
For example #4, the CLR already has inner stress modes that hale unlike and belligerent GC schedules. These can warrant compaction to increase the likelihood of finding cold references. They can do all-inclusive checks of the integrity of the heap, to check that the write barrier and other mechanisms are efficient. And they can see to it that every instruction of JITted dealt code that can synchronize with the GC will synchronize with the GC. I surmise that these modes would do a fond job of eradicating assumptions about lifetimes reported by the JIT. Nonetheless, we will stay exposed to significantly unlike code generators (like Rotor s FJIT) or execution on significantly dissimilar architectures (like CPUs with dramatically more registers).
In contrast with the above difficulty, it s well-to-do to guess tallying a newfangled GC stress mode that perturbs the finalization queues, to expose any hidden out assumptions about finalization order. This would direct example #3.
Customer Debug Probes, AppVerifier and other tools
It turns out that the CLR already has a partial mechanism for enabling perturbation during testing and turning it off in deployed applications. This mechanism is the Customer Debug Probes feature that we shipped in V1.1. Adam Nathan's excellent blog site has a series of articles on CDPs, which are collected together at http://blogs.gotdotnet.com/anathan/CategoryView.aspx/Debugging. The original goal of CDPs was to eliminate the black box nature of debugging certain failures of managed applications, like corruptions of the GC heap or crashes due to incorrect calling conventions. These probes can automatically diagnose common application errors, like failing to keep a marshaled delegate rooted so that it won't be collected. This approach is so much easier than wading through dynamically generated code without symbols, because we tell you exactly where your bugs are. But we're now realizing that we can also use CDPs to increase the future compatibility of managed applications, if we can perturb current behavior that is likely to change in the future.
Unfortunately, example #6 from above reveals a major drawback with the technique of perturbation. When we built the original implementation of Object.GetHashCode, we simply never considered the difference between what we wanted to guarantee (hashing) and what we actually delivered (OIDs). In hindsight, it is obvious. But I'm not convinced that we aren't falling into similar traps in our new features. We might be a little smarter than we were five years ago, but only a little.
Example #10 worries me for similar reasons. I just don't think we were smart enough to predict that changing the binding configuration of an AppDomain after starting to run code in that AppDomain would be so fragile. When a developer delivers a feature, s/he needs to consider security, thread-safety, programming model, key invariants of the code base like GC reporting, correctness, and so many other aspects. It would be amazing if a developer consistently nailed each of these aspects for every new feature. We're kidding ourselves if we think that evolution and unintentional implicit contracts will get adequate developer attention on every new feature.
Even if we had perfect foresight and sufficient resources to add perturbation for all operations, we would still have a major problem. We can't necessarily rely on 3rd party developers to test their applications with perturbation enabled. Consider the unmanaged AppVerifier experience.
The operating system has traditionally offered a dynamic testing tool called AppVerifier which can diagnose many common unmanaged application bugs. For example, thanks to uploads of Watson process dumps from the field, most unmanaged application crashes can now be attributed to incorrect usage of dynamically allocated memory. Yet AppVerifier can use techniques like placing each allocation in its own page, or leaving pages unmapped after release, to deterministically catch overruns, double frees, and reads or writes of freed memory.
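To make the AppVerifier technique concrete, here is a toy "page heap" allocator, added as an example and not Microsoft's code: each block ends exactly at an inaccessible guard page, so a one-byte overrun faults immediately, and freeing revokes the block's pages so a use-after-free faults too. The `access_faults` probe catches the fault with a signal handler purely so the behavior can be checked in-process; it assumes a POSIX system with `mmap` and `mprotect`.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static size_t page_size(void) { return (size_t)sysconf(_SC_PAGESIZE); }

/* Allocate size bytes at the END of fresh page(s), followed by a PROT_NONE
 * guard page. Writing one byte past the block touches the guard and faults. */
void *guard_alloc(size_t size) {
    size_t ps = page_size();
    if (size == 0) size = 1;
    size_t data = (size + ps - 1) / ps * ps;          /* data pages */
    char *base = mmap(NULL, data + ps, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return NULL;
    mprotect(base + data, ps, PROT_NONE);              /* guard page */
    return base + data - size;                         /* ends at the guard */
}

/* Free by revoking access instead of recycling memory: the pages are never
 * reused (leaked on purpose in this toy), so any later touch faults. */
void guard_free(void *p, size_t size) {
    size_t ps = page_size();
    uintptr_t base = (uintptr_t)p & ~(uintptr_t)(ps - 1);
    size_t data = ((uintptr_t)p + size + ps - 1) / ps * ps - base;
    mprotect((void *)base, data, PROT_NONE);
}

/* Probe helper: returns 1 if reading one byte at p raises SIGSEGV/SIGBUS. */
static sigjmp_buf probe_env;
static void on_fault(int sig) { (void)sig; siglongjmp(probe_env, 1); }

int access_faults(const void *p) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    int faulted = 1;
    if (sigsetjmp(probe_env, 1) == 0) {
        volatile const char *vp = p;
        char c = *vp;                                  /* the probed read */
        (void)c;
        faulted = 0;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}
```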
In other words, there is hard evidence that if every unmanaged application had just used the memory checking support of AppVerifier, then two out of every three application crashes would be eliminated. Clearly this didn't happen.
Of course, AppVerifier can diagnose far more than just memory problems. And it's very easy and convenient to use.
Since testing with AppVerifier is part of the Windows Logo compliance program, you would expect that it's used fairly rigorously by ISVs. And, given its usefulness, you would expect that most IT organizations would use this tool for their internal applications. Sadly, this isn't the case. Many applications submitted for the Windows Logo actually fail to launch under AppVerifier. In other words, they violate at least one of the rules before they finish initializing.
The Windows AppCompat team recognizes that proactive tools like AppVerifier are so much better than reactive mitigation like shimming broken applications out in the field. That's why they made the AppVerifier tool a major focus of their Application Compatibility talk that I sat in on at the PDC. (Aha! I really was going somewhere with all this.)
There's got to be a reason why developers don't use such a valuable tool. In my opinion, the reason is that AppVerifier is not integrated into Visual Studio. If the Debug Properties in VS allowed you to enable AppVerifier and CDP checks, we would have much better uptake. And if an integrated project system and test system could monitor code coverage numbers, and suggest particular test runs with particular probes enabled, we would be approaching nirvana.
Winding Down
Looking at development within Microsoft, one trend is very clear: automated tools and processes are a wonderful supplement for human developers. Whether we're talking about security, reliability, performance, application compatibility or any other measure of software quality, we're now learning that static and dynamic analysis tools can give us guarantees that we will never obtain from human beings. Bill Gates touched on this during his PDC keynote, when he mentioned our new tools for statically verifying device driver correctness, for some definition of correctness.
This trend was very clear to me during the weeks I spent on the DCOM / RPCSS security fire drill. I spent days reading some clever marshaling code, eventually convincing myself that it worked perfectly. Then someone else wrote an automated attacker and found real flaws in just a few hours. Other architects and senior developers reviewed different sections of the code. Then some researchers from MSR who are focused on automatic program validation ran their latest tools over the same code and gave us step-by-step execution traces that led to crashes. Towards the end of the fire drill, a virtuous cycle was established. The code reviewers identified new categories of vulnerabilities. So the researchers tried to evolve their tools to find those vulnerabilities. Aspects of this process were very crude, so the tools sometimes produced a great deal of noise in the form of false positives. But it's clear that we were getting real value from Day One, and the future potential here is tremendous.
One question that always comes up, when we talk about adding significant value to Visual Studio through additional tools, is whether Microsoft should give these tools away. It's a contentious issue, and I find myself going back and forth on it. One school of thought says that we should give away tools to promote the platform and improve all the programs in the Windows ecosystem. In the case of tools that make our customers' applications more secure or more resilient to future changes in the platform, this is a compelling argument. Another school of thought says that Visual Studio is a profit center like any other part of the company, and it needs the freedom to charge what the market will bear.
Given that my job is building a platform, you might expect me to favor giving Visual Studio away. But I actually think the profit motive is a powerful mechanism for keeping our tools competitive. If Visual Studio doesn't have P&L responsibility, their offering will deteriorate over time. The best way to know whether they've done all they can to build the best tools possible is to measure how much their customers are willing to pay. I want Borland to compete with Microsoft on building the best tools at the best price, and I want to be able to measure the results of that competition through revenue and market penetration.
In all this, I have avoided really discussing the issues of versioning. Of course, versioning and application compatibility are enormously intertwined. Applications break for many reasons, but the typical reason is that one component is now binding to a new version of another component. We have a whole team of architects, gathered from around the company, who have been meeting regularly for about a year to grapple with the problems of a complete managed versioning story. Unlike managed AppCompat, the intellectual investment in managed versioning has been tremendous.
In any case, Application Compatibility remains a relatively contentious subject over here. There's no question that it's a hugely important topic which will have a large impact on the longevity of our platform. But we are still trying to develop techniques for achieving compatibility that will be more successful than what Windows has done in the past, without limiting our ability to innovate on what is still a very immature execution engine and set of frameworks. I have deliberately avoided discussing what some of those techniques might be, in part because our story remains incomplete.
Also, we won't know how badly AppCompat will bite us until we can see a lot of deployed applications that are breaking as we advance the platform. At that point, it's easy to justify throwing more resources at the problem. But by then the genie is out of the bottle… the deployed applications will already rely upon unfortunate accidents of implementation, so recovery will be painfully slow. In a world where we are always under intense resource and schedule pressure, the needs of AppCompat must be balanced against performance, security, developer productivity, reliability, innovation and all the other must haves.
You know, I really do want to talk about Hosting. It is a truly fascinating subject. I'm much more comfortable talking about non-pre-emptive fiber scheduling than I am discussing boring topics like implicit contracts and compatibility trends.
But Hosting is going to have to wait at least a few more weeks.