Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Formal Specifications and Other People's Tech

Avatar for Marianne Bellotti Marianne Bellotti
September 13, 2019
Technology
160
0

Formal Specifications and Other People's Tech

How do you use formal specification like TLA+ to model real world engineering challenges?

Avatar for Marianne Bellotti

Marianne Bellotti

September 13, 2019

More Decks by Marianne Bellotti

See All by Marianne Bellotti
Building Safety Critical Systems
Avatar for Marianne Bellotti mbellotti
0
190
Killer Robots and Rogue AI
Avatar for Marianne Bellotti mbellotti
0
30
Five Lies of Modernization
Avatar for Marianne Bellotti mbellotti
0
35
Interdisciplinary Engineering
Avatar for Marianne Bellotti mbellotti
0
180
Worst Case Scenario in the Database
Avatar for Marianne Bellotti mbellotti
0
110
Death of the Trusted Internet
Avatar for Marianne Bellotti mbellotti
0
140
Debunking Other People's Data Science
Avatar for Marianne Bellotti mbellotti
0
130

Other Decks in Technology

See All in Technology
Platform engineering for developers, architects & the rest of us (AI agents)
Avatar for danielbryantuk danielbryantuk
0
180
脅威をエンジニアリングの糧にして:恐怖を乗り越えた先にあったもの / Turn threats into fuel for engineering: what lay beyond overcoming fear
Avatar for nrs nrslib
1
380
生成 AI × MCP で切り拓く次世代 SRE!自律型運用への挑戦と開発者体験の進化
Avatar for _awache _awache
0
120
OpenID Connectによるサービス間連携
Avatar for Shigeki Shoji takesection
0
160
AI活用を推進するために ファインディが下した、一つの小さな決断
Avatar for starfish719 starfish719
0
230
関西に縁あるMicrosoft MVPsが語るCopilotの未来
Avatar for Kaz Asada | しがない情シス kasada
0
1k
ITエンジニアを取り巻く環境とキャリアパス / A career path for Japanese IT engineers
Avatar for 高玉 広和 / TAKATAMA Hirokazu takatama
4
1.8k
実装は速くなった、レビューはどうする? ― 自身のレビューをAIで再現させるサーヴァントエンジニアリングのすゝめ / Implementation got faster. So what about reviews? — An invitation to Servant Engineering: Recreating your own code reviews with AI
Avatar for nrs nrslib
6
3.2k
PHP と TypeScript の型システム比較:AI 時代の「型」は誰のためにあるのか? #frontend_phpcon_do / frontend_phpcon_do_2026
Avatar for shogogg shogogg
1
240
Javaで学ぶSOLID原則
Avatar for Negima negima
1
280
Claude code Orchestra
Avatar for Taisei Ozaki ozakiomumkj
3
920
Chart.js が簡単に使えるようになっていたので OGP 画像生成に使った話
Avatar for すずとも kamekyame
0
140

Featured

See All Featured
SEO for Brand Visibility & Recognition
Avatar for Aleyda Solis aleyda
0
4.6k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
Avatar for panda_program panda_program
122
22k
YesSQL, Process and Tooling at Scale
Avatar for Rocio Delgado rocio
174
15k
Have SEOs Ruined the Internet? - User Awareness of SEO in 2025
Avatar for Akash Hashmi akashhashmi
0
360
Statistics for Hackers
Avatar for Jake VanderPlas jakevdp
799
230k
Lightning talk: Run Django tests with GitHub Actions
Avatar for Sarah Abderemane sabderemane
0
190
Leadership Guide Workshop - DevTernity 2021
Avatar for David Neal reverentgeek
1
300
Self-Hosted WebAssembly Runtime for Runtime-Neutral Checkpoint/Restore in Edge–Cloud Continuum
Avatar for Yuki Nakata chikuwait chikuwait
0
560
Between Models and Reality
Avatar for mayunak mayunak
4
320
Faster Mobile Websites
Avatar for Dean Hume deanohume
310
31k
How to build a perfect <img>
Avatar for Jono Alderson jonoalderson
1
5.6k
Digital Projects Gone Horribly Wrong (And the UX Pros Who Still Save the Day) - Dean Schuster
Avatar for UX Y'all uxyall
0
1.6k

Transcript

  1. auth0.com Formal Specification Taming Other People's Tech &

  2. SPECS! BY BEGINNERS FOR BEGINNERS @bellmar bit.ly/bellmar-auth0

  3. TLA+ Conf Finding Bugs Without Running or Even Looking at

    Code Correctness Proofs of Distributed Systems with Isabelle

  4. WHAT IS FORMAL SPECIFICATION? @bellmar bit.ly/bellmar-auth0

  5. -Inputs -Expected behavior -Legal outputs -Illegal behavior

  6. Tell me the future, wise computer @bellmar bit.ly/bellmar-auth0

  7. @bellmar bit.ly/bellmar-auth0

  8. !! @bellmar bit.ly/bellmar-auth0

  9. @bellmar bit.ly/bellmar-auth0 Mostly I write bad specs, and this talk

    is about how that still adds a lot of value The more people write specs the faster we all learn

  10. S3 Design Session @bellmar bit.ly/bellmar-auth0

  11. MOST ENGINEERS WILL NEVER BUILD A MESSAGE QUEUE You’ll buy

    one from AWS

  12. BUT SPECIFICATION CAN BE APPLIED TO MANY DIFFERENT THINGS! @bellmar

    bit.ly/bellmar-auth0

  13. @bellmar bit.ly/bellmar-auth0 Identity as a Service

  14. @bellmar bit.ly/bellmar-auth0

  15. Built by other teams

  16. In taking over a service: - Defining SLOs - Evaluating

    debt - Studying existing problems and rethinking architecture

  17. EMAILS - validate email - password reset - principal mode

    of communication We do logins not emails!

  18. EMAILS - validate email - password reset - principal mode

    of communication @bellmar bit.ly/bellmar-auth0

  19. X per hour @bellmar bit.ly/bellmar-auth0

  20. @bellmar bit.ly/bellmar-auth0

  21. @bellmar bit.ly/bellmar-auth0

  22. Email all my users! Password Reset Anomaly Detection Welcome Email

    Validation @bellmar bit.ly/bellmar-auth0

  23. @bellmar bit.ly/bellmar-auth0

  24. HOW DO WE KNOW IF THIS CHANGE IS SAFE? @bellmar

    bit.ly/bellmar-auth0

  25. LET’S WRITE A SPEC! @bellmar bit.ly/bellmar-auth0

  26. STEPS WITH SPECIFICATIONS YOU THINK IN STATES WITH ALGORITHMS YOU

    THINK IN @bellmar bit.ly/bellmar-auth0

  27. @bellmar bit.ly/bellmar-auth0

  28. @bellmar bit.ly/bellmar-auth0

  29. \ 40% → ✅ 41% → ✅ 42% → ✅

    43% → ✅ 44% → ✅ 45% → ✅ 46% → ✅ 47% → ✅ 48% → ✅ 49% → ✅ 50% → ✅

  30. VM 50% VM 20% VM 70%

  31. VM 50% VM 20% VM 70% Test all possible states

    to make sure the load balancer does the right thing

  32. 40% → ✅ 41% → ✅ 42% → ✅ 43%

    → ✅ 44% → ✅ 45% → ✅ 46% → ✅ 47% → ✅ 48% → ✅ 49% → ✅ 50% → ✅ 40% → ✅ 50% → ✅ 60% → ✅ 70% → ❌ ✅ ❌

  33. Normal Idle Unhealthy @bellmar bit.ly/bellmar-auth0

  34. Must always be true: 0 < servers > 10 Goto!

    Party like it’s 1979…

  35. LEAVE YOUR PROBABILITY AT HOME

  36. Sometimes we kill a server, sometimes we create one Literally

    the one time we just keep killing servers @bellmar bit.ly/bellmar-auth0

  37. Sometimes we kill a server, sometimes we create one Literally

    the one time we just keep killing servers ARGH! BUT WHY? THAT WILL NEVER HAPPEN!!

  38. SYSTEM NOT SYSTEM LGTM SAFETY @bellmar bit.ly/bellmar-auth0

  39. Normal Idle Unhealthy Health Check @bellmar bit.ly/bellmar-auth0

  40. - Several unhealthy servers == Create new - All servers

    healthy and more than 3 == Shut one down - Else assume we kill and refresh unhealthy

  41. - Several unhealthy servers == Create new - All servers

    healthy and more than 3 == Shut one down - Else assume we kill and refresh unhealthy

  42. WHAT STATES SHOULD BE IMPOSSIBLE? (NOT UNDESIRABLE?) @bellmar bit.ly/bellmar-auth0

  43. Servers keep restarting Too many servers Too few servers Healthcheck

    action inconsistency @bellmar bit.ly/bellmar-auth0

  44. Servers keep restarting Too many servers Too few servers Healthcheck

    action inconsistency Undesirable but not impossible states @bellmar bit.ly/bellmar-auth0

  45. Maybe you should turn yourself rather than the puzzle

  46. Anyway… @bellmar bit.ly/bellmar-auth0

  47. x per hour @bellmar bit.ly/bellmar-auth0

  48. One please! @bellmar bit.ly/bellmar-auth0

  49. One please! Sorry no more tokens. Sit in the retry

    queue and come back later @bellmar bit.ly/bellmar-auth0

  50. One please! Sorry no more tokens. Sit in the retry

    queue and come back later @bellmar bit.ly/bellmar-auth0

  51. STATE HOW DO WE MAKE THIS LOOK LIKE A MACHINE

    @bellmar bit.ly/bellmar-auth0

  52. Queued → Worker → Sent Has Tokens → No Tokens

    @bellmar bit.ly/bellmar-auth0

  53. Queued Worker Sent @bellmar bit.ly/bellmar-auth0

  54. Queued Worker Sent Dropped @bellmar bit.ly/bellmar-auth0

  55. WHAT’S STATES SHOULD BE IMPOSSIBLE? @bellmar bit.ly/bellmar-auth0

  56. Has Token → Deleted Sent → Deleted Deleted → Sent

    No Token → Sent @bellmar bit.ly/bellmar-auth0

  57. HOW DOES OUR IMPLEMENTATION PREVENT THESE STATES? @bellmar bit.ly/bellmar-auth0

  58. JUST TRYING TO BUILD THE MODEL OFTEN REVEALS BUGS @bellmar

    bit.ly/bellmar-auth0

  59. Email all my users! Password Reset Anomaly Detection Welcome Email

    Validation @bellmar bit.ly/bellmar-auth0

  60. Email all my users! Password Reset Anomaly Detection Welcome Email

    Validation @bellmar bit.ly/bellmar-auth0

  61. Queued Worker @bellmar bit.ly/bellmar-auth0

  62. GREAT, SO WHAT SHOULD OUR MODEL LOOK LIKE? @bellmar bit.ly/bellmar-auth0

  63. Tenant Tenant Tenant @bellmar bit.ly/bellmar-auth0

  64. Tenant @bellmar bit.ly/bellmar-auth0 For each tenant For each bucket

  65. LOOPS WILL F— YOU UP LOOPS @bellmar bit.ly/bellmar-auth0

  66. x in [a, b, c] print x “a” “b” “c”

    @bellmar bit.ly/bellmar-auth0

  67. x in [a, b, c] l=append(l, x) l = [

    ] print l @bellmar bit.ly/bellmar-auth0

  68. x in [a, b, c] l=append(l, x) [“a”] [“a”, “b”]

    [“a”, “b”, “c”] l = [ ] print l @bellmar bit.ly/bellmar-auth0

  69. x in [a, b, c] l = [ ] [“a”]

    [“b”] [“c”] l=append(l, x) print l @bellmar bit.ly/bellmar-auth0

  70. A B C then then A B C or or

    Steps States @bellmar bit.ly/bellmar-auth0

  71. Tenant Tenant Tenant @bellmar bit.ly/bellmar-auth0

  72. Tenant Tenant Tenant @bellmar bit.ly/bellmar-auth0

  73. @bellmar bit.ly/bellmar-auth0

  74. Alice Bob Oh… that’s easy!

  75. Undesirable -vs- Impossible

  76. Queue Publishers

  77. “SHOULD THE PUBLISHERS BE PUTTING THINGS DIRECTLY IN THE QUEUE?”

    @bellmar bit.ly/bellmar-auth0 WAIT…

  78. 1) Make it look like a state machine 2) Define

    the impossible states 3) Model what makes them impossible To Summarize: @bellmar bit.ly/bellmar-auth0

  79. Things that already look like state machines: @bellmar bit.ly/bellmar-auth0

  80. Things that already look like state machines: - Redux @bellmar

    bit.ly/bellmar-auth0

  81. Things that already look like state machines: - Redux -

    AWS Lambda @bellmar bit.ly/bellmar-auth0

  82. Things that already look like state machines: - Redux -

    AWS Lambda - Workflow Orchestration (Airflow, Conductor, Luigi) @bellmar bit.ly/bellmar-auth0

  83. Bit.ly/bellmar-auth0