Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Test First Construction of Distributed Systems

Joseph Blomstedt
March 29, 2012
Technology
3
1k

Test First Construction of Distributed Systems

My Erlang Factory 2012 talk.
http://www.erlang-factory.com/conference/SFBay2012/speakers/JosephBlomstedt

Joseph Blomstedt

March 29, 2012
Tweet

More Decks by Joseph Blomstedt

See All by Joseph Blomstedt
Data Structure Adventures for Fun, Profit, and Performance
jtuple
2
300
RICON West 2012: Bringing Consistency to Riak (Part 2)
jtuple
3
680
Riak -- Seattle Scalability
jtuple
2
460
Hansei: Property-based Development of Concurrent Systems
jtuple
3
1.8k
Riak 1.2 Webinar Preview
jtuple
1
260

Other Decks in Technology

See All in Technology
個人でもIAM Identity Centerを使おう!(アクセス管理編)
ryder472
3
200
オープンソースAIとは何か? --「オープンソースAIの定義 v1.0」詳細解説
shujisado
6
670
サイバーセキュリティと認知バイアス:対策の隙を埋める心理学的アプローチ
shumei_ito
0
380
誰も全体を知らない ~ ロールの垣根を超えて引き上げる開発生産性 / Boosting Development Productivity Across Roles
kakehashi
1
220
なぜ今 AI Agent なのか _近藤憲児
kenjikondobai
4
1.3k
Platform Engineering for Software Developers and Architects
syntasso
1
510
Adopting Jetpack Compose in Your Existing Project - GDG DevFest Bangkok 2024
akexorcist
0
100
エンジニア人生の拡張性を高める 「探索型キャリア設計」の提案
tenshoku_draft
1
120
インフラとバックエンドとフロントエンドをくまなく調べて遅いアプリを早くした件
tubone24
1
430
Oracle Cloud Infrastructure データベース・クラウド:各バージョンのサポート期間
oracle4engineer
PRO
28
12k
RubyのWebアプリケーションを50倍速くする方法 / How to Make a Ruby Web Application 50 Times Faster
hogelog
3
940
Amazon CloudWatch Network Monitor のススメ
yuki_ink
1
200

Featured

See All Featured
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
29k
Typedesign – Prime Four
hannesfritz
40
2.4k
Reflections from 52 weeks, 52 projects
jeffersonlam
346
20k
The Pragmatic Product Professional
lauravandoore
31
6.3k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
246
1.3M
4 Signs Your Business is Dying
shpigford
180
21k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
47
5k
Fontdeck: Realign not Redesign
paulrobertlloyd
82
5.2k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
232
17k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
16
2.1k
Happy Clients
brianwarren
98
6.7k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
28
2k

Transcript

  1. Joseph Blomstedt (@jtuple) Basho Technologies [email protected] Test-First Construction of Distributed

    Systems Erlang Factory SF March 2012 Thursday, March 29, 2012

  2. 2 a distributed, scalable, and highly- available datastore store. Basho

    makes Thursday, March 29, 2012

  3. 3 Basho is a start-up Thursday, March 29, 2012

  4. 4 Ship Quickly Ship Correctly Highly Available Fault Tolerant Enterprise

    Start-up Iterate Agility Thursday, March 29, 2012

  5. 5 Ship Quickly Ship Correctly Highly Available Fault Tolerant Enterprise

    Start-up Iterate Agility Strive to reduce gap Thursday, March 29, 2012

  6. Erlang Is Indispensable 6 • Built-in concurrency and distributed programming

    • Fault-tolerant just-crash / supervisor mentality • Ability to inspect VM state • Hot load code loading Thursday, March 29, 2012

  7. 7 Result? Thursday, March 29, 2012

  8. 8 Majority of bugs are concurrent logic errors Thursday, March

    29, 2012

  9. Testing Tools 9 • Quickcheck Property-based testing • Pulse Randomizing

    Erlang scheduler • McErlang / Concuerror Model checkers Thursday, March 29, 2012

  10. Quickcheck 10 my_test() -> eqc:quickcheck(reverse_prop()). reverse_prop() -> ?FORALL(L, list(int()), begin

    lists:reverse(lists:reverse(L)) == L end) Thursday, March 29, 2012

  11. Quickcheck eqc_statem 11 Run against stateful code Verify postconditions Generate

    Command Sequence Thursday, March 29, 2012

  12. Quickcheck eqc_statem 12 command(State) -> %% Commands to run against

    stateful system oneof(Cmds). precondition(State, Cmd) -> %% Return true if cmd is valid in current state. next_state(State, Result, Cmd) -> %% Update test state after a given cmd. postcondition(State, Cmd, Result) -> %% Test postconditions. Thursday, March 29, 2012

  13. Testing Issues • Building test from implementation often not straightforward

    • Testing concurrent interleaving requires a different approach • Building a great implementation of a broken algorithm is disheartening 13 Thursday, March 29, 2012

  14. 14 Test First Construction Thursday, March 29, 2012

  15. 15 Build testable model Thursday, March 29, 2012

  16. 16 Test Iterate Gain Confidence Thursday, March 29, 2012

  17. 17 Convert model into implementation Thursday, March 29, 2012

  18. 18 Verify implementation against model Thursday, March 29, 2012

  19. History 19 • First built testable model for new clustering

    subsystem for Riak 1.0 • Model built on top of eqc_statem • The test itself was the model of the system and tested properties against itself • Somewhat ad-hoc, but it worked Thursday, March 29, 2012

  20. eqc_system (1/2) 20 • Refactored the approach into general-purpose framework

    based on lessons learned • Events External events, timers, things you do not care to model • Calls/Casts Similar to OTP gen_server • Calls/casts map to simulated receive/reply semantics Thursday, March 29, 2012

  21. eqc_system (2/2) 21 • Test consists of test module and

    a set of node modules • Callbacks handle_event, handle_call, handle_cast after_event, after_call, after_cast post_event, post_call, post_cast, always • Test module can generate events and test properties against global test state • Node modules generate events, calls, casts and test local properties Thursday, March 29, 2012

  22. Simple Example • Nodes join together an form a cluster

    • Nodes periodically gossip membership state to other known nodes 22 Thursday, March 29, 2012

  23. 23 events(#state{nodes=Nodes}) -> ?EVENT(join, [elements(Nodes), elements(Nodes)]). precondition(_, S, join, [Node,[OtherNode]])

    -> Singleton = S#state.singleton, all([Node /= OtherNode, lists:member(Node, Singleton), (Singleton == S#state.nodes) or lists:member(OtherNode, Singleton)]); after_event(_Nodes, S, {join, [OtherNode]}, Node, _NodeState) -> Singleton = S#state.singleton -- [Node, OtherNode], S#state{singleton=Singleton}; Test Module Thursday, March 29, 2012

  24. 24 events(Node, #state{members=Members}) -> ?EVENT(gossip, [Node, [elements(Members)]]). precondition(S, gossip, [Node,

    [OtherNode]]) -> all([lists:member(OtherNode, S#state.members), Node /= OtherNode]); Test Node Module (1/3) Thursday, March 29, 2012

  25. 25 handle_event({join, [OtherNode]}, State) -> call(State, OtherNode, get_members, fun(Members) ->

    Members2 = lists:sort([State#state.id | Members]), State2 = State#state{members=Members2}, {noreply, State2} end); handle_event({gossip, [OtherNode]}, State) -> cast(OtherNode, {gossip, State#state.members}), {ok, State}. Test Node Module (2/3) Thursday, March 29, 2012

  26. 26 handle_call(get_members, _From, State) -> {reply, State#state.members, State}. handle_cast({gossip, OtherMembers},

    State) -> Members2 = merge(Members, OtherMembers), {noreply, State#state{members=Members2}}. Test Node Module (3/3) Thursday, March 29, 2012

  27. 27 [{init,{sys_state,undefined,undefined,rc,0,[],undefined,undefined, model}}, {set,{var,1},{call,eqc_sys,init_dynamic,[]}}, {set,{var,2},{call,eqc_sys,init_system,[rc]}}, {set,{var,3},{call,rc,join,[3,[1]]}}, {set,{var,4},{call,eqc_sys,rcvmsg,[1,{3,{call,get_members}}]}}, {set,{var,5},{call,rc,join,[2,[1]]}}, {set,{var,6},{call,eqc_sys,rcvreply,[3,{1,[1]}]}}, {set,{var,7},{call,eqc_sys,rcvmsg,[1,{2,{call,get_members}}]}},

    {set,{var,8},{call,eqc_sys,rcvreply,[2,{1,[1]}]}}, {set,{var,9},{call,rc_node,send_gossip,[3,[1]]}}, {set,{var,10},{call,rc_node,send_gossip,[3,[1]]}}, {set,{var,11},{call,rc_node,send_gossip,[2,[1]]}}, {set,{var,12},{call,rc_node,send_gossip,[3,[1]]}}, {set,{var,13},{call,eqc_sys,rcvmsg,[1,{3,{cast,{gossip, [1,3]}}}]}}, {set,{var,14},{call,eqc_sys,rcvmsg,[1,{3,{cast,{gossip, [1,3]}}}]}}] Example Command Sequence Thursday, March 29, 2012

  28. Extended Example • Cluster maintains a weak leader Lowest node

    id in the cluster is considered the leader No actual leader election or failure detection • Property we care about At all times, there is only one node that believe it is the leader of a cluster 28 Thursday, March 29, 2012

  29. 29 -record(state, {id, members, leader}). handle_event({join, [OtherNode]}, _Node, State) ->

    call(State, OtherNode, get_state, fun(#state{members=Members, leader=Leader}) -> Members2 = lists:sort([State#state.id | Members]), {noreply, State#state{members=Members2, leader=Leader}} end); handle_event({send_gossip, [OtherNode]}, _Node, State) -> cast(OtherNode, {gossip, State}), {ok, State}; Extended Node Module (1/3) Thursday, March 29, 2012

  30. 30 handle_call(get_state, _From, _Node, State) -> {{reply, State}, State}; handle_cast({gossip,

    #state{members=Members, leader=Leader}}, _From, _Node, State) -> Members2 = lists:usort(State#state.members ++ Members), case State#state.id == State#state.leader of true -> Leader2 = hd(lists:sort(Members2)); false -> Leader2 = Leader end, {noreply, State#state{members=Members2, leader=Leader2}}; Extended Node Module (2/3) Thursday, March 29, 2012

  31. 31 get_leader(S) -> S#state.leader. get_members(S) -> S#state.members. Extended Node Module

    (3/3) Thursday, March 29, 2012

  32. 32 always(Nodes, S) -> all([begin Members = nodecall(Nodes, Node, get_members,

    []), one_leader(Nodes, Members) end || Node <- S#state.nodes]). one_leader(Nodes, Members) -> Leaders = [Leader || Node <- Members, Leader <- [nodecall(Nodes, Node, get_leader, [])], Leader == Node], length(lists:usort(Leaders)) < 2. Extended Test Module Thursday, March 29, 2012

  33. 33 [{init,{sys_state,undefined,undefined,rc,0,[],undefined,undefined,model}}, {set,{var,1},{call,eqc_sys,init_dynamic,[]}}, {set,{var,2},{call,eqc_sys,init_system,[rc]}}, {set,{var,3},{call,rc,join,[1,[3]]}}, {set,{var,4},{call,eqc_sys,rcvmsg,[3,{1,{call,get_state}}]}}, {set,{var,5},{call,eqc_sys,rcvreply,[1,{3,{state,3,[3],3}}]}}, {set,{var,6},{call,rc_node,send_gossip,[1,[3]]}}, {set,{var,7},{call,eqc_sys,rcvmsg,[3,{1,{cast,{gossip,{state,1,[1,3],3}}}}]}}, {set,{var,8},{call,rc_node,send_gossip,[3,[1]]}},

    {set,{var,9},{call,rc_node,send_gossip,[1,[3]]}}, {set,{var,16}, {call,eqc_sys,rcvmsg,[3,{1,{cast,{gossip,{state,1,[1,3],3}}}}]}}, {set,{var,18}, {call,eqc_sys,rcvmsg,[1,{3,{cast,{gossip,{state,3,[1,3],1}}}}]}}] {postcondition,false} Counterexample Thursday, March 29, 2012

  34. Versioned leader state 34 • Add version number to gossiped

    state • Leader increments version when changed • Node updates leader only if newer version • After changes, model passes without issue Thursday, March 29, 2012

  35. 35 Convert to Implementation Thursday, March 29, 2012

  36. Convert to Implementation 36 • Convert model into actual implementation

    • Majority of code reused eqc_sys designed to mirror OTP code • Update model if as necessary and reiterate Thursday, March 29, 2012

  37. 37 Test Implementation Thursday, March 29, 2012

  38. Recall model design 38 • Events Commands that trigger system

    transitions • Calls/casts Emulated as commands in order for testing purposes Thursday, March 29, 2012

  39. Testing Approach #1 • Quickcheck generates event sequences, not call/casts

    • Events mapped to equivalent implementation constructs • Erlang tracing used to capture actual call/casts that occurred • Verify events + observed call/casts against model and final cluster state 39 Thursday, March 29, 2012

  40. Testing Approach #2 • Modify implementation to enable controlling message

    interleaving • Implemented as a proxy process that delays forwarding messages until told to do so by test module • Investigating parse_transform option 40 Thursday, March 29, 2012

  41. Interacting with other tools • Pulse, McErlang, Concuerror All aimed

    at concurrency debugging • Testing approach #1 works well with these tools Generate event sequences + trace, but allow scheduling tools to force interleavings • Tested with Pulse and Concuerror • Even more confidence in model/code 41 Thursday, March 29, 2012

  42. Limitations • eqc_sys entirely random, may not hit lurking bad

    interleaving • Pulse also random • McErlang / Concuerror state space usually too large 42 Thursday, March 29, 2012

  43. Coq Proof Assistant • Working on using Coq to prove

    model • Coq script similar to Quickcheck model Represent commands as a list constructed from a generate Model are functions that operate over list, producing state Properties checked against state Prove: Forall commands, properties always hold. 43 Thursday, March 29, 2012

  44. Coq Challenges (1/2) • Writing Coq scripts Syntax (Basho is

    an Erlang company) Semantics (Mapping Erlang ideas to Coq) • Working on Erlang to Coq generate that works on subset of Erlang used in my models Solves syntax issues Semantics are tricker, but approached as encountered 44 Thursday, March 29, 2012

  45. Coq Challenges (2/2) • Proving in Coq is not automatic

    • Tedious process, not Basho specialty • Working on domain-specific proof tactic and library of lemmas to enable automated • Inspired by Professor Chlipala’s book http://adam.chlipala.net/cpdt • Possibly hear more later this year Personal project, so progress is slow 45 Thursday, March 29, 2012

  46. 46 Test Implement Model Verify Thursday, March 29, 2012

  47. 47 Ship Quickly Ship Correctly Getting a little closer Thursday,

    March 29, 2012

  48. Questions? [email protected] @jtuple Thursday, March 29, 2012